From 43b511387805ffd719c166f058dd66d76ab9e711 Mon Sep 17 00:00:00 2001 From: manegron Date: Tue, 24 Dec 2024 19:59:01 +0000 Subject: [PATCH 1/4] Remove alarms from vault pipeline --- resources/providers/config.rb | 11 ++----- .../templates/default/vault_alarms.conf.erb | 30 ------------------- 2 files changed, 3 insertions(+), 38 deletions(-) delete mode 100644 resources/templates/default/vault_alarms.conf.erb diff --git a/resources/providers/config.rb b/resources/providers/config.rb index 7bf0ac0..9cb2563 100644 --- a/resources/providers/config.rb +++ b/resources/providers/config.rb @@ -189,14 +189,9 @@ notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring'] end - template "#{pipelines_dir}/vault/06_alarms.conf" do - source 'vault_alarms.conf.erb' - owner user - group user - mode '0644' - ignore_failure true - cookbook 'logstash' - notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring'] + # We dont need this file anymore as is parsed by rsyslog + file "#{pipelines_dir}/vault/06_alarms.conf" do + action :delete end # Renamed so we clean the old file diff --git a/resources/templates/default/vault_alarms.conf.erb b/resources/templates/default/vault_alarms.conf.erb deleted file mode 100644 index 3b7ac02..0000000 --- a/resources/templates/default/vault_alarms.conf.erb +++ /dev/null @@ -1,30 +0,0 @@ -filter { - if "alarmsjob" in [app_name] { - ruby { - code => ' - message = event.get("message") - - if message - regex = /(\w+)="([^"]*)"/ - message.scan(regex).each do |field, value| - event.set(field, value) - end - end - - alert_msg = event.get("alert_msg") - if alert_msg - event.set("message", alert_msg) - event.remove("alert_msg") - end - - # We "simulate" the alert comes from the sensor_ip - # To correlate later with the incidents - # TODO: find a nicer way of doing this - sensor_ip = event.get("sensor_ip") - if sensor_ip - event.set("fromhost_ip", sensor_ip) - end - ' - } - } -} 
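Review bot: The replacement `file "#{pipelines_dir}/vault/06_alarms.conf" do action :delete end` resource drops the `notifies :restart, 'service[logstash]', :delayed` that the removed template carried, so on an already-converged node the pipeline file is unlinked from disk but the running Logstash keeps the loaded alarms filter until something else restarts it; unless automatic config reload is enabled (not visible here), add `notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']` to the new resource. The deleted filter also copied `sensor_ip` into `fromhost_ip` so alarm events could be correlated with incidents; the commit says rsyslog now parses these events, but that side is outside this diff, so confirm rsyslog sets `fromhost_ip` to the sensor address or the vault incident enrichment, which keys on `fromhost_ip`, will attribute alarms to the relay host. The new comment has a typo and would be clearer as `# Not needed anymore: the alarms log is parsed by rsyslog`. The enclosing provider action in config.rb starts and continues outside this hunk.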
From 69bb4b76ac4f0dae86fc6366c80577807a5a242a Mon Sep 17 00:00:00 2001 From: manegron Date: Wed, 25 Dec 2024 20:16:28 +0000 Subject: [PATCH 2/4] Dont incident_enrichment if is already enriched --- .../intrusion_incident_enrichment.conf.erb | 10 ++++++---- .../vault_incident_enrichment.conf.erb | 20 ++++++++++--------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/resources/templates/default/intrusion_incident_enrichment.conf.erb b/resources/templates/default/intrusion_incident_enrichment.conf.erb index 5a9eb10..0197699 100644 --- a/resources/templates/default/intrusion_incident_enrichment.conf.erb +++ b/resources/templates/default/intrusion_incident_enrichment.conf.erb @@ -1,7 +1,9 @@ filter { - incident_enrichment { - incident_fields => ["src","src_port", "dst", "dst_port"] - source => "redBorder Intrusion" - incidents_priority_filter => "<%= @intrusion_incidents_priority_filter %>" + if ![incident_uuid] { + incident_enrichment { + incident_fields => ["src","src_port", "dst", "dst_port"] + source => "redBorder Intrusion" + incidents_priority_filter => "<%= @intrusion_incidents_priority_filter %>" + } } } diff --git a/resources/templates/default/vault_incident_enrichment.conf.erb b/resources/templates/default/vault_incident_enrichment.conf.erb index 2e5264d..a2cf533 100644 --- a/resources/templates/default/vault_incident_enrichment.conf.erb +++ b/resources/templates/default/vault_incident_enrichment.conf.erb 
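Review bot: The new `if ![incident_uuid]` guard assumes `incident_uuid` is only ever written by `incident_enrichment` itself, but it is evaluated on whatever fields the event already carries when it reaches this filter; if any input of this pipeline accepts caller-supplied fields (the inputs are not in this diff), a sender could set `incident_uuid` on its own events and silently opt out of incident creation. If that path exists, either strip the field at the input stage or key the skip on a marker the pipeline adds itself, e.g. test `"incident_enriched" in [tags]` and `add_tag` it after enrichment. At minimum document the assumption above the guard: `# incident_uuid is only set by incident_enrichment; its presence means the event was already enriched (re-ingested), so skip.`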
@@ -1,13 +1,15 @@ filter { - incident_enrichment { - incident_fields => ["fromhost_ip"] - source => "redBorder Vault" - incidents_priority_filter => "<%= @vault_incidents_priority_filter %>" - field_scores => { - "fromhost_ip" => 100 - } - field_map => { - "fromhost_ip" => "ip" + if ![incident_uuid] { + incident_enrichment { + incident_fields => ["fromhost_ip"] + source => "redBorder Vault" + incidents_priority_filter => "<%= @vault_incidents_priority_filter %>" + field_scores => { + "fromhost_ip" => 100 + } + field_map => { + "fromhost_ip" => "ip" + } } } } From bd193fcf289d0c4dd1599ab1630bcd8c22cded17 Mon Sep 17 00:00:00 2001 From: manegron Date: Wed, 25 Dec 2024 23:16:18 +0000 Subject: [PATCH 3/4] remove space --- .../templates/default/intrusion_incident_enrichment.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/templates/default/intrusion_incident_enrichment.conf.erb b/resources/templates/default/intrusion_incident_enrichment.conf.erb index 0197699..fd79db2 100644 --- a/resources/templates/default/intrusion_incident_enrichment.conf.erb +++ b/resources/templates/default/intrusion_incident_enrichment.conf.erb @@ -1,6 +1,6 @@ filter { if ![incident_uuid] { - incident_enrichment { + incident_enrichment { incident_fields => ["src","src_port", "dst", "dst_port"] source => "redBorder Intrusion" incidents_priority_filter => "<%= @intrusion_incidents_priority_filter %>" From 2da39169561d917504801cc07eb22b634a0f1d7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Negr=C3=B3n?= Date: Wed, 25 Dec 2024 23:17:32 +0000 Subject: [PATCH 4/4] Bump version --- CHANGELOG.md | 7 +++++++ resources/metadata.rb | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 80d0f95..1f2a2f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
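Review bot: Same concern as the intrusion pipeline: `if ![incident_uuid]` skips enrichment for any event that already carries the field, and only the fact that `incident_enrichment` is what writes it (not visible here) makes that safe; if the vault input accepts arbitrary fields from log senders, the check can be bypassed by the sender. This filter also keys incidents solely on `fromhost_ip` (score 100, mapped to `ip`), and patch 1 of this series removes the alarms filter that rewrote `fromhost_ip` from `sensor_ip`; confirm the rsyslog side now supplies the sensor address, otherwise alarm incidents will be attributed to the relay host. A one-line comment above the guard would make the intent explicit: `# incident_uuid is set by incident_enrichment; skip events that were already enriched upstream`.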
@@ -1,6 +1,13 @@ cookbook-logstash CHANGELOG =============== +## 4.0.0 + + - manegron + - [bd193fc] remove space + - [69bb4b7] Dont incident_enrichment if is already enriched + - [43b5113] Remove alarms from vault pipeline + ## 3.3.0 - Miguel Negrón diff --git a/resources/metadata.rb b/resources/metadata.rb index 652b2e8..034f0ef 100644 --- a/resources/metadata.rb +++ b/resources/metadata.rb @@ -3,4 +3,4 @@ maintainer_email 'git@redborder.com' license 'AGPL-3.0' description 'Installs/Configures cookbook-logstash' -version '3.3.0' +version '4.0.0'