Add other third party rest api integrations

- aws
- nginx
- system
- windows
- winlog
- zeek

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.4"
+  changes:
+    - description: Add support for Splunk authorization tokens
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1147
 - version: "0.6.3"
   changes:
     - description: Fix bug in Third Party ingest pipeline

packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs

@@ -1,7 +1,13 @@
 config_version: 2
 interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
 auth.basic.user: {{username}}
 auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
 cursor:
   index_earliest:
     value: '[[.last_event.result.max_indextime]]'
@@ -27,6 +33,15 @@ request.transforms:
   - set:
       target: header.Content-Type
       value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
 response.decode_as: application/x-ndjson
 response.split:
   target: body.result._raw

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: aws
 title: AWS
-version: 0.6.3
+version: 0.6.4
 license: basic
 description: AWS Integration
 type: integration
@@ -254,18 +254,49 @@ policy_templates:
             type: text
             title: Splunk REST API Username
             show_user: true
-            required: true
+            required: false
           - name: password
             type: password
             title: Splunk REST API Password
-            required: true
             show_user: true
+            required: false
+          - name: token
+            type: password
+            title: Splunk Authorization Token
+            description: |
+              Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+              or "Splunk 192fd3e...".  Cannot be used with username
+              and password.
+            show_user: true
+            required: false
           - name: ssl
             type: yaml
             title: SSL Configuration
             multi: false
             required: false
             show_user: false
             description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+            default: |
+              #certificate_authorities:
+              #  - |
+              #    -----BEGIN CERTIFICATE-----
+              #    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+              #    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+              #    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+              #    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+              #    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+              #    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+              #    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+              #    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+              #    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+              #    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+              #    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+              #    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+              #    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+              #    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+              #    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+              #    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+              #    sxSmbIUfc2SGJGCJD4I=
+              #    -----END CERTIFICATE-----
 owner:
   github: elastic/integrations

packages/nginx/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.2"
+  changes:
+    - description: Add support for Splunk authorization tokens
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1147
 - version: "0.6.1"
   changes:
     - description: Fix bug in Third Party REST API ingest pipeline

packages/nginx/data_stream/access/agent/stream/httpjson.yml.hbs

@@ -1,7 +1,13 @@
 config_version: 2
 interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
 auth.basic.user: {{username}}
 auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
 cursor:
   index_earliest:
     value: '[[.last_event.result.max_indextime]]'
@@ -27,6 +33,15 @@ request.transforms:
   - set:
       target: header.Content-Type
       value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
 response.decode_as: application/x-ndjson
 response.split:
   target: body.result._raw

packages/nginx/data_stream/error/agent/stream/httpjson.yml.hbs

@@ -1,7 +1,13 @@
 config_version: 2
 interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
 auth.basic.user: {{username}}
 auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
 cursor:
   index_earliest:
     value: '[[.last_event.result.max_indextime]]'
@@ -27,6 +33,15 @@ request.transforms:
   - set:
       target: header.Content-Type
       value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
 response.decode_as: application/x-ndjson
 response.split:
   target: body.result._raw

packages/nginx/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: nginx
 title: Nginx
-version: 0.6.1
+version: 0.6.2
 license: basic
 description: Nginx Integration
 type: integration
@@ -52,19 +52,50 @@ policy_templates:
             type: text
             title: Splunk REST API Username
             show_user: true
-            required: true
+            required: false
           - name: password
             type: password
             title: Splunk REST API Password
-            required: true
             show_user: true
+            required: false
+          - name: token
+            type: password
+            title: Splunk Authorization Token
+            description: |
+              Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+              or "Splunk 192fd3e...".  Cannot be used with username
+              and password.
+            show_user: true
+            required: false
           - name: ssl
             type: yaml
             title: SSL Configuration
             description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
             multi: false
             required: false
             show_user: false
+            default: |
+              #certificate_authorities:
+              #  - |
+              #    -----BEGIN CERTIFICATE-----
+              #    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+              #    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+              #    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+              #    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+              #    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+              #    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+              #    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+              #    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+              #    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+              #    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+              #    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+              #    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+              #    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+              #    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+              #    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+              #    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+              #    sxSmbIUfc2SGJGCJD4I=
+              #    -----END CERTIFICATE-----
       - type: nginx/metrics
         vars:
           - name: hosts

packages/system/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.13.5"
+  changes:
+    - description: Add support for Splunk authorization tokens
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1147
 - version: "0.13.4"
   changes:
     - description: Use `wildcard` type for relevant ECS fields in `security` stream.

packages/system/data_stream/application/agent/stream/httpjson.yml.hbs

@@ -1,7 +1,13 @@
 config_version: "2"
 interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
 auth.basic.user: {{username}}
 auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
 cursor:
   index_earliest:
     value: '[[.last_event.result.max_indextime]]'
@@ -28,6 +34,15 @@ request.transforms:
   - set:
       target: header.Content-Type
       value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
 response.decode_as: application/x-ndjson
 tags:
 {{#each tags as |tag i|}}

packages/system/data_stream/security/agent/stream/httpjson.yml.hbs

@@ -1,7 +1,13 @@
 config_version: "2"
 interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
 auth.basic.user: {{username}}
 auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
 cursor:
   index_earliest:
     value: '[[.last_event.result.max_indextime]]'
@@ -28,6 +34,15 @@ request.transforms:
   - set:
       target: header.Content-Type
       value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
 response.decode_as: application/x-ndjson
 tags:
 {{#each tags as |tag i|}}

packages/system/data_stream/system/agent/stream/httpjson.yml.hbs

@@ -1,7 +1,13 @@
 config_version: "2"
 interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
 auth.basic.user: {{username}}
 auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
 cursor:
   index_earliest:
     value: '[[.last_event.result.max_indextime]]'
@@ -28,6 +34,15 @@ request.transforms:
   - set:
       target: header.Content-Type
       value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+  - set:
+      target: header.Authorization
+      value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
 response.decode_as: application/x-ndjson
 tags:
 {{#each tags as |tag i|}}

packages/system/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 0.13.4
+version: 0.13.5
 license: basic
 description: System Integration
 type: integration
@@ -71,12 +71,21 @@ policy_templates:
             type: text
             title: Splunk REST API Username
             show_user: true
-            required: true
+            required: false
           - name: password
             type: password
             title: Splunk REST API Password
-            required: true
             show_user: true
+            required: false
+          - name: token
+            type: password
+            title: Splunk Authorization Token
+            description: |
+              Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+              or "Splunk 192fd3e...".  Cannot be used with username
+              and password.
+            show_user: true
+            required: false
           - name: preserve_original_event
             required: true
             show_user: true
@@ -92,5 +101,27 @@ policy_templates:
             multi: false
             required: false
             show_user: false
+            default: |
+              #certificate_authorities:
+              #  - |
+              #    -----BEGIN CERTIFICATE-----
+              #    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+              #    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+              #    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+              #    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+              #    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+              #    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+              #    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+              #    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+              #    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+              #    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+              #    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+              #    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+              #    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+              #    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+              #    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+              #    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+              #    sxSmbIUfc2SGJGCJD4I=
+              #    -----END CERTIFICATE-----
 owner:
   github: elastic/integrations