filebeat

5 years ago · 0c65407388
6 changed files with 34 additions and 2 deletions
--- a/scripts/services/Mistborn-scirius.service
+++ b/scripts/services/Mistborn-scirius.service
@ -15,9 +15,13 @@ ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-co
				@@ -15,9 +15,13 @@ ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-co

 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
+# Suricata
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
+
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
 # Post stop
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh

 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@ -18,9 +18,8 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
				@@ -18,9 +18,8 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
 # Stop container when unit is stopped
-ExecStop=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
-
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh

 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/scirius/files/filebeat.docker.yml
+++ b/scripts/services/scirius/files/filebeat.docker.yml
@ -0,0 +1,17 @@
				@@ -0,0 +1,17 @@
+filebeat.config:
+  modules:
+    path: ${path.config}/modules.d/*.yml
+    reload.enabled: false
+
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+
+processors:
+- add_cloud_metadata: ~
+
+output.elasticsearch:
+  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
+  username: '${ELASTICSEARCH_USERNAME:}'
+  password: '${ELASTICSEARCH_PASSWORD:}'
--- a/scripts/services/scirius/init.sh
+++ b/scripts/services/scirius/init.sh
@ -54,3 +54,7 @@ fi
				@@ -54,3 +54,7 @@ fi
 # sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
 # sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 # sudo systemctl restart rsyslog
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
--- a/scripts/services/scirius/suricata_start.sh
+++ b/scripts/services/scirius/suricata_start.sh
@ -0,0 +1,4 @@
				@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
--- a/scripts/services/scirius/suricata_stop.sh
+++ b/scripts/services/scirius/suricata_stop.sh
@ -0,0 +1,4 @@
				@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata