From 8125fe2bd2d50bc88c998eb04f3eacfa60913966 Mon Sep 17 00:00:00 2001
From: Random936
Date: Tue, 15 Apr 2025 11:50:46 -0700
Subject: [PATCH] Logging changes: new hdd, removed ideapad instance, graylog

---
 config/assets/suricata.yaml | 8 +++++---
 config/logging.nix | 12 ++++++++----
 hardware/logging.nix | 5 +++++
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/config/assets/suricata.yaml b/config/assets/suricata.yaml
index 63b6042..dafe666 100644
--- a/config/assets/suricata.yaml
+++ b/config/assets/suricata.yaml
@@ -31,7 +31,7 @@ vars:
 TEREDO_PORTS: 3544
 SIP_PORTS: "[5060, 5061]"
 
-default-log-dir: /home/logging/logs
+default-log-dir: /mnt/logs/suricata
 classification-file: /etc/suricata/classification.config
 reference-config-file: /etc/suricata/reference.config
 default-rule-path: /etc/suricata/rules
@@ -58,12 +58,14 @@ outputs:
 - eve-log:
 enabled: yes
 filetype: regular
-filename: eve.json
+filename: eve-%Y-%m-%d.json
+rotate-interval: day
 types:
 - alert:
 tagged-packets: yes
 - http:
 extended: yes
+dump-all-headers: both
 - http2
 - dns:
 enabled: yes
@@ -94,7 +96,7 @@ outputs:
 - smtp
 
 - pcap-log:
-enabled: yes
+enabled: no
 filename: log.pcap
 limit: 1gb
 max-files: 200
diff --git a/config/logging.nix b/config/logging.nix
index 299ed56..d3917d2 100644
--- a/config/logging.nix
+++ b/config/logging.nix
@@ -99,10 +99,6 @@
 targets = [ "192.168.100.12" ];
 labels.instance = "r730xd-idrac";
 }
-{
-targets = [ "192.168.100.20" ];
-labels.instance = "ideapad";
-}
 {
 targets = [ "192.168.100.21" ];
 labels.instance = "r330-proxmox";
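Review bot: `default-log-dir: /mnt/logs/suricata` now points into the new ext4 mount added in hardware/logging.nix, but nothing in this commit creates that subdirectory or makes it writable by the `logging` user the unit runs as (`User = "logging"` in config/logging.nix), so a freshly mounted, root-owned `/mnt/logs` leaves Suricata unable to open its eve output and the service fails at start. A tmpfiles rule next to the unit covers both the directory and its ownership: `systemd.tmpfiles.rules = [ "d /mnt/logs/suricata 0750 logging logging -" ];`. If the directory is already provisioned somewhere outside this diff, a comment at the new `default-log-dir` line saying where (e.g. `# created by tmpfiles rule in config/logging.nix`) would save the next reader the search. The same gap applies to the hardware/logging.nix hunk that adds the mount.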
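Review bot: `dump-all-headers: both` makes every eve http record carry the full request and response header set verbatim, which for any plaintext HTTP the sensor sees includes `Authorization`, `Cookie` and `Set-Cookie` values, and with this commit those records also flow into Graylog/OpenSearch, so credential material gains two more resting places whose access control is not visible here. If the full dump is needed for investigations, restrict read access to `/mnt/logs/suricata` and the Graylog stream and mark the intent in the config, e.g. `dump-all-headers: both  # full headers incl. auth/cookie values - treat eve output as sensitive`; otherwise drop the option and keep `extended: yes`. Separately, `filename: eve-%Y-%m-%d.json` with `rotate-interval: day` creates a new file per day but nothing prunes old ones, so unlike the now-disabled `pcap-log` with its `limit`/`max-files` this output grows unbounded on the new disk, and whatever tails the old fixed `eve.json` into Graylog presumably needs a glob pattern now, which I cannot confirm from the diff.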
@@ -189,12 +185,20 @@
 ];
 };
 
+services = {
+graylog.enable = true;
+mongodb.enable = true;
+opensearch.enable = true;
+};
+
+
 systemd.services.suricata = {
 description = "Suricata IDS/IPS";
 wantedBy = ["multi-user.target"];
 serviceConfig = {
 type = "simple";
 User = "logging";
+ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up";
 ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
 Restart = "on-failure";
 CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
diff --git a/hardware/logging.nix b/hardware/logging.nix
index 245625c..5f6d407 100644
--- a/hardware/logging.nix
+++ b/hardware/logging.nix
@@ -24,6 +24,11 @@
 options = [ "fmask=0022" "dmask=0022" ];
 };
 
+fileSystems."/mnt/logs" = {
+device = "/dev/disk/by-uuid/08247ec2-8e83-4bb0-b9fe-9e2a7ce3fe6c";
+fsType = "ext4";
+};
+
 swapDevices = [ ];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
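Review bot: `ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up"` runs as `User = "logging"` like the main process, and `CapabilityBoundingSet` only caps what may be held, so without `AmbientCapabilities` the unprivileged pre-step has no effective CAP_NET_ADMIN, `ip link set ... up` returns EPERM, and a failing ExecStartPre aborts the unit before ExecStart ever runs — unless AmbientCapabilities is set in the part of `serviceConfig` that continues past the end of this hunk. The smallest fix is systemd's privileged prefix, `ExecStartPre = "+/run/current-system/sw/bin/ip link set enp6s19 up";`, or `AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";` so both the pre-step and Suricata itself actually receive what the bounding set permits; `${pkgs.iproute2}/bin/ip` would also match how ExecStart references `${pkgs.suricata}` instead of depending on the system profile. On the new `services` block, `graylog.enable = true` is the only Graylog setting visible, and as far as I recall the NixOS module has no defaults for `passwordSecret` and `rootPasswordSha2`; if those are set in another file as literals they land in the world-readable Nix store, and the Graylog web listener and OpenSearch HTTP port should be confirmed to bind only to interfaces the scrape targets listed above need, since OpenSearch ships without authentication unless its security plugin is configured.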
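Review bot: `fileSystems."/mnt/logs"` mounts the new data disk with default options, so it is neither `nofail` — a missing or failed disk drops the host into emergency mode instead of booting without logs — nor restricted in what can run from it, even though an unprivileged service will now be writing there. For a volume that only holds Suricata output, `options = [ "nofail" "noexec" "nosuid" "nodev" ];` keeps a bad disk from taking the sensor down and keeps anything written into the log tree from being executable. A comment tying the by-uuid value to the physical disk, e.g. `# <disk model/bay> - dedicated Suricata log volume`, would help whoever has to replace it.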