Closed malcyon closed 2 years ago
Updated paths for the files in the package:
```
donald@laptop:~/src/fpm-recipes/recipes/graylog-illuminate/pkg$ dpkg-deb -c ./graylog-illuminate_1.7.0-1_amd64.deb
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/doc/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/doc/graylog-illuminate/
-rw-r--r-- 0/0 154 2021-07-22 09:20 ./usr/share/doc/graylog-illuminate/changelog.gz
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_paloalto/
-rw-r--r-- 0/0 440923 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_paloalto/illuminate_paloalto9_spotlight.json
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/
-rw-r--r-- 0/0 10138 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/illuminate_events_spotlight_20201216.json
-rw-r--r-- 0/0 8128 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/illuminate_events_spotlight_windows_20200923.json
-rw-r--r-- 0/0 6323 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_events/illuminate_events_spotlight_core_20200923.json
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_windows/
-rw-r--r-- 0/0 444333 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_windows/illuminate_windows_spotlight.json
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_o365/
-rw-r--r-- 0/0 171664 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_o365/illuminate_o365_spotlight.json
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_sysmon/
-rw-r--r-- 0/0 757029 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_sysmon/illuminate_sysmon_spotlight.json
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/
-rw-r--r-- 0/0 164581 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/illuminate_okta_spotlight.json
-rw-r--r-- 0/0 164595 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/illuminate_o365_spotlight
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_core/
-rw-r--r-- 0/0 487599 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_core/illuminate_core.json
-rwxr-xr-x 0/0 1951 2021-07-22 09:20 ./usr/share/graylog-illuminate/upload-content-packs.sh
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/sysmon/
-rw-r--r-- 0/0 2719 2021-07-22 09:20 ./etc/graylog/illuminate/sysmon/sysmon_dns_resultcodes.csv
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/core/
-rw-r--r-- 0/0 29 2021-07-22 09:20 ./etc/graylog/illuminate/core/static_devices.csv.default
-rw-r--r-- 0/0 6554 2021-07-22 09:20 ./etc/graylog/illuminate/core/category_map.csv
-rw-r--r-- 0/0 99 2021-07-22 09:20 ./etc/graylog/illuminate/core/severity_map.csv
-rw-r--r-- 0/0 877 2021-07-22 09:20 ./etc/graylog/illuminate/core/static_accounts.csv.default
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/okta/
-rw-r--r-- 0/0 101704 2021-07-22 09:20 ./etc/graylog/illuminate/okta/vendor_events.csv
-rw-r--r-- 0/0 148 2021-07-22 09:20 ./etc/graylog/illuminate/okta/event_outcome_codes.csv
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/paloalto/
-rw-r--r-- 0/0 172 2021-07-22 09:20 ./etc/graylog/illuminate/paloalto/pa_alert_severity.csv
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/o365/
-rw-r--r-- 0/0 442 2021-07-22 09:20 ./etc/graylog/illuminate/o365/email_logon_type.csv
-rw-r--r-- 0/0 62865 2021-07-22 09:20 ./etc/graylog/illuminate/o365/vendor_events.csv
-rw-r--r-- 0/0 4104 2021-07-22 09:20 ./etc/graylog/illuminate/o365/record_type_map.csv
-rw-r--r-- 0/0 357 2021-07-22 09:20 ./etc/graylog/illuminate/o365/user_map.csv
-rw-r--r-- 0/0 186 2021-07-22 09:20 ./etc/graylog/illuminate/o365/event_outcome_codes.csv
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/
-rw-r--r-- 0/0 311 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/README.md
-rwxr-xr-x 0/0 9860 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/apply_template.sh
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/
-rw-r--r-- 0/0 29305 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_schema.json
-rw-r--r-- 0/0 627 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_query.json
-rw-r--r-- 0/0 309 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_message_template.json
-rw-r--r-- 0/0 1610 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v6/illuminate_sysmon.json
-rw-r--r-- 0/0 1284 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/template.options
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/
-rw-r--r-- 0/0 27804 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_schema.json
-rw-r--r-- 0/0 564 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_query.json
-rw-r--r-- 0/0 274 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_message_template.json
-rw-r--r-- 0/0 1596 2021-07-22 09:20 ./etc/graylog/illuminate/elastic_template/v7/illuminate_sysmon.json
drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/windows/
-rw-r--r-- 0/0 236 2021-07-22 09:20 ./etc/graylog/illuminate/windows/kerberos_preauth_types.csv
-rw-r--r-- 0/0 246 2021-07-22 09:20 ./etc/graylog/illuminate/windows/windows_logon_types.csv
-rw-r--r-- 0/0 229 2021-07-22 09:20 ./etc/graylog/illuminate/windows/well_known_sid_domains.csv
-rw-r--r-- 0/0 160 2021-07-22 09:20 ./etc/graylog/illuminate/windows/kerberos_encryption_types.csv
-rw-r--r-- 0/0 3921 2021-07-22 09:20 ./etc/graylog/illuminate/windows/well_known_sids.csv
-rw-r--r-- 0/0 931 2021-07-22 09:20 ./etc/graylog/illuminate/windows/winsec_event_code_type_code_map.csv
-rw-r--r-- 0/0 4294 2021-07-22 09:20 ./etc/graylog/illuminate/windows/kerberos_error_codes.csv
-rw-r--r-- 0/0 9573 2021-07-22 09:20 ./etc/graylog/illuminate/windows/windows_ntstatus_error_codes.csv
```
I'm not that familiar with the recipe.rb file, but it looks like only the first part of some of the directory commands was updated? For example, shouldn't the line `etc('graylog/illuminate/core').install Dir['graylog_illuminate_core/*']` instead be `etc('graylog/illuminate/core').install Dir['graylog/illuminate/core/*']`? If these are for the lookups?
Yep, you're right. I didn't catch it because my filesystem still had the old files in the temp directory, so it was able to still pick up the old files.
It should be fixed now.
illuminate_package_contents.txt
This is what it looks like on the filesystem after installing the deb package.
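A stale build directory let the old glob keep working, so the `dpkg-deb -c` listing was the only place the problem showed. As an added example (not part of this PR or the fpm-recipes project), the script below checks such a listing for the lookup files the recipe should install and flags regular files without an extension, like the one `illuminate_okta` entry in the listing above; the function names and the `EXPECTED` list are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the PR: sanity-check a `dpkg-deb -c` listing of the
# Illuminate package so a stale build directory cannot hide a wrong Dir[] glob.
# Function names and the EXPECTED list are assumptions made for this example.

# Constructed sample in the format dpkg-deb -c prints (mode owner size date time path);
# the last entry mirrors the extension-less file seen in the real listing.
SAMPLE_LISTING='drwxr-xr-x 0/0 0 2021-07-22 09:20 ./etc/graylog/illuminate/core/
-rw-r--r-- 0/0 6554 2021-07-22 09:20 ./etc/graylog/illuminate/core/category_map.csv
-rw-r--r-- 0/0 99 2021-07-22 09:20 ./etc/graylog/illuminate/core/severity_map.csv
-rw-r--r-- 0/0 164595 2021-07-22 09:20 ./usr/share/graylog-illuminate/content_packs/illuminate_okta/illuminate_o365_spotlight'

# Lookup files the package must ship, written the way dpkg-deb prints them.
EXPECTED='./etc/graylog/illuminate/core/category_map.csv
./etc/graylog/illuminate/core/severity_map.csv
./etc/graylog/illuminate/windows/well_known_sids.csv'

# check_expected LISTING_FILE: return 0 when every EXPECTED path is present,
# 1 otherwise (missing paths are reported on stderr).
check_expected() {
    missing=0
    for p in $EXPECTED; do
        if ! awk '{ print $6 }' "$1" | grep -qxF -- "$p"; then
            echo "MISSING: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# check_extensions LISTING_FILE: return 0 when every regular file (mode
# starting with '-') has a file extension, 1 otherwise.
check_extensions() {
    bad=0
    while read -r mode _owner _size _date _time path _rest; do
        case "$mode" in -*) ;; *) continue ;; esac   # skip directories and links
        case "${path##*/}" in
            *.*) ;;
            *) echo "NO EXTENSION: $path" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Stand-alone use: dpkg-deb -c graylog-illuminate_1.7.0-1_amd64.deb > listing.txt
#                  && check_expected listing.txt && check_extensions listing.txt
```

Run both checks in CI after the package is built from a clean directory; a non-zero exit means the recipe's glob or the file naming changed.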
Update paths for Illuminate lookup files.
See Graylog2/graylog-project-illuminate#160.