securityonion/salt/filebeat/defaults.yaml

filebeat:
  config:
  zeek_logs_enabled:
    - conn
    - dce_rpc
    - dhcp
    - dnp3
    - dns
    - dpd
    - files
    - ftp
    - http
    - intel
    - irc
    - kerberos
    - modbus
    - notice
    - ntlm
    - pe
    - radius
    - rfb
    - rdp
    - sip
    - smb_files
    - smb_mapping
    - smtp
    - snmp
    - ssh
    - ssl
    - tunnel
    - weird
    - mysql
    - socks
    - x509
    - dnp3_objects
    - modbus_detailed
    - modbus_mask_write_single_register
    - modbus_read_write_multiple_registers
    - bacnet
    - bacnet_discovery
    - bacnet_property
    - ecat_registers
    - ecat_log_address
    - ecat_dev_info
    - ecat_aoe_info
    - ecat_coe_info
    - ecat_foe_info
    - ecat_soe_info
    - ecat_arp_info
    - enip
    - cip
    - cip_io
    - cip_identity
    - opcua_binary
    - opcua_binary_status_code_detail
    - opcua_binary_diag_info_detail
    - opcua_binary_get_endpoints
    - opcua_binary_get_endpoints_discovery
    - opcua_binary_get_endpoints_user_token
    - opcua_binary_get_endpoints_description
    - opcua_binary_get_endpoints_locale_id
    - opcua_binary_get_endpoints_profile_uri
    - opcua_binary_create_session
    - opcua_binary_create_session_user_token
    - opcua_binary_create_session_endpoints
    - opcua_binary_create_session_discovery
    - opcua_binary_activate_session
    - opcua_binary_activate_session_client_software_cert
    - opcua_binary_activate_session_locale_id
    - opcua_binary_activate_session_diagnostic_info
    - opcua_binary_browse
    - opcua_binary_browse_description
    - opcua_binary_browse_request_continuation_point
    - opcua_binary_browse_result
    - opcua_binary_browse_response_references
    - opcua_binary_browse_diagnostic_info
    - opcua_binary_create_subscription
    - opcua_binary_read
    - cotp
    - s7comm
    - s7comm_read_szl
    - s7comm_upload_download
    - s7comm_plus
    - tds
    - tds_rpc
    - tds_sql_batch
    - profinet_dce_rpc
    - profinet
    - profinet_debug
    - stun
    - stun_nat
    - wireguard