Merge pull request #10 from AtlasInsideCorp/dev

Dev

Author: osmontero

beats.go

@@ -22,8 +22,8 @@ func startBeat() {
 		case "windows":
 			runOnce.Do(func() {
 				result, err := execute(
-					filepath.Join(path, "beats", "windows", "winlogbeat", "winlogbeat.exe"),
-					filepath.Join(path, "beats", "windows", "winlogbeat"),
+					filepath.Join(path, "beats", "winlogbeat", "winlogbeat.exe"),
+					filepath.Join(path, "beats", "winlogbeat"),
 					"--strict.perms=false",
 					"-c",
 					"winlogbeat.yml",
@@ -59,7 +59,7 @@ func configureBeat(ip string) error {
 
 	switch runtime.GOOS {
 	case "windows":
-		configFile := filepath.Join(path, "beats", "windows", "winlogbeat", "winlogbeat.yml")
+		configFile := filepath.Join(path, "beats", "winlogbeat", "winlogbeat.yml")
 		templateFile := filepath.Join(path, "templates", "winlogbeat.yml")
 		err := generateFromTemplate(config, templateFile, configFile)
 		if err != nil {

bitmap.ico

@@ -1,12 +1,18 @@
 package main
 
 import (
+	"errors"
 	"os/exec"
 )
 
 func execute(c string, dir string, arg ...string) (string, bool) {
 	cmd := exec.Command(c, arg...)
+	
 	cmd.Dir = dir
+	if errors.Is(cmd.Err, exec.ErrDot) {
+		cmd.Err = nil
+	}
+
 	out, err := cmd.Output()
 	if err != nil {
 		return string(out[:]) + err.Error(), true

cmd.go

@@ -1,22 +1,30 @@
-winlogbeat.event_logs:
- - name: Application
-   ignore_older: 72h
- - name: Security
- - name: System
-
-#==================== Elasticsearch template setting ==========================
-setup.template.settings:
- index.number_of_shards: 3
-
-#----------------------------- Logstash output --------------------------------
-output.logstash:
- hosts: ['{{ .IP }}:5044']
- ssl.certificate_authorities: ['{{.CA}}']
- ssl.certificate: '{{.ClientCert}}'
- ssl.key: '{{.ClientKey}}'
- ssl.verification_mode: none
-
-#================================ Processors =====================================
-processors:
- - add_host_metadata: ~
- - add_cloud_metadata: ~
+winlogbeat.event_logs:
+  - name: Application
+    ignore_older: 72h
+  - name: System
+  - name: Security
+  - name: Microsoft-Windows-Sysmon/Operational
+  - name: Windows PowerShell
+    event_id: 400, 403, 600, 800
+  - name: Microsoft-Windows-PowerShell/Operational
+    event_id: 4103, 4104, 4105, 4106
+  - name: ForwardedEvents
+    tags: [forwarded]
+
+#==================== Elasticsearch template setting ==========================
+setup.template.settings:
+ index.number_of_shards: 3
+
+#----------------------------- Logstash output --------------------------------
+output.logstash:
+ hosts: ['{{ .IP }}:5044']
+ ssl.certificate_authorities: ['{{.CA}}']
+ ssl.certificate: '{{.ClientCert}}'
+ ssl.key: '{{.ClientKey}}'
+ ssl.verification_mode: none
+
+#================================ Processors =====================================
+processors:
+  - add_host_metadata:
+      when.not.contains.tags: forwarded
+  - add_cloud_metadata: ~