From 4fb188cb29fce44555da22e1dfa503be9cdf4a8b Mon Sep 17 00:00:00 2001 
From: Niels Hofmans <hello@ironpeak.be> Date: Tue, 26 May 2020 12:52:43 +0200 Subject: [PATCH] fix: use type:tcp --- x-pack/filebeat/filebeat.reference.yml | 681 +++++++++++++++++- .../checkpoint}/checkpoint/_meta/config.yml | 0 .../checkpoint/_meta/docs.asciidoc | 0 .../checkpoint}/checkpoint/_meta/fields.yml | 0 .../module/checkpoint}/checkpoint/fields.go | 0 .../checkpoint/firewall/_meta/fields.yml | 0 .../checkpoint/firewall/config/firewall.yml | 25 +- .../checkpoint/firewall/ingest/pipeline.json | 0 .../checkpoint/firewall/manifest.yml | 0 .../checkpoint/firewall/test/checkpoint.log | 0 .../test/checkpoint.log-expected.json | 0 .../module/checkpoint}/checkpoint/module.yml | 0 .../checkpoint/firewall/config/firewall.yml | 25 +- .../modules.d/checkpoint.yml.disabled | 8 +- 14 files changed, 702 insertions(+), 37 deletions(-) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/_meta/config.yml (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/_meta/docs.asciidoc (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/_meta/fields.yml (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/fields.go (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/_meta/fields.yml (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/config/firewall.yml (55%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/ingest/pipeline.json (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/manifest.yml (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/test/checkpoint.log (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/test/checkpoint.log-expected.json (100%) rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/module.yml (100%) 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index f18b1247838..3ca1b4b6ccf 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -37,6 +37,24 @@ filebeat.modules:
 # can be added under this section.
 #input:
 
+#------------------------------- Activemq Module -------------------------------
+- module: activemq
+ # Audit logs
+ audit:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
+ # Application logs
+ log:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
 #------------------------------- ActiveMQ Module -------------------------------
 - module: activemq
 # Audit logs
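Review bot: The added `Activemq Module` section is a second copy of the `ActiveMQ Module` block kept as context directly below it, and every other hunk in this file does the same (AWS, Azure, CEF, Checkpoint and Cisco, Coredns and Crowdstrike, Envoyproxy and Google Cloud, Ibmmq, Iptables, MISP, Mssql, NetFlow, Office 365 and Okta, Panw, RabbitMQ, Suricata, Zeek), so the reference config would list each module twice with only the title case differing. That pattern reads like generator output from a module tree that was enumerated twice, which matches the stray `checkpoint/checkpoint` rename elsewhere in this patch, rather than an intended change; the whole `filebeat.reference.yml` diff should be regenerated once the module layout is fixed and dropped from this commit as it stands. The Google Cloud hunk additionally splices its new block into the middle of the Fortinet section, between the `#var.input: udp` comment and the syslog host and port settings that belong to it.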
@@ -300,6 +318,212 @@ filebeat.modules: # AWS IAM Role to assume #var.role_arn: arn:aws:iam::123456789012:role/test-mb +#--------------------------------- AWS Module --------------------------------- +- module: aws + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + cloudwatch: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration 
that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + ec2: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + elb: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token 
instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + s3access: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + + vpcflow: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # 
Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # Use access_key_id, secret_access_key and/or session_token instead of shared credential file + #var.access_key_id: access_key_id + #var.secret_access_key: secret_access_key + #var.session_token: session_token + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + # AWS IAM Role to assume + #var.role_arn: arn:aws:iam::123456789012:role/test-mb + #-------------------------------- Azure Module -------------------------------- - module: azure # All logs 
@@ -334,6 +558,48 @@ filebeat.modules: # storage_account: "" # storage_account_key: "" +#-------------------------------- Azure Module -------------------------------- +- module: azure + # All logs + activitylogs: + enabled: true + var: + # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub + eventhub: "insights-operational-logs" + # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module + consumer_group: "$Default" + # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string + connection_string: "" + # the name of the storage account the state/offsets will be stored and updated + storage_account: "" + # the storage account key, this key will be used to authorize access to data in your storage account + storage_account_key: "" + + auditlogs: + enabled: false + # var: + # eventhub: "insights-logs-auditlogs" + # consumer_group: "$Default" + # connection_string: "" + # storage_account: "" + # storage_account_key: "" + signinlogs: + enabled: false + # var: + # eventhub: "insights-logs-signinlogs" + # consumer_group: "$Default" + # connection_string: "" + # storage_account: "" + # storage_account_key: "" + +#--------------------------------- CEF Module --------------------------------- +- module: cef + log: + enabled: true + var: + syslog_host: localhost + syslog_port: 9003 + #--------------------------------- CEF Module --------------------------------- - module: cef log: 
@@ -357,6 +623,84 @@ filebeat.modules: # The UDP port to listen for syslog traffic. Defaults to 9001. #var.syslog_port: 9001 + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 +#------------------------------ Checkpoint Module ------------------------------ +- module: checkpoint + firewall: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9001. + #var.syslog_port: 9001 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 +#-------------------------------- Cisco Module -------------------------------- +- module: cisco + asa: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9001. + #var.syslog_port: 9001 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 + + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. 
+ #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + + ios: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9002. + #var.syslog_port: 9002 + + # Set custom paths for the log files when using file input. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #-------------------------------- Cisco Module -------------------------------- - module: cisco asa: @@ -422,6 +766,26 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------- Coredns Module ------------------------------- +- module: coredns + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + +#----------------------------- Crowdstrike Module ----------------------------- +- module: crowdstrike + + falcon: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #----------------------------- Crowdstrike Module ----------------------------- - module: crowdstrike 
@@ -476,20 +840,86 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------ Envoyproxy Module ------------------------------ +- module: envoyproxy + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: enabled: true - # Set which input to use between tcp, udp (default) or file. - #var.input: udp + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9004 + +#----------------------------- Google Cloud Module ----------------------------- +- module: googlecloud + vpcflow: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be + # configured to use this topic as a sink for VPC flow logs. + var.topic: googlecloud-vpc-flowlogs + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-googlecloud-vpc-flowlogs-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + firewall: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: googlecloud-vpc-firewall + + # Google Pub/Sub subscription for the topic. 
Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-googlecloud-firewall-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + audit: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id - # The interface to listen to syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: googlecloud-vpc-audit - # The port to listen for syslog traffic. Defaults to 9004. - #var.syslog_port: 9004 + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-googlecloud-audit + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json #----------------------------- Google Cloud Module ----------------------------- - module: googlecloud @@ -570,6 +1000,16 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#-------------------------------- Ibmmq Module -------------------------------- +- module: ibmmq + # All logs + errorlog: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #-------------------------------- Icinga Module -------------------------------- #- module: icinga # Main logs 
@@ -646,6 +1086,18 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------- Iptables Module ------------------------------- +- module: iptables + log: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs @@ -707,6 +1159,25 @@ filebeat.modules: # verification_mode: none # } +#--------------------------------- MISP Module --------------------------------- +- module: misp + threat: + enabled: true + # API key to access MISP + #var.api_key + + # Array object in MISP response + #var.json_objects_array + + # URL of the MISP REST API + #var.url + + # You can also pass SSL options. For example: + #var.ssl: |- + # { + # verification_mode: none + # } + #------------------------------- Mongodb Module ------------------------------- #- module: mongodb # Logs @@ -731,6 +1202,16 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#-------------------------------- Mssql Module -------------------------------- +- module: mssql + # Fileset for native deployment + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #-------------------------------- MySQL Module -------------------------------- #- module: mysql # Error logs @@ -775,6 +1256,14 @@ filebeat.modules: netflow_host: localhost netflow_port: 2055 +#------------------------------- NetFlow Module ------------------------------- +- module: netflow + log: + enabled: true + var: + netflow_host: localhost + netflow_port: 2055 + #-------------------------------- Nginx Module -------------------------------- #- module: nginx # Access logs 
@@ -856,6 +1345,69 @@ filebeat.modules: # max_requests_per_minute: 2000 # poll_interval: 3m +#------------------------------ Office 365 Module ------------------------------ +- module: o365 + audit: + enabled: true + + # Set the application_id (also known as client ID): + var.application_id: "<MyApplicationID>" + + # Configure the tenants to monitor: + # Use the tenant ID (also known as directory ID) and the domain name. + # var.tenants: + # - id: "tenant_id_1" + # name: "mydomain.onmicrosoft.com" + # - id: "tenant_id_2" + # name: "mycompany.com" + var.tenants: + - id: "<MyTenantID>" + name: "mytenant.onmicrosoft.com" + + # List of content-types to fetch. By default all known content-types + # are retrieved: + # var.content_type: + # - "Audit.AzureActiveDirectory" + # - "Audit.Exchange" + # - "Audit.SharePoint" + # - "Audit.General" + # - "DLP.All" + + # Use the following settings to enable certificate-based authentication: + # var.certificate: "/path/to/certificate.pem" + # var.key: "/path/to/private_key.pem" + # var.key_passphrase: "myPrivateKeyPassword" + + # Client-secret based authentication: + # Comment the following line if using certificate authentication. + var.client_secret: "<YourClientSecretHere>" + + # Advanced settings, use with care: + # var.api: + # # Settings for custom endpoints: + # authentication_endpoint: "https://login.microsoftonline.us/" + # resource: "https://manage.office365.us" + # + # max_retention: 7d + # max_requests_per_minute: 2000 + # poll_interval: 3m + +#--------------------------------- Okta Module --------------------------------- +- module: okta + system: + enabled: true + # API key to access Okta + #var.api_key + + # URL of the Okta REST API + #var.url + + # Disable SSL verification + #var.ssl: |- + # { + # "verification_mode": "none" + # } + #--------------------------------- Okta Module --------------------------------- - module: okta system: 
@@ -898,6 +1450,18 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------------------- Panw Module --------------------------------- +- module: panw + panos: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------ PostgreSQL Module ------------------------------ #- module: postgresql # Logs @@ -922,6 +1486,16 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] +#------------------------------- RabbitMQ Module ------------------------------- +- module: rabbitmq + # All logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] + #-------------------------------- Redis Module -------------------------------- #- module: redis # Main logs @@ -960,6 +1534,16 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------- Suricata Module ------------------------------- +- module: suricata + # All logs + eve: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------- Traefik Module ------------------------------- #- module: traefik # Access logs 
@@ -1057,6 +1641,89 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------------------- Zeek Module --------------------------------- +- module: zeek + capture_loss: + enabled: true + connection: + enabled: true + dce_rpc: + enabled: true + dhcp: + enabled: true + dnp3: + enabled: true + dns: + enabled: true + dpd: + enabled: true + files: + enabled: true + ftp: + enabled: true + http: + enabled: true + intel: + enabled: true + irc: + enabled: true + kerberos: + enabled: true + modbus: + enabled: true + mysql: + enabled: true + notice: + enabled: true + ntlm: + enabled: true + ocsp: + enabled: true + pe: + enabled: true + radius: + enabled: true + rdp: + enabled: true + rfb: + enabled: true + signatures: + enabled: true + sip: + enabled: true + smb_cmd: + enabled: true + smb_files: + enabled: true + smb_mapping: + enabled: true + smtp: + enabled: true + snmp: + enabled: true + socks: + enabled: true + ssh: + enabled: true + ssl: + enabled: true + stats: + enabled: true + syslog: + enabled: true + traceroute: + enabled: true + tunnel: + enabled: true + weird: + enabled: true + x509: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #=========================== Filebeat inputs ============================= diff --git a/filebeat/module/checkpoint/_meta/config.yml b/x-pack/filebeat/module/checkpoint/checkpoint/_meta/config.yml similarity index 100% rename from filebeat/module/checkpoint/_meta/config.yml rename to x-pack/filebeat/module/checkpoint/checkpoint/_meta/config.yml diff --git a/filebeat/module/checkpoint/_meta/docs.asciidoc b/x-pack/filebeat/module/checkpoint/checkpoint/_meta/docs.asciidoc similarity index 100% rename from filebeat/module/checkpoint/_meta/docs.asciidoc rename to x-pack/filebeat/module/checkpoint/checkpoint/_meta/docs.asciidoc 
diff --git a/filebeat/module/checkpoint/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/checkpoint/_meta/fields.yml similarity index 100% rename from filebeat/module/checkpoint/_meta/fields.yml rename to x-pack/filebeat/module/checkpoint/checkpoint/_meta/fields.yml diff --git a/filebeat/module/checkpoint/fields.go b/x-pack/filebeat/module/checkpoint/checkpoint/fields.go similarity index 100% rename from filebeat/module/checkpoint/fields.go rename to x-pack/filebeat/module/checkpoint/checkpoint/fields.go diff --git a/filebeat/module/checkpoint/firewall/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/_meta/fields.yml similarity index 100% rename from filebeat/module/checkpoint/firewall/_meta/fields.yml rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/_meta/fields.yml diff --git a/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml similarity index 55% rename from filebeat/module/checkpoint/firewall/config/firewall.yml rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml index 558bdab1644..5bb6a91d37a 100644 --- a/filebeat/module/checkpoint/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml 
@@ -6,19 +6,20 @@ protocol.udp:
 {{ if ne .pipeline "" }}
 pipeline: "{{.pipeline}}"
 {{ end }}
+
 {{ else if eq .input "tls" }}
-type: syslog
-protocol.tcp:
- host: "{{.syslog_host}}:{{.syslog_port}}"
- ssl:
- enabled: true
- certificate_authorities: ["{{.cafile}}"]
- certificate: "{{.certfile}}"
- key: "{{.keyfile}}"
- client_authentication: "required"
- {{ if ne .pipeline "" }}
- pipeline: "{{.pipeline}}"
- {{ end }}
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+ssl:
+ enabled: true
+ certificate_authorities: ["{{.cafile}}"]
+ certificate: "{{.certfile}}"
+ key: "{{.keyfile}}"
+ client_authentication: "required"
+{{ if ne .pipeline "" }}
+pipeline: "{{.pipeline}}"
+{{ end }}
+
 {{ else if eq .input "file" }}
 
 type: log
diff --git a/filebeat/module/checkpoint/firewall/ingest/pipeline.json b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/ingest/pipeline.json
similarity index 100%
rename from filebeat/module/checkpoint/firewall/ingest/pipeline.json
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/ingest/pipeline.json
diff --git a/filebeat/module/checkpoint/firewall/manifest.yml b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/manifest.yml
similarity index 100%
rename from filebeat/module/checkpoint/firewall/manifest.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/manifest.yml
diff --git a/filebeat/module/checkpoint/firewall/test/checkpoint.log b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log
similarity index 100%
rename from filebeat/module/checkpoint/firewall/test/checkpoint.log
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log
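Review bot: This rename lands the template at `x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml`, a nested `checkpoint/checkpoint` directory next to the existing `x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml`, which the next file section patches to the identical content (both end at index `5bb6a91d37a`), so the tree would carry two copies of module.yml, fields.go, the ingest pipeline and the test fixtures. The `filebeat/module/checkpoint` to `x-pack/filebeat/module/checkpoint/checkpoint` renames look like a `git mv` into an already-existing directory and should be dropped, keeping only the in-place edit of the x-pack file. Within the new `tls` branch, `type: tcp` with `ssl.client_authentication: "required"` means the listener will only accept peers presenting a certificate the `{{.cafile}}` authority vouches for, which is the right posture for a syslog ingest port; a one-line comment such as `# mutual TLS: peers must present a certificate issued by cafile` above `ssl:` would make that requirement visible to whoever next edits it.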
diff --git a/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log-expected.json
similarity index 100%
rename from filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log-expected.json
diff --git a/filebeat/module/checkpoint/module.yml b/x-pack/filebeat/module/checkpoint/checkpoint/module.yml
similarity index 100%
rename from filebeat/module/checkpoint/module.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/module.yml
diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
index 0655a4a1e5e..5bb6a91d37a 100644
--- a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
+++ b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
@@ -6,19 +6,20 @@ protocol.udp:
 {{ if ne .pipeline "" }}
 pipeline: "{{.pipeline}}"
 {{ end }}
+
 {{ else if eq .input "tls" }}
-type: syslog
-protocol.tcp:
- host: "{{.syslog_host}}:{{.syslog_port}}"
- ssl:
- enabled: true
- certificate_authorities: ["{{.cafile}}"]
- certificate: "{{.certfile}}"
- key: "{{.keyfile}}"
- client_authentication: "full"
- {{ if ne .pipeline "" }}
- pipeline: "{{.pipeline}}"
- {{ end }}
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+ssl:
+ enabled: true
+ certificate_authorities: ["{{.cafile}}"]
+ certificate: "{{.certfile}}"
+ key: "{{.keyfile}}"
+ client_authentication: "required"
+{{ if ne .pipeline "" }}
+pipeline: "{{.pipeline}}"
+{{ end }}
+
 {{ else if eq .input "file" }}
 
 type: log
diff --git a/x-pack/filebeat/modules.d/checkpoint.yml.disabled b/x-pack/filebeat/modules.d/checkpoint.yml.disabled
index ba2d98acfb0..9bb681447fb 100644
--- a/x-pack/filebeat/modules.d/checkpoint.yml.disabled
+++ b/x-pack/filebeat/modules.d/checkpoint.yml.disabled
@@ -5,8 +5,7 @@
 firewall:
 enabled: true
 
- # Set which input to use between syslog (default), file or tls
- # if you set tls, also set cafile, certfile and keyfile to their respective file paths
+ # Set which input to use between syslog (default) or file.
 #var.input: syslog
 
 # The interface to listen to UDP based syslog traffic. Defaults to
@@ -19,7 +18,4 @@
 # Set the log level from 1 (alerts only) to 7 (include all messages).
 # Messages with a log level higher than the specified will be dropped.
 # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
- #var.log_level: 7
-
- # If using pipelines, specify the pipeline name
- #var.pipeline: mypipeline
+ #var.log_level: 7
\ No newline at end of file
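Review bot: The comment describing the `tls` input and its `cafile`, `certfile` and `keyfile` variables is dropped from `checkpoint.yml.disabled`, yet the firewall.yml template in this same patch keeps the `{{ else if eq .input "tls" }}` branch that reads exactly those variables, so the mutual-TLS option stays live in the config while becoming invisible to the user who is meant to turn it on. The same holds for `#var.pipeline`, removed in the second hunk while the template still honours `{{ if ne .pipeline "" }}`. I would keep the original lines, `# Set which input to use between syslog (default), file or tls` and `# if you set tls, also set cafile, certfile and keyfile to their respective file paths`, and restore `#var.pipeline: mypipeline` with its comment. The replacement `#var.log_level: 7` line also drops the file's trailing newline (`\ No newline at end of file`), which should be put back.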