PREP-STEP 2: Tune Configurations
Non-TFPlenum *Beat configuration tuningβ
note
- If config files came from the package downloaded from TFPlenum, then the following procedure is not necessary, as TFPlenum already directs the configs to point to the DIP External IP at
5045/TCP - If you are employing a vanilla CVA/H DIP that has not been built IAW 262COS-DIP-SOP-001 - CVAH DIP Setup then you must uncomment the
ssl.certificate_authorities,ssl.certificate, andssl.keylines β otherwise they must remain excluded/commented out - The reason why the above
ssl.*configs are excluded is because deployed agents will not be able to reconnect to Logstash if the DIP is rebuilt, as the certificates will all be re-created
For each ******beat.yml configuration file:
- Delete/comment out all
output.*sections - Ensure they are all to outputting to Logstash pointed at the DIP External IP at
5045/TCPsuch as with the following config lines: (replace<DIP_EXTERNAL_IP>with the actual IP)output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
#ssl.certificate_authorities: ["${path.home}/ca.crt"]
#ssl.certificate: "${path.home}/tls.crt"
#ssl.key: "${path.home}/tls.key"
ssl.enabled: true
ssl.verification_mode: "none"
Sysmon configuration tuningβ
info
Sysmon configurations can be tuned IAW 262COS-HA-AID-001 - Sysmon Config Tuning
CVA/H DIPs built IAW 262COS-DIP-SOP-001 - CVAH DIP Setup include a 262COS/DOK developed sysmonconfig.xml that is a combination of SwiftOnSecurity configurations, olafhartong configurations, and NIPR specific tunings. It is not recommended to modify the configuration until after the initial Sysmon deployment, where logging can be analyzed to identify the need for additional tuning.