From 2e61719ddea1b2cd4eaaa358dd4e6f112238d985 Mon Sep 17 00:00:00 2001
From: James Young <39607528+splunk-james@users.noreply.github.com>
Date: Fri, 6 Dec 2024 21:59:39 +1100
Subject: [PATCH 1/5] Create rsyslog_logrotate

updated rsyslog logrotate file to improve handing of large syslog file with daily rotation and compression
---
 configs/rsyslog_logrotate | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 configs/rsyslog_logrotate

diff --git a/configs/rsyslog_logrotate b/configs/rsyslog_logrotate
new file mode 100644
index 00000000..78ea516b
--- /dev/null
+++ b/configs/rsyslog_logrotate
@@ -0,0 +1,25 @@
+/var/log/syslog
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+        rotate 7
+        daily
+        missingok
+        notifempty
+        compress
+        delaycompress
+        sharedscripts
+        postrotate
+                /usr/lib/rsyslog/rsyslog-rotate
+        endscript
+}

From d6847cd6ed1e0567e9e1fc22b7a381d344de99da Mon Sep 17 00:00:00 2001
From: James Young <39607528+splunk-james@users.noreply.github.com>
Date: Fri, 6 Dec 2024 22:02:53 +1100
Subject: [PATCH 2/5] Create update_rsyslog_logrotate.yml

task for copying new rsylog logrotate config
---
 .../roles/linux_common/tasks/update_rsyslog_logrotate.yml    | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 terraform/ansible/roles/linux_common/tasks/update_rsyslog_logrotate.yml

diff --git a/terraform/ansible/roles/linux_common/tasks/update_rsyslog_logrotate.yml b/terraform/ansible/roles/linux_common/tasks/update_rsyslog_logrotate.yml
new file mode 100644
index 00000000..941d276d
--- /dev/null
+++ b/terraform/ansible/roles/linux_common/tasks/update_rsyslog_logrotate.yml
@@ -0,0 +1,5 @@
+- name: copy rsyslog logrotate config template
+  become: true
+  copy:
+    src: "../../configs/rsyslog_logrotate"
+    dest: "/etc/logrotate.d/rsyslog"

From e70680d4816412761641e6155c2a1852139f7c5a Mon Sep 17 00:00:00 2001
From: James Young <39607528+splunk-james@users.noreply.github.com>
Date: Fri, 6 Dec 2024 22:03:54 +1100
Subject: [PATCH 3/5] Update main.yml

include new task for update rsyslog logrotate
---
 terraform/ansible/roles/linux_common/tasks/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/terraform/ansible/roles/linux_common/tasks/main.yml b/terraform/ansible/roles/linux_common/tasks/main.yml
index ab791db2..5e5d1593 100644
--- a/terraform/ansible/roles/linux_common/tasks/main.yml
+++ b/terraform/ansible/roles/linux_common/tasks/main.yml
@@ -3,4 +3,5 @@
 #- include_tasks: update_packages.yml
 - include_tasks: disable-dnssec.yml
 - include_tasks: disable-autoupgrade.yml
-- include_tasks: update_sshd_config.yml
\ No newline at end of file
+- include_tasks: update_sshd_config.yml
+- include_tasks: update_rsyslog_logrotate.yml

From 8d7084082628cdbf8b935a28fd522307f5ea2a62 Mon Sep 17 00:00:00 2001
From: James Young <39607528+splunk-james@users.noreply.github.com>
Date: Sat, 7 Dec 2024 13:06:34 +1100
Subject: [PATCH 4/5] Update SysMonLinux-CatchAll.xml

to exclude excessive records for splunk UF moduinput journal file create
---
 configs/SysMonLinux-CatchAll.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/configs/SysMonLinux-CatchAll.xml b/configs/SysMonLinux-CatchAll.xml
index 4f19a899..eec4e08e 100644
--- a/configs/SysMonLinux-CatchAll.xml
+++ b/configs/SysMonLinux-CatchAll.xml
@@ -22,11 +22,13 @@
     </RuleGroup>
     <!-- Event ID 11 == FileCreate. Log every file creation -->
     <RuleGroup name="" groupRelation="or">
-      <FileCreate onmatch="exclude"/>
+      <FileCreate onmatch="exclude">
+            <TargetFilename condition="begin with">/opt/splunkforwarder/var/lib/splunk/modinputs/journald</TargetFilename> <!--Exclude Splunk Modinput Journal-->
+      </FileCreate>
     </RuleGroup>
     <!--Event ID 23 == FileDelete. Log all files being deleted -->
     <RuleGroup name="" groupRelation="or">
       <FileDelete onmatch="exclude"/>
     </RuleGroup>
   </EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>

From 00d4645e4b51785fb3be165925abb0ea4498df2f Mon Sep 17 00:00:00 2001
From: James Young <39607528+splunk-james@users.noreply.github.com>
Date: Mon, 9 Dec 2024 23:25:01 +1100
Subject: [PATCH 5/5] Update attack_range.py

---
 attack_range.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/attack_range.py b/attack_range.py
index 6e5a8993..c8cfdec2 100644
--- a/attack_range.py
+++ b/attack_range.py
@@ -24,7 +24,7 @@ def init(args):
                    _.-"       d$$$$
                  .' ..       d$$$$;
                 /  /P'      d$$$$P. |\\
-               /   "      .d$$$P' |\^"l
+               /   "      .d$$$P' |\\^"l
              .'           `T$P^\"\"\"\"\"  :
          ._.'      _.'                ;
       `-.-".-'-' ._.       _.-"    .-"
@@ -35,8 +35,8 @@ def init(args):
     ._.'-'`-'  ")/         /;/;
  `-.-"..--""   " /         /  ;
 .-" ..--""        -'          :
-..--""--.-"         (\      .-(\\
-  ..--""              `-\(\/;`
+..--""--.-"         (\\     .-(\\
+  ..--""              `-\\(\\/;`
     _.                      :
                             ;`-
                            :\\