CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-02-12 02:03:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc4cd93c024b2d9efe9fac4fd6376e029215d4ee
securityonion/salt/elasticagent/files/elastic-agent.yml.jinja

333 lines
10 KiB
Django/Jinja
Raw Blame History

{% from 'vars/globals.map.jinja' import GLOBALS %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
id: aea1ba80-1065-11ee-a369-97538913b6a9
revision: 4
outputs:
default:
type: elasticsearch
hosts:
- 'https://{{ GLOBALS.hostname }}:9200'
username: '{{ ES_USER }}'
password: '{{ ES_PASS }}'
ssl.verification_mode: full
output_permissions: {}
agent:
download:
sourceURI: 'http://{{ GLOBALS.manager }}:8443/artifacts/'
monitoring:
enabled: false
logs: false
metrics: false
features: {}
inputs:
- id: filestream-filestream-85820eb0-25ef-11f0-a18d-1b26f69b8310
name: import-suricata-logs
revision: 3
type: filestream
use_output: default
meta:
package:
name: filestream
version:
data_stream:
namespace: so
package_policy_id: 85820eb0-25ef-11f0-a18d-1b26f69b8310
streams:
- id: filestream-filestream.generic-85820eb0-25ef-11f0-a18d-1b26f69b8310
data_stream:
dataset: import
paths:
- /nsm/import/*/suricata/eve*.json
pipeline: suricata.common
prospector.scanner.recursive_glob: true
prospector.scanner.exclude_files:
- \.gz$
ignore_older: 72h
clean_inactive: -1
parsers: null
processors:
- add_fields:
target: event
fields:
category: network
module: suricata
imported: true
- dissect:
tokenizer: /nsm/import/%{import.id}/suricata/%{import.file}
field: log.file.path
target_prefix: ''
file_identity.native: null
prospector.scanner.fingerprint.enabled: false
- id: filestream-filestream-86b4e960-25ef-11f0-a18d-1b26f69b8310
name: import-zeek-logs
revision: 3
type: filestream
use_output: default
meta:
package:
name: filestream
version:
data_stream:
namespace: so
package_policy_id: 86b4e960-25ef-11f0-a18d-1b26f69b8310
streams:
- id: filestream-filestream.generic-86b4e960-25ef-11f0-a18d-1b26f69b8310
data_stream:
dataset: import
paths:
- /nsm/import/*/zeek/logs/*.log
prospector.scanner.recursive_glob: true
prospector.scanner.exclude_files:
- >-
(broker|capture_loss|cluster|conn-summary|console|ecat_arp_info|known_certs|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout).log$
clean_inactive: -1
parsers: null
processors:
- dissect:
tokenizer: /nsm/import/%{import.id}/zeek/logs/%{import.file}
field: log.file.path
target_prefix: ''
- script:
lang: javascript
source: |
function process(event) {
var pl = event.Get("import.file").slice(0,-4);
event.Put("@metadata.pipeline", "zeek." + pl);
}
- add_fields:
target: event
fields:
category: network
module: zeek
imported: true
- add_tags:
tags: ics
when:
regexp:
import.file: >-
^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*
file_identity.native: null
prospector.scanner.fingerprint.enabled: false
- id: filestream-filestream-91741240-25ef-11f0-a18d-1b26f69b8310
name: soc-sensoroni-logs
revision: 3
type: filestream
use_output: default
meta:
package:
name: filestream
version:
data_stream:
namespace: so
package_policy_id: 91741240-25ef-11f0-a18d-1b26f69b8310
streams:
- id: filestream-filestream.generic-91741240-25ef-11f0-a18d-1b26f69b8310
data_stream:
dataset: soc
paths:
- /opt/so/log/sensoroni/sensoroni.log
pipeline: common
prospector.scanner.recursive_glob: true
prospector.scanner.exclude_files:
- \.gz$
clean_inactive: -1
parsers: null
processors:
- decode_json_fields:
fields:
- message
target: sensoroni
process_array: true
max_depth: 2
add_error_key: true
- add_fields:
target: event
fields:
category: host
module: soc
dataset_temp: sensoroni
- rename:
fields:
- from: sensoroni.fields.sourceIp
to: source.ip
- from: sensoroni.fields.status
to: http.response.status_code
- from: sensoroni.fields.method
to: http.request.method
- from: sensoroni.fields.path
to: url.path
- from: sensoroni.message
to: event.action
- from: sensoroni.level
to: log.level
ignore_missing: true
file_identity.native: null
prospector.scanner.fingerprint.enabled: false
- id: filestream-filestream-976e3900-25ef-11f0-a18d-1b26f69b8310
name: suricata-logs
revision: 3
type: filestream
use_output: default
meta:
package:
name: filestream
version:
data_stream:
namespace: so
package_policy_id: 976e3900-25ef-11f0-a18d-1b26f69b8310
streams:
- id: filestream-filestream.generic-976e3900-25ef-11f0-a18d-1b26f69b8310
data_stream:
dataset: suricata
paths:
- /nsm/suricata/eve*.json
pipeline: suricata.common
prospector.scanner.recursive_glob: true
prospector.scanner.exclude_files:
- \.gz$
clean_inactive: -1
parsers: null
processors:
- add_fields:
target: event
fields:
category: network
module: suricata
file_identity.native: null
prospector.scanner.fingerprint.enabled: false
- id: filestream-filestream-95091fe0-25ef-11f0-a18d-1b26f69b8310
name: strelka-logs
revision: 3
type: filestream
use_output: default
meta:
package:
name: filestream
version:
data_stream:
namespace: so
package_policy_id: 95091fe0-25ef-11f0-a18d-1b26f69b8310
streams:
- id: filestream-filestream.generic-95091fe0-25ef-11f0-a18d-1b26f69b8310
data_stream:
dataset: strelka
paths:
- /nsm/strelka/log/strelka.log
pipeline: strelka.file
prospector.scanner.recursive_glob: true
prospector.scanner.exclude_files:
- \.gz$
clean_inactive: -1
parsers: null
processors:
- add_fields:
target: event
fields:
category: file
module: strelka
file_identity.native: null
prospector.scanner.fingerprint.enabled: false
- id: filestream-filestream-9f309ca0-25ef-11f0-a18d-1b26f69b8310
name: zeek-logs
revision: 2
type: filestream
use_output: default
meta:
package:
name: filestream
version:
data_stream:
namespace: so
package_policy_id: 9f309ca0-25ef-11f0-a18d-1b26f69b8310
streams:
- id: filestream-filestream.generic-9f309ca0-25ef-11f0-a18d-1b26f69b8310
data_stream:
dataset: zeek
paths:
- /nsm/zeek/logs/current/*.log
prospector.scanner.recursive_glob: true
prospector.scanner.exclude_files:
- >-
(broker|capture_loss|cluster|conn-summary|console|ecat_arp_info|known_certs|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout).log$
clean_inactive: -1
parsers: null
processors:
- dissect:
tokenizer: /nsm/zeek/logs/current/%{pipeline}.log
field: log.file.path
trim_chars: .log
target_prefix: ''
- script:
lang: javascript
source: |
function process(event) {
var pl = event.Get("pipeline");
event.Put("@metadata.pipeline", "zeek." + pl);
}
- add_fields:
target: event
fields:
category: network
module: zeek
- add_tags:
tags: ics
when:
regexp:
pipeline: >-
^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*
file_identity.native: null
prospector.scanner.fingerprint.enabled: false
- id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
name: syslog-udp-514
revision: 4
type: udp
use_output: default
meta:
package:
name: udp
version:
data_stream:
namespace: so
package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
streams:
- id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
data_stream:
dataset: syslog
pipeline: syslog
host: '0.0.0.0:514'
max_message_size: 10KiB
processors:
- add_fields:
fields:
module: syslog
target: event
tags:
- syslog
- id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
name: syslog-tcp-514
revision: 4
type: tcp
use_output: default
meta:
package:
name: tcp
version:
data_stream:
namespace: so
package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
streams:
- id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
data_stream:
dataset: syslog
pipeline: syslog
host: '0.0.0.0:514'
processors:
- add_fields:
fields:
module: syslog
target: event
tags:
- syslog
Reference in New Issue View Git Blame Copy Permalink