Change how the telegraf scripts determine whether an instance of the script is already running

m0duspwnens
2021-11-04 23:22:13 -04:00
parent 665732bd32
commit 0b28e89f3c
13 changed files with 71 additions and 75 deletions


@@ -15,9 +15,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
PREVCOUNTFILE='/tmp/beatseps.txt' PREVCOUNTFILE='/tmp/beatseps.txt'
EVENTCOUNTCURRENT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.acked')" EVENTCOUNTCURRENT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.acked')"
@@ -42,7 +41,6 @@ if [ ! "$THEGREP" ]; then
echo "fbstats eps=${EVENTS%%.*},failed=$FAILEDEVENTCOUNT" echo "fbstats eps=${EVENTS%%.*},failed=$FAILEDEVENTCOUNT"
fi fi
else
exit 0
fi fi
exit 0
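Review bot: The new guard `pidof -x $(basename $0) -o %PPID` at the top of the script matches on process name alone and leaves `$0` unquoted, so any process that shares the script's basename makes the script print nothing and telegraf records a silent gap for this metric. Quoting at least removes the word-splitting: `if [[ -z "$(pidof -x "$(basename "$0")" -o %PPID)" ]]; then`. A non-blocking `flock -n` on a lock file in a directory only the telegraf user can write would tie the check to this script rather than to a name. The same guard is added in every other file of this commit, and the body of the `if` continues outside the visible hunks.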


@@ -15,13 +15,12 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
FILES=$(ls -1x /host/nsm/strelka/unprocessed | wc -l) FILES=$(ls -1x /host/nsm/strelka/unprocessed | wc -l)
echo "faffiles files=$FILES" echo "faffiles files=$FILES"
else
exit 0
fi fi
exit 0
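Review bot: `FILES=$(ls -1x /host/nsm/strelka/unprocessed | wc -l)` probably undercounts: with GNU ls the later `-x` overrides `-1` and selects the across-columns layout, so several names can share one output line (worth confirming against the ls in the telegraf image). File names that contain a newline would skew the count the other way. Counting entries directly avoids both, for example with GNU find: `FILES=$(find /host/nsm/strelka/unprocessed -mindepth 1 -maxdepth 1 ! -name '.*' -printf . | wc -c)`.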


@@ -15,9 +15,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
PREVCOUNTFILE='/tmp/eps.txt' PREVCOUNTFILE='/tmp/eps.txt'
EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.events.in')" EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.events.in')"
@@ -40,7 +39,7 @@ if [ ! "$THEGREP" ]; then
echo "consumptioneps eps=${EVENTS%%.*}" echo "consumptioneps eps=${EVENTS%%.*}"
fi fi
else
exit 0
fi fi
exit 0
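Review bot: `PREVCOUNTFILE='/tmp/eps.txt'` keeps the previous counter under a fixed name in a world-writable directory, and the commit leaves it that way; the same applies to `/tmp/beatseps.txt` and `/tmp/helixevents.txt` in two other files of this commit. Any other local account can create or replace that file first, which lets it set the previous count used in the rate calculation and, presumably, redirect the script's write through a link (the read and write are outside the visible hunks). Keeping the state in a directory that only the telegraf user can write closes this, e.g. `PREVCOUNTFILE='<telegraf-owned-state-dir>/eps.txt'`, where the directory is a placeholder to be chosen.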


@@ -15,9 +15,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
PREVCOUNTFILE='/tmp/helixevents.txt' PREVCOUNTFILE='/tmp/helixevents.txt'
EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')" EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
@@ -39,6 +38,7 @@ if [ ! "$THEGREP" ]; then
echo "helixeps eps=${EVENTS%%.*}" echo "helixeps eps=${EVENTS%%.*}"
fi fi
else
exit 0
fi fi
exit 0


@@ -15,13 +15,12 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'}) INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'})
echo "influxsize kbytes=$INFLUXSIZE" echo "influxsize kbytes=$INFLUXSIZE"
else
exit 0
fi fi
exit 0


@@ -15,9 +15,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
# Get the data # Get the data
OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'}) OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'})
@@ -25,6 +24,7 @@ if [ ! "$THEGREP" ]; then
AGE=$(($DATE - $OLDPCAP)) AGE=$(($DATE - $OLDPCAP))
echo "pcapage seconds=$AGE" echo "pcapage seconds=$AGE"
else
exit 0
fi fi
exit 0
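Review bot: `AGE=$(($DATE - $OLDPCAP))` hits an arithmetic syntax error whenever the `find` pipeline returns nothing, for instance while /host/nsm/pcap holds no file that passes the `grep -v "\."` filter, unless a guard sits in the lines between the two hunks. The script would then most likely emit `pcapage seconds=` with no value, which telegraf cannot parse. A check before the subtraction, `[[ "$OLDPCAP" =~ ^[0-9]+$ ]] || exit 0`, avoids that. Note also that `grep -v "\."` drops any path with a dot anywhere in it, directory names included.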


@@ -15,17 +15,18 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
RAIDLOG=/var/log/raid/status.log if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
RAIDSTATUS=$(cat /var/log/raid/status.log)
if [ ! "$THEGREP" ]; then RAIDLOG=/var/log/raid/status.log
RAIDSTATUS=$(cat /var/log/raid/status.log)
if [ -f "$RAIDLOG" ]; then if [ -f "$RAIDLOG" ]; then
echo "raid $RAIDSTATUS" echo "raid $RAIDSTATUS"
else else
exit 0 exit 0
fi fi
else
exit 0
fi fi
exit 0
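Review bot: `RAIDSTATUS=$(cat /var/log/raid/status.log)` still runs before the `[ -f "$RAIDLOG" ]` test, so a missing log produces a cat error on every run, and the path is repeated instead of using `$RAIDLOG`. Moving the read inside the test fixes both: `RAIDSTATUS=$(cat "$RAIDLOG")` as the first line of the `if [ -f "$RAIDLOG" ]` branch. The file's content also goes into the influx line unchecked through `echo "raid $RAIDSTATUS"`, so whoever can write that log decides the fields telegraf receives; a pattern check on the expected field form before the echo would bound that. The file in this commit that sets `SOSTATUSSTATUS` reads `/var/log/sostatus/status.log` the same way.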


@@ -15,14 +15,14 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}') UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}')
PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}') PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}')
echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED" echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED"
else
exit 0
fi fi
exit 0


@@ -14,9 +14,9 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep)
if [ ! "$THEGREP" ]; then # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
SOSTATUSLOG=/var/log/sostatus/status.log SOSTATUSLOG=/var/log/sostatus/status.log
SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log) SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log)
@@ -26,6 +26,7 @@ if [ ! "$THEGREP" ]; then
else else
exit 0 exit 0
fi fi
else
exit 0
fi fi
exit 0


@@ -15,9 +15,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
CHECKIT=$(grep "Thread 0" /var/log/stenographer/stenographer.log |tac |head -2|wc -l) CHECKIT=$(grep "Thread 0" /var/log/stenographer/stenographer.log |tac |head -2|wc -l)
STENOGREP=$(grep "Thread 0" /var/log/stenographer/stenographer.log |tac |head -2) STENOGREP=$(grep "Thread 0" /var/log/stenographer/stenographer.log |tac |head -2)
@@ -43,6 +42,6 @@ if [ ! "$THEGREP" ]; then
fi fi
fi fi
else
exit 0
fi fi
exit 0


@@ -16,9 +16,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4) SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l) CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l)
@@ -43,6 +42,7 @@ if [ ! "$THEGREP" ]; then
echo "suridrop drop=$LOSS" echo "suridrop drop=$LOSS"
fi fi
fi fi
else
echo "suridrop drop=0"
fi fi
exit 0


@@ -18,9 +18,8 @@
# This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
if [ -d "/host/nsm/zeek/spool/logger" ]; then if [ -d "/host/nsm/zeek/spool/logger" ]; then
WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }} WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
@@ -45,6 +44,7 @@ if [ ! "$THEGREP" ]; then
fi fi
echo "$CURRENTTS" > $LASTCAPTURELOSSLOG echo "$CURRENTTS" > $LASTCAPTURELOSSLOG
fi fi
else
exit 0
fi fi
exit 0


@@ -17,9 +17,8 @@
# This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage
THEGREP=$(ps -ef | grep $0 | grep -v $$ | grep -v grep) # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ ! "$THEGREP" ]; then
ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2) ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($ZEEKLOG) declare RESULT=($ZEEKLOG)
@@ -43,6 +42,7 @@ if [ ! "$THEGREP" ]; then
LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc) LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc)
echo "zeekdrop drop=$LOSS" echo "zeekdrop drop=$LOSS"
fi fi
else
exit 0
fi fi
exit 0
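Review bot: `LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc)` hands values taken from /host/nsm/zeek/logs/packetloss.log to dc unquoted and, as far as the visible lines show, unvalidated; dc treats its input as a program rather than as plain numbers, and a zero `$TOTAL` makes it print an error and leave `LOSS` empty. How `DROPPED` and `TOTAL` are extracted is outside the hunks, so a check may already exist there. If it does not, a guard before this line such as `[[ "$DROPPED" =~ ^[0-9]+$ && "$TOTAL" =~ ^[1-9][0-9]*$ ]] || exit 0` keeps non-numeric log content out of dc and out of the emitted metric; widen the pattern if the fields can be fractional.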