Merge branch 'splunk-james-develop' into develop

splunk · Dec 9, 2024 · 52770c1 · 52770c1
2 parents dffedb2 + d6ad960
commit 52770c1
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 6 deletions.
diff --git a/attack_range.py b/attack_range.py
@@ -24,7 +24,7 @@ def init(args):
                    _.-"       d$$$$
                  .' ..       d$$$$;
                 /  /P'      d$$$$P. |\\
-               /   "      .d$$$P' |\^"l
+               /   "      .d$$$P' |\\^"l
              .'           `T$P^\"\"\"\"\"  :
          ._.'      _.'                ;
       `-.-".-'-' ._.       _.-"    .-"
@@ -35,8 +35,8 @@ def init(args):
     ._.'-'`-'  ")/         /;/;
  `-.-"..--""   " /         /  ;
 .-" ..--""        -'          :
-..--""--.-"         (\      .-(\\
-  ..--""              `-\(\/;`
+..--""--.-"         (\\     .-(\\
+  ..--""              `-\\(\\/;`
     _.                      :
                             ;`-
                            :\\

diff --git a/configs/SysMonLinux-CatchAll.xml b/configs/SysMonLinux-CatchAll.xml
@@ -22,11 +22,13 @@
     </RuleGroup>
     <!-- Event ID 11 == FileCreate. Log every file creation -->
     <RuleGroup name="" groupRelation="or">
-      <FileCreate onmatch="exclude"/>
+      <FileCreate onmatch="exclude">
+            <TargetFilename condition="begin with">/opt/splunkforwarder/var/lib/splunk/modinputs/journald</TargetFilename> <!--Exclude Splunk Modinput Journal-->
+      </FileCreate>
     </RuleGroup>
     <!--Event ID 23 == FileDelete. Log all files being deleted -->
     <RuleGroup name="" groupRelation="or">
       <FileDelete onmatch="exclude"/>
     </RuleGroup>
   </EventFiltering>
-</Sysmon>
+</Sysmon>
diff --git a/configs/rsyslog_logrotate b/configs/rsyslog_logrotate
@@ -0,0 +1,25 @@
+/var/log/syslog
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+        rotate 7
+        daily
+        missingok
+        notifempty
+        compress
+        delaycompress
+        sharedscripts
+        postrotate
+                /usr/lib/rsyslog/rsyslog-rotate
+        endscript
+}
diff --git a/terraform/ansible/roles/linux_common/tasks/main.yml b/terraform/ansible/roles/linux_common/tasks/main.yml
@@ -3,4 +3,5 @@
 #- include_tasks: update_packages.yml
 - include_tasks: disable-dnssec.yml
 - include_tasks: disable-autoupgrade.yml
-- include_tasks: update_sshd_config.yml
+- include_tasks: update_sshd_config.yml
+- include_tasks: update_rsyslog_logrotate.yml
diff --git a/terraform/ansible/roles/linux_common/tasks/update_rsyslog_logrotate.yml b/terraform/ansible/roles/linux_common/tasks/update_rsyslog_logrotate.yml
@@ -0,0 +1,5 @@
+- name: copy rsyslog logrotate config template
+  become: true
+  copy:
+    src: "../../configs/rsyslog_logrotate"
+    dest: "/etc/logrotate.d/rsyslog"