From 713e9ee215484bbb857a52fd6cafa5ec8ed02b84 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 20:10:41 +0000 Subject: [PATCH 01/15] Create initial template for ILM policy load script --- .../sbin/so-elasticsearch-ilm-policy-load | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-load diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load new file mode 100644 index 000000000..2780ab59e --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load @@ -0,0 +1,19 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +# Set up ILM policies +echo +echo "Setting up default Security Onion index lifecycle management policies..." + +# Zeek logs +echo +echo "Setting up Zeek ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "1gb", "max_age": "30d" } } } } } }' +echo From d6d01f8542aa50d37b03a01b87604995a5d63417 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:01:02 +0000 Subject: [PATCH 02/15] Add initial ILM policy view script --- .../tools/sbin/so-elasticsearch-ilm-policy-view | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-view 
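Review bot: The first line `#/bin/bash` is missing the `!`, so it is an ordinary comment rather than a shebang and the script runs under whatever interpreter the invoking shell falls back to (typically /bin/sh) instead of bash; it should read `#!/bin/bash`, and the same typo is repeated in every script this series adds. The curl call passes `-k`, which disables certificate verification for the connection to Elasticsearch; if the CA that signed the node certificate is on disk (a later commit in this series copies `/etc/ssl/certs/intca.crt` for Fleet) it should be pinned with `--cacert` instead of turning verification off. `-s` without `--fail` also means a 4xx/5xx from the PUT is printed but the script still exits 0, so a caller cannot tell whether the policy was created. `$SESSIONCOOKIE` is referenced but never set in this file; presumably `so-common` exports it, which deserves a one-line comment next to the `. /usr/sbin/so-common` line.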
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view new file mode 100644 index 000000000..d69e328fe --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view @@ -0,0 +1,15 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +if [ "$1" == "" ]; then + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy | jq . +else + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy/$1 | jq .[] +fi From 80270550867d4f166c619b6d07cd8958425b38b9 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:09:42 +0000 Subject: [PATCH 03/15] Add initial ILM policy delete script --- .../tools/sbin/so-elasticsearch-ilm-policy-delete | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete new file mode 100644 index 000000000..108dd1178 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete 
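Review bot: On the `else` branch `$1` is interpolated unquoted into the request path with no validation, so a policy name containing `/`, `?`, `#`, whitespace or shell glob characters changes which endpoint is queried (`../_cluster/settings` reaches a different API entirely). Quote it and reject anything outside the characters a policy id can reasonably contain, e.g. `[[ "$1" =~ ^[A-Za-z0-9_.-]+$ ]] || { echo "invalid policy name: $1" >&2; exit 1; }` before the `if`, and use `.../_ilm/policy/"$1"` in the URL. `[ "$1" == "" ]` is more idiomatically written `[ -z "$1" ]`.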
@@ -0,0 +1,11 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://{{ NODEIP }}:9200/_ilm/policy/$1 From b38f4ca7661edb58d1dc815633d5a7dc03eee111 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:29:16 +0000 Subject: [PATCH 04/15] Add initial ILM service stop script --- salt/common/tools/sbin/so-elasticsaerch-ilm-stop | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-stop diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-stop b/salt/common/tools/sbin/so-elasticsaerch-ilm-stop new file mode 100644 index 000000000..23c068918 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-stop @@ -0,0 +1,12 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +echo "Stopping ILM..." +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop From 03849b0659f994c39a07791e4a9179c3e9fa42b8 Mon Sep 17 00:00:00 2001 
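Review bot: The DELETE is sent with no check that a policy name was supplied, so running the script with no argument issues `DELETE /_ilm/policy/` (what Elasticsearch does with that depends on the version), and `$1` is again unquoted in the URL. Since this is the one destructive script in the series it should refuse to run without an explicit, validated name: `[ -z "$1" ] && { echo "Usage: $0 <policy-name>" >&2; exit 1; }` followed by `.../_ilm/policy/"$1"` in the curl line. Adding `--fail` would also turn a 404 or 400 from Elasticsearch into a non-zero exit instead of a silently printed JSON error body.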
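Review bot: The POST's outcome is discarded: `-s` hides curl's own errors, there is no `--fail`, and the response body is printed without a trailing newline, so a failed stop still exits 0 and its output runs into the next prompt. Use `-sS --fail` and pipe through `jq .` as the other scripts in this series do, e.g. `curl -K /opt/so/conf/elasticsearch/curl.config -sS --fail -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop | jq .`. As far as I recall the stop API only acknowledges the request and ILM keeps running until in-flight steps complete, which matters to anything that calls this script and then immediately starts ILM again; a comment stating that would help.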
From: Wes Date: Wed, 8 Feb 2023 21:29:38 +0000 Subject: [PATCH 05/15] Add initial ILM service start script --- salt/common/tools/sbin/so-elasticsaerch-ilm-start | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-start diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-start b/salt/common/tools/sbin/so-elasticsaerch-ilm-start new file mode 100644 index 000000000..98dd38e9e --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-start @@ -0,0 +1,12 @@ +/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +echo "Starting ILM..." +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/start From 1de3871ee9fd148cb54aa88d631a06c940b2d75c Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:30:25 +0000 Subject: [PATCH 06/15] Add initial ILM service restart script --- salt/common/tools/sbin/so-elasticsaerch-ilm-restart | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-restart diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-restart b/salt/common/tools/sbin/so-elasticsaerch-ilm-restart new file mode 100644 index 000000000..7f422ed6e --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-restart 
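Review bot: The first line is `/bin/bash` with neither `#!` nor `#`, so it is executed as a command: running this script spawns a nested interactive bash, and the `so-common` sourcing and the curl only run once that shell exits. Replace it with `#!/bin/bash`, which also makes the interpreter explicit instead of relying on the caller's fallback.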
@@ -0,0 +1,10 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +so-elasticsearch-ilm-stop +so-elasticsearch-ilm-start From 3e31bda2854a54767e633640353857c699b8872d Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:32:17 +0000 Subject: [PATCH 07/15] Fix typo in Elasticsearch portion of script names --- ...{so-elasticsaerch-ilm-restart => so-elasticsearch-ilm-restart} | 0 .../{so-elasticsaerch-ilm-start => so-elasticsearch-ilm-start} | 0 .../sbin/{so-elasticsaerch-ilm-stop => so-elasticsearch-ilm-stop} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename salt/common/tools/sbin/{so-elasticsaerch-ilm-restart => so-elasticsearch-ilm-restart} (100%) rename salt/common/tools/sbin/{so-elasticsaerch-ilm-start => so-elasticsearch-ilm-start} (100%) rename salt/common/tools/sbin/{so-elasticsaerch-ilm-stop => so-elasticsearch-ilm-stop} (100%) diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-restart b/salt/common/tools/sbin/so-elasticsearch-ilm-restart similarity index 100% rename from salt/common/tools/sbin/so-elasticsaerch-ilm-restart rename to salt/common/tools/sbin/so-elasticsearch-ilm-restart diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-start b/salt/common/tools/sbin/so-elasticsearch-ilm-start similarity index 100% rename from salt/common/tools/sbin/so-elasticsaerch-ilm-start rename to salt/common/tools/sbin/so-elasticsearch-ilm-start diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-stop b/salt/common/tools/sbin/so-elasticsearch-ilm-stop similarity index 100% rename from salt/common/tools/sbin/so-elasticsaerch-ilm-stop rename to salt/common/tools/sbin/so-elasticsearch-ilm-stop 
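Review bot: `so-elasticsearch-ilm-stop` and `so-elasticsearch-ilm-start` are run back-to-back with no check in between; the stop script's curl has no `--fail`, so it always exits 0 and a failed stop is followed by a start regardless. As far as I recall the ILM stop API is asynchronous (it acknowledges and then transitions from STOPPING to STOPPED), so starting immediately may not actually restart anything; the restart should wait for the status script to report STOPPED first: `so-elasticsearch-ilm-stop`, `until so-elasticsearch-ilm-status | grep -q '"STOPPED"'; do sleep 1; done`, `so-elasticsearch-ilm-start`. Both helpers are resolved via PATH while the file sources `/usr/sbin/so-common` by absolute path; calling them as `/usr/sbin/so-elasticsearch-ilm-stop` and `/usr/sbin/so-elasticsearch-ilm-start` avoids surprises when the script runs with a reduced PATH.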
From 91d24d36f9a4f15fe91cb408042417f2514b9c28 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:34:15 +0000 Subject: [PATCH 08/15] Add initial ILM lifecycle status explanation script --- .../tools/sbin/so-elasticsearch-ilm-explain | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-explain diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-explain b/salt/common/tools/sbin/so-elasticsearch-ilm-explain new file mode 100644 index 000000000..db31dcb0f --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-explain @@ -0,0 +1,15 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +if [ "$1" == "" ]; then + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_all/_ilm/explain | jq . +else + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/$1/_ilm/explain | jq .[] +fi From 1d6c03feb1a9cc0535f8c221c2d6fc600c9ff7a2 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:34:39 +0000 Subject: [PATCH 09/15] Rename initial ILM lifecycle status explanation script --- ...icsearch-ilm-explain => so-elasticsearch-ilm-lifecycle-status} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename salt/common/tools/sbin/{so-elasticsearch-ilm-explain => so-elasticsearch-ilm-lifecycle-status} (100%) diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-explain b/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status similarity index 100% rename from salt/common/tools/sbin/so-elasticsearch-ilm-explain rename to salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status 
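Review bot: `$1` on the `else` branch is an index name or pattern and is left unquoted, so an argument such as `so-zeek-*` undergoes pathname expansion before curl sees it — if the current directory holds a matching file the URL silently changes. Quote it (`https://{{ NODEIP }}:9200/"$1"/_ilm/explain`) and, since a `/` in the argument would route the request to a different API, validate it against the characters an index pattern can contain before use. `jq .[]` drops the top-level key of the response; if that is intentional, a short comment such as `# print only the per-index map` would save the next reader a trip to the API docs. The missing `!` in `#/bin/bash` applies here as in the other scripts.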
From b319b50fa17d49059e082aec4085d2c31ec635e9 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:39:33 +0000 Subject: [PATCH 10/15] Add initial ILM status script --- salt/common/tools/sbin/so-elasticsearch-ilm-status | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-status diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-status b/salt/common/tools/sbin/so-elasticsearch-ilm-status new file mode 100644 index 000000000..8d78adc5b --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-status @@ -0,0 +1,11 @@ +/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/status | jq . From 8a00521092895ab35b40913c36d2c589d3c1a3e6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 8 Feb 2023 17:19:20 -0500 Subject: [PATCH 11/15] ensure node_data is populated with self if logstash:nodes data doesnt exist, ie import node --- salt/logstash/map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 5f0a7ea79..553144b45 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja 
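Review bot: The first line `/bin/bash` has no `#!`, the same defect as in the ilm-start script: it is executed as a command and opens a nested bash shell before the rest of the script runs. Replace it with `#!/bin/bash`. Since every script in this series shares the same header block, it is worth fixing the shebang once across all of them (the `#/bin/bash` variant in the others is not a shebang either).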
@@ -1,7 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% set REDIS_NODES = [] %} {% set LOGSTASH_NODES = [] %} -{% set node_data = salt['pillar.get']('logstash:nodes') %} +{% set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %} {% for node_type, node_details in node_data.items() | sort %} {% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} From 613793ad9b1100fbcaf9f4dd69516851fc062e59 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 9 Feb 2023 09:32:04 -0500 Subject: [PATCH 12/15] Temporarily use Elasticsearch output for Standalone installations --- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 217d69036..9c25dde55 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs -{% if grains.role == 'so-import' %} +{% if grains.role in ['so-import', 'so-standalone'] %} # Add SO-Manager Elasticsearch Ouput ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) JSON_STRING=$( jq -n \ From b744dc0641665a58adf3a5c0de5c00cd23ada75e Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 9 Feb 2023 09:35:29 -0500 Subject: [PATCH 13/15] Add so-eval to list of modes using the Elasticsearch output for Elastic Agent and Fleet --- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 9c25dde55..b82890faa 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup 
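Review bot: The fallback passed as the default to `pillar.get` is built from `GLOBALS.role.split('-')[1]`, which is evaluated whether or not the pillar key exists and would raise if a role ever lacked a `-`; every role visible here is `so-…`, so this is a robustness concern only, but the intent (import nodes have no `logstash:nodes` pillar, per the commit message) is not visible in the template itself. Add `{# No logstash:nodes pillar (e.g. import node): treat this host as the sole node of its own role type #}` above the `set`. Whether the loop below expects a `node_type` key equal to the role suffix for every role that can reach this fallback is not something I can confirm from this hunk.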
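Review bot: The commit message describes this as temporary, but nothing in the file marks it so, and the condition will outlive its reason once the message scrolls out of view. Add a marker on the line above the condition, e.g. `# TODO: temporary - standalone installs use the Elasticsearch output directly (see commit 613793a); revert when no longer needed`. The enclosing `if` block continues past the end of the hunk.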
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs -{% if grains.role in ['so-import', 'so-standalone'] %} +{% if grains.role in ['so-import', 'so-standalone', 'so-eval'] %} # Add SO-Manager Elasticsearch Ouput ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) JSON_STRING=$( jq -n \ From bb6fc8da19ed48f94436459daab81391c6f15262 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 9 Feb 2023 15:51:58 +0000 Subject: [PATCH 14/15] Add policy templates for other logs --- .../sbin/so-elasticsearch-ilm-policy-load | 56 ++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load index 2780ab59e..78766953b 100644 --- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load 
@@ -12,8 +12,62 @@ echo echo "Setting up default Security Onion index lifecycle management policies..." +# Elasticsearch logs +echo +echo "Setting up Elasticsearch ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Import logs +echo +echo "Setting up Import ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-import-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Kibana logs +echo +echo "Setting up Kratos ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kibana-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Kratos logs +echo +echo "Setting up Kratos ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kratos-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Logstash logs +echo +echo "Setting up Logstash ILM policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-logstash-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Redis logs +echo +echo "Setting up Redis ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-redis-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Strelka logs +echo +echo "Setting up Strelka ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-strelka-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Suricata logs +echo +echo "Setting up Suricata ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-suricata-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + +# Syslog logs +echo +echo "Setting up Syslog ILM policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-syslog-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +echo + # Zeek logs echo echo "Setting up Zeek ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "1gb", "max_age": "30d" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' echo From ee7f299e6d2859a471afd025621cae1160b2846a Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 9 Feb 2023 15:56:36 +0000 Subject: [PATCH 15/15] Fix typo - 'Kratos' to 'Kibana' --- salt/common/tools/sbin/so-elasticsearch-ilm-policy-load | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load index 78766953b..09cc6dc08 100644 --- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load 
@@ -15,7 +15,7 @@ echo "Setting up default Security Onion index lifecycle management policies..." # Elasticsearch logs echo echo "Setting up Elasticsearch ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' echo # Import logs @@ -26,7 +26,7 @@ echo # Kibana logs echo -echo "Setting up Kratos ILM policy..." +echo "Setting up Kibana ILM policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kibana-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' echo
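Review bot: The first hunk changes the policy id from `so-elasticsearch-logs` to `elasticsearch-logs`, dropping the `so-` prefix that every other policy in this file carries, while the commit message only mentions the Kratos/Kibana label fix; this looks like an accidental edit. If it is unintended, restore `"https://{{ NODEIP }}:9200/_ilm/policy/so-elasticsearch-logs"`; if it is deliberate, say why in the commit message and make sure whatever index template refers to this policy uses the new name, which I cannot verify from this diff.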