From 0a40bfcb887f21a9cd7c57e2d3864ed87a9102d6 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 14 Sep 2022 11:00:22 -0400
Subject: [PATCH] Change how pcap is written to the minion file
---
 salt/common/tools/sbin/so-minion | 7 -------
 salt/pcap/defaults.yaml | 11 +++++++++++
 salt/pcap/soc_pcap.yaml | 8 ++++----
 3 files changed, 15 insertions(+), 11 deletions(-)
 create mode 100644 salt/pcap/defaults.yaml
diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion
index 24544940c..58f04ab77 100755
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -168,13 +168,6 @@ function add_sensor_to_minion() {
 echo " config:" >> $PILLARFILE
 echo " af-packet:" >> $PILLARFILE
 echo " threads: $CORECOUNT" >> $PILLARFILE
- echo "steno:" >> $PILLARFILE
- echo " stenopin: False" >> $PILLARFILE
- echo " stenopins:" >> $PILLARFILE
- echo " - 3" >> $PILLARFILE
- echo " enabled: True" >> $PILLARFILE
- echo " disks:" >> $PILLARFILE
- echo " - '/some/path'" >> $PILLARFILE
 }
 
 function createSTANDALONE() {
diff --git a/salt/pcap/defaults.yaml b/salt/pcap/defaults.yaml
new file mode 100644
index 000000000..bb93ec6cc
--- /dev/null
+++ b/salt/pcap/defaults.yaml
@@ -0,0 +1,11 @@
+pcap:
+ enabled: True
+ config:
+ maxdirectoryfiles: 30000
+ diskfreepercentage: 10
+ blocks: 2048
+ preallocate_file_mb: 4096
+ aiops: 128
+ stenopin: False
+ stenopins: []
+ disks: []
\ No newline at end of file
diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml
index 515dd346b..68eb0f083 100644
--- a/salt/pcap/soc_pcap.yaml
+++ b/salt/pcap/soc_pcap.yaml
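Review bot: The new defaults in salt/pcap/defaults.yaml set `enabled: True` alongside `disks: []` and `stenopins: []`, but nothing in the file says what an empty list means to whatever renders the Stenographer configuration; that consumer is not part of this patch. The lines removed from so-minion wrote the same settings under a top-level `steno:` key in each minion pillar, so sensors provisioned before this change presumably still carry a `steno:` block. If the pcap states now read only `pcap:`, a per-sensor `enabled` or `disks` value would stop applying without any error, so the migration path should be confirmed. A header comment such as `# Defaults for Stenographer pcap; override per sensor under pcap: in the minion pillar` would make the intent explicit. The file also ends without a trailing newline.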
@@ -1,9 +1,9 @@
 pcap:
+ enabled:
+ description: Enable or Disable Stenographer on all sensors or a single sensor
 config:
- enabled:
- description: Enable or Disable Stenographer on all sensors or a single sensor
- maxfiles:
- description: The maximum number of packet/index files to create before cleaning old ones up.
+ maxdirectoryfiles:
+ description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space.
 diskfreepercentage:
 description: The disk space percent to always keep free for pcap
 blocks:
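Review bot: The new `maxdirectoryfiles` description in salt/pcap/soc_pcap.yaml says the default is "about 8 days regardless of free space" without saying what the 8 days is derived from, so an operator cannot tell how changing the value affects pcap retention. If the intent is that the oldest capture files are deleted at this limit even while `diskfreepercentage` is still satisfied, say so directly, since this bounds how far back packet evidence is available. Something like `description: The maximum number of packet/index files to keep before the oldest are deleted. With the default value this is about 8 days of capture, and the limit applies even when free disk space remains.` would be clearer.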