Skip to main content

PREP-STEP 2: Tune Configurations


Non-TFPlenum *Beat configuration tuning​

note
  • If config files came from the package downloaded from TFPlenum, then the following procedure is not necessary, as TFPlenum already directs the configs to point to the DIP External IP at 5045/TCP
  • If you are employing a vanilla CVA/H DIP that has not been built IAW 262COS-DIP-SOP-001 - CVAH DIP Setup then you must uncomment the ssl.certificate_authorities, ssl.certificate, and ssl.key lines – otherwise they must remain excluded/commented out
  • The reason why the above ssl.* configs are excluded is because deployed agents will not be able to reconnect to Logstash if the DIP is rebuilt, as the certificates will all be re-created

For each ******beat.yml configuration file:

  1. Delete/comment out all output.* sections
  2. Ensure they are all to outputting to Logstash pointed at the DIP External IP at 5045/TCP such as with the following config lines: (replace <DIP_EXTERNAL_IP> with the actual IP)
    output.logstash:
    hosts: ["<DIP_EXTERNAL_IP>:5045"]
    #ssl.certificate_authorities: ["${path.home}/ca.crt"]
    #ssl.certificate: "${path.home}/tls.crt"
    #ssl.key: "${path.home}/tls.key"
    ssl.enabled: true
    ssl.verification_mode: "none"

Sysmon configuration tuning​

info

Sysmon configurations can be tuned IAW 262COS-HA-AID-001 - Sysmon Config Tuning

CVA/H DIPs built IAW 262COS-DIP-SOP-001 - CVAH DIP Setup include a 262COS/DOK developed sysmonconfig.xml that is a combination of SwiftOnSecurity configurations, olafhartong configurations, and NIPR specific tunings. It is not recommended to modify the configuration until after the initial Sysmon deployment, where logging can be analyzed to identify the need for additional tuning.