From 4baf4dd67a55aff0a5dbd458ecbbd0578e562c22 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 6 Sep 2021 10:21:27 +0200
Subject: [PATCH 1/5] Mage: Validate modules.d dir in Filebeat + Disabled filesets

---
 dev-tools/mage/modules.go | 70 +++++++++++++++++++++++++++++++++++++
 filebeat/magefile.go | 1 +
 x-pack/filebeat/magefile.go | 1 +
 3 files changed, 72 insertions(+)

diff --git a/dev-tools/mage/modules.go b/dev-tools/mage/modules.go
index 80fc4c2f7c5c..a65c2c2a1213 100644
--- a/dev-tools/mage/modules.go
+++ b/dev-tools/mage/modules.go
@@ -18,10 +18,15 @@ package mage
 import (
+ "fmt"
 "io/ioutil"
 "os"
 "path/filepath"
 "strings"
+
+ "github.com/joeshaw/multierror"
+ "github.com/pkg/errors"
+ "gopkg.in/yaml.v2"
 )
 var modulesDConfigTemplate = `
@@ -71,3 +76,68 @@ func GenerateDirModulesD() error {
 }
 return nil
 }
+
+type datasetDefinition struct {
+ Enabled *bool
+}
+
+type moduleDefinition struct {
+ Name string `yaml:"module"`
+ Filesets map[string]datasetDefinition `yaml:",inline"`
+}
+
+// ValidateDirModulesD validates a modules.d directory containing the
+// .yml.disabled files. It checks that the files are valid
+// yaml and conform to module definitions.
+func ValidateDirModulesD() error {
+ _, err := loadModulesD()
+ return err
+}
+
+// ValidateDirModulesDDatasetsDisabled ensures that all the datasets
+// are disabled by default.
+func ValidateDirModulesDDatasetsDisabled() error {
+ cfgs, err := loadModulesD()
+ if err != nil {
+ return err
+ }
+ var errs multierror.Errors
+ for path, cfg := range cfgs {
+ // A config.yml is a list of module configurations.
+ for modIdx, mod := range cfg {
+ // A module config is a map of datasets.
+ for dsName, ds := range mod.Filesets {
+ if ds.Enabled == nil || *ds.Enabled {
+ var entry string
+ if len(cfg) > 1 {
+ entry = fmt.Sprintf(" (entry #%d)", modIdx+1)
+ }
+ err = fmt.Errorf("in file '%s': %s module%s dataset %s must be explicitly disabled (needs `enabled: false`)",
+ path, mod.Name, entry, dsName)
+ errs = append(errs, err)
+ }
+ }
+ }
+ }
+ return errs.Err()
+}
+
+func loadModulesD() (modules map[string][]moduleDefinition, err error) {
+ files, err := filepath.Glob("modules.d/*.disabled")
+ if err != nil {
+ return nil, err
+ }
+ modules = make(map[string][]moduleDefinition, len(files))
+ for _, file := range files {
+ contents, err := ioutil.ReadFile(file)
+ if err != nil {
+ return nil, errors.Wrapf(err, "reading %s", file)
+ }
+ var cfg []moduleDefinition
+ if err = yaml.Unmarshal(contents, &cfg); err != nil {
+ return nil, errors.Wrapf(err, "parsing %s as YAML", file)
+ }
+ modules[file] = cfg
+ }
+ return modules, nil
+}
diff --git a/filebeat/magefile.go b/filebeat/magefile.go
index 0d68e5a86c4a..45b3e2c34c4e 100644
--- a/filebeat/magefile.go
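Review bot: loadModulesD reports success when `filepath.Glob("modules.d/*.disabled")` matches nothing, so both validators pass silently if the mage target runs from a directory without a generated modules.d or the glob pattern drifts, which is precisely the situation this check exists to catch. Guard the empty case right after the glob, e.g. `if len(files) == 0 { return nil, errors.New("no modules.d/*.disabled files found") }` (pkg/errors is already imported). Separately, ValidateDirModulesDDatasetsDisabled ranges over the `cfgs` map, so the order of the collected errors changes from run to run; iterating over sorted paths (`sort.Strings` on the keys, which needs a `sort` import) keeps CI output reproducible. In the same error message prefer `%q` over `'%s'` for the path so unexpected characters in a filename are visible.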
+++ b/filebeat/magefile.go
@@ -123,6 +123,7 @@ func Update() {
 // modules.d directory.
 func Config() {
 mg.Deps(devtools.GenerateDirModulesD, configYML)
+ mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)
 }

 func configYML() error {
diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go
index 9c7f436e2e43..7aa64c30e5d7 100644
--- a/x-pack/filebeat/magefile.go
+++ b/x-pack/filebeat/magefile.go
@@ -130,6 +130,7 @@ func ExportDashboard() error {
 // Config generates both the short and reference configs.
 func Config() {
 mg.Deps(configYML, devtools.GenerateDirModulesD)
+ mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)
 }

 func configYML() error {
From 17a8580f4c74bffebb5994257615ba31b27c70bc Mon Sep 17 00:00:00 2001
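Review bot: In both Config targets the added `mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)` reads and parses every modules.d file twice, because ValidateDirModulesDDatasetsDisabled calls loadModulesD itself and fails on the same read and YAML errors before it inspects any dataset. Depending only on `devtools.ValidateDirModulesDDatasetsDisabled` here gives the same coverage, while ValidateDirModulesD stays available as a standalone target. The same applies to the x-pack/filebeat/magefile.go hunk on this line.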
From: Adrian Serrano Date: Mon, 6 Sep 2021 14:12:13 +0200 Subject: [PATCH 2/5] Change default fileset configurations to explicit disable --- filebeat/filebeat.reference.yml | 24 +- filebeat/module/apache/_meta/config.yml | 4 +- filebeat/module/auditd/_meta/config.yml | 2 +- .../module/elasticsearch/_meta/config.yml | 10 +- filebeat/module/haproxy/_meta/config.yml | 2 +- filebeat/module/icinga/_meta/config.yml | 6 +- filebeat/module/iis/_meta/config.yml | 6 +- filebeat/module/kafka/_meta/config.yml | 2 +- filebeat/module/kibana/_meta/config.yml | 4 +- filebeat/module/logstash/_meta/config.yml | 4 +- filebeat/module/mongodb/_meta/config.yml | 2 +- filebeat/module/mysql/_meta/config.yml | 4 +- filebeat/module/nats/_meta/config.yml | 2 +- filebeat/module/nginx/_meta/config.yml | 4 +- .../module/osquery/_meta/config.reference.yml | 6 +- filebeat/module/osquery/_meta/config.yml | 2 +- filebeat/module/pensando/_meta/config.yml | 2 +- filebeat/module/postgresql/_meta/config.yml | 2 +- filebeat/module/redis/_meta/config.yml | 4 +- filebeat/module/santa/_meta/config.yml | 2 +- filebeat/module/system/_meta/config.yml | 4 +- filebeat/module/traefik/_meta/config.yml | 2 +- filebeat/modules.d/apache.yml.disabled | 4 +- filebeat/modules.d/auditd.yml.disabled | 2 +- filebeat/modules.d/elasticsearch.yml.disabled | 10 +- filebeat/modules.d/haproxy.yml.disabled | 2 +- filebeat/modules.d/icinga.yml.disabled | 6 +- filebeat/modules.d/iis.yml.disabled | 6 +- filebeat/modules.d/kafka.yml.disabled | 2 +- filebeat/modules.d/kibana.yml.disabled | 4 +- filebeat/modules.d/logstash.yml.disabled | 4 +- filebeat/modules.d/mongodb.yml.disabled | 2 +- filebeat/modules.d/mysql.yml.disabled | 4 +- filebeat/modules.d/nats.yml.disabled | 2 +- filebeat/modules.d/nginx.yml.disabled | 4 +- filebeat/modules.d/osquery.yml.disabled | 2 +- filebeat/modules.d/pensando.yml.disabled | 2 +- filebeat/modules.d/postgresql.yml.disabled | 2 +- filebeat/modules.d/redis.yml.disabled | 4 +- 
filebeat/modules.d/santa.yml.disabled | 2 +- filebeat/modules.d/system.yml.disabled | 4 +- filebeat/modules.d/traefik.yml.disabled | 2 +- x-pack/filebeat/filebeat.reference.yml | 254 +++++++++--------- .../module/barracuda/_meta/config.yml | 4 +- .../filebeat/module/bluecoat/_meta/config.yml | 2 +- x-pack/filebeat/module/cef/_meta/config.yml | 2 +- x-pack/filebeat/module/cisco/_meta/config.yml | 14 +- .../filebeat/module/coredns/_meta/config.yml | 2 +- .../module/crowdstrike/_meta/config.yml | 2 +- .../filebeat/module/cyberark/_meta/config.yml | 2 +- .../module/cyberarkpas/_meta/config.yml | 2 +- .../filebeat/module/cylance/_meta/config.yml | 2 +- .../module/envoyproxy/_meta/config.yml | 2 +- x-pack/filebeat/module/f5/_meta/config.yml | 4 +- .../filebeat/module/fortinet/_meta/config.yml | 8 +- x-pack/filebeat/module/gcp/_meta/config.yml | 6 +- .../module/google_workspace/_meta/config.yml | 12 +- .../module/googlecloud/_meta/config.yml | 6 +- .../filebeat/module/gsuite/_meta/config.yml | 12 +- x-pack/filebeat/module/ibmmq/_meta/config.yml | 2 +- .../filebeat/module/imperva/_meta/config.yml | 2 +- .../filebeat/module/infoblox/_meta/config.yml | 2 +- .../filebeat/module/iptables/_meta/config.yml | 2 +- .../filebeat/module/juniper/_meta/config.yml | 6 +- .../module/microsoft/_meta/config.yml | 6 +- x-pack/filebeat/module/misp/_meta/config.yml | 2 +- x-pack/filebeat/module/mssql/_meta/config.yml | 2 +- .../module/mysqlenterprise/_meta/config.yml | 2 +- .../filebeat/module/netflow/_meta/config.yml | 2 +- .../filebeat/module/netscout/_meta/config.yml | 2 +- x-pack/filebeat/module/o365/_meta/config.yml | 2 +- x-pack/filebeat/module/okta/_meta/config.yml | 2 +- .../filebeat/module/oracle/_meta/config.yml | 2 +- x-pack/filebeat/module/panw/_meta/config.yml | 2 +- .../module/proofpoint/_meta/config.yml | 2 +- .../filebeat/module/rabbitmq/_meta/config.yml | 2 +- .../filebeat/module/radware/_meta/config.yml | 2 +- x-pack/filebeat/module/snort/_meta/config.yml | 2 +- 
x-pack/filebeat/module/snyk/_meta/config.yml | 4 +- .../module/sonicwall/_meta/config.yml | 2 +- .../filebeat/module/sophos/_meta/config.yml | 4 +- x-pack/filebeat/module/squid/_meta/config.yml | 2 +- .../filebeat/module/suricata/_meta/config.yml | 2 +- .../module/threatintel/_meta/config.yml | 16 +- .../filebeat/module/tomcat/_meta/config.yml | 2 +- x-pack/filebeat/module/zeek/_meta/config.yml | 78 +++--- .../module/zookeeper/_meta/config.yml | 4 +- x-pack/filebeat/module/zoom/_meta/config.yml | 2 +- .../filebeat/module/zscaler/_meta/config.yml | 2 +- .../filebeat/modules.d/activemq.yml.disabled | 4 +- x-pack/filebeat/modules.d/azure.yml.disabled | 2 +- .../filebeat/modules.d/barracuda.yml.disabled | 4 +- .../filebeat/modules.d/bluecoat.yml.disabled | 2 +- x-pack/filebeat/modules.d/cef.yml.disabled | 2 +- .../modules.d/checkpoint.yml.disabled | 2 +- x-pack/filebeat/modules.d/cisco.yml.disabled | 14 +- .../filebeat/modules.d/coredns.yml.disabled | 2 +- .../modules.d/crowdstrike.yml.disabled | 2 +- .../filebeat/modules.d/cyberark.yml.disabled | 2 +- .../modules.d/cyberarkpas.yml.disabled | 2 +- .../filebeat/modules.d/cylance.yml.disabled | 2 +- .../modules.d/envoyproxy.yml.disabled | 2 +- x-pack/filebeat/modules.d/f5.yml.disabled | 4 +- .../filebeat/modules.d/fortinet.yml.disabled | 8 +- x-pack/filebeat/modules.d/gcp.yml.disabled | 6 +- .../modules.d/google_workspace.yml.disabled | 12 +- .../modules.d/googlecloud.yml.disabled | 6 +- x-pack/filebeat/modules.d/gsuite.yml.disabled | 12 +- x-pack/filebeat/modules.d/ibmmq.yml.disabled | 2 +- .../filebeat/modules.d/imperva.yml.disabled | 2 +- .../filebeat/modules.d/infoblox.yml.disabled | 2 +- .../filebeat/modules.d/iptables.yml.disabled | 2 +- .../filebeat/modules.d/juniper.yml.disabled | 6 +- .../filebeat/modules.d/microsoft.yml.disabled | 6 +- x-pack/filebeat/modules.d/misp.yml.disabled | 2 +- x-pack/filebeat/modules.d/mssql.yml.disabled | 2 +- .../modules.d/mysqlenterprise.yml.disabled | 2 +- 
.../filebeat/modules.d/netflow.yml.disabled | 2 +- .../filebeat/modules.d/netscout.yml.disabled | 2 +- x-pack/filebeat/modules.d/o365.yml.disabled | 2 +- x-pack/filebeat/modules.d/okta.yml.disabled | 2 +- x-pack/filebeat/modules.d/oracle.yml.disabled | 2 +- x-pack/filebeat/modules.d/panw.yml.disabled | 2 +- .../modules.d/proofpoint.yml.disabled | 2 +- .../filebeat/modules.d/rabbitmq.yml.disabled | 2 +- .../filebeat/modules.d/radware.yml.disabled | 2 +- x-pack/filebeat/modules.d/snort.yml.disabled | 2 +- x-pack/filebeat/modules.d/snyk.yml.disabled | 4 +- .../filebeat/modules.d/sonicwall.yml.disabled | 2 +- x-pack/filebeat/modules.d/sophos.yml.disabled | 4 +- x-pack/filebeat/modules.d/squid.yml.disabled | 2 +- .../filebeat/modules.d/suricata.yml.disabled | 2 +- .../modules.d/threatintel.yml.disabled | 16 +- x-pack/filebeat/modules.d/tomcat.yml.disabled | 2 +- x-pack/filebeat/modules.d/zeek.yml.disabled | 78 +++--- .../filebeat/modules.d/zookeeper.yml.disabled | 4 +- x-pack/filebeat/modules.d/zoom.yml.disabled | 2 +- .../filebeat/modules.d/zscaler.yml.disabled | 2 +- 138 files changed, 462 insertions(+), 462 deletions(-) diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index dbdb731c0dc0..40746558c22c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -80,32 +80,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -114,7 +114,7 @@ filebeat.modules: - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -191,7 +191,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -205,7 +205,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -213,7 +213,7 @@ filebeat.modules: # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -281,7 +281,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -339,7 +339,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 @@ -384,7 +384,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/module/apache/_meta/config.yml b/filebeat/module/apache/_meta/config.yml index 24e64df694a6..ddf2b0c40d47 100644 --- a/filebeat/module/apache/_meta/config.yml +++ b/filebeat/module/apache/_meta/config.yml @@ -1,7 +1,7 @@ - module: apache # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/auditd/_meta/config.yml b/filebeat/module/auditd/_meta/config.yml index bd952f49cc9d..eaf816cec78c 100644 --- a/filebeat/module/auditd/_meta/config.yml +++ b/filebeat/module/auditd/_meta/config.yml @@ -1,6 +1,6 @@ - module: auditd log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml index 0c2562f27969..4a2f751b67c7 100644 --- a/filebeat/module/elasticsearch/_meta/config.yml +++ b/filebeat/module/elasticsearch/_meta/config.yml 
@@ -1,32 +1,32 @@ - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/haproxy/_meta/config.yml b/filebeat/module/haproxy/_meta/config.yml index 0e1431e503c0..b559d6d837f7 100644 --- a/filebeat/module/haproxy/_meta/config.yml +++ b/filebeat/module/haproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/module/icinga/_meta/config.yml b/filebeat/module/icinga/_meta/config.yml index afcd57986a2d..5fe0ddc20544 100644 --- a/filebeat/module/icinga/_meta/config.yml +++ b/filebeat/module/icinga/_meta/config.yml @@ -1,7 +1,7 @@ - module: icinga # Main logs main: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Debug logs debug: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -17,7 +17,7 @@ # Startup logs startup: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/iis/_meta/config.yml b/filebeat/module/iis/_meta/config.yml index 0ed84f14e52d..f4f1d8cec36c 100644 --- a/filebeat/module/iis/_meta/config.yml +++ b/filebeat/module/iis/_meta/config.yml @@ -1,7 +1,7 @@ - module: iis # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,9 +9,9 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - \ No newline at end of file + diff --git a/filebeat/module/kafka/_meta/config.yml b/filebeat/module/kafka/_meta/config.yml index cbda5709c399..72e6d49ab442 100644 --- a/filebeat/module/kafka/_meta/config.yml +++ b/filebeat/module/kafka/_meta/config.yml @@ -1,7 +1,7 @@ - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/module/kibana/_meta/config.yml b/filebeat/module/kibana/_meta/config.yml index ffb82496fcae..2d6904e30c61 100644 --- a/filebeat/module/kibana/_meta/config.yml +++ b/filebeat/module/kibana/_meta/config.yml @@ -1,7 +1,7 @@ - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/logstash/_meta/config.yml b/filebeat/module/logstash/_meta/config.yml index bdb8e488dac4..d38c8058aca9 100644 --- a/filebeat/module/logstash/_meta/config.yml 
+++ b/filebeat/module/logstash/_meta/config.yml @@ -1,7 +1,7 @@ - module: logstash # logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/mongodb/_meta/config.yml b/filebeat/module/mongodb/_meta/config.yml index be6ea989c1c2..28143b64eb4e 100644 --- a/filebeat/module/mongodb/_meta/config.yml +++ b/filebeat/module/mongodb/_meta/config.yml @@ -1,7 +1,7 @@ - module: mongodb # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/mysql/_meta/config.yml b/filebeat/module/mysql/_meta/config.yml index 10afcb9e0ab6..2b7c393eecca 100644 --- a/filebeat/module/mysql/_meta/config.yml +++ b/filebeat/module/mysql/_meta/config.yml @@ -1,7 +1,7 @@ - module: mysql # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nats/_meta/config.yml b/filebeat/module/nats/_meta/config.yml index 59a636376807..b09a36dd006a 100644 --- a/filebeat/module/nats/_meta/config.yml +++ b/filebeat/module/nats/_meta/config.yml @@ -1,7 +1,7 @@ - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nginx/_meta/config.yml b/filebeat/module/nginx/_meta/config.yml index 3967af2693f1..d520f4225b9e 100644 
--- a/filebeat/module/nginx/_meta/config.yml +++ b/filebeat/module/nginx/_meta/config.yml @@ -1,7 +1,7 @@ - module: nginx # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.reference.yml b/filebeat/module/osquery/_meta/config.reference.yml index b2a86b43c679..890e602f6888 100644 --- a/filebeat/module/osquery/_meta/config.reference.yml +++ b/filebeat/module/osquery/_meta/config.reference.yml @@ -1,6 +1,6 @@ -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.yml b/filebeat/module/osquery/_meta/config.yml index b2a86b43c679..2f4fd9118070 100644 --- a/filebeat/module/osquery/_meta/config.yml +++ b/filebeat/module/osquery/_meta/config.yml @@ -1,6 +1,6 @@ - module: osquery result: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/pensando/_meta/config.yml b/filebeat/module/pensando/_meta/config.yml index e632160bdd77..f352f5421240 100644 --- a/filebeat/module/pensando/_meta/config.yml +++ b/filebeat/module/pensando/_meta/config.yml @@ -1,7 +1,7 @@ - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/module/postgresql/_meta/config.yml b/filebeat/module/postgresql/_meta/config.yml index c82734a9570f..373954e6e4f5 100644 --- a/filebeat/module/postgresql/_meta/config.yml +++ b/filebeat/module/postgresql/_meta/config.yml 
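Review bot: The filebeat/module/osquery/_meta/config.reference.yml hunk comments the whole module out and leaves `#enabled: true` behind, which runs against the rest of this series where every sibling module is switched to `enabled: false`, and the commented `- module: osquery` list item means the generated reference no longer shows how osquery is configured. If hiding osquery from the reference config is intended, a one-line comment in the file stating why would make that clear to the next reader; otherwise changing the value to `enabled: false`, as the `filebeat/module/osquery/_meta/config.yml` hunk on this line does, keeps the two files in step.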
@@ -1,7 +1,7 @@ - module: postgresql # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/redis/_meta/config.yml b/filebeat/module/redis/_meta/config.yml index 4aa2f1eacf0f..1a99edf7d29f 100644 --- a/filebeat/module/redis/_meta/config.yml +++ b/filebeat/module/redis/_meta/config.yml @@ -1,7 +1,7 @@ - module: redis # Main logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: true + enabled: false # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/module/santa/_meta/config.yml b/filebeat/module/santa/_meta/config.yml index ab2588f900ed..b6b03be3fe40 100644 --- a/filebeat/module/santa/_meta/config.yml +++ b/filebeat/module/santa/_meta/config.yml @@ -1,6 +1,6 @@ - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/module/system/_meta/config.yml b/filebeat/module/system/_meta/config.yml index f76dd905b4d7..c1fe882374d3 100644 --- a/filebeat/module/system/_meta/config.yml +++ b/filebeat/module/system/_meta/config.yml @@ -1,7 +1,7 @@ - module: system # Syslog syslog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Authorization logs auth: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/traefik/_meta/config.yml b/filebeat/module/traefik/_meta/config.yml index 16ec37f975e1..3e9f73ce10b1 100644 --- a/filebeat/module/traefik/_meta/config.yml 
+++ b/filebeat/module/traefik/_meta/config.yml @@ -1,7 +1,7 @@ - module: traefik # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/apache.yml.disabled b/filebeat/modules.d/apache.yml.disabled index c6a2c941469c..d4fbc61659d3 100644 --- a/filebeat/modules.d/apache.yml.disabled +++ b/filebeat/modules.d/apache.yml.disabled @@ -4,7 +4,7 @@ - module: apache # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/auditd.yml.disabled b/filebeat/modules.d/auditd.yml.disabled index 4b0bd49c6f65..8bcedafdee9a 100644 --- a/filebeat/modules.d/auditd.yml.disabled +++ b/filebeat/modules.d/auditd.yml.disabled @@ -3,7 +3,7 @@ - module: auditd log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/elasticsearch.yml.disabled b/filebeat/modules.d/elasticsearch.yml.disabled index 4db2df4eaea3..75236f1a6640 100644 --- a/filebeat/modules.d/elasticsearch.yml.disabled +++ b/filebeat/modules.d/elasticsearch.yml.disabled 
@@ -4,32 +4,32 @@ - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/haproxy.yml.disabled b/filebeat/modules.d/haproxy.yml.disabled index 7493d93d7633..5863c5bbdf8c 100644 --- a/filebeat/modules.d/haproxy.yml.disabled +++ b/filebeat/modules.d/haproxy.yml.disabled @@ -4,7 +4,7 @@ - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/modules.d/icinga.yml.disabled b/filebeat/modules.d/icinga.yml.disabled index 2b136d520728..10ab79616eb9 100644 --- a/filebeat/modules.d/icinga.yml.disabled +++ b/filebeat/modules.d/icinga.yml.disabled @@ -4,7 +4,7 @@ - module: icinga # Main logs main: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Debug logs debug: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -20,7 +20,7 @@ # Startup logs startup: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/iis.yml.disabled b/filebeat/modules.d/iis.yml.disabled index 3fb8768b3911..868fadedbb09 100644 --- a/filebeat/modules.d/iis.yml.disabled +++ b/filebeat/modules.d/iis.yml.disabled @@ -4,7 +4,7 @@ - module: iis # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,9 +12,9 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - \ No newline at end of file + diff --git a/filebeat/modules.d/kafka.yml.disabled b/filebeat/modules.d/kafka.yml.disabled index 9d1b367b5c3e..fd7b00137392 100644 --- a/filebeat/modules.d/kafka.yml.disabled +++ b/filebeat/modules.d/kafka.yml.disabled @@ -4,7 +4,7 @@ - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/modules.d/kibana.yml.disabled b/filebeat/modules.d/kibana.yml.disabled index 0dbffa7e766f..bc34de819a57 100644 --- a/filebeat/modules.d/kibana.yml.disabled +++ b/filebeat/modules.d/kibana.yml.disabled @@ -4,7 +4,7 @@ - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/logstash.yml.disabled b/filebeat/modules.d/logstash.yml.disabled index 3eee07b97bf0..fe99eeabae47 100644 --- a/filebeat/modules.d/logstash.yml.disabled 
+++ b/filebeat/modules.d/logstash.yml.disabled @@ -4,7 +4,7 @@ - module: logstash # logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/mongodb.yml.disabled b/filebeat/modules.d/mongodb.yml.disabled index 36745bca4196..ac31f64bed1d 100644 --- a/filebeat/modules.d/mongodb.yml.disabled +++ b/filebeat/modules.d/mongodb.yml.disabled @@ -4,7 +4,7 @@ - module: mongodb # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/mysql.yml.disabled b/filebeat/modules.d/mysql.yml.disabled index a7904e69f1b0..dd5079648bc4 100644 --- a/filebeat/modules.d/mysql.yml.disabled +++ b/filebeat/modules.d/mysql.yml.disabled @@ -4,7 +4,7 @@ - module: mysql # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nats.yml.disabled b/filebeat/modules.d/nats.yml.disabled index d203a1735e44..6074f499cad7 100644 --- a/filebeat/modules.d/nats.yml.disabled +++ b/filebeat/modules.d/nats.yml.disabled @@ -4,7 +4,7 @@ - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nginx.yml.disabled b/filebeat/modules.d/nginx.yml.disabled index e15f4fe492d7..450b30c0e013 100644 
--- a/filebeat/modules.d/nginx.yml.disabled +++ b/filebeat/modules.d/nginx.yml.disabled @@ -4,7 +4,7 @@ - module: nginx # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/osquery.yml.disabled b/filebeat/modules.d/osquery.yml.disabled index 1c66965bfe94..0740b774a527 100644 --- a/filebeat/modules.d/osquery.yml.disabled +++ b/filebeat/modules.d/osquery.yml.disabled @@ -3,7 +3,7 @@ - module: osquery result: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/pensando.yml.disabled b/filebeat/modules.d/pensando.yml.disabled index 72350a5dcb69..1002b61bf3e9 100644 --- a/filebeat/modules.d/pensando.yml.disabled +++ b/filebeat/modules.d/pensando.yml.disabled @@ -4,7 +4,7 @@ - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/modules.d/postgresql.yml.disabled b/filebeat/modules.d/postgresql.yml.disabled index 1e01709d02cf..5df32fefc491 100644 --- a/filebeat/modules.d/postgresql.yml.disabled +++ b/filebeat/modules.d/postgresql.yml.disabled @@ -4,7 +4,7 @@ - module: postgresql # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/redis.yml.disabled b/filebeat/modules.d/redis.yml.disabled index 6a43828abfec..dfec32f8849b 100644 --- a/filebeat/modules.d/redis.yml.disabled +++ b/filebeat/modules.d/redis.yml.disabled 
@@ -4,7 +4,7 @@ - module: redis # Main logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: true + enabled: false # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/modules.d/santa.yml.disabled b/filebeat/modules.d/santa.yml.disabled index 8e187d56b62f..9655b1afb599 100644 --- a/filebeat/modules.d/santa.yml.disabled +++ b/filebeat/modules.d/santa.yml.disabled @@ -3,7 +3,7 @@ - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/modules.d/system.yml.disabled b/filebeat/modules.d/system.yml.disabled index 49e5c9c4d984..4171c65f7ad2 100644 --- a/filebeat/modules.d/system.yml.disabled +++ b/filebeat/modules.d/system.yml.disabled @@ -4,7 +4,7 @@ - module: system # Syslog syslog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Authorization logs auth: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/traefik.yml.disabled b/filebeat/modules.d/traefik.yml.disabled index 22e6cdf0dc84..440028cc1823 100644 --- a/filebeat/modules.d/traefik.yml.disabled +++ b/filebeat/modules.d/traefik.yml.disabled @@ -4,7 +4,7 @@ - module: traefik # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index b30193416cc6..e2df3c14ee21 100644 --- a/x-pack/filebeat/filebeat.reference.yml 
+++ b/x-pack/filebeat/filebeat.reference.yml @@ -41,7 +41,7 @@ filebeat.modules: - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -49,7 +49,7 @@ filebeat.modules: # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -462,7 +462,7 @@ filebeat.modules: - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" @@ -505,7 +505,7 @@ filebeat.modules: #------------------ Barracuda Web Application Firewall Module ------------------ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -524,7 +524,7 @@ filebeat.modules: # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -545,7 +545,7 @@ filebeat.modules: #-------------------------- Blue Coat Director Module -------------------------- - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -566,7 +566,7 @@ filebeat.modules: #--------------------------------- CEF Module --------------------------------- - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 @@ -582,7 +582,7 @@ filebeat.modules: #------------------------------ Checkpoint Module ------------------------------ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog 
@@ -605,7 +605,7 @@ filebeat.modules: #-------------------------------- Cisco Module -------------------------------- - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -631,7 +631,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -657,7 +657,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -674,7 +674,7 @@ filebeat.modules: #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -693,7 +693,7 @@ filebeat.modules: # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -712,7 +712,7 @@ filebeat.modules: # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -727,7 +727,7 @@ filebeat.modules: #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson @@ -747,7 +747,7 @@ filebeat.modules: - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -757,7 +757,7 @@ filebeat.modules: - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -768,7 +768,7 @@ filebeat.modules: # Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. - module: cyberark corepas: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -789,7 +789,7 @@ filebeat.modules: #----------------------------- CyberArk PAS Module ----------------------------- - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # @@ -815,7 +815,7 @@ filebeat.modules: #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -871,7 +871,7 @@ filebeat.modules: - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -880,7 +880,7 @@ filebeat.modules: #--------------------- Big-IP Access Policy Manager Module --------------------- - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -899,7 +899,7 @@ filebeat.modules: # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -920,7 +920,7 @@ filebeat.modules: #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -943,7 +943,7 @@ filebeat.modules: #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -962,7 +962,7 @@ filebeat.modules: # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -981,7 +981,7 @@ filebeat.modules: # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1002,7 +1002,7 @@ filebeat.modules: #--------------------- Google Cloud Platform (GCP) Module --------------------- - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1030,7 +1030,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1057,7 +1057,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1077,7 +1077,7 @@ filebeat.modules: #--------------------------- Google_workspace Module --------------------------- - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1085,7 +1085,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1093,7 +1093,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1101,7 +1101,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -1109,7 +1109,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1117,7 +1117,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1130,7 +1130,7 @@ filebeat.modules: # googlecloud module is deprecated, please use gcp instead - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1148,7 +1148,7 @@ filebeat.modules: var.credentials_file: ${path.config}/gcp-service-account-xyz.json firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1166,7 +1166,7 @@ filebeat.modules: var.credentials_file: ${path.config}/gcp-service-account-xyz.json audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1187,7 +1187,7 @@ filebeat.modules: # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1195,7 +1195,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1203,7 +1203,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -1211,7 +1211,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1219,7 +1219,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1227,7 +1227,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1252,7 +1252,7 @@ filebeat.modules: - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1325,7 +1325,7 @@ filebeat.modules: #------------------------- Imperva SecureSphere Module ------------------------- - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1346,7 +1346,7 @@ filebeat.modules: #---------------------------- Infoblox NIOS Module ---------------------------- - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1367,7 +1367,7 @@ filebeat.modules: #------------------------------- Iptables Module ------------------------------- - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1379,7 +1379,7 @@ filebeat.modules: #---------------------------- Juniper JUNOS Module ---------------------------- - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -1398,7 +1398,7 @@ filebeat.modules: # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1417,7 +1417,7 @@ filebeat.modules: # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -1483,7 +1483,7 @@ filebeat.modules: - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -1496,7 +1496,7 @@ filebeat.modules: # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -1513,7 +1513,7 @@ filebeat.modules: #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1536,7 +1536,7 @@ filebeat.modules: - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key @@ -1567,7 +1567,7 @@ filebeat.modules: - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1602,7 +1602,7 @@ filebeat.modules: #--------------------------- MySQL Enterprise Module --------------------------- - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file @@ -1625,7 +1625,7 @@ filebeat.modules: #------------------------------- NetFlow Module ------------------------------- - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 
@@ -1638,7 +1638,7 @@ filebeat.modules: #-------------------------- Arbor Peakflow SP Module -------------------------- - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1693,7 +1693,7 @@ filebeat.modules: #------------------------------ Office 365 Module ------------------------------ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" @@ -1740,7 +1740,7 @@ filebeat.modules: #--------------------------------- Okta Module --------------------------------- - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs @@ -1749,7 +1749,7 @@ filebeat.modules: #-------------------------------- Oracle Module -------------------------------- - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file @@ -1775,7 +1775,7 @@ filebeat.modules: #--------------------------------- Panw Module --------------------------------- - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1822,7 +1822,7 @@ filebeat.modules: #---------------------- Proofpoint Email Security Module ---------------------- - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1844,7 +1844,7 @@ filebeat.modules: - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -1853,7 +1853,7 @@ filebeat.modules: #-------------------------- Radware DefensePro Module -------------------------- - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1902,7 +1902,7 @@ filebeat.modules: #--------------------------- Snort/Sourcefire Module --------------------------- - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1923,7 +1923,7 @@ filebeat.modules: #--------------------------------- Snyk Module --------------------------------- - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -1952,7 +1952,7 @@ filebeat.modules: #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated @@ -2027,7 +2027,7 @@ filebeat.modules: #----------------------------- Sonicwall-FW Module ----------------------------- - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2048,7 +2048,7 @@ filebeat.modules: #-------------------------------- Sophos Module -------------------------------- - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -2072,7 +2072,7 @@ filebeat.modules: utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2093,7 +2093,7 @@ filebeat.modules: #-------------------------------- Squid Module -------------------------------- - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -2115,7 +2115,7 @@ filebeat.modules: - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2124,7 +2124,7 @@ filebeat.modules: #----------------------------- Threatintel Module ----------------------------- - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2136,7 +2136,7 @@ filebeat.modules: var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2148,7 +2148,7 @@ filebeat.modules: var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2160,7 +2160,7 @@ filebeat.modules: var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -2189,7 +2189,7 @@ filebeat.modules: var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2216,7 +2216,7 @@ filebeat.modules: var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2238,7 +2238,7 @@ filebeat.modules: var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -2263,7 +2263,7 @@ filebeat.modules: # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2297,7 +2297,7 @@ filebeat.modules: #---------------------------- Apache Tomcat Module ---------------------------- - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -2333,83 +2333,83 @@ filebeat.modules: #--------------------------------- Zeek Module --------------------------------- - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -2419,14 +2419,14 @@ filebeat.modules: - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2435,7 +2435,7 @@ filebeat.modules: #--------------------------------- Zoom Module --------------------------------- - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint @@ -2456,7 +2456,7 @@ filebeat.modules: #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml index 36ecc93be833..c6e7a48e75be 100644 --- a/x-pack/filebeat/module/barracuda/_meta/config.yml +++ b/x-pack/filebeat/module/barracuda/_meta/config.yml @@ -1,6 +1,6 @@ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml index b4c71666b1c5..76056292f7b6 100644 --- a/x-pack/filebeat/module/bluecoat/_meta/config.yml +++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml @@ -1,6 +1,6 @@ - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
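Review bot: With both barracuda filesets now `enabled: false`, renaming `barracuda.yml.disabled` to `barracuda.yml` produces a module that collects nothing, and nothing in the file tells the operator that each fileset must be switched on individually; the same applies to the other `_meta/config.yml` hunks that follow (bluecoat, cef, cisco, coredns, crowdstrike, cyberark, cyberarkpas, cylance, envoyproxy, f5, fortinet, gcp, google_workspace, googlecloud, gsuite, ibmmq, imperva). Consider a comment above each fileset's `enabled` key, e.g. `# Filesets are disabled by default; set to true to collect this one.`, so the hint is carried into the generated modules.d file and reference config as well. Keep the `enabled: false` key present rather than relying on its absence, since these files are the only place the default is made visible to the user.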
diff --git a/x-pack/filebeat/module/cef/_meta/config.yml b/x-pack/filebeat/module/cef/_meta/config.yml index 1b9ff319441d..53a29aa10ba8 100644 --- a/x-pack/filebeat/module/cef/_meta/config.yml +++ b/x-pack/filebeat/module/cef/_meta/config.yml @@ -1,6 +1,6 @@ - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 3af897a1225a..3fd735c050db 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -1,6 +1,6 @@ - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -26,7 +26,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -52,7 +52,7 @@ #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -69,7 +69,7 @@ #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -88,7 +88,7 @@ # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -107,7 +107,7 @@ # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -122,7 +122,7 @@ #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/module/coredns/_meta/config.yml b/x-pack/filebeat/module/coredns/_meta/config.yml index d9ef777bde5e..4cfd48edb1eb 100644 --- a/x-pack/filebeat/module/coredns/_meta/config.yml +++ b/x-pack/filebeat/module/coredns/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/crowdstrike/_meta/config.yml b/x-pack/filebeat/module/crowdstrike/_meta/config.yml index 04cf80889ba6..84901e8779b6 100644 --- a/x-pack/filebeat/module/crowdstrike/_meta/config.yml +++ b/x-pack/filebeat/module/crowdstrike/_meta/config.yml @@ -1,7 +1,7 @@ - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/cyberark/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml index d3a1f20ec6f3..9b0e08f26c88 100644 --- a/x-pack/filebeat/module/cyberark/_meta/config.yml +++ b/x-pack/filebeat/module/cyberark/_meta/config.yml @@ -2,7 +2,7 @@ # Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. - module: cyberark corepas: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml index 4ebf2db818de..9b2cc6d0e27f 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml +++ b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml @@ -1,6 +1,6 @@ - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml index f48f72b6065d..3025ab384017 100644 --- a/x-pack/filebeat/module/cylance/_meta/config.yml +++ b/x-pack/filebeat/module/cylance/_meta/config.yml 
@@ -1,6 +1,6 @@ - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/envoyproxy/_meta/config.yml b/x-pack/filebeat/module/envoyproxy/_meta/config.yml index c0fada4e3ae7..8009773045d1 100644 --- a/x-pack/filebeat/module/envoyproxy/_meta/config.yml +++ b/x-pack/filebeat/module/envoyproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml index a939fc021f87..48ccc13d31a3 100644 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ b/x-pack/filebeat/module/f5/_meta/config.yml @@ -1,6 +1,6 @@ - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 5f5561c79251..f71e5732b142 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -1,6 +1,6 @@ - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -23,7 +23,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -42,7 +42,7 @@ # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -61,7 +61,7 @@ # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/gcp/_meta/config.yml b/x-pack/filebeat/module/gcp/_meta/config.yml index b32c5a659576..7b804388694b 100644 --- a/x-pack/filebeat/module/gcp/_meta/config.yml +++ b/x-pack/filebeat/module/gcp/_meta/config.yml @@ -1,6 +1,6 @@ - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -28,7 +28,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -55,7 +55,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/module/google_workspace/_meta/config.yml b/x-pack/filebeat/module/google_workspace/_meta/config.yml index 1d6c5ad4589c..58d6a754b1e0 100644 --- a/x-pack/filebeat/module/google_workspace/_meta/config.yml +++ b/x-pack/filebeat/module/google_workspace/_meta/config.yml @@ -1,6 +1,6 @@ - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -8,7 +8,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -16,7 +16,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -24,7 +24,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -32,7 +32,7 @@
 # var.user_key: all
 # var.interval: 2h
 drive:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -40,7 +40,7 @@
 # var.user_key: all
 # var.interval: 2h
 groups:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
diff --git a/x-pack/filebeat/module/googlecloud/_meta/config.yml b/x-pack/filebeat/module/googlecloud/_meta/config.yml
index 2c535fb4664d..c2808c288542 100644
--- a/x-pack/filebeat/module/googlecloud/_meta/config.yml
+++ b/x-pack/filebeat/module/googlecloud/_meta/config.yml
@@ -1,7 +1,7 @@
 # googlecloud module is deprecated, please use gcp instead
 - module: gcp
 vpcflow:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
@@ -19,7 +19,7 @@
 var.credentials_file: ${path.config}/gcp-service-account-xyz.json
 firewall:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
@@ -37,7 +37,7 @@
 var.credentials_file: ${path.config}/gcp-service-account-xyz.json
 audit:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml
index 0badc11284eb..24cdb4931674 100644
--- a/x-pack/filebeat/module/gsuite/_meta/config.yml
+++ b/x-pack/filebeat/module/gsuite/_meta/config.yml
@@ -1,7 +1,7 @@
 # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
 - module: gsuite
 saml:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -9,7 +9,7 @@
 # var.user_key: all
 # var.interval: 2h
 user_accounts:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -17,7 +17,7 @@
 # var.user_key: all
 # var.interval: 2h
 login:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -25,7 +25,7 @@
 # var.user_key: all
 # var.interval: 2h
 admin:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -33,7 +33,7 @@
 # var.user_key: all
 # var.interval: 2h
 drive:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -41,7 +41,7 @@
 # var.user_key: all
 # var.interval: 2h
 groups:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
diff --git a/x-pack/filebeat/module/ibmmq/_meta/config.yml b/x-pack/filebeat/module/ibmmq/_meta/config.yml
index 320922d37e04..e81a5fca28ef 100644
--- a/x-pack/filebeat/module/ibmmq/_meta/config.yml
+++ b/x-pack/filebeat/module/ibmmq/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: ibmmq
 # All logs
 errorlog:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml
index 2b5660cd4c25..1ffb9f5d7087 100644
--- a/x-pack/filebeat/module/imperva/_meta/config.yml
+++ b/x-pack/filebeat/module/imperva/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: imperva
 securesphere:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml
index 85df3964b38f..03c704cc5baa 100644
--- a/x-pack/filebeat/module/infoblox/_meta/config.yml
+++ b/x-pack/filebeat/module/infoblox/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: infoblox
 nios:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/iptables/_meta/config.yml b/x-pack/filebeat/module/iptables/_meta/config.yml
index 0de64687f6eb..3b7911969853 100644
--- a/x-pack/filebeat/module/iptables/_meta/config.yml
+++ b/x-pack/filebeat/module/iptables/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: iptables
 log:
- enabled: true
+ enabled: false
 # Set which input to use between syslog (default) or file.
 #var.input:
diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml
index 7f9926567886..2ad874d9c4ff 100644
--- a/x-pack/filebeat/module/juniper/_meta/config.yml
+++ b/x-pack/filebeat/module/juniper/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: juniper
 junos:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -19,7 +19,7 @@
 # var.tz_offset: local
 netscreen:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -38,7 +38,7 @@
 # var.tz_offset: local
 srx:
- enabled: true
+ enabled: false
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
index a168b621ba5e..96b1f3db1db5 100644
--- a/x-pack/filebeat/module/microsoft/_meta/config.yml
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: microsoft
 # ATP configuration
 defender_atp:
- enabled: true
+ enabled: false
 # How often the API should be polled
 #var.interval: 5m
@@ -14,7 +14,7 @@
 # Oauth Token URL, should include the tenant ID
 #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
 m365_defender:
- enabled: true
+ enabled: false
 # How often the API should be polled
 #var.interval: 5m
@@ -31,7 +31,7 @@
 #var.oauth2.scopes:
 # - "https://api.security.microsoft.com/.default"
 dhcp:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/misp/_meta/config.yml b/x-pack/filebeat/module/misp/_meta/config.yml
index 0eab72db2053..1e6ce8928d16 100644
--- a/x-pack/filebeat/module/misp/_meta/config.yml
+++ b/x-pack/filebeat/module/misp/_meta/config.yml
@@ -2,7 +2,7 @@
 - module: misp
 threat:
- enabled: true
+ enabled: false
 # API key to access MISP
 #var.api_key
diff --git a/x-pack/filebeat/module/mssql/_meta/config.yml b/x-pack/filebeat/module/mssql/_meta/config.yml
index a56e658f7b71..3735debfcfd9 100644
--- a/x-pack/filebeat/module/mssql/_meta/config.yml
+++ b/x-pack/filebeat/module/mssql/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: mssql
 # Fileset for native deployment
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
index a4350a0ac608..ee13c51ec1ee 100644
--- a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
+++ b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: mysqlenterprise
 audit:
- enabled: true
+ enabled: false
 # Sets the input type. Currently only supports file
 #var.input: file
diff --git a/x-pack/filebeat/module/netflow/_meta/config.yml b/x-pack/filebeat/module/netflow/_meta/config.yml
index 91fe3953e94f..5fed6db35819 100644
--- a/x-pack/filebeat/module/netflow/_meta/config.yml
+++ b/x-pack/filebeat/module/netflow/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: netflow
 log:
- enabled: true
+ enabled: false
 var:
 netflow_host: localhost
 netflow_port: 2055
diff --git a/x-pack/filebeat/module/netscout/_meta/config.yml b/x-pack/filebeat/module/netscout/_meta/config.yml
index 168d7284a9f5..d7bcfcf2e7f3 100644
--- a/x-pack/filebeat/module/netscout/_meta/config.yml
+++ b/x-pack/filebeat/module/netscout/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: netscout
 sightline:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/o365/_meta/config.yml b/x-pack/filebeat/module/o365/_meta/config.yml
index b1a30d6dbe98..9ff4f9fb9260 100644
--- a/x-pack/filebeat/module/o365/_meta/config.yml
+++ b/x-pack/filebeat/module/o365/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: o365
 audit:
- enabled: true
+ enabled: false
 # Set the application_id (also known as client ID):
 var.application_id: ""
diff --git a/x-pack/filebeat/module/okta/_meta/config.yml b/x-pack/filebeat/module/okta/_meta/config.yml
index bb2da13eca4f..21fc87b737d7 100644
--- a/x-pack/filebeat/module/okta/_meta/config.yml
+++ b/x-pack/filebeat/module/okta/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: okta
 system:
- enabled: true
+ enabled: false
 # You must configure the URL with your Okta domain and provide an
 # API token to access the logs API.
 #var.url: https://yourOktaDomain/api/v1/logs
diff --git a/x-pack/filebeat/module/oracle/_meta/config.yml b/x-pack/filebeat/module/oracle/_meta/config.yml
index 7b1f569b835c..230ad88e6842 100644
--- a/x-pack/filebeat/module/oracle/_meta/config.yml
+++ b/x-pack/filebeat/module/oracle/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: oracle
 database_audit:
- enabled: true
+ enabled: false
 # Set which input to use between syslog or file (default).
 #var.input: file
diff --git a/x-pack/filebeat/module/panw/_meta/config.yml b/x-pack/filebeat/module/panw/_meta/config.yml
index 737825f598cb..8b28631ddd98 100644
--- a/x-pack/filebeat/module/panw/_meta/config.yml
+++ b/x-pack/filebeat/module/panw/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: panw
 panos:
- enabled: true
+ enabled: false
 # Set which input to use between syslog (default) or file.
 #var.input:
diff --git a/x-pack/filebeat/module/proofpoint/_meta/config.yml b/x-pack/filebeat/module/proofpoint/_meta/config.yml
index d25f23041e34..05dcc780bcd3 100644
--- a/x-pack/filebeat/module/proofpoint/_meta/config.yml
+++ b/x-pack/filebeat/module/proofpoint/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: proofpoint
 emailsecurity:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/rabbitmq/_meta/config.yml b/x-pack/filebeat/module/rabbitmq/_meta/config.yml
index 246c13225c6a..966f2169accc 100644
--- a/x-pack/filebeat/module/rabbitmq/_meta/config.yml
+++ b/x-pack/filebeat/module/rabbitmq/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: rabbitmq
 # All logs
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml
index dc134fbe59f6..5341bf6064f9 100644
--- a/x-pack/filebeat/module/radware/_meta/config.yml
+++ b/x-pack/filebeat/module/radware/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: radware
 defensepro:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/snort/_meta/config.yml b/x-pack/filebeat/module/snort/_meta/config.yml
index e3804a605b95..e428234a1800 100644
--- a/x-pack/filebeat/module/snort/_meta/config.yml
+++ b/x-pack/filebeat/module/snort/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: snort
 log:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/snyk/_meta/config.yml b/x-pack/filebeat/module/snyk/_meta/config.yml
index 2d4331396383..6c2247380763 100644
--- a/x-pack/filebeat/module/snyk/_meta/config.yml
+++ b/x-pack/filebeat/module/snyk/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: snyk
 audit:
- enabled: true
+ enabled: false
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson
 #
@@ -29,7 +29,7 @@
 #var.email_address: ""
 vulnerabilities:
- enabled: true
+ enabled: false
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson
 # How often the API should be polled. Data from the Snyk API is automatically updated
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml
index fcc2abefb794..92a719102868 100644
--- a/x-pack/filebeat/module/sonicwall/_meta/config.yml
+++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: sonicwall
 firewall:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml
index 5388cbdfcbc4..4b07d941401a 100644
--- a/x-pack/filebeat/module/sophos/_meta/config.yml
+++ b/x-pack/filebeat/module/sophos/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: sophos
 xg:
- enabled: true
+ enabled: false
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
@@ -24,7 +24,7 @@
 utm:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml
index e3d681dac2a6..ad0f3f2053cb 100644
--- a/x-pack/filebeat/module/squid/_meta/config.yml
+++ b/x-pack/filebeat/module/squid/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: squid
 log:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/suricata/_meta/config.yml b/x-pack/filebeat/module/suricata/_meta/config.yml
index 1556d5d04516..1ad37b0427e9 100644
--- a/x-pack/filebeat/module/suricata/_meta/config.yml
+++ b/x-pack/filebeat/module/suricata/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: suricata
 # All logs
 eve:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml
index f2cf00bcf0de..41451f6e33ae 100644
--- a/x-pack/filebeat/module/threatintel/_meta/config.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: threatintel
 abuseurl:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -12,7 +12,7 @@
 var.interval: 10m
 abusemalware:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -24,7 +24,7 @@
 var.interval: 10m
 malwarebazaar:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -36,7 +36,7 @@
 var.interval: 10m
 misp:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data, defaults to JSON.
 var.input: httpjson
@@ -65,7 +65,7 @@
 var.interval: 5m
 otx:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: httpjson
@@ -92,7 +92,7 @@
 var.interval: 5m
 anomali:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: httpjson
@@ -114,7 +114,7 @@
 var.interval: 5m
 anomalithreatstream:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: http_endpoint
@@ -139,7 +139,7 @@
 # var.ssl_key: path/to/ssl_key.pem
 recordedfuture:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: httpjson
diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml
index e3640165f610..e04b9201704c 100644
--- a/x-pack/filebeat/module/tomcat/_meta/config.yml
+++ b/x-pack/filebeat/module/tomcat/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: tomcat
 log:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml
index dbe6012df6bf..496581963faa 100644
--- a/x-pack/filebeat/module/zeek/_meta/config.yml
+++ b/x-pack/filebeat/module/zeek/_meta/config.yml
@@ -1,82 +1,82 @@
 - module: zeek
 capture_loss:
- enabled: true
+ enabled: false
 connection:
- enabled: true
+ enabled: false
 dce_rpc:
- enabled: true
+ enabled: false
 dhcp:
- enabled: true
+ enabled: false
 dnp3:
- enabled: true
+ enabled: false
 dns:
- enabled: true
+ enabled: false
 dpd:
- enabled: true
+ enabled: false
 files:
- enabled: true
+ enabled: false
 ftp:
- enabled: true
+ enabled: false
 http:
- enabled: true
+ enabled: false
 intel:
- enabled: true
+ enabled: false
 irc:
- enabled: true
+ enabled: false
 kerberos:
- enabled: true
+ enabled: false
 modbus:
- enabled: true
+ enabled: false
 mysql:
- enabled: true
+ enabled: false
 notice:
- enabled: true
+ enabled: false
 ntp:
- enabled: true
+ enabled: false
 ntlm:
- enabled: true
+ enabled: false
 ocsp:
- enabled: true
+ enabled: false
 pe:
- enabled: true
+ enabled: false
 radius:
- enabled: true
+ enabled: false
 rdp:
- enabled: true
+ enabled: false
 rfb:
- enabled: true
+ enabled: false
 signature:
- enabled: true
+ enabled: false
 sip:
- enabled: true
+ enabled: false
 smb_cmd:
- enabled: true
+ enabled: false
 smb_files:
- enabled: true
+ enabled: false
 smb_mapping:
- enabled: true
+ enabled: false
 smtp:
- enabled: true
+ enabled: false
 snmp:
- enabled: true
+ enabled: false
 socks:
- enabled: true
+ enabled: false
 ssh:
- enabled: true
+ enabled: false
 ssl:
- enabled: true
+ enabled: false
 stats:
- enabled: true
+ enabled: false
 syslog:
- enabled: true
+ enabled: false
 traceroute:
- enabled: true
+ enabled: false
 tunnel:
- enabled: true
+ enabled: false
 weird:
- enabled: true
+ enabled: false
 x509:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/zookeeper/_meta/config.yml b/x-pack/filebeat/module/zookeeper/_meta/config.yml
index a31d217a5ecb..e14f9d1020f4 100644
--- a/x-pack/filebeat/module/zookeeper/_meta/config.yml
+++ b/x-pack/filebeat/module/zookeeper/_meta/config.yml
@@ -1,14 +1,14 @@
 - module: zookeeper
 # All logs
 audit:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
 #var.paths:
 # All logs
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml
index 43c8ed436285..a010f43f3a99 100644
--- a/x-pack/filebeat/module/zoom/_meta/config.yml
+++ b/x-pack/filebeat/module/zoom/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: zoom
 webhook:
- enabled: true
+ enabled: false
 # The type of input to use
 #var.input: http_endpoint
diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml
index 9afb8712afbd..d7c47dc6e70f 100644
--- a/x-pack/filebeat/module/zscaler/_meta/config.yml
+++ b/x-pack/filebeat/module/zscaler/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: zscaler
 zia:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/activemq.yml.disabled b/x-pack/filebeat/modules.d/activemq.yml.disabled
index 1c6728dd8c42..82c70b169479 100644
--- a/x-pack/filebeat/modules.d/activemq.yml.disabled
+++ b/x-pack/filebeat/modules.d/activemq.yml.disabled
@@ -4,7 +4,7 @@
 - module: activemq
 # Audit logs
 audit:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
@@ -12,7 +12,7 @@
 # Application logs
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/modules.d/azure.yml.disabled b/x-pack/filebeat/modules.d/azure.yml.disabled
index dcf5b1764d72..89ccfff82049 100644
--- a/x-pack/filebeat/modules.d/azure.yml.disabled
+++ b/x-pack/filebeat/modules.d/azure.yml.disabled
@@ -4,7 +4,7 @@
 - module: azure
 # All logs
 activitylogs:
- enabled: true
+ enabled: false
 var:
 # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
 eventhub: "insights-operational-logs"
diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled
index 20552d4c5031..6327b8d6a755 100644
--- a/x-pack/filebeat/modules.d/barracuda.yml.disabled
+++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled
@@ -3,7 +3,7 @@
 - module: barracuda
 waf:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -22,7 +22,7 @@
 # var.tz_offset: local
 spamfirewall:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled
index df71bb8ab044..98a4cef099bb 100644
--- a/x-pack/filebeat/modules.d/bluecoat.yml.disabled
+++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled
@@ -3,7 +3,7 @@
 - module: bluecoat
 director:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/cef.yml.disabled b/x-pack/filebeat/modules.d/cef.yml.disabled
index bb8eca97d6b2..cda083f4a5eb 100644
--- a/x-pack/filebeat/modules.d/cef.yml.disabled
+++ b/x-pack/filebeat/modules.d/cef.yml.disabled
@@ -3,7 +3,7 @@
 - module: cef
 log:
- enabled: true
+ enabled: false
 var:
 syslog_host: localhost
 syslog_port: 9003
diff --git a/x-pack/filebeat/modules.d/checkpoint.yml.disabled b/x-pack/filebeat/modules.d/checkpoint.yml.disabled
index 03db911f1923..05fdfc0aa272 100644
--- a/x-pack/filebeat/modules.d/checkpoint.yml.disabled
+++ b/x-pack/filebeat/modules.d/checkpoint.yml.disabled
@@ -3,7 +3,7 @@
 - module: checkpoint
 firewall:
- enabled: true
+ enabled: false
 # Set which input to use between syslog (default) or file.
 #var.input: syslog
diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled
index 6a9336103367..3ad2d76a875f 100644
--- a/x-pack/filebeat/modules.d/cisco.yml.disabled
+++ b/x-pack/filebeat/modules.d/cisco.yml.disabled
@@ -3,7 +3,7 @@
 - module: cisco
 asa:
- enabled: true
+ enabled: false
 # Set which input to use between syslog (default) or file.
 #var.input: syslog
@@ -29,7 +29,7 @@
 #var.external_zones: [ "External" ]
 ftd:
- enabled: true
+ enabled: false
 # Set which input to use between syslog (default) or file.
 #var.input: syslog
@@ -55,7 +55,7 @@
 #var.external_zones: [ "External" ]
 ios:
- enabled: true
+ enabled: false
 # Set which input to use between syslog (default) or file.
 #var.input: syslog
@@ -72,7 +72,7 @@
 #var.paths:
 nexus:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -91,7 +91,7 @@
 # var.tz_offset: local
 meraki:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -110,7 +110,7 @@
 # var.tz_offset: local
 umbrella:
- enabled: true
+ enabled: false
 #var.input: aws-s3
 # AWS SQS queue url
@@ -125,7 +125,7 @@
 #var.api_timeout: 120s
 amp:
- enabled: true
+ enabled: false
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson
diff --git a/x-pack/filebeat/modules.d/coredns.yml.disabled b/x-pack/filebeat/modules.d/coredns.yml.disabled
index d4a871455fd3..fb7e99951305 100644
--- a/x-pack/filebeat/modules.d/coredns.yml.disabled
+++ b/x-pack/filebeat/modules.d/coredns.yml.disabled
@@ -4,7 +4,7 @@
 - module: coredns
 # Fileset for native deployment
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled
index a51bf2818a1c..aea362f2e403 100644
--- a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled
+++ b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled
@@ -4,7 +4,7 @@
 - module: crowdstrike
 falcon:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/modules.d/cyberark.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled
index 833a92645b13..391acfe7b248 100644
--- a/x-pack/filebeat/modules.d/cyberark.yml.disabled
+++ b/x-pack/filebeat/modules.d/cyberark.yml.disabled
@@ -5,7 +5,7 @@
 # Please use the Cyberark Privileged Account Security (cyberarkpas) module instead.
 - module: cyberark
 corepas:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled
index 2045718a6b7b..f2168e9d4530 100644
--- a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled
+++ b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled
@@ -3,7 +3,7 @@
 - module: cyberarkpas
 audit:
- enabled: true
+ enabled: false
 # Set which input to use between tcp (default), udp, or file.
 #
diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled
index 8f16f29ca5bc..164642f07382 100644
--- a/x-pack/filebeat/modules.d/cylance.yml.disabled
+++ b/x-pack/filebeat/modules.d/cylance.yml.disabled
@@ -3,7 +3,7 @@
 - module: cylance
 protect:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled
index a46cf2792826..d95316b3c301 100644
--- a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled
+++ b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled
@@ -4,7 +4,7 @@
 - module: envoyproxy
 # Fileset for native deployment
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled
index fdf357dae440..4db5209693d3 100644
--- a/x-pack/filebeat/modules.d/f5.yml.disabled
+++ b/x-pack/filebeat/modules.d/f5.yml.disabled
@@ -3,7 +3,7 @@
 - module: f5
 bigipapm:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -22,7 +22,7 @@
 # var.tz_offset: local
 bigipafm:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled
index f77f2169d6de..e31eb967d733 100644
--- a/x-pack/filebeat/modules.d/fortinet.yml.disabled
+++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled
@@ -3,7 +3,7 @@
 - module: fortinet
 firewall:
- enabled: true
+ enabled: false
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
@@ -26,7 +26,7 @@
 #var.external_interfaces: [ "WAN" ]
 clientendpoint:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -45,7 +45,7 @@
 # var.tz_offset: local
 fortimail:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
@@ -64,7 +64,7 @@
 # var.tz_offset: local
 fortimanager:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/gcp.yml.disabled b/x-pack/filebeat/modules.d/gcp.yml.disabled
index 0a1971525a32..b0b5f636b101 100644
--- a/x-pack/filebeat/modules.d/gcp.yml.disabled
+++ b/x-pack/filebeat/modules.d/gcp.yml.disabled
@@ -3,7 +3,7 @@
 - module: gcp
 vpcflow:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
@@ -31,7 +31,7 @@
 #var.internal_networks: [ "private" ]
 firewall:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
@@ -58,7 +58,7 @@
 #var.internal_networks: [ "private" ]
 audit:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
diff --git a/x-pack/filebeat/modules.d/google_workspace.yml.disabled b/x-pack/filebeat/modules.d/google_workspace.yml.disabled
index b5eb00519652..85142dfcaf02 100644
--- a/x-pack/filebeat/modules.d/google_workspace.yml.disabled
+++ b/x-pack/filebeat/modules.d/google_workspace.yml.disabled
@@ -3,7 +3,7 @@
 - module: google_workspace
 saml:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -11,7 +11,7 @@
 # var.user_key: all
 # var.interval: 2h
 user_accounts:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -19,7 +19,7 @@
 # var.user_key: all
 # var.interval: 2h
 login:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -27,7 +27,7 @@
 # var.user_key: all
 # var.interval: 2h
 admin:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -35,7 +35,7 @@
 # var.user_key: all
 # var.interval: 2h
 drive:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -43,7 +43,7 @@
 # var.user_key: all
 # var.interval: 2h
 groups:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
diff --git a/x-pack/filebeat/modules.d/googlecloud.yml.disabled b/x-pack/filebeat/modules.d/googlecloud.yml.disabled
index 6f3e6b53e21d..c337a0e7645b 100644
--- a/x-pack/filebeat/modules.d/googlecloud.yml.disabled
+++ b/x-pack/filebeat/modules.d/googlecloud.yml.disabled
@@ -4,7 +4,7 @@
 # googlecloud module is deprecated, please use gcp instead
 - module: gcp
 vpcflow:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
@@ -22,7 +22,7 @@
 var.credentials_file: ${path.config}/gcp-service-account-xyz.json
 firewall:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
@@ -40,7 +40,7 @@
 var.credentials_file: ${path.config}/gcp-service-account-xyz.json
 audit:
- enabled: true
+ enabled: false
 # Google Cloud project ID.
 var.project_id: my-gcp-project-id
diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled
index ddb160dcbac8..ec38309a193d 100644
--- a/x-pack/filebeat/modules.d/gsuite.yml.disabled
+++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled
@@ -4,7 +4,7 @@
 # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
 - module: gsuite
 saml:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -12,7 +12,7 @@
 # var.user_key: all
 # var.interval: 2h
 user_accounts:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -20,7 +20,7 @@
 # var.user_key: all
 # var.interval: 2h
 login:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -28,7 +28,7 @@
 # var.user_key: all
 # var.interval: 2h
 admin:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -36,7 +36,7 @@
 # var.user_key: all
 # var.interval: 2h
 drive:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
@@ -44,7 +44,7 @@
 # var.user_key: all
 # var.interval: 2h
 groups:
- enabled: true
+ enabled: false
 # var.jwt_file: credentials.json
 # var.delegated_account: admin@example.com
 # var.initial_interval: 24h
diff --git a/x-pack/filebeat/modules.d/ibmmq.yml.disabled b/x-pack/filebeat/modules.d/ibmmq.yml.disabled
index 0acfa0b0bce9..4ad3209a90ec 100644
--- a/x-pack/filebeat/modules.d/ibmmq.yml.disabled
+++ b/x-pack/filebeat/modules.d/ibmmq.yml.disabled
@@ -4,7 +4,7 @@
 - module: ibmmq
 # All logs
 errorlog:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled
index f5e69959cf98..cd864075960b 100644
--- a/x-pack/filebeat/modules.d/imperva.yml.disabled
+++ b/x-pack/filebeat/modules.d/imperva.yml.disabled
@@ -3,7 +3,7 @@
 - module: imperva
 securesphere:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled
index ec5385c6df7e..24d524d259d3 100644
--- a/x-pack/filebeat/modules.d/infoblox.yml.disabled
+++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled
@@ -3,7 +3,7 @@
 - module: infoblox
 nios:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/modules.d/iptables.yml.disabled b/x-pack/filebeat/modules.d/iptables.yml.disabled
index 833fd91537b9..2d51c67f24e5 100644
--- a/x-pack/filebeat/modules.d/iptables.yml.disabled
+++ b/x-pack/filebeat/modules.d/iptables.yml.disabled
@@ -3,7 +3,7 @@ - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 6ffe87834a43..583f47bb7f73 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -3,7 +3,7 @@ - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -41,7 +41,7 @@ # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled index 43944caad29c..e4af73ad6ede 100644 --- a/x-pack/filebeat/modules.d/microsoft.yml.disabled +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -4,7 +4,7 @@ - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -17,7 +17,7 @@ # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -34,7 +34,7 @@ #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/misp.yml.disabled b/x-pack/filebeat/modules.d/misp.yml.disabled index 610cc8740739..4e405aaac70e 100644 --- a/x-pack/filebeat/modules.d/misp.yml.disabled +++ b/x-pack/filebeat/modules.d/misp.yml.disabled 
@@ -5,7 +5,7 @@ - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key diff --git a/x-pack/filebeat/modules.d/mssql.yml.disabled b/x-pack/filebeat/modules.d/mssql.yml.disabled index 3fdaac9e8a66..c8473c91dd5f 100644 --- a/x-pack/filebeat/modules.d/mssql.yml.disabled +++ b/x-pack/filebeat/modules.d/mssql.yml.disabled @@ -4,7 +4,7 @@ - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled index c04fb9c19087..33c1731cd19d 100644 --- a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled +++ b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled @@ -3,7 +3,7 @@ - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file diff --git a/x-pack/filebeat/modules.d/netflow.yml.disabled b/x-pack/filebeat/modules.d/netflow.yml.disabled index f0d03a1fef27..7f365e90b436 100644 --- a/x-pack/filebeat/modules.d/netflow.yml.disabled +++ b/x-pack/filebeat/modules.d/netflow.yml.disabled @@ -3,7 +3,7 @@ - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled index 988f1b988993..c6d5520629b8 100644 --- a/x-pack/filebeat/modules.d/netscout.yml.disabled +++ b/x-pack/filebeat/modules.d/netscout.yml.disabled @@ -3,7 +3,7 @@ - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/o365.yml.disabled b/x-pack/filebeat/modules.d/o365.yml.disabled index a2bdc1ecee30..ab61528d6f9d 100644 --- a/x-pack/filebeat/modules.d/o365.yml.disabled 
+++ b/x-pack/filebeat/modules.d/o365.yml.disabled @@ -3,7 +3,7 @@ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" diff --git a/x-pack/filebeat/modules.d/okta.yml.disabled b/x-pack/filebeat/modules.d/okta.yml.disabled index 66965ac4ba25..062856ce4e4c 100644 --- a/x-pack/filebeat/modules.d/okta.yml.disabled +++ b/x-pack/filebeat/modules.d/okta.yml.disabled @@ -3,7 +3,7 @@ - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs diff --git a/x-pack/filebeat/modules.d/oracle.yml.disabled b/x-pack/filebeat/modules.d/oracle.yml.disabled index d8b1d8c58e2d..aa24b1f67554 100644 --- a/x-pack/filebeat/modules.d/oracle.yml.disabled +++ b/x-pack/filebeat/modules.d/oracle.yml.disabled @@ -3,7 +3,7 @@ - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/modules.d/panw.yml.disabled b/x-pack/filebeat/modules.d/panw.yml.disabled index 0bd5bf33419f..1a630f8fb4ee 100644 --- a/x-pack/filebeat/modules.d/panw.yml.disabled +++ b/x-pack/filebeat/modules.d/panw.yml.disabled @@ -3,7 +3,7 @@ - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/proofpoint.yml.disabled b/x-pack/filebeat/modules.d/proofpoint.yml.disabled index b0f94ac30222..34b31277086d 100644 --- a/x-pack/filebeat/modules.d/proofpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/proofpoint.yml.disabled @@ -3,7 +3,7 @@ - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
diff --git a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled index c446834f99e0..437cf9a57219 100644 --- a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled +++ b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled @@ -4,7 +4,7 @@ - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled index ad17e4fcd7d3..553d84591276 100644 --- a/x-pack/filebeat/modules.d/radware.yml.disabled +++ b/x-pack/filebeat/modules.d/radware.yml.disabled @@ -3,7 +3,7 @@ - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snort.yml.disabled b/x-pack/filebeat/modules.d/snort.yml.disabled index b8abbd3e370d..89d25c4b5566 100644 --- a/x-pack/filebeat/modules.d/snort.yml.disabled +++ b/x-pack/filebeat/modules.d/snort.yml.disabled @@ -3,7 +3,7 @@ - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snyk.yml.disabled b/x-pack/filebeat/modules.d/snyk.yml.disabled index b8f62d7b885c..f92cf1d71f06 100644 --- a/x-pack/filebeat/modules.d/snyk.yml.disabled +++ b/x-pack/filebeat/modules.d/snyk.yml.disabled @@ -3,7 +3,7 @@ - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -32,7 +32,7 @@ #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated 
diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled index 975b4577c135..f267d355b370 100644 --- a/x-pack/filebeat/modules.d/sonicwall.yml.disabled +++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled @@ -3,7 +3,7 @@ - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled index d0a7b23c6321..e875354ad628 100644 --- a/x-pack/filebeat/modules.d/sophos.yml.disabled +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled @@ -3,7 +3,7 @@ - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -27,7 +27,7 @@ utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled index 3656c1b8eedc..81d5f6e0af03 100644 --- a/x-pack/filebeat/modules.d/squid.yml.disabled +++ b/x-pack/filebeat/modules.d/squid.yml.disabled @@ -3,7 +3,7 @@ - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/suricata.yml.disabled b/x-pack/filebeat/modules.d/suricata.yml.disabled index d710dac848f6..98e905fff23e 100644 --- a/x-pack/filebeat/modules.d/suricata.yml.disabled +++ b/x-pack/filebeat/modules.d/suricata.yml.disabled @@ -4,7 +4,7 @@ - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index e150fe8835a7..55f192feb115 100644 
--- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled @@ -3,7 +3,7 @@ - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -15,7 +15,7 @@ var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -27,7 +27,7 @@ var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -39,7 +39,7 @@ var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -68,7 +68,7 @@ var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -95,7 +95,7 @@ var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -117,7 +117,7 @@ var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -142,7 +142,7 @@ # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled index 3dde8911ac08..dc7a8d7eadd4 100644 --- a/x-pack/filebeat/modules.d/tomcat.yml.disabled +++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled @@ -3,7 +3,7 @@ - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/zeek.yml.disabled b/x-pack/filebeat/modules.d/zeek.yml.disabled index d1349bf13889..2ceeeea911da 100644 --- a/x-pack/filebeat/modules.d/zeek.yml.disabled +++ b/x-pack/filebeat/modules.d/zeek.yml.disabled 
@@ -3,83 +3,83 @@ - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zookeeper.yml.disabled b/x-pack/filebeat/modules.d/zookeeper.yml.disabled index 34273eacff4c..f632c0de9e70 100644 --- a/x-pack/filebeat/modules.d/zookeeper.yml.disabled +++ b/x-pack/filebeat/modules.d/zookeeper.yml.disabled 
@@ -4,14 +4,14 @@ - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled index f5320d112b9e..a04706cf15a3 100644 --- a/x-pack/filebeat/modules.d/zoom.yml.disabled +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled @@ -3,7 +3,7 @@ - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled index 2c8f03ebcc39..732a033073b6 100644 --- a/x-pack/filebeat/modules.d/zscaler.yml.disabled +++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled @@ -3,7 +3,7 @@ - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp From c87bf37063822b10381c18cb5f5b09641f8c05ea Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 6 Sep 2021 15:47:02 +0200 Subject: [PATCH 3/5] mage update --- filebeat/filebeat.reference.yml | 6 ++-- x-pack/filebeat/filebeat.reference.yml | 30 +++++++++---------- .../filebeat/module/activemq/_meta/config.yml | 4 +-- x-pack/filebeat/module/azure/_meta/config.yml | 2 +- .../module/checkpoint/_meta/config.yml | 2 +- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 40746558c22c..33a24a5fb9ce 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -322,9 +322,9 @@ filebeat.modules: # #var.paths: #------------------------------- Osquery Module ------------------------------- -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e2df3c14ee21..acb3e5d1cd17 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -837,32 +837,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -1239,7 +1239,7 @@ filebeat.modules: - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1433,7 +1433,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. 
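Review bot: The osquery entry in filebeat.reference.yml is commented out wholesale (`#- module: osquery`, `#result:`, `#enabled: true`) instead of being flipped to `enabled: false` like every other fileset in this patch, so this hunk leaves a dormant `enabled: true` in place and removes osquery as a visible, configurable module entry; the x-pack reference file shows the same shape in its own osquery hunk. The `#` also sits at different columns on the three lines (before the dash, then after the indentation), so a user has to edit each line differently to re-enable it. Since the commit is titled "mage update" and the reference files appear to be generated, the fix presumably belongs in the osquery module's `_meta/config.yml`, which is not in this patch; I would make it `- module: osquery` / `  result:` / `    enabled: false` there and regenerate, so the reference file stays consistent with the rest of the change. The surrounding `filebeat.modules:` list starts and ends outside the hunk.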
@@ -1447,7 +1447,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1455,7 +1455,7 @@ filebeat.modules: # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1616,7 +1616,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1759,9 +1759,9 @@ filebeat.modules: #var.paths: ["/home/user/oracleauditlogs/*.aud"] #------------------------------- Osquery Module ------------------------------- -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1797,7 +1797,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 @@ -1894,7 +1894,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/x-pack/filebeat/module/activemq/_meta/config.yml b/x-pack/filebeat/module/activemq/_meta/config.yml index 593c6c1632d1..8c965bd1a8eb 100644 --- a/x-pack/filebeat/module/activemq/_meta/config.yml +++ b/x-pack/filebeat/module/activemq/_meta/config.yml @@ -1,7 +1,7 @@ - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
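Review bot: In the pensando hunk the `dfw` fileset becomes opt-in but keeps `var.syslog_host: 0.0.0.0` and `var.syslog_port: 9001` as live, uncommented settings, so the single edit `enabled: true` immediately binds a syslog listener on every interface. The other network-input filesets in this patch keep their `var.input` and host settings commented out, which makes enabling a deliberate two-step. Arguably out of scope for a disable-by-default change, but for consistency I would comment the two lines (`#var.syslog_host: 0.0.0.0` / `#var.syslog_port: 9001`) or at least default the host to `localhost`, as the netflow fileset already does; the module's default values are not visible here, so confirm what the input falls back to when the vars are unset.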
@@ -9,7 +9,7 @@ # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/azure/_meta/config.yml b/x-pack/filebeat/module/azure/_meta/config.yml index fdea9b1f2526..02f06ae956de 100644 --- a/x-pack/filebeat/module/azure/_meta/config.yml +++ b/x-pack/filebeat/module/azure/_meta/config.yml @@ -1,7 +1,7 @@ - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/module/checkpoint/_meta/config.yml b/x-pack/filebeat/module/checkpoint/_meta/config.yml index 8ed0c7d11c21..69357058b66f 100644 --- a/x-pack/filebeat/module/checkpoint/_meta/config.yml +++ b/x-pack/filebeat/module/checkpoint/_meta/config.yml @@ -1,6 +1,6 @@ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog From caa8d4a418de97840e1df8927e1cafe2aedcb5c8 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 6 Sep 2021 15:47:59 +0200 Subject: [PATCH 4/5] Changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0aacb43832a5..2738486f43bd 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -84,6 +84,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627] - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] - Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] +- All filesets are disabled in the default configuration. {issue}17256[17256] {pull}27762[27762] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] From 1bba1cad59ed62507d3b1210c57cfe0929c8ed4d Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 6 Sep 2021 16:59:42 +0200 Subject: [PATCH 5/5] Update docs --- filebeat/docs/getting-started.asciidoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index 8f340bde6a54..d51a267b91f2 100644 --- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc @@ -86,8 +86,8 @@ configs: include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[] -- -. In the module configs under `modules.d`, change the module settings to match -your environment. +. In the module configs under `modules.d`, enable the desired datasets and +change the module settings to match your environment. + For example, log locations are set based on the OS. If your logs aren't in default locations, set the `paths` variable: @@ -97,6 +97,7 @@ default locations, set the `paths` variable: ---- - module: nginx access: + enabled: true var.paths: ["/var/log/nginx/access.log*"] <1> ---- --