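{#
  Filebeat module configuration for Security Onion, rendered by Salt (Jinja,
  then YAML). Everything below lands under securityonion_filebeat:modules.
  The elasticsearch, kibana, logstash, redis and suricata modules are always
  emitted; the zeek module is emitted only on the roles listed in the first
  `if` below, and only when the selected metadata engine is not Suricata.
#}
{#- Metadata engine selected in the global pillar; '' when the key is unset. #}
{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{#- Zeek log name -> Filebeat fileset name, for the cases where the two differ.
    A log name that is not a key here is used as its own fileset name. #}
{% set ZEEKLOGLOOKUP = {
  'conn': 'connection',
} %}

securityonion_filebeat:
  modules:
    elasticsearch:
      server:
        enabled: true
        var.paths: ["/logs/elasticsearch/*.log"]
    kibana:
      log:
        enabled: true
        var.paths: ["/logs/kibana/kibana.log"]
    logstash:
      log:
        enabled: true
        var.paths: ["/logs/logstash.log"]
    redis:
      log:
        enabled: true
        var.paths: ["/logs/redis.log"]
      slowlog:
        enabled: false
    suricata:
      eve:
        enabled: true
        var.paths: ["/nsm/suricata/eve*.json"]
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
{%- if ZEEKVER != 'SURICATA' %}
    zeek:
{#- Log names come from the zeeklogs:enabled pillar list; the default is an
    empty list so the loop is simply a no-op when the pillar is absent.
    NOTE(review): with no enabled logs this renders `zeek:` with no children
    (null) — confirm the consumer tolerates that. #}
{%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', []) %}
{% if LOGNAME in ZEEKLOGLOOKUP.keys() %}
{% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}
{% else %}
{% set FILESET = LOGNAME %}
{% endif %}
{# The fileset key is templated, so it is quoted: a log name that happens to
   look like a YAML boolean, null or number must still load as a string. #}
      "{{ FILESET }}":
        enabled: true
        var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
{%- endfor %}
{%- endif %}
{%- endif %}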