Merge pull request #285 from wazuh/fix-271-update-ymk

Updated Filebeat and Elasticsearch templates
2019-10-25 14:34:58 +02:00 · 2019-10-25 14:34:58 +02:00 · f980cd679f
commit f980cd679f
parent 39133d2520 359f3e3cb4
2 changed files with 16 additions and 46 deletions
--- a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
+++ b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
@ -162,6 +162,7 @@
      "data.dstip",
      "data.dstport",
      "data.dstuser",
+      "data.extra_data",
      "data.hardware.serial",
      "data.id",
      "data.integration",
@ -943,6 +944,9 @@
          "data": {
            "type": "keyword"
          },
+          "extra_data": {
+            "type": "keyword"
+          },
          "system_name": {
            "type": "keyword"
          },
@ -1673,4 +1677,4 @@
    }
  },
  "version": 1
-}
+}
--- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
+++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
@ -1,58 +1,24 @@
 # Wazuh - Filebeat configuration file

-filebeat.inputs:
-  - type: log
-    paths:
-      - '/var/ossec/logs/alerts/alerts.json'
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false

 setup.template.json.enabled: true
-setup.template.json.path: "/etc/filebeat/wazuh-template.json"
-setup.template.json.name: "wazuh"
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
+setup.ilm.enabled: false

-processors:
-  - decode_json_fields:
-      fields: ['message']
-      process_array: true
-      max_depth: 200
-      target: ''
-      overwrite_keys: true
-  - drop_fields:
-      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
-  - rename:
-      fields:
-        - from: "data.aws.sourceIPAddress"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-  - rename:
-      fields:
-        - from: "data.srcip"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-  - rename:
-      fields:
-        - from: "data.win.eventdata.ipAddress"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b

 # Send events directly to Elasticsearch
 output.elasticsearch:
  hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
-  #pipeline: geoip
-  indices:
-    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+
 {% if filebeat_xpack_security %}
  username: {{ elasticsearch_xpack_security_user }}
  password: {{ elasticsearch_xpack_security_password }}