Merge pull request #6514 from Security-Onion-Solutions/ES0day2

Throw the log4j into the java options

salt/elasticsearch/init.sls

@@ -258,7 +258,7 @@ so-elasticsearch:
       {% if TRUECLUSTER is sameas false or (TRUECLUSTER is sameas true and not salt['pillar.get']('nodestab', {})) %}
       - discovery.type=single-node
       {% endif %}
-      - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true
+      - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
       ulimits:
       - memlock=-1:-1
       - nofile=65536:65536

salt/logstash/etc/log4j2.properties

@@ -34,3 +34,4 @@ rootLogger.level = info
 rootLogger.appenderRef.rolling.ref = rolling
 #rootLogger.level = ${sys:ls.log.level}
 #rootLogger.appenderRef.console.ref = ${sys:ls.log.format}_console
+log4j2.formatMsgNoLookups = true

salt/logstash/init.sls

@@ -156,7 +156,7 @@ so-logstash:
     - extra_hosts:
       - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }}
     - environment:
-      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
+      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} -Dlog4j2.formatMsgNoLookups=true
     - port_bindings:
   {% for BINDING in DOCKER_OPTIONS.port_bindings %}
       - {{ BINDING }}

salt/thehive/init.sls

@@ -95,7 +95,7 @@ so-thehive-es:
       - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
       - /opt/so/log/thehive:/var/log/elasticsearch:rw
     - environment:
-      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true
     - port_bindings:
       - 0.0.0.0:9400:9400
       - 0.0.0.0:9500:9500