From 5f11b10f56903464028e8cc232f05c06711c8c3c Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Wed, 9 Aug 2017 21:12:40 -0400
Subject: [PATCH] organized/updated scripts and files
---
 docker-compose.yml | 10 +++++-----
 kibana/docker/{ => config}/kibana.yml | 0
 logstash/{ => pipeline}/02-beats-input.conf | 0
 logstash/{ => pipeline}/10-powershell-filter.conf | 0
 logstash/{ => pipeline}/50-elasticsearch-output.conf | 0
 scripts/helk_install.sh | 6 +++---
 winlogbeat/winlogbeat.yml | 1 +
 7 files changed, 9 insertions(+), 8 deletions(-)
 rename kibana/docker/{ => config}/kibana.yml (100%)
 rename logstash/{ => pipeline}/02-beats-input.conf (100%)
 rename logstash/{ => pipeline}/10-powershell-filter.conf (100%)
 rename logstash/{ => pipeline}/50-elasticsearch-output.conf (100%)
diff --git a/docker-compose.yml b/docker-compose.yml
index 9b5cb1b..a7b4c76 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ version: '2'
 services:
 elasticsearch:
- image: docker.elastic.co/elasticsearch/elasticsearch:5.4.1
+ image: docker.elastic.co/elasticsearch/elasticsearch:5.5.1
 volumes:
 - ./elasticsearch/docker/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
 environment:
@@ -16,17 +16,17 @@ services:
 networks:
 - helk
 kibana:
- image: docker.elastic.co/kibana/kibana:5.4.1
+ image: docker.elastic.co/kibana/kibana:5.5.1
 volumes:
- - ./kibana/docker/kibana.yml:/usr/share/config/kibana/kibana.yml
+ - ./kibana/docker/config/kibana.yml:/usr/share/config/kibana/kibana.yml
 depends_on:
 - elasticsearch
 networks:
 - helk
 logstash:
- image: docker.elastic.co/logstash/logstash:5.4.1
+ image: docker.elastic.co/logstash/logstash:5.5.1
 volumes:
- - ./logstash/docker/pipeline/logstash.conf:/usr/share/logstash/pipeline/logstash.conf
+ - ./logstash/docker/pipeline/:/usr/share/logstash/pipeline/
 - ./logstash/docker/config/logstash.yml:/usr/share/logstash/config/logstash.yml
 depends_on:
 - elasticsearch
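Review bot: The rewritten kibana volume line fixes the host side of the mount but keeps the container side at `/usr/share/config/kibana/kibana.yml`, which is not where the official Kibana image reads its configuration (`/usr/share/kibana/config/kibana.yml`); with the path transposed, the custom kibana.yml and whatever settings it carries are silently ignored and the container starts with image defaults. Suggest `- ./kibana/docker/config/kibana.yml:/usr/share/kibana/config/kibana.yml`. Separately, the logstash change now bind-mounts the whole `/usr/share/logstash/pipeline/` directory, so the image's built-in pipeline no longer exists in the container; a comment such as `# replaces the image's default pipeline; an empty host dir means no inputs` next to that line would make the failure mode obvious when the host directory is empty. The first hunk of this file is a version bump only.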
diff --git a/kibana/docker/kibana.yml b/kibana/docker/config/kibana.yml
similarity index 100%
rename from kibana/docker/kibana.yml
rename to kibana/docker/config/kibana.yml
diff --git a/logstash/02-beats-input.conf b/logstash/pipeline/02-beats-input.conf
similarity index 100%
rename from logstash/02-beats-input.conf
rename to logstash/pipeline/02-beats-input.conf
diff --git a/logstash/10-powershell-filter.conf b/logstash/pipeline/10-powershell-filter.conf
similarity index 100%
rename from logstash/10-powershell-filter.conf
rename to logstash/pipeline/10-powershell-filter.conf
diff --git a/logstash/50-elasticsearch-output.conf b/logstash/pipeline/50-elasticsearch-output.conf
similarity index 100%
rename from logstash/50-elasticsearch-output.conf
rename to logstash/pipeline/50-elasticsearch-output.conf
diff --git a/scripts/helk_install.sh b/scripts/helk_install.sh
index fe6d0f3..548e3c7 100755
--- a/scripts/helk_install.sh
+++ b/scripts/helk_install.sh
@@ -185,9 +185,9 @@ ERROR=$?
 fi
 echo "[HELK INFO] Copying logstash's .conf files.."
-cp -v ../logstash/02-beats-input.conf /etc/logstash/conf.d/ >> $LOGFILE 2>&1
-cp -v ../logstash/10-powershell-filter.conf /etc/logstash/conf.d/ >> $LOGFILE 2>&1
-cp -v ../logstash/50-elasticsearch-output.conf /etc/logstash/conf.d/ >> $LOGFILE 2>&1
+cp -v ../pipeline/logstash/02-beats-input.conf /etc/logstash/conf.d/ >> $LOGFILE 2>&1
+cp -v ../pipeline/logstash/10-powershell-filter.conf /etc/logstash/conf.d/ >> $LOGFILE 2>&1
+cp -v ../pipeline/logstash/50-elasticsearch-output.conf /etc/logstash/conf.d/ >> $LOGFILE 2>&1
 ERROR=$?
 if [ $ERROR -ne 0 ]; then
 echoerror "Could not copy logstash files (Error Code: $ERROR)."
diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml
index 7413232..1cc4352 100644
--- a/winlogbeat/winlogbeat.yml
+++ b/winlogbeat/winlogbeat.yml
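Review bot: The three new cp lines use `../pipeline/logstash/...`, but this same commit renames the files to `logstash/pipeline/...` (see the rename headers above), so relative to `scripts/` the path should be `../logstash/pipeline/02-beats-input.conf` and likewise for the other two; as written every copy fails and `/etc/logstash/conf.d/` is left without the HELK pipeline. Independently of the path, `ERROR=$?` on the line after the third cp only captures that last command's status, so a failure of the first or second copy goes undetected and the "Could not copy logstash files" branch is never taken for it; capturing each status (or chaining the three with `&&`) would close that gap. `$LOGFILE` is also unquoted in the redirections, which breaks if the log path ever contains whitespace. The surrounding if/fi block continues outside the hunk.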
@@ -23,6 +23,7 @@ winlogbeat.event_logs:
 - name: Security
 - name: System
 - name: Microsoft-windows-sysmon/operational
+ - name: Microsoft-windows-PowerShell/Operational
 event_id: 4103, 4104
 #================================ General =====================================
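Review bot: The added `Microsoft-windows-PowerShell/Operational` entry is inserted directly above the pre-existing `event_id: 4103, 4104` line, so that filter now attaches to the new channel instead of to the Sysmon entry it followed before (indentation is lost in this view, so confirm the nesting in the file); if moving the filter is intended, a comment saying so would stop the next editor from shifting it back. Events 4103 (module logging) and 4104 (script block logging) are only written when the corresponding PowerShell logging policies are enabled on the endpoint, so a line like `# requires Module Logging and Script Block Logging enabled on the host` above the entry would help operators who see no data arrive. The value `4103, 4104` is a plain scalar containing a comma, which YAML reads as the string `4103, 4104`; Winlogbeat documents that comma-separated form, but quoting it as `event_id: "4103, 4104"` makes the intent explicit to linters and readers.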