From a64b0e3b8c3f8d4328f9d5177225af7d7e3516b6 Mon Sep 17 00:00:00 2001 From: Alex Dworjan Date: Mon, 16 Oct 2023 15:12:30 -0400 Subject: [PATCH] changed template --- .ansible-sign/sha256sum.txt | 2 +- .ansible-sign/sha256sum.txt.sig | 22 ++++++------ roles/winlogbeat/templates/winlogbeat.yml.j2 | 38 ++++++++++++++++++-- 3 files changed, 48 insertions(+), 14 deletions(-) diff --git a/.ansible-sign/sha256sum.txt b/.ansible-sign/sha256sum.txt index d6a4b8b..0313298 100644 --- a/.ansible-sign/sha256sum.txt +++ b/.ansible-sign/sha256sum.txt @@ -53,7 +53,7 @@ fba914c608f1a6ccdad971355139b98f0670fc8e7d51d13dca7a6e65bdc82429 roles/snort_bu c14464aebb98e5f62dfcea72fb9eb5e78594cd400344af7e201091d7effe206e roles/winlogbeat/defaults/main.yml a06c3bed9503b47cfa11d61ff3609dde83b4599b522160f5e14f13088df5ebaf roles/winlogbeat/handlers/main.yml 9780c8e92510aba03fff312c5cc461d8f1b866b269311e16628da76a95bfbafb roles/winlogbeat/tasks/main.yml -fb921fe466c7d458cbf8d6ea989aa146f0893de9999a3ce312f4d8c683dadc63 roles/winlogbeat/templates/winlogbeat.yml.j2 +7b80092df1fc17ea69aa8af7f05125f8d6c40ef898a841d69c57b3eab231a346 roles/winlogbeat/templates/winlogbeat.yml.j2 f15fd50d2ee1d7cd5043153a707948b5897de8b1a544b226b33d493f4fe98f95 snortbuildconfig.yml 117d2f3e9d48d0d59d5dcfca9c9829295c1039c7204784c68978778db75e288a templates/cpu-rules.yml.j2 ff3bc0d052a72eb88bf093b9a2b9f31946032ab78dc7c4c742017f161f38763f templates/disk-rules.yml.j2 diff --git a/.ansible-sign/sha256sum.txt.sig b/.ansible-sign/sha256sum.txt.sig index e098f31..e767101 100644 --- a/.ansible-sign/sha256sum.txt.sig +++ b/.ansible-sign/sha256sum.txt.sig 
@@ -1,14 +1,14 @@ -----BEGIN PGP SIGNATURE----- -iQGzBAABCAAdFiEE/bJvyFHKKJdaZDOLTiIiIXrUDNEFAmUtgQoACgkQTiIiIXrU -DNH9Ugv/WXoa+5MWWwJpzmTood70+69J14W+UmUOgRqZXty5JUEkA5sPfvnK4cTz -ekcaPJn8sk5EcDiZF/qiUhN7qaPwi/vdji4D2G7bOYx/XSBolMuLi2u2XUtyWCNz -TfaNzr8uChCDsYbtjB1NOOjtA+xPyEHMbRtRBuk+8XBRumPXwLoks9nPhDaOudWJ -C9YG95BlGH5QvzvXnrzAKnFVVJRMYD90uYtOdtJRCQvY7m4XYCGXjE3SU6Ez0Gfh -eE4EEbJRS3j7bjR3POHd6cOEqv11OdSRHeHweT3gqOmoY8GFyh9ANbDL4Gs4XrPE -Hvg7HzNWiuWjkXi318I8+5dMzPs8EzoxV3pH3APawAnomqYRumjRw6OQvO2RIoQ4 -/RfFyPb+eOOg5PBH02CALBGZmvUmLjCzS+PJC//4ZoG+l8MM28c6kU9vUk6eWwFT -v376GLuv8UUxl1T724nlUZmqptScu5NdSer6B6V+/BDrDTb/JwOe6oPJlwkBSKaP -p8OdjHoa -=ir6V +iQGzBAABCAAdFiEE/bJvyFHKKJdaZDOLTiIiIXrUDNEFAmUtixkACgkQTiIiIXrU +DNEO5wv+IRTH9hOeT29cEU9YtuBAPOKyXDaZLolvq/sI6tDvRm4Z3UAvUAVIs+G6 +K73fsKpj5vj3CUVGuw9i/f6/HCLSdg8doAcbCjhobRWSS0/eEjLhaUEQmGxVwuy5 +2jJV2FbsmOa38ZMT1T8WEX3vZzJehPK0035aNNBAJjJMZM7FV1w4D8nizSk2Imdc +rkEyvlTXC6q3Yw8YpPoKYCR2ma8QX0ShClC2+P6JsfoBO7OftHY0n+XqsaXjwnwY +LeLpezMtiXSiZlYErhIpGCPDOM32bO6v8B88p9GI9jOokaaPIjO/83EVcIysMNKA +0Fo8p2mtWqIBUfdw562sNOMVP2K3uaKbwoZRQeBXQIhEozfOD5ztk/UcKmmX4IkQ +WQe6CmX9EIRxz2apKbg2Gqlp2jcvOOTXytfdnuy8P1erPjSyrVscZ6MiCp1TVE1Q +ORIku6Xq+gpsjVKeyW6A6vdr6hFXOotSaRHE+ICQa0MzNIDXpkOFMjKp97epZhQ7 +B+NJ1Cyi +=Ds7g -----END PGP SIGNATURE----- diff --git a/roles/winlogbeat/templates/winlogbeat.yml.j2 b/roles/winlogbeat/templates/winlogbeat.yml.j2 index c045af0..f64fa5e 100644 --- a/roles/winlogbeat/templates/winlogbeat.yml.j2 +++ b/roles/winlogbeat/templates/winlogbeat.yml.j2 
@@ -1,12 +1,44 @@
 ---
+###################### Winlogbeat Configuration ########################
+
+# ======================== Winlogbeat specific options =========================
+
+# event_logs specifies a list of event logs to monitor as well as any
+# accompanying options. The YAML data type of event_logs is a list of
+# dictionaries.
-# Events
 winlogbeat.event_logs:
- {{ winlogbeat_event_logs | to_json }}
+ - name: Application
+ ignore_older: 72h
+
+ - name: Security
+
+ - name: System
+
+ - name: Microsoft-Windows-Sysmon/Operational
+
+ - name: Windows PowerShell
+ event_id: 400, 403, 600, 800
+
+ - name: Microsoft-Windows-PowerShell/Operational
+ event_id: 4103, 4104, 4105, 4106
+
+ - name: ForwardedEvents
+ tags: [forwarded]
+
+
 # ====================== Elasticsearch template settings =======================
 setup.template.settings:
 index.number_of_shards: 1
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+# ------------------------------ Kibana Output -------------------------------
+
 output.kafka:
 hosts: ["{{ kafkahost }}"]
@@ -18,6 +50,8 @@ output.kafka:
 compression: gzip
 max_message_tyes: 10000000
+# ================================= Processors =================================
+
 processors:
 - add_host_metadata:
 when.not.contains.tags: forwarded
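Review bot: Replacing `{{ winlogbeat_event_logs | to_json }}` with a hard-coded channel list means the role variable `winlogbeat_event_logs` (presumably still declared in roles/winlogbeat/defaults/main.yml, whose manifest hash is unchanged in this commit) is now silently ignored, so any inventory or group_vars override of which channels are collected no longer takes effect and the default and the template can drift apart. If this list is meant to be the new default, move it into defaults/main.yml and keep the template variable-driven, e.g. `winlogbeat.event_logs:` followed by `{{ winlogbeat_event_logs | to_nice_yaml(indent=2) | indent(2, first=True) }}`; otherwise delete the dead default so nobody expects the override to work. Separately, `setup.kibana:` is a bare key that parses as null (harmless for Beats, but it should either carry a `host:` or be removed), and the new `# ---- Kibana Output ----` header sits directly above `output.kafka:`, which is a Kafka output, so retitle it `# ------------------------------ Kafka Output --------------------------------` or drop it.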
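Review bot: The context line `max_message_tyes: 10000000` just above the new Processors header is a misspelling of Winlogbeat's Kafka output option `max_message_bytes`; as far as I know Beats does not reject unknown output keys, so the intended 10 MB limit is most likely not applied and the default limit is in force, which is worth confirming against the running agent's effective config. Change it to `max_message_bytes: 10000000` and make sure the broker-side message size limit accepts it, otherwise oversized events are dropped rather than queued.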