for idaholab#415, work in progress on converting devices -> vms

mmguero-dev · Apr 26, 2024 · 41f8bd6 · 41f8bd6
1 parent df9123a
commit 41f8bd6
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 51 deletions.
diff --git a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
@@ -260,7 +260,7 @@
       "version": "WzMzNSwxXQ==",
       "attributes": {
         "title": "DHCP - IP to MAC Assignment",
-        "visState": "{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.assigned_ip\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.mac\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}",
+        "visState": "{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.assigned_ip\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.mac\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}",
         "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
         "description": "",
         "version": 1,
@@ -353,7 +353,7 @@
         "description": "",
         "hits": 0,
         "columns": [
-          "zeek.dhcp.mac",
+          "source.mac",
           "zeek.dhcp.assigned_ip",
           "destination.ip",
           "zeek.dhcp.host_name",

diff --git a/logstash/pipelines/enrichment/21_netbox.conf b/logstash/pipelines/enrichment/21_netbox.conf
@@ -63,38 +63,16 @@ filter {
       }
     }
 
-    if ([zeek][ntlm][hostname]) and ([source][ip]) {
-      ruby {
-        id => "ruby_netbox_enrich_ntlm_hostname_to_ip"
-        path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
-        script_params => {
-          "lookup_type" => "ip_device"
-          "source" => "[source][ip]"
-          "source_hostname" => "[zeek][ntlm][hostname]"
-          "enabled_env" => "NETBOX_ENRICHMENT"
-          "verbose_env" => "NETBOX_ENRICHMENT_VERBOSE"
-          "debug_env" => "NETBOX_ENRICHMENT_DEBUG"
-          "lookup_site_env" => "NETBOX_DEFAULT_SITE"
-          "netbox_token_env" => "SUPERUSER_API_TOKEN"
-          "cache_size_env" => "NETBOX_CACHE_SIZE"
-          "cache_ttl_env" => "NETBOX_CACHE_TTL"
-          "autopopulate_env" => "NETBOX_AUTO_POPULATE"
-          "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER"
-          "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE"
-          "default_role_env" => "NETBOX_DEFAULT_ROLE"
-        }
-      }
-    }
+    if ([zeek][ntlm]) {
 
-    if ([zeek][ntlm]) and ([destination][ip]) {
-      if ([zeek][ntlm][server_nb_computer_name]) {
+      if ([zeek][ntlm][host]) and ([source][ip]) {
         ruby {
-          id => "ruby_netbox_enrich_ntlm_server_nb_computer_name_to_ip"
+          id => "ruby_netbox_enrich_ntlm_host_to_ip"
           path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
           script_params => {
             "lookup_type" => "ip_device"
-            "source" => "[destination][ip]"
-            "source_hostname" => "[zeek][ntlm][server_nb_computer_name]"
+            "source" => "[source][ip]"
+            "source_hostname" => "[zeek][ntlm][host]"
             "enabled_env" => "NETBOX_ENRICHMENT"
             "verbose_env" => "NETBOX_ENRICHMENT_VERBOSE"
             "debug_env" => "NETBOX_ENRICHMENT_DEBUG"
@@ -108,31 +86,57 @@ filter {
             "default_role_env" => "NETBOX_DEFAULT_ROLE"
           }
         }
-      } else if ([zeek][ntlm][server_dns_computer_name]) {
-        ruby {
-          id => "ruby_netbox_enrich_ntlm_server_dns_computer_name_to_ip"
-          path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
-          script_params => {
-            "lookup_type" => "ip_device"
-            "source" => "[destination][ip]"
-            "source_hostname" => "[zeek][ntlm][server_dns_computer_name]"
-            "enabled_env" => "NETBOX_ENRICHMENT"
-            "verbose_env" => "NETBOX_ENRICHMENT_VERBOSE"
-            "debug_env" => "NETBOX_ENRICHMENT_DEBUG"
-            "lookup_site_env" => "NETBOX_DEFAULT_SITE"
-            "netbox_token_env" => "SUPERUSER_API_TOKEN"
-            "cache_size_env" => "NETBOX_CACHE_SIZE"
-            "cache_ttl_env" => "NETBOX_CACHE_TTL"
-            "autopopulate_env" => "NETBOX_AUTO_POPULATE"
-            "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER"
-            "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE"
-            "default_role_env" => "NETBOX_DEFAULT_ROLE"
+      } # ([zeek][ntlm][host]) and ([source][ip])
+
+      if ([destination][ip]) {
+        if ([zeek][ntlm][server_nb_computer]) {
+          ruby {
+            id => "ruby_netbox_enrich_ntlm_server_nb_computer_to_ip"
+            path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
+            script_params => {
+              "lookup_type" => "ip_device"
+              "source" => "[destination][ip]"
+              "source_hostname" => "[zeek][ntlm][server_nb_computer]"
+              "enabled_env" => "NETBOX_ENRICHMENT"
+              "verbose_env" => "NETBOX_ENRICHMENT_VERBOSE"
+              "debug_env" => "NETBOX_ENRICHMENT_DEBUG"
+              "lookup_site_env" => "NETBOX_DEFAULT_SITE"
+              "netbox_token_env" => "SUPERUSER_API_TOKEN"
+              "cache_size_env" => "NETBOX_CACHE_SIZE"
+              "cache_ttl_env" => "NETBOX_CACHE_TTL"
+              "autopopulate_env" => "NETBOX_AUTO_POPULATE"
+              "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER"
+              "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE"
+              "default_role_env" => "NETBOX_DEFAULT_ROLE"
+            }
+          }
+        } else if ([zeek][ntlm][server_dns_computer]) {
+          ruby {
+            id => "ruby_netbox_enrich_ntlm_server_dns_computer_to_ip"
+            path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
+            script_params => {
+              "lookup_type" => "ip_device"
+              "source" => "[destination][ip]"
+              "source_hostname" => "[zeek][ntlm][server_dns_computer]"
+              "enabled_env" => "NETBOX_ENRICHMENT"
+              "verbose_env" => "NETBOX_ENRICHMENT_VERBOSE"
+              "debug_env" => "NETBOX_ENRICHMENT_DEBUG"
+              "lookup_site_env" => "NETBOX_DEFAULT_SITE"
+              "netbox_token_env" => "SUPERUSER_API_TOKEN"
+              "cache_size_env" => "NETBOX_CACHE_SIZE"
+              "cache_ttl_env" => "NETBOX_CACHE_TTL"
+              "autopopulate_env" => "NETBOX_AUTO_POPULATE"
+              "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER"
+              "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE"
+              "default_role_env" => "NETBOX_DEFAULT_ROLE"
+            }
           }
         }
-      }
-    }
+      } # [destination][ip]
+    } # ntlm
+
 
-    if ([zeek][dhcp][assigned_addr]) {
+    if ([zeek][dhcp][assigned_ip]) {
       if ([zeek][dhcp][client_fqdn]) {
         ruby {
           id => "ruby_netbox_enrich_dhcp_client_fqdn_to_ip"