mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
68 lines
2.9 KiB
Bash
Executable File
68 lines
2.9 KiB
Bash
Executable File
#!/bin/bash
|
|
# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
{%- set mainint = salt['pillar.get']('host:mainint') %}
|
|
{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
|
|
|
|
default_conf_dir=/opt/so/conf
|
|
ELASTICSEARCH_HOST="{{ MYIP }}"
|
|
ELASTICSEARCH_PORT=9200
|
|
#ELASTICSEARCH_AUTH=""
|
|
|
|
# Define a default directory to load pipelines from
|
|
FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
|
|
|
|
|
|
# Wait for ElasticSearch to initialize
|
|
echo -n "Waiting for ElasticSearch..."
|
|
COUNT=0
|
|
ELASTICSEARCH_CONNECTED="no"
|
|
while [[ "$COUNT" -le 240 ]]; do
|
|
{{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
|
|
if [ $? -eq 0 ]; then
|
|
ELASTICSEARCH_CONNECTED="yes"
|
|
echo "connected!"
|
|
break
|
|
else
|
|
((COUNT+=1))
|
|
sleep 1
|
|
echo -n "."
|
|
fi
|
|
done
|
|
if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
|
|
echo
|
|
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
|
|
echo
|
|
fi
|
|
echo "Testing to see if the pipelines are already applied"
|
|
ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
|
|
PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c)
|
|
|
|
if [[ "$PIPELINES" -lt 5 ]]; then
|
|
echo "Setting up ingest pipeline(s)"
|
|
|
|
for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system threatintel tomcat traefik zeek zscaler
|
|
do
|
|
echo "Loading $MODULE"
|
|
docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
|
|
sleep 2
|
|
done
|
|
else
|
|
exit 0
|
|
fi
|
|
|
|
|