Merge pull request #285 from wazuh/fix-271-update-ymk
Updated Filebeat and Elasticsearch templates
This commit is contained in:
Manuel J. Bernal
GitHub
commit
f980cd679f
@ -162,6 +162,7 @@
|
|||||||
"data.dstip",
|
"data.dstip",
|
||||||
"data.dstport",
|
"data.dstport",
|
||||||
"data.dstuser",
|
"data.dstuser",
|
||||||
|
"data.extra_data",
|
||||||
"data.hardware.serial",
|
"data.hardware.serial",
|
||||||
"data.id",
|
"data.id",
|
||||||
"data.integration",
|
"data.integration",
|
||||||
@ -943,6 +944,9 @@
|
|||||||
"data": {
|
"data": {
|
||||||
"type": "keyword"
|
"type": "keyword"
|
||||||
},
|
},
|
||||||
|
"extra_data": {
|
||||||
|
"type": "keyword"
|
||||||
|
},
|
||||||
"system_name": {
|
"system_name": {
|
||||||
"type": "keyword"
|
"type": "keyword"
|
||||||
},
|
},
|
||||||
|
|||||||
@ -1,58 +1,24 @@
|
|||||||
# Wazuh - Filebeat configuration file
|
# Wazuh - Filebeat configuration file
|
||||||
|
|
||||||
filebeat.inputs:
|
# Wazuh - Filebeat configuration file
|
||||||
- type: log
|
filebeat.modules:
|
||||||
paths:
|
- module: wazuh
|
||||||
- '/var/ossec/logs/alerts/alerts.json'
|
alerts:
|
||||||
|
enabled: true
|
||||||
|
archives:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
setup.template.json.enabled: true
|
setup.template.json.enabled: true
|
||||||
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
|
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
|
||||||
setup.template.json.name: "wazuh"
|
setup.template.json.name: 'wazuh'
|
||||||
setup.template.overwrite: true
|
setup.template.overwrite: true
|
||||||
|
setup.ilm.enabled: false
|
||||||
|
|
||||||
processors:
|
|
||||||
- decode_json_fields:
|
|
||||||
fields: ['message']
|
|
||||||
process_array: true
|
|
||||||
max_depth: 200
|
|
||||||
target: ''
|
|
||||||
overwrite_keys: true
|
|
||||||
- drop_fields:
|
|
||||||
fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
|
|
||||||
- rename:
|
|
||||||
fields:
|
|
||||||
- from: "data.aws.sourceIPAddress"
|
|
||||||
to: "@src_ip"
|
|
||||||
ignore_missing: true
|
|
||||||
fail_on_error: false
|
|
||||||
when:
|
|
||||||
regexp:
|
|
||||||
data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
|
|
||||||
- rename:
|
|
||||||
fields:
|
|
||||||
- from: "data.srcip"
|
|
||||||
to: "@src_ip"
|
|
||||||
ignore_missing: true
|
|
||||||
fail_on_error: false
|
|
||||||
when:
|
|
||||||
regexp:
|
|
||||||
data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
|
|
||||||
- rename:
|
|
||||||
fields:
|
|
||||||
- from: "data.win.eventdata.ipAddress"
|
|
||||||
to: "@src_ip"
|
|
||||||
ignore_missing: true
|
|
||||||
fail_on_error: false
|
|
||||||
when:
|
|
||||||
regexp:
|
|
||||||
data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
|
|
||||||
|
|
||||||
# Send events directly to Elasticsearch
|
# Send events directly to Elasticsearch
|
||||||
output.elasticsearch:
|
output.elasticsearch:
|
||||||
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
|
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
|
||||||
#pipeline: geoip
|
|
||||||
indices:
|
|
||||||
- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
|
|
||||||
{% if filebeat_xpack_security %}
|
{% if filebeat_xpack_security %}
|
||||||
username: {{ elasticsearch_xpack_security_user }}
|
username: {{ elasticsearch_xpack_security_user }}
|
||||||
password: {{ elasticsearch_xpack_security_password }}
|
password: {{ elasticsearch_xpack_security_password }}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user