Graylog2 / fpm-recipes

Graylog package build recipes
http://docs.graylog.org/en/latest/pages/installation/operating_system_packages.html

Update paths for Illuminate 1.7. #112

Closed malcyon closed 2 years ago

malcyon commented 2 years ago

Update paths for Illuminate lookup files.

See Graylog2/graylog-project-illuminate#160.

malcyon commented 2 years ago

Updated paths for the files in the package:

donald@laptop:~/src/fpm-recipes/recipes/graylog-illuminate/pkg$ dpkg-deb -c ./graylog-illuminate_1.7.0-1_amd64.deb
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/doc/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/doc/graylog-illuminate/
-rw-r--r-- 0/0             154 2021-07-22 09:20 ./usr/share/doc/graylog-illuminate/changelog.gz
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_paloalto/
-rw-r--r-- 0/0          440923 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_paloalto/illuminate_paloalto9_spotlight.json
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/
-rw-r--r-- 0/0           10138 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/illuminate_events_spotlight_20201216.json
-rw-r--r-- 0/0            8128 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/illuminate_events_spotlight_windows_20200923.json
-rw-r--r-- 0/0            6323 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/illuminate_events_spotlight_core_20200923.json
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_windows/
-rw-r--r-- 0/0          444333 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_windows/illuminate_windows_spotlight.json
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_o365/
-rw-r--r-- 0/0          171664 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_o365/illuminate_o365_spotlight.json
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_sysmon/
-rw-r--r-- 0/0          757029 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_sysmon/illuminate_sysmon_spotlight.json
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/
-rw-r--r-- 0/0          164581 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/illuminate_okta_spotlight.json
-rw-r--r-- 0/0          164595 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/illuminate_o365_spotlight
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_core/
-rw-r--r-- 0/0          487599 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_core/illuminate_core.json
-rwxr-xr-x 0/0            1951 2021-07-22 09:20 ./usr/share/graylog-illuminate/upload-content-packs.sh
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/sysmon/
-rw-r--r-- 0/0            2719 2021-07-22 09:20 ./etc/graylog/illuminate/sysmon/sysmon_dns_resultcodes.csv
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/core/
-rw-r--r-- 0/0              29 2021-07-22 09:20 ./etc/graylog/illuminate/core/static_devices.csv.default
-rw-r--r-- 0/0            6554 2021-07-22 09:20 ./etc/graylog/illuminate/core/category_map.csv
-rw-r--r-- 0/0              99 2021-07-22 09:20 ./etc/graylog/illuminate/core/severity_map.csv
-rw-r--r-- 0/0             877 2021-07-22 09:20 ./etc/graylog/illuminate/core/static_accounts.csv.default
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/okta/
-rw-r--r-- 0/0          101704 2021-07-22 09:20 ./etc/graylog/illuminate/okta/vendor_events.csv
-rw-r--r-- 0/0             148 2021-07-22 09:20 ./etc/graylog/illuminate/okta/event_outcome_codes.csv
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/paloalto/
-rw-r--r-- 0/0             172 2021-07-22 09:20 ./etc/graylog/illuminate/paloalto/pa_alert_severity.csv
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/o365/
-rw-r--r-- 0/0             442 2021-07-22 09:20 ./etc/graylog/illuminate/o365/email_logon_type.csv
-rw-r--r-- 0/0           62865 2021-07-22 09:20 ./etc/graylog/illuminate/o365/vendor_events.csv
-rw-r--r-- 0/0            4104 2021-07-22 09:20 ./etc/graylog/illuminate/o365/record_type_map.csv
-rw-r--r-- 0/0             357 2021-07-22 09:20 ./etc/graylog/illuminate/o365/user_map.csv
-rw-r--r-- 0/0             186 2021-07-22 09:20 ./etc/graylog/illuminate/o365/event_outcome_codes.csv
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/
-rw-r--r-- 0/0             311 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/README.md
-rwxr-xr-x 0/0            9860 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/apply_template.sh
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/
-rw-r--r-- 0/0           29305 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_schema.json
-rw-r--r-- 0/0             627 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_query.json
-rw-r--r-- 0/0             309 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_message_template.json
-rw-r--r-- 0/0            1610 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_sysmon.json
-rw-r--r-- 0/0            1284 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/template.options
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/
-rw-r--r-- 0/0           27804 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_schema.json
-rw-r--r-- 0/0             564 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_query.json
-rw-r--r-- 0/0             274 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_message_template.json
-rw-r--r-- 0/0            1596 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_sysmon.json
drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/windows/
-rw-r--r-- 0/0             236 2021-07-22 09:20 ./etc/graylog/illuminate/windows/kerberos_preauth_types.csv
-rw-r--r-- 0/0             246 2021-07-22 09:20 ./etc/graylog/illuminate/windows/windows_logon_types.csv
-rw-r--r-- 0/0             229 2021-07-22 09:20 ./etc/graylog/illuminate/windows/well_known_sid_domains.csv
-rw-r--r-- 0/0             160 2021-07-22 09:20 ./etc/graylog/illuminate/windows/kerberos_encryption_types.csv
-rw-r--r-- 0/0            3921 2021-07-22 09:20 ./etc/graylog/illuminate/windows/well_known_sids.csv
-rw-r--r-- 0/0             931 2021-07-22 09:20 ./etc/graylog/illuminate/windows/winsec_event_code_type_code_map.csv
-rw-r--r-- 0/0            4294 2021-07-22 09:20 ./etc/graylog/illuminate/windows/kerberos_error_codes.csv
-rw-r--r-- 0/0            9573 2021-07-22 09:20 ./etc/graylog/illuminate/windows/windows_ntstatus_error_codes.csv
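Added example (not part of this PR or the fpm-recipes repository): the listing above is the only evidence that the lookup CSVs landed under /etc/graylog/illuminate and the content packs under /usr/share/graylog-illuminate, and eyeballing 70 lines of `dpkg-deb -c` output is how a wrong `Dir[...]` glob slipped through in the first place. The Ruby below parses that tar-style output into a hash keyed by absolute path and checks a package against a list of files that must be present and non-empty, flags any entry not owned by root (`0/0`) and any world-writable path. The sample listing is a constructed excerpt of the lines shown above; `check_deb` is a hypothetical helper that runs `dpkg-deb -c` on a built package.

```ruby
# Constructed sample of `dpkg-deb -c` output, trimmed from the listing in the PR comment.
SAMPLE_LISTING = <<~LISTING
  drwxr-xr-x 0/0               0 2021-07-22 09:20 ./
  drwxr-xr-x 0/0               0 2021-07-22 09:20 ./etc/graylog/illuminate/core/
  -rw-r--r-- 0/0            6554 2021-07-22 09:20 ./etc/graylog/illuminate/core/category_map.csv
  -rw-r--r-- 0/0              99 2021-07-22 09:20 ./etc/graylog/illuminate/core/severity_map.csv
  -rw-r--r-- 0/0          164581 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/illuminate_okta_spotlight.json
  -rwxr-xr-x 0/0            1951 2021-07-22 09:20 ./usr/share/graylog-illuminate/upload-content-packs.sh
LISTING

Entry = Struct.new(:mode, :owner, :size, :path)

# One tar-style line: <mode> <owner/group> <size> <YYYY-MM-DD> <HH:MM> <path>
LINE_RE = /\A(?<mode>[-dl][rwxstST-]{9})\s+(?<owner>\S+)\s+(?<size>\d+)\s+
           \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?<path>\S.*)\z/x

# Parse `dpkg-deb -c` output into { "/absolute/path" => Entry }.
# Lines that do not match (e.g. the shell prompt) are skipped.
def parse_listing(text)
  text.each_line.with_object({}) do |line, entries|
    m = LINE_RE.match(line.chomp)
    next if m.nil?
    path = m[:path].sub(%r{\A\./}, '/')   # "./etc/x" -> "/etc/x"
    entries[path] = Entry.new(m[:mode], m[:owner], m[:size].to_i, path)
  end
end

# Return a list of human-readable problems; an empty list means the package passes.
# - every expected file must exist and be non-empty (a recipe glob that matched
#   nothing produces a missing lookup table, not an error)
# - every entry must be owned by expected_owner (root:root as "0/0" in tar output)
# - nothing may be world-writable (mode string index 8 is the "other" write bit)
def check_package(entries, expected_files, expected_owner: '0/0')
  problems = []
  expected_files.each do |path|
    e = entries[path]
    if e.nil?
      problems << "missing: #{path}"
    elsif e.size.zero?
      problems << "empty: #{path}"
    end
  end
  entries.each_value do |e|
    problems << "owner #{e.owner} on #{e.path}" unless e.owner == expected_owner
    problems << "world-writable: #{e.path}" if e.mode[8] == 'w'
  end
  problems
end

# Hypothetical helper: run the check against a built .deb on disk.
def check_deb(deb_path, expected_files)
  listing = IO.popen(['dpkg-deb', '-c', deb_path], &:read)
  check_package(parse_listing(listing), expected_files)
end

if __FILE__ == $PROGRAM_NAME
  expected = %w[
    /etc/graylog/illuminate/core/category_map.csv
    /etc/graylog/illuminate/core/severity_map.csv
  ]
  problems = check_package(parse_listing(SAMPLE_LISTING), expected)
  puts(problems.empty? ? 'package OK' : problems)
end
```

The expected-file list is the thing to keep in the recipe's repository next to `recipe.rb`, so a future path change that breaks a glob fails the build instead of shipping a package whose lookup tables are silently absent.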
malcyon commented 2 years ago

I'm not that familiar with the recipe.rb file, but it looks like only the first part of some of the directory commands was updated? For example, shouldn't the line etc('graylog/illuminate/core').install Dir['graylog_illuminate_core/*'] instead be etc('graylog/illuminate/core').install Dir['graylog/illuminate/core/*']? If these are for the lookups?

Yet, you're right. I didn't catch it because my filesystem still had the old files in the temp directory, so it was able to still pick up the old files.

It should be fixed now.

malcyon commented 2 years ago

illuminate_package_contents.txt

This is what it looks like on the filesystem after installing the deb package.