trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
Vagrant/resources/malcolm/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.sh Executable file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
PROCESS_DIR=${FILEBEAT_ZEEK_DIR:-/data/zeek/}
UPLOAD_DIR="${PROCESS_DIR}/upload"
mkdir -p "$UPLOAD_DIR"
# as new zeek log archives are closed for writing in /data/zeek/upload, move them to /data/zeek for processing
inotifywait -m -e close_write --format '%w%f' "${UPLOAD_DIR}" | while read NEWFILE
do
FILEMIME=$(file -b --mime-type "$NEWFILE")
if ( echo "$FILEMIME" | grep --quiet -P "(application/gzip|application/x-gzip|application/x-7z-compressed|application/x-bzip2|application/x-cpio|application/x-lzip|application/x-lzma|application/x-rar-compressed|application/x-tar|application/x-xz|application/zip)" ); then
# looks like this is a compressed file, we're assuming it's a zeek log archive to be processed by filebeat
sleep 0.1 && chown ${PUID:-${DEFAULT_UID}}:${PGID:-${DEFAULT_GID}} "$NEWFILE" && (>&2 mv -v "$NEWFILE" "$PROCESS_DIR/")
else
# unhandled file type uploaded, delete it
sleep 0.1 && chown ${PUID:-${DEFAULT_UID}}:${PGID:-${DEFAULT_GID}} && (>&2 rm "$NEWFILE") && echo "Removed \"$NEWFILE\", unhandled file type \"$FILEMIME\""
fi
done