work on idaholab#19, assigning severity to certain types of events

docker-compose-standalone.yml

@@ -229,6 +229,7 @@ services:
       - 9600
     volumes:
       - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
+      - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
       - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
       - ./logstash/certs/ca.crt:/certs/ca.crt:ro
       - ./logstash/certs/server.crt:/certs/server.crt:ro

docker-compose.yml

@@ -242,6 +242,7 @@ services:
     volumes:
       - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
       - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro
+      - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
       - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
       - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
       - ./logstash/certs/ca.crt:/certs/ca.crt:ro

logstash/pipelines/enrichment/19_severity.conf

@@ -1,6 +1,6 @@
 filter {
 
-  # see malcolm_event_categories_severity.yaml for mappings to severity scores
+  # see malcolm_severity.yaml for mappings to severity scores
 
   # identify cross-segment traffic based on previously-populated tag
   if ("cross_segment" in [tags]) {
@@ -267,7 +267,7 @@ filter {
     id => "ruby_calculate_final_severity_score"
     # pre-load severity score mapping in init outside of processing pipeline
     init => "
-      require 'yaml'; $severityMappings = YAML.load(File.read('/etc/malcolm_event_categories_severity.yaml'))
+      require 'yaml'; $severityMappings = YAML.load(File.read('/etc/malcolm_severity.yaml'))
     "
     # to calculate severity:
     # - look up list of severity_tags against severity score mapping (generate hash), ignoring <= 0 or missing (nil) values

malcolm-iso/build.sh

@@ -96,6 +96,7 @@ if [ -d "$WORKDIR" ]; then
   mkdir -p "$MALCOLM_DEST_DIR/nginx/certs/"
   mkdir -p "$MALCOLM_DEST_DIR/htadmin/"
   mkdir -p "$MALCOLM_DEST_DIR/logstash/certs/"
+  mkdir -p "$MALCOLM_DEST_DIR/logstash/maps/"
   mkdir -p "$MALCOLM_DEST_DIR/filebeat/certs/"
   mkdir -p "$MALCOLM_DEST_DIR/elasticsearch/nodes/"
   mkdir -p "$MALCOLM_DEST_DIR/elasticsearch-backup/"
@@ -130,6 +131,7 @@ if [ -d "$WORKDIR" ]; then
   cp ./scripts/malcolm_common.py "$MALCOLM_DEST_DIR/scripts/"
   cp ./README.md "$MALCOLM_DEST_DIR/"
   cp ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/"
+  cp ./logstash/maps/malcolm_severity.yaml "$MALCOLM_DEST_DIR/logstash/maps/"
   touch "$MALCOLM_DEST_DIR"/firstrun
   popd >/dev/null 2>&1
 

scripts/malcolm_appliance_packager.sh

@@ -65,6 +65,7 @@ if mkdir "$DESTDIR"; then
   mkdir $VERBOSE -p "$DESTDIR/nginx/ca-trust/"
   mkdir $VERBOSE -p "$DESTDIR/htadmin/"
   mkdir $VERBOSE -p "$DESTDIR/logstash/certs/"
+  mkdir $VERBOSE -p "$DESTDIR/logstash/maps/"
   mkdir $VERBOSE -p "$DESTDIR/filebeat/certs/"
   mkdir $VERBOSE -p "$DESTDIR/elasticsearch/nodes/"
   mkdir $VERBOSE -p "$DESTDIR/elasticsearch-backup/"
@@ -89,6 +90,7 @@ if mkdir "$DESTDIR"; then
   cp $VERBOSE ./scripts/malcolm_common.py "$DESTDIR/scripts/"
   cp $VERBOSE ./README.md "$DESTDIR/"
   cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/"
+  cp $VERBOSE ./logstash/maps/malcolm_severity.yaml "$DESTDIR/logstash/maps/"
   pushd "$DESTDIR" >/dev/null 2>&1
   pushd "./scripts" >/dev/null 2>&1
   ln -s ./control.py auth_setup