def install_zeek(configuration_directory, install_directory, capture_network_interfaces, download_zeek_archive=True, stdout=True, verbose=False): """ Install Zeek :param configuration_directory: Path to the configuration directory (E.G /etc/dynamite/zeek) :param install_directory: Path to the install directory (E.G /opt/dynamite/zeek/) :param capture_network_interfaces: A list of network interfaces to capture on (E.G ["mon0", "mon1"]) :param download_zeek_archive: If True, download the Zeek archive from a mirror :param stdout: Print the output to console :param verbose: Include detailed debug messages """ log_level = logging.INFO if verbose: log_level = logging.DEBUG logger = get_logger('ZEEK', level=log_level, stdout=stdout) zeek_profiler = zeek_profile.ProcessProfiler() if zeek_profiler.is_installed(): logger.error("Zeek is already installed.") raise zeek_exceptions.AlreadyInstalledZeekError() zeek_installer = InstallManager(configuration_directory, install_directory, capture_network_interfaces=capture_network_interfaces, download_zeek_archive=download_zeek_archive, stdout=stdout, verbose=verbose) zeek_installer.setup_zeek() zeek_installer.setup_dynamite_zeek_scripts()
def __init__(self, stdout, verbose, status): execution_strategy.BaseExecStrategy.__init__( self, strategy_name="agent_stop", strategy_description="Stop Agent processes.", functions=( utilities.create_dynamite_environment_file, filebeat_process.stop, ), arguments=( # utilities.create_dynamite_environment_file {}, # filebeat_process.stop { "stdout": bool(stdout), "verbose": bool(verbose) }, ), return_formats=(None, None)) if zeek_profile.ProcessProfiler().is_installed(): self.add_function(func=zeek_process.stop, argument_dict={ "stdout": bool(stdout), "verbose": bool(verbose) }) if suricata_profile.ProcessProfiler().is_installed(): self.add_function(func=suricata_process.stop, argument_dict={ "stdout": bool(stdout), "verbose": bool(verbose) }) if status: self.add_function(get_agent_status, {"pretty_print_status": True}, return_format="text")
def __init__(self, prompt_user, stdout, verbose): execution_strategy.BaseExecStrategy.__init__( self, strategy_name="agent_uninstall", strategy_description="Uninstall Agent.", functions=( utilities.create_dynamite_environment_file, prompt_agent_uninstall, ), arguments=( # utilities.create_dynamite_environment_file {}, # prompt_user { "prompt_user": bool(prompt_user), "stdout": bool(stdout), }, ), return_formats=( None, None, )) if filebeat_profile.ProcessProfiler().is_installed(): self.add_function(func=filebeat_install.uninstall_filebeat, argument_dict={ 'prompt_user': False, 'stdout': bool(stdout), 'verbose': bool(verbose) }) if zeek_profile.ProcessProfiler().is_installed(): self.add_function(func=zeek_install.uninstall_zeek, argument_dict={ 'prompt_user': False, 'stdout': bool(stdout), 'verbose': bool(verbose) }) if suricata_profile.ProcessProfiler().is_installed(): self.add_function(func=suricata_install.uninstall_suricata, argument_dict={ 'prompt_user': False, 'stdout': bool(stdout), 'verbose': bool(verbose) }) if get_installed_agent_analyzers(): self.add_function(func=log_message, argument_dict={ "msg": '*** Agent uninstalled successfully. ***', 'stdout': bool(stdout), 'verbose': bool(verbose) }) else: self.add_function(func=log_message, argument_dict={ "msg": '*** Agent is not installed. ***', 'stdout': bool(stdout), 'verbose': bool(verbose) })
def get_installed_agent_analyzers(): zeek_profiler = zeek_profile.ProcessProfiler() suricata_profiler = suricata_profile.ProcessProfiler() filebeat_profiler = filebeat_profile.ProcessProfiler() agent_analyzers = [] if zeek_profiler.is_installed(): agent_analyzers.append('Zeek') if suricata_profiler.is_installed(): agent_analyzers.append('Suricata') if filebeat_profiler.is_installed(): agent_analyzers.append('Filebeat') return agent_analyzers
def stop(self) -> bool: """Stop agent processes Returns: True, if successful """ filebeat_res, suricata_res, zeek_res = True, True, True if not filebeat_profile.ProcessProfiler().is_installed(): self.logger.error('You must install Filebeat to run this command.') return False filebeat_res = filebeat_process.ProcessManager().stop() if suricata_profile.ProcessProfiler().is_installed(): suricata_res = suricata_process.ProcessManager().stop() if zeek_profile.ProcessProfiler().is_installed(): zeek_res = zeek_process.ProcessManager().stop() return filebeat_res and zeek_res and suricata_res
def actionHighlighted(self, act_on_this, keypress): zeek_installed, suricata_installed, filebeat_installed = zeek_profile.ProcessProfiler().is_installed(), \ suricata_profile.ProcessProfiler().is_installed(), \ filebeat_profile.ProcessProfiler().is_installed() app_mapping = {} if filebeat_installed: if zeek_installed and suricata_installed: app_mapping = zeek_and_suricata_mapping elif zeek_installed: app_mapping = zeek_only_mapping elif suricata_installed: app_mapping = suricata_only_mapping npyscreen.notify_wait(act_on_this, form_color='GOODHL') app_mapping[act_on_this]().run() exit(0)
def create(self): zeek_installed, suricata_installed, filebeat_installed = zeek_profile.ProcessProfiler().is_installed(), \ suricata_profile.ProcessProfiler().is_installed(), \ filebeat_profile.ProcessProfiler().is_installed() app_mapping = {} if filebeat_installed: if zeek_installed and suricata_installed: app_mapping = zeek_and_suricata_mapping elif zeek_installed: app_mapping = zeek_only_mapping elif suricata_installed: app_mapping = suricata_only_mapping self.add(AgentConfigMultiSelect, values=sorted(app_mapping.keys()), max_height=5)
def uninstall(self) -> None: """Uninstall Zeek, Suricata and Filebeat from this instance. Returns: None """ from dynamite_nsm.services.zeek import profile as zeek_profile from dynamite_nsm.services.suricata import profile as suricata_profile filebeat_install.UninstallManager(self.stdout, self.verbose).uninstall() if zeek_profile.ProcessProfiler().is_installed(): zeek_install.UninstallManager(purge_config=True, stdout=self.stdout, verbose=self.verbose).uninstall() if suricata_profile.ProcessProfiler().is_installed(): suricata_install.UninstallManager( purge_config=True, stdout=self.stdout, verbose=self.verbose).uninstall()
def __init__(self, stdout: Optional[bool] = True, verbose: Optional[bool] = False, pretty_print_status: Optional[bool] = False): """Manage Zeek processes and sub-processes Args: stdout: Print output to console verbose: Include detailed debug messages pretty_print_status: If true, status will be printed in a tabular form """ self.environment_variables = utilities.get_environment_file_dict() self.install_directory = self.environment_variables.get('ZEEK_HOME') process.BaseProcessManager.__init__( self, 'zeek.service', 'zeek.process', log_path=None, stdout=stdout, verbose=verbose, pretty_print_status=pretty_print_status) if not zeek_profile.ProcessProfiler().is_installed(): raise general_exceptions.CallProcessError("Zeek is not installed.")
def get_agent_status(verbose=False, pretty_print_status=True): zeek_profiler = zeek_profile.ProcessProfiler() suricata_profiler = suricata_profile.ProcessProfiler() status_tables = "\n" agent_status = {} filebeat_status = filebeat_process.ProcessManager( verbose=verbose, pretty_print_status=pretty_print_status).status() status_tables += filebeat_status + '\n\n' agent_status.update({'filebeat': filebeat_status}) if zeek_profiler.is_installed(): zeek_status = zeek_process.ProcessManager( verbose=verbose, pretty_print_status=pretty_print_status).status() status_tables += zeek_status + '\n\n' agent_status.update({'zeek': zeek_status}) if suricata_profiler.is_installed(): suricata_status = suricata_process.ProcessManager( verbose=verbose, pretty_print_status=pretty_print_status).status() status_tables += suricata_status + '\n\n' agent_status.update({'suricata': suricata_status}) if pretty_print_status: return status_tables return agent_status
def __init__(self, stdout=True, verbose=False, pretty_print_status=False): self.environment_variables = utilities.get_environment_file_dict() self.install_directory = self.environment_variables.get('ZEEK_HOME') try: process.BaseProcessManager.__init__( self, 'zeek.service', 'zeek', log_path=None, pid_file=None, stdout=stdout, verbose=verbose, pretty_print_status=pretty_print_status) except general_exceptions.CallProcessError: raise zeek_exceptions.CallZeekProcessError( "Could not find systemctl.") if not zeek_profile.ProcessProfiler().is_installed(): self.logger.error( "Zeek is not installed. Install it with 'dynamite agent install -h'" ) raise zeek_exceptions.CallZeekProcessError( "Zzeek is not installed.")
def get_available_cpus(self) -> list: """Get the CPU core numbers that are not currently being utilized Returns: A list of available CPUs """ zeek_profiler = zeek_profile.ProcessProfiler() suricata_profiler = suricata_profile.ProcessProfiler() available_cpus = [c for c in range(0, utilities.get_cpu_core_count())] reserved_cpus = [] zeek_cpus = [] suricata_cpus = [] if zeek_profiler.is_installed(): zeek_node_config_mng = zeek_config.NodeConfigManager( install_directory=self.zeek_install_directory, stdout=self.stdout, verbose=self.verbose) for worker in zeek_node_config_mng.workers: zeek_cpus.extend(worker.pinned_cpus) if suricata_profiler.is_installed(): suricata_config_mng = suricata_config.ConfigManager( configuration_directory=self.suricata_configuration_directory, stdout=self.stdout, verbose=self.verbose) if suricata_config_mng.threading.worker_cpu_set: suricata_cpus.extend( suricata_config_mng.threading.worker_cpu_set) if suricata_config_mng.threading.receive_cpu_set: suricata_cpus.extend( suricata_config_mng.threading.receive_cpu_set) if suricata_config_mng.threading.management_cpu_set: suricata_cpus.extend( suricata_config_mng.threading.management_cpu_set) reserved_cpus.extend(suricata_cpus) reserved_cpus.extend(zeek_cpus) return list(set([c for c in available_cpus if c not in reserved_cpus]))
def __init__(self, stdout, verbose, status): execution_strategy.BaseExecStrategy.__init__( self, strategy_name="agent_restart", strategy_description="Restart Agent processes.") self.add_function(func=filebeat_process.stop, argument_dict={ 'stdout': bool(stdout), 'verbose': bool(verbose) }) self.add_function(func=filebeat_process.start, argument_dict={'stdout': bool(stdout)}) if zeek_profile.ProcessProfiler().is_installed(): self.add_function(func=zeek_process.stop, argument_dict={ 'stdout': bool(stdout), 'verbose': bool(verbose) }) self.add_function(func=zeek_process.start, argument_dict={ 'stdout': bool(stdout), 'verbose': bool(verbose) }) if suricata_profile.ProcessProfiler().is_installed(): self.add_function(func=suricata_process.stop, argument_dict={ 'stdout': bool(stdout), 'verbose': bool(verbose) }) self.add_function(func=suricata_process.start, argument_dict={ 'stdout': bool(stdout), 'verbose': bool(verbose) }) if status: self.add_function(get_agent_status, {"pretty_print_status": True}, return_format="text")
def uninstall_zeek(prompt_user=True, stdout=True, verbose=False): """ Uninstall Zeek :param prompt_user: Print a warning before continuing :param stdout: Print the output to console :param verbose: Include detailed debug messages """ log_level = logging.INFO if verbose: log_level = logging.DEBUG logger = get_logger('ZEEK', level=log_level, stdout=stdout) logger.info("Uninstalling Zeek.") env_file = os.path.join(const.CONFIG_PATH, 'environment') environment_variables = utilities.get_environment_file_dict() zeek_profiler = zeek_profile.ProcessProfiler() if not zeek_profiler.is_installed(): logger.error("Zeek is not installed. Cannot uninstall.") raise zeek_exceptions.UninstallZeekError("Zeek is not installed.") if prompt_user: sys.stderr.write('\n\033[93m[-] WARNING! Removing Zeek Will Remove Critical Agent Functionality.\033[0m\n') resp = utilities.prompt_input('\033[93m[?] Are you sure you wish to continue? ([no]|yes): \033[0m') while resp not in ['', 'no', 'yes']: resp = utilities.prompt_input('\033[93m[?] Are you sure you wish to continue? ([no]|yes): \033[0m') if resp != 'yes': if stdout: sys.stdout.write('\n[+] Exiting\n') exit(0) if zeek_profiler.is_running(): try: zeek_process.ProcessManager().stop() except zeek_exceptions.CallZeekProcessError as e: logger.error("Could not kill Zeek process. Cannot uninstall.") logger.debug("Could not kill Zeek process. Cannot uninstall; {}".format(e)) raise zeek_exceptions.UninstallZeekError("Could not kill Zeek process; {}".format(e)) install_directory = environment_variables.get('ZEEK_HOME') config_directory = environment_variables.get('ZEEK_SCRIPTS') try: with open(env_file) as env_fr: env_lines = '' for line in env_fr.readlines(): if 'ZEEK_HOME' in line: continue elif 'ZEEK_SCRIPTS' in line: continue elif 'PF_RING_HOME' in line: continue elif line.strip() == '': continue env_lines += line.strip() + '\n' with open(env_file, 'w') as env_fw: env_fw.write(env_lines) if zeek_profiler.is_installed(): shutil.rmtree(install_directory, ignore_errors=True) shutil.rmtree(config_directory, ignore_errors=True) except Exception as e: logger.error("General error occurred while attempting to uninstall Zeek.") logger.debug("General error occurred while attempting to uninstall Zeek; {}".format(e)) raise zeek_exceptions.UninstallZeekError( "General error occurred while attempting to uninstall Zeek; {}".format(e)) try: sysctl = systemctl.SystemCtl() except general_exceptions.CallProcessError: raise zeek_exceptions.UninstallZeekError("Could not find systemctl.") sysctl.uninstall_and_disable('zeek')
def status(self) -> Optional[Union[Dict, str]]: """Get the status of a processes Returns: A dictionary containing process status or a tabulated string if `pretty_print` is True. """ if not filebeat_profile.ProcessProfiler().is_installed(): self.logger.error('You must install filebeat to run this command.') return None agent_status = {} filebeat_status, zeek_status, suricata_status = {}, {}, {} filebeat_status = filebeat_process.ProcessManager().status() agent_status.update({ 'filebeat': { 'running': filebeat_status.get('running'), 'enabled_on_startup': filebeat_status.get('enabled_on_startup') } }) if zeek_profile.ProcessProfiler().is_installed(): zeek_status = zeek_process.ProcessManager().status() agent_status.update({ 'zeek': { 'running': zeek_status.get('running'), 'enabled_on_startup': zeek_status.get('enabled_on_startup') } }) if suricata_profile.ProcessProfiler().is_installed(): suricata_status = suricata_process.ProcessManager().status() agent_status.update({ 'suricata': { 'running': suricata_status.get('running'), 'enabled_on_startup': suricata_status.get('enabled_on_startup') } }) if self.pretty_print_status: colorize = utilities.PrintDecorations.colorize child_services = [ ['Service', 'Running', 'Enabled on Startup'], [ 'filebeat', colorize('yes', 'green') if filebeat_status.get('running') else colorize('no', 'red'), colorize('yes', 'green') if filebeat_status.get('enabled_on_startup') else colorize( 'no', 'red') ] ] if zeek_status: child_services.append([ 'zeek', colorize('yes', 'green') if zeek_status.get('running') else colorize('no', 'red'), colorize('yes', 'green') if zeek_status.get('enabled_on_startup') else colorize( 'no', 'red') ]) if suricata_status: child_services.append([ 'suricata', colorize('yes', 'green') if zeek_status.get('running') else colorize('no', 'red'), colorize('yes', 'green') if zeek_status.get('enabled_on_startup') else colorize( 'no', 'red') ]) return tabulate.tabulate(child_services, tablefmt='fancy_grid') return agent_status
def optimize(self, available_cpus: Optional[List[int]] = None) -> None: """Apply the best CPU-affinity related configurations to Zeek and Suricata Returns: None """ zeek_profiler = zeek_profile.ProcessProfiler() suricata_profiler = suricata_profile.ProcessProfiler() if not available_cpus: available_cpus = [ c for c in range(0, utilities.get_cpu_core_count()) ] self.logger.info(f'{len(available_cpus)} CPU cores detected.') if zeek_profiler.is_attached_to_network( ) and suricata_profiler.is_attached_to_network(): self.logger.info( 'Both Zeek and Suricata are installed. Allocating 60% of resources to Zeek, ' '30% to Suricata, and 10% to Kernel.') kern_alloc, zeek_alloc, suricata_alloc = .1, .6, .3 elif zeek_profiler.is_attached_to_network(): self.logger.info( 'Only Zeek is installed. Allocating 90% of resources to it and 10% to Kernel.' ) kern_alloc, zeek_alloc, suricata_alloc = .1, .9, 0 elif suricata_profiler.is_attached_to_network(): self.logger.info( 'Only Suricata is installed. Allocating 90% of resources to it and 10% to Kernel.' ) kern_alloc, zeek_alloc, suricata_alloc = .1, 0, .9 else: self.logger.error( 'Neither Zeek nor Suricata is installed. You must install at least one of these in order ' 'to run this command.') return None if len(available_cpus) > 4: round_func = math.ceil else: round_func = math.floor kern_cpu_count = math.ceil(kern_alloc * len(available_cpus)) zeek_cpu_count = round_func(zeek_alloc * len(available_cpus)) suricata_cpu_count = round_func(suricata_alloc * len(available_cpus)) zeek_cpus = [ c for c in available_cpus[kern_cpu_count:kern_cpu_count + zeek_cpu_count] ] suricata_cpus = [ c for c in available_cpus[kern_cpu_count + zeek_cpu_count:kern_cpu_count + zeek_cpu_count + suricata_cpu_count] ] if zeek_profiler.is_attached_to_network(): zeek_node_config_mng = zeek_config.NodeConfigManager( install_directory=self.zeek_install_directory, stdout=self.stdout, verbose=self.verbose) zeek_node_config_mng.workers = zeek_node_config_mng.get_optimal_zeek_worker_config( zeek_profiler.get_attached_interfaces(), available_cpus=tuple(zeek_cpus)) zeek_node_config_mng.commit() if suricata_profiler.is_attached_to_network(): suricata_config_mng = suricata_config.ConfigManager( configuration_directory=self.suricata_configuration_directory, stdout=self.stdout, verbose=self.verbose) suricata_config_mng.threading = suricata_config_mng.get_optimal_suricata_threading_config( available_cpus=tuple(suricata_cpus)) suricata_config_mng.runmode = 'workers' for suricata_iface in suricata_config_mng.af_packet_interfaces: suricata_iface.threads = round_func( len(suricata_config_mng.threading.worker_cpu_set) / len(suricata_profiler.get_attached_interfaces())) suricata_iface.cluster_type = 'cluster_qm' suricata_config_mng.commit()
def setup(self, targets: List[str], target_type: Optional[str] = 'elasticsearch', monitor_log_paths: Optional[List[str]] = None, agent_tag: Optional[str] = None) -> None: """Setup Filebeat Args: targets: A list of Elasticsearch/Kafka/Logstash targets to forward events to (E.G ["192.168.0.9 5044", ...]) target_type: The target type; current supported: elasticsearch (default), logstash, kafka, redis monitor_log_paths: A tuple of log paths to monitor agent_tag: A friendly name for the agent (defaults to the hostname with no spaces and _agt suffix) Returns: None """ from dynamite_nsm.services.zeek import profile as zeek_profile from dynamite_nsm.services.suricata import profile as suricata_profile sysctl = systemctl.SystemCtl() zeek_log_root, suricata_log_root = None, None # Directory setup self.logger.debug(f'Creating directory: {self.install_directory}') utilities.makedirs(self.install_directory) utilities.makedirs(f'{self.install_directory}/logs') self.logger.info('Installing files and directories.') self.copy_filebeat_files_and_directories() self.copy_file_or_directory_to_destination(f'{const.DEFAULT_CONFIGS}/filebeat/filebeat.yml', self.install_directory) # Overwrite with dynamite default configurations self.copy_file_or_directory_to_destination(f'{const.DEFAULT_CONFIGS}/filebeat/module/', self.install_directory) self.copy_file_or_directory_to_destination(f'{const.DEFAULT_CONFIGS}/filebeat/modules.d/', self.install_directory) filebeat_config = config.ConfigManager(self.install_directory, verbose=self.verbose, stdout=self.stdout) if target_type == 'elasticsearch': filebeat_config.switch_to_elasticsearch_target() filebeat_config.elasticsearch_targets.target_strings = targets self.logger.info(f'Enabling Elasticsearch connector: ' f'{filebeat_config.elasticsearch_targets.target_strings}') elif target_type == 'logstash': filebeat_config.switch_to_logstash_target() filebeat_config.logstash_targets.target_strings = targets elif target_type == 'kafka': filebeat_config.switch_to_kafka_target() filebeat_config.kafka_targets.target_strings = targets elif target_type == 'redis': filebeat_config.switch_to_redis_target() filebeat_config.redis_targets.target_strings = targets filebeat_config.input_logs = misc_filebeat_objs.InputLogs( monitor_log_paths=[] ) filebeat_config.field_processors.originating_agent_tag = agent_tag if not monitor_log_paths: environ = utilities.get_environment_file_dict() zeek_log_root = f'{environ.get("ZEEK_HOME", "")}/logs/current/' suricata_log_root = environ.get('SURICATA_LOGS', '') zeek_profiler = zeek_profile.ProcessProfiler() suricata_profiler = suricata_profile.ProcessProfiler() if zeek_profiler.is_installed(): self.logger.info(f'Zeek installation found; monitoring: {zeek_log_root}*.log') filebeat_config.input_logs.monitor_log_paths.append(f'{zeek_log_root}*.log') if suricata_profiler.is_installed(): self.logger.info(f'Suricata installation found; monitoring: {suricata_log_root}/eve.json') filebeat_config.input_logs.monitor_log_paths.append(f'{suricata_log_root}/eve.json') else: filebeat_config.input_logs = misc_filebeat_objs.InputLogs( monitor_log_paths=monitor_log_paths ) self.logger.info(f'Monitoring Paths = {filebeat_config.input_logs.monitor_log_paths}') if not agent_tag: filebeat_config.field_processors.originating_agent_tag = utilities.get_default_agent_tag() self.logger.info(f'Agent Tag = {filebeat_config.field_processors.originating_agent_tag}') self.logger.debug(filebeat_config.elasticsearch_targets.get_raw()) filebeat_config.commit() self.logger.info('Applying configuration.') # Fix Permissions self.logger.info('Installing modules.') filebeat_config.patch_modules(zeek_log_directory=zeek_log_root, suricata_log_directory=suricata_log_root) # Setting up permissions self.logger.info('Setting up file permissions.') config_file = f'{self.install_directory}/filebeat.yml' utilities.set_ownership_of_file(self.install_directory, user='******', group='dynamite') utilities.set_permissions_of_file(f'{self.install_directory}/modules.d/', unix_permissions_integer='go-w') utilities.set_permissions_of_file(f'{self.install_directory}/module/', unix_permissions_integer='go-w') utilities.set_ownership_of_file(config_file, user='******', group='dynamite') utilities.set_permissions_of_file(config_file, unix_permissions_integer=644) filebeat_config.enable_ecs_normalization() # Install and enable service self.logger.info(f'Installing service -> {const.DEFAULT_CONFIGS}/systemd/filebeat.service') sysctl.install_and_enable(f'{const.DEFAULT_CONFIGS}/systemd/filebeat.service') # Update environment file self.create_update_filebeat_environment_variables()
def __init__(self, capture_network_interfaces, targets, kafka_topic=None, kafka_username=None, kafka_password=None, agent_analyzers=('zeek', 'suricata'), tag=None, stdout=True, verbose=False): execution_strategy.BaseExecStrategy.__init__( self, strategy_name="agent_install", strategy_description= "Install Zeek and/or Suricata along with FileBeat.", functions=(utilities.create_dynamite_environment_file, ), arguments=({}, ), return_formats=(None, )) if not zeek_profile.ProcessProfiler().is_installed( ) and 'zeek' in agent_analyzers: self.add_function(func=zeek_install.install_zeek, argument_dict={ 'configuration_directory': '/etc/dynamite/zeek/', 'install_directory': '/opt/dynamite/zeek', 'capture_network_interfaces': list(capture_network_interfaces), 'download_zeek_archive': True, 'stdout': bool(stdout), 'verbose': bool(verbose) }) else: self.add_function(func=log_message, argument_dict={ "msg": 'Skipping Zeek installation.', 'stdout': bool(stdout), 'verbose': bool(verbose) }, return_format=None) if not suricata_profile.ProcessProfiler().is_installed( ) and 'suricata' in agent_analyzers: self.add_function(func=suricata_install.install_suricata, argument_dict={ 'configuration_directory': '/etc/dynamite/suricata/', 'install_directory': '/opt/dynamite/suricata/', 'log_directory': '/opt/dynamite/suricata/logs/', 'capture_network_interfaces': list(capture_network_interfaces), 'download_suricata_archive': True, 'stdout': bool(stdout), 'verbose': bool(verbose) }) else: self.add_function(func=log_message, argument_dict={ "msg": 'Skipping Suricata installation.', 'stdout': bool(stdout), 'verbose': bool(verbose) }, return_format=None) if not filebeat_profile.ProcessProfiler().is_installed(): filebeat_args = { 'targets': list(targets), 'kafka_topic': kafka_topic, 'kafka_username': kafka_username, 'kafka_password': kafka_password, 'agent_tag': tag, 'install_directory': '/opt/dynamite/filebeat/', 'download_filebeat_archive': True, 'stdout': bool(stdout) } monitor_log_paths = [] if 'zeek' in agent_analyzers: monitor_log_paths.append( "/opt/dynamite/zeek/logs/current/*.log") if 'suricata' in agent_analyzers: monitor_log_paths.append( '/opt/dynamite/suricata/logs/eve.json') filebeat_args.update({'monitor_log_paths': monitor_log_paths}) self.add_function(func=filebeat_install.install_filebeat, argument_dict=filebeat_args) else: self.add_function( func=log_message, argument_dict={ "msg": 'Skipping Filebeat installation; already installed', 'stdout': bool(stdout), 'verbose': bool(verbose) }, return_format=None) self.add_function(func=log_message, argument_dict={ "msg": '*** Agent installed successfully. ***', 'verbose': bool(verbose) }) self.add_function(func=log_message, argument_dict={ "msg": 'Next, Start your agent: ' '\'dynamite agent start\'.', 'stdout': bool(stdout), 'verbose': bool(verbose) }, return_format=None)