Merge pull request #81 from redBorder/development

Release 4.0.0

CHANGELOG.md

@@ -1,6 +1,13 @@
 cookbook-logstash CHANGELOG
 ===============
 
+## 4.0.0
+
+  - manegron
+    - [bd193fc] remove space
+    - [69bb4b7] Dont incident_enrichment if is already enriched
+    - [43b5113] Remove alarms from vault pipeline
+
 ## 3.3.0
 
   - Miguel Negrón

resources/metadata.rb

@@ -3,4 +3,4 @@
 maintainer_email 'git@redborder.com'
 license          'AGPL-3.0'
 description      'Installs/Configures cookbook-logstash'
-version          '3.3.0'
+version          '4.0.0'

resources/providers/config.rb

@@ -189,14 +189,9 @@
         notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
       end
 
-      template "#{pipelines_dir}/vault/06_alarms.conf" do
-        source 'vault_alarms.conf.erb'
-        owner user
-        group user
-        mode '0644'
-        ignore_failure true
-        cookbook 'logstash'
-        notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+      # We dont need this file anymore as is parsed by rsyslog
+      file "#{pipelines_dir}/vault/06_alarms.conf" do
+        action :delete
       end
 
       # Renamed so we clean the old file

resources/templates/default/intrusion_incident_enrichment.conf.erb

@@ -1,7 +1,9 @@
 filter {
-  incident_enrichment { 
-    incident_fields => ["src","src_port", "dst", "dst_port"]
-    source => "redBorder Intrusion"
-    incidents_priority_filter => "<%= @intrusion_incidents_priority_filter %>"
+  if ![incident_uuid] {
+    incident_enrichment {
+      incident_fields => ["src","src_port", "dst", "dst_port"]
+      source => "redBorder Intrusion"
+      incidents_priority_filter => "<%= @intrusion_incidents_priority_filter %>"
+    }
   }
 }

resources/templates/default/vault_incident_enrichment.conf.erb

@@ -1,13 +1,15 @@
 filter {
-  incident_enrichment {
-    incident_fields => ["fromhost_ip"]
-    source => "redBorder Vault"
-    incidents_priority_filter => "<%= @vault_incidents_priority_filter %>"
-    field_scores => {
-      "fromhost_ip" => 100
-    }
-    field_map => {
-      "fromhost_ip" => "ip"
+  if ![incident_uuid] {
+    incident_enrichment {
+      incident_fields => ["fromhost_ip"]
+      source => "redBorder Vault"
+      incidents_priority_filter => "<%= @vault_incidents_priority_filter %>"
+      field_scores => {
+        "fromhost_ip" => 100
+      }
+      field_map => {
+        "fromhost_ip" => "ip"
+      }
     }
   }
 }