From a323aeb8fad1a0d55272ffc45b60b875c465dfef Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 16 Jun 2021 14:23:58 -0400 Subject: [PATCH 1/7] Allow so-elastic-auth to run before common even though the script has dependency on a common-provided script (benign error). This is needed first since common will need to know if auth is enabled --- salt/common/tools/sbin/so-elastic-auth | 2 +- setup/so-setup | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth index d4b8057a3..9e2843b5c 100644 --- a/salt/common/tools/sbin/so-elastic-auth +++ b/salt/common/tools/sbin/so-elastic-auth @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -. /usr/sbin/so-common +. /usr/sbin/so-common 2> /dev/null ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls} ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} diff --git a/setup/so-setup b/setup/so-setup index f5f32f3d4..34802fef9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -751,6 +751,10 @@ echo "1" > /root/accept_changes set_progress_str 60 "$(print_salt_state_apply 'manager')" salt-call state.apply -l info manager >> $setup_log 2>&1 + + echo "Executing so-elastic-auth..." >> $setup_log 2>&1 + ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> $setup_log 2>&1 + echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi set_progress_str 61 "$(print_salt_state_apply 'firewall')" 
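Review bot: The new `ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> $setup_log 2>&1` line discards the script's exit status, so setup marches on to the firewall state even when so-elastic-auth bails out (the script visibly exits 1 when the auth pillar has no `enabled:` key, per its later hunk in this series), and the only trace is a "Finished" log line that reads like success. Record the failure instead of assuming it: `ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> "$setup_log" 2>&1 || echo "so-elastic-auth failed (rc=$?)" >> "$setup_log"`. Quoting `"$setup_log"` on the three new redirections also matches what a log path containing spaces would need. The enclosing `if` whose `fi` appears in this hunk starts outside it.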
@@ -770,10 +774,6 @@ echo "1" > /root/accept_changes fi if [[ $is_manager || $is_helix || $is_import ]]; then - echo "Executing so-elastic-auth..." >> $setup_log 2>&1 - ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /usr/sbin/so-elastic-auth >> $setup_log 2>&1 - echo "Finished so-elastic-auth..." >> $setup_log 2>&1 - set_progress_str 63 "$(print_salt_state_apply 'idstools')" create_local_nids_rules >> $setup_log 2>&1 salt-call state.apply -l info idstools >> $setup_log 2>&1 From fefd2677fb7122997da835b7be883a4edaf352af Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 16 Jun 2021 14:26:26 -0400 Subject: [PATCH 2/7] Only include so-common if available. It only is used for requiring root, but since this script is needed before common is installed, we can safely assume that it's being run as root already (during the install) --- salt/common/tools/sbin/so-elastic-auth | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth index 9e2843b5c..f6c19d76f 100644 --- a/salt/common/tools/sbin/so-elastic-auth +++ b/salt/common/tools/sbin/so-elastic-auth @@ -15,7 +15,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -. /usr/sbin/so-common 2> /dev/null +if [ -f "/usr/sbin/so-common" ]; then + . /usr/sbin/so-common +fi ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls} ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} From 703988b3761bcfa1610309de94002d23f58fb7ae Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 16 Jun 2021 14:28:20 -0400 Subject: [PATCH 3/7] Fix merge issue in soup --- salt/common/tools/sbin/soup | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b5229fca1..64c8de66b 100755 --- a/salt/common/tools/sbin/soup 
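Review bot: The `if [ -f "/usr/sbin/so-common" ]` guard makes the root check optional: the commit message says so-common is sourced only to require root, so when the file is absent the script proceeds with no privilege check at all, and the later `sed -i` writes to the pillar and users files (visible in this file's later hunks) run as whoever invoked it. The "installer context implies root" assumption is never verified by the script itself. A fallback keeps the invariant independent of so-common — change the closing `fi` to `elif [[ $EUID -ne 0 ]]; then echo "so-elastic-auth must run as root" >&2; exit 1; fi`.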
+++ b/salt/common/tools/sbin/soup @@ -779,12 +779,6 @@ main() { verify_latest_update_script echo "" - echo "Stopping Salt Master service." - systemctl stop salt-master - echo "" - - upgrade_to_2.3.50_repo - echo "Generating new repo archive" generate_and_clean_tarballs if [ -f /usr/sbin/so-image-common ]; then @@ -837,7 +831,7 @@ main() { systemctl stop salt-master echo "" - preupgrade_changes_2.3.50_repo + upgrade_to_2.3.50_repo # Does salt need upgraded. If so update it. if [[ $UPGRADESALT -eq 1 ]]; then From 2d342082694b3547dfa14f50325bdffe11e33902 Mon Sep 17 00:00:00 2001 
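Review bot: After the rename on the `upgrade_to_2.3.50_repo` line, `preupgrade_changes_2.3.50_repo` is called from nowhere in these hunks; if that function still exists in soup it is now dead code, and if it did something different from the repo switch (the old name suggests pre-upgrade changes rather than the repo move) a step has been dropped rather than merged. Its return status is also not checked before the Salt upgrade branch runs, so a failed repo switch would flow straight into the `UPGRADESALT` handling; `upgrade_to_2.3.50_repo || { echo "2.3.50 repo upgrade failed" >&2; exit 1; }` would stop that, assuming the function returns non-zero on failure. `main()` and both function bodies lie outside these hunks, so this is inferred from the call sites only.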
From: Jason Ertel Date: Wed, 16 Jun 2021 17:52:22 -0400 Subject: [PATCH 4/7] Elastic auth: Fun with Salt --- salt/common/tools/sbin/so-airgap-hotfixapply | 0 salt/common/tools/sbin/so-airgap-hotfixdownload | 0 salt/common/tools/sbin/so-elastic-auth | 9 +++++++-- salt/common/tools/sbin/so-elasticsearch-query | 0 salt/common/tools/sbin/so-elasticsearch-wait | 5 +++++ salt/common/tools/sbin/so-influxdb-clean | 0 salt/common/tools/sbin/so-influxdb-migrate | 0 salt/common/tools/sbin/so-pcap-export | 0 salt/curator/files/curator.yml | 2 ++ salt/elastalert/defaults.yaml | 11 ++++------- salt/elastalert/init.sls | 11 ++--------- salt/filebeat/etc/filebeat.yml | 11 ++++------- salt/filebeat/etc/module-setup.yml | 11 ++++------- salt/kibana/etc/kibana.yml | 11 ++++------- .../pipelines/config/so/9000_output_zeek.conf.jinja | 11 ++++------- .../pipelines/config/so/9002_output_import.conf.jinja | 11 ++++------- .../pipelines/config/so/9004_output_flow.conf.jinja | 11 ++++------- .../pipelines/config/so/9033_output_snort.conf.jinja | 11 ++++------- .../pipelines/config/so/9034_output_syslog.conf.jinja | 11 ++++------- .../config/so/9050_output_filebeatmodules.conf.jinja | 11 ++++------- .../config/so/9100_output_osquery.conf.jinja | 11 ++++------- .../so/9101_output_osquery_livequery.conf.jinja | 11 ++++------- .../config/so/9200_output_firewall.conf.jinja | 11 ++++------- .../config/so/9400_output_suricata.conf.jinja | 11 ++++------- .../pipelines/config/so/9500_output_beats.conf.jinja | 11 ++++------- .../pipelines/config/so/9600_output_ossec.conf.jinja | 11 ++++------- .../config/so/9700_output_strelka.conf.jinja | 11 ++++------- salt/salt/helper-packages.sls | 7 ------- salt/salt/map.jinja | 2 -- salt/soctopus/files/templates/es-generic.template | 11 ++++------- salt/soctopus/files/templates/generic.template | 11 ++++------- salt/soctopus/files/templates/osquery.template | 11 ++++------- salt/telegraf/etc/telegraf.conf | 11 ++++------- 33 files changed, 100 insertions(+), 
167 deletions(-) mode change 100644 => 100755 salt/common/tools/sbin/so-airgap-hotfixapply mode change 100644 => 100755 salt/common/tools/sbin/so-airgap-hotfixdownload mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-auth mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-query create mode 100755 salt/common/tools/sbin/so-elasticsearch-wait mode change 100644 => 100755 salt/common/tools/sbin/so-influxdb-clean mode change 100644 => 100755 salt/common/tools/sbin/so-influxdb-migrate mode change 100644 => 100755 salt/common/tools/sbin/so-pcap-export diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-airgap-hotfixdownload b/salt/common/tools/sbin/so-airgap-hotfixdownload old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth old mode 100644 new mode 100755 index f6c19d76f..663dbb9f6 --- a/salt/common/tools/sbin/so-elastic-auth +++ b/salt/common/tools/sbin/so-elastic-auth @@ -29,12 +29,17 @@ if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then exit 1 fi +function restart() { + so-elastic-stop + salt-call state.highstate queue=True +} + if [[ "$authEnable" == "true" ]]; then if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR" if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then echo "Applying highstate - this may take a few minutes..." - salt-call state.highstate queue=True + restart fi echo "Elastic auth is now enabled." if grep -q "argon" "$ES_USERS_FILE"; then @@ -50,7 +55,7 @@ elif [[ "$authEnable" == "false" ]]; then sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR" if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then echo "Applying highstate - this may take a few minutes..." - salt-call state.highstate queue=True + restart fi echo "Elastic auth is now disabled." else 
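Review bot: `restart()` invokes `so-elastic-stop` by bare name and ignores its status, then runs the highstate regardless, so a missing PATH entry or a failed stop means the pillar flip is applied while the old containers are still up, and a failed highstate leaves the stack stopped while the caller still prints "Elastic auth is now enabled." / "disabled.". Every other tool invocation in this series uses an absolute path, so presumably `/usr/sbin/so-elastic-stop` is the deployed location. Suggest `/usr/sbin/so-elastic-stop || { echo "so-elastic-stop failed; aborting" >&2; exit 1; }` and `salt-call state.highstate queue=True || { echo "highstate failed; Elastic stack may be stopped" >&2; exit 1; }`, plus a one-line comment on the function saying why the stack is stopped before the highstate (so the auth change takes effect on restart is my guess — confirm).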
diff --git a/salt/common/tools/sbin/so-elasticsearch-query b/salt/common/tools/sbin/so-elasticsearch-query old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-wait b/salt/common/tools/sbin/so-elasticsearch-wait new file mode 100755 index 000000000..f56aafcd3 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-wait @@ -0,0 +1,5 @@ +#!/bin/bash + +. /usr/sbin/so-common + +wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}" diff --git a/salt/common/tools/sbin/so-influxdb-clean b/salt/common/tools/sbin/so-influxdb-clean old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-influxdb-migrate b/salt/common/tools/sbin/so-influxdb-migrate old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/common/tools/sbin/so-pcap-export old mode 100644 new mode 100755 diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index 0215fbeeb..bdde14fc1 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml @@ -18,8 +18,10 @@ client: hosts: - {{elasticsearch}} port: 9200 +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: {{ ES_USER }} password: {{ ES_PASS }} +{% endif %} url_prefix: use_ssl: True certificate: diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index b65d718ac..9bfb4f188 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml 
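Review bot: so-elasticsearch-wait contains a raw Jinja placeholder, `"{{ ELASTICCURL }}"`, so it is only correct when deployed through a `template: jinja` file state; run from the source tree (the way so-setup now runs so-elastic-auth from `/opt/so/saltstack/default/...`) the literal text `{{ ELASTICCURL }}` is handed to wait_for_web_response. If ELASTICCURL carries the so_elastic_user credentials as curl `-u user:pass` arguments, they are also exposed in the process list to every local user for the up-to-300 s polling window; a 0600 curl config or netrc file (`-K` / `--netrc-file`) keeps them out of argv. A header comment would make the deployment requirement explicit: `# Rendered by Salt (jinja): ELASTICCURL is substituted at deploy time - do not run from the source tree.`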
@@ -1,10 +1,5 @@ -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} elastalert: config: rules_folder: /opt/elastalert/rules/ @@ -26,8 +21,10 @@ elastalert: use_ssl: true verify_certs: false #es_send_get_body_as: GET +{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} es_username: {{ ES_USER }} es_password: {{ ES_PASS }} +{%- endif %} writeback_index: elastalert_status alert_time_limit: days: 2 diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 1487f2cf8..5fc52eebf 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -103,15 +103,8 @@ elastaconf: - template: jinja wait_for_elasticsearch: - module.run: - - http.wait_for_successful_query: - - url: 'https://{{MANAGER}}:9200/_cat/indices/.kibana*' - - wait_for: 180 - - status: - - 200 - - 401 - - status_type: list - - verify_ssl: False + cmd.run: + - name: so-elasticsearch-wait so-elastalert: docker_container.running: diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index ba7bb0520..2a86b486f 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
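Review bot: The `cmd.run: - name: so-elasticsearch-wait` state has no `require` on whatever deploys so-elasticsearch-wait to /usr/sbin, so a targeted `state.apply elastalert` on a host where common has not run yet fails with command not found, and `cmd.run` reports a change on every highstate even when Elastic was already up. The semantics also shifted: the removed `http.wait_for_successful_query` accepted 401, treating an auth-protected cluster as reachable, whereas the new check needs `green open` in the response body, so ELASTICCURL must carry working credentials once auth is enabled or elastalert blocks for the full 300 s timeout and the state fails. Add a require on the state that installs the script (its id is outside this hunk) and a comment above `wait_for_elasticsearch:` such as `# so-elasticsearch-wait needs so_elastic_user credentials via ELASTICCURL once auth is enabled`.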
@@ -3,13 +3,8 @@ {%- else %} {%- set MANAGER = salt['grains.get']('master') %} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %} @@ -272,8 +267,10 @@ output.{{ type }}: output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] +{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: "{{ ES_USER }}" password: "{{ ES_PASS }}" +{%- endif %} ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" diff --git a/salt/filebeat/etc/module-setup.yml b/salt/filebeat/etc/module-setup.yml index 50bda9cf4..6c2f91d18 100644 --- a/salt/filebeat/etc/module-setup.yml +++ b/salt/filebeat/etc/module-setup.yml 
@@ -3,17 +3,14 @@ {%- else %} {%- set MANAGER = salt['grains.get']('master') %} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: "{{ ES_USER }}" password: "{{ ES_PASS }}" +{% endif %} ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml index efe62cc11..6fcafe68f 100644 --- a/salt/kibana/etc/kibana.yml +++ b/salt/kibana/etc/kibana.yml 
@@ -1,21 +1,18 @@ --- # Default Kibana configuration from kibana-docker. {%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} server.name: kibana server.host: "0" server.basePath: /kibana elasticsearch.hosts: [ "https://{{ ES }}:9200" ] elasticsearch.ssl.verificationMode: none #kibana.index: ".kibana" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} elasticsearch.username: {{ ES_USER }} elasticsearch.password: {{ ES_PASS }} +{% endif %} #xpack.monitoring.ui.container.elasticsearch.enabled: true elasticsearch.requestTimeout: 90000 logging.dest: /var/log/kibana/kibana.log diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index c3e567645..670dcf49e 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "zeek" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-zeek" template_name => "so-zeek" template => "/templates/so-zeek-template.json" diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 709b1a0f9..1ebaa1082 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "import" in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-import" template_name => "so-import" template => "/templates/so-import-template.json" diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index a98aaad26..affa32d1a 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja 
@@ -3,19 +3,16 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [event_type] == "sflow" { elasticsearch { hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-flow" template_name => "so-flow" template => "/templates/so-flow-template.json" diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index d31f2f00c..ea603b016 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja 
@@ -3,19 +3,16 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [event_type] == "ids" and "import" not in [tags] { elasticsearch { hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-ids" template_name => "so-ids" template => "/templates/so-ids-template.json" diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 6527c7160..ab8508bf3 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "syslog" { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-syslog" template_name => "so-syslog" template => "/templates/so-syslog-template.json" diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index 61aa4879a..56c8a311b 100644 --- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja 
@@ -3,21 +3,18 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [metadata][pipeline] { elasticsearch { id => "filebeat_modules_metadata_pipeline" pipeline => "%{[metadata][pipeline]}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-%{[event][module]}-%{+YYYY.MM.dd}" template_name => "so-common" template => "/templates/so-common-template.json" diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index 8d6095ea3..b997ea7be 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "osquery" and "live_query" not in [dataset] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-osquery" template_name => "so-osquery" template => "/templates/so-osquery-template.json" diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index 0045db734..fce35b5a4 100644 --- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja 
@@ -4,13 +4,8 @@ {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} {%- set FEATURES = salt['pillar.get']('elastic:features', False) %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} filter { if [type] =~ "live_query" { @@ -37,8 +32,10 @@ output { elasticsearch { pipeline => "osquery.live_query" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-osquery" template_name => "so-osquery" template => "/templates/so-osquery-template.json" diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index f89ef7674..e82dbb4f8 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -3,19 +3,16 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [dataset] =~ "firewall" { elasticsearch { hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-firewall" template_name => "so-firewall" template => "/templates/so-firewall-template.json" diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 251aa5ff1..34e2bab7c 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "suricata" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-ids" template_name => "so-ids" template => "/templates/so-ids-template.json" diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index cf8427f0b..2ad403ab9 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if "beat-ext" in [tags] and "import" not in [tags] { elasticsearch { pipeline => "beats.common" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-beats" template_name => "so-beats" template => "/templates/so-beats-template.json" diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 69a7e7309..6e03d8c72 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "ossec" { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-ossec" template_name => "so-ossec" template => "/templates/so-ossec-template.json" diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index bdcce2cae..007f1370e 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja 
@@ -3,20 +3,17 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [module] =~ "strelka" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" +{% endif %} index => "so-strelka" template_name => "so-strelka" template => "/templates/so-strelka-template.json" diff --git a/salt/salt/helper-packages.sls b/salt/salt/helper-packages.sls index c26cdc7c0..32480c163 100644 --- a/salt/salt/helper-packages.sls +++ b/salt/salt/helper-packages.sls @@ -1,10 +1,3 @@ -{% from 'salt/map.jinja' import PYINOTIFYPACKAGE with context%} -{% from 'salt/map.jinja' import PYTHONINSTALLER with context%} - patch_package: pkg.installed: - name: patch - -pyinotify: - {{PYTHONINSTALLER}}.installed: - - name: {{ PYINOTIFYPACKAGE }} diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 4b9577319..3ef334752 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -11,7 +11,6 @@ {% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %} {% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %} {% set PYTHONINSTALLER = 'pip' %} - {% set PYINOTIFYPACKAGE = 'pyinotify' %} {% else %} {% set SPLITCHAR = '-' %} {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %} 
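Review bot: Dropping `PYINOTIFYPACKAGE` from map.jinja turns any remaining `{% from 'salt/map.jinja' import PYINOTIFYPACKAGE with context %}` elsewhere in the tree into a render-time UndefinedError that aborts the whole highstate, and removing the pyinotify install silently disables any Salt inotify beacon that depended on it; neither consumer is visible from these hunks, so grep the state tree before merging. If the removal is intentional, a comment in map.jinja next to `PYTHONINSTALLER` recording that pyinotify was dropped and why would stop it from being re-added by the next contributor.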
@@ -22,7 +21,6 @@
 {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
 {% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
 {% set PYTHONINSTALLER = 'pkg' %}
- {% set PYINOTIFYPACKAGE = 'securityonion-python3-pyinotify' %}
 {% endif %}
 {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template
index 08f1c796f..9b5ace95a 100644
--- a/salt/soctopus/files/templates/es-generic.template
+++ b/salt/soctopus/files/templates/es-generic.template
@@ -1,16 +1,13 @@
 {% set ES = salt['pillar.get']('global:managerip', '') %}
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- else %}
-{%- set ES_USER = '' %}
-{%- set ES_PASS = '' %}
-{%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 alert: modules.so.playbook-es.PlaybookESAlerter
 elasticsearch_host: "{{ ES }}:9200"
+{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch_user: "{{ ES_USER }}"
 elasticsearch_pass: "{{ ES_PASS }}"
+{% endif %}
 play_title: ""
 play_url: "https://{{ ES }}/playbook/issues/6000"
 sigma_level: ""
diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template
index 8fad2827d..d3736f894 100644
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,18 +1,15 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- else %}
-{%- set ES_USER = '' %}
-{%- set ES_PASS = '' %}
-{%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
 elasticsearch_host: "{{ es }}:9200"
+{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch_user: "{{ ES_USER }}"
 elasticsearch_pass: "{{ ES_PASS }}"
+{% endif %}
 play_title: ""
 play_id: ""
 event.module: "playbook"
diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template
index ad55626c2..328a7e275 100644
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,18 +1,15 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- else %}
-{%- set ES_USER = '' %}
-{%- set ES_PASS = '' %}
-{%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
 elasticsearch_host: "{{ es }}:9200"
+{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 elasticsearch_user: "{{ ES_USER }}"
 elasticsearch_pass: "{{ ES_PASS }}"
+{% endif %}
 play_title: ""
 event.module: "playbook"
 event.dataset: "alert"
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index e93fa45fb..44e78ecda 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -14,13 +14,8 @@
 # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR)
 {%- set MANAGER = salt['grains.get']('master') %}
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-{%- else %}
-{%- set ES_USER = '' %}
-{%- set ES_PASS = '' %}
-{%- endif %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %}
 {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
@@ -627,8 +622,10 @@
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
 [[inputs.elasticsearch]]
 servers = ["https://{{ MANAGER }}:9200"]
+{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 username = "{{ ES_USER }}"
 password = "{{ ES_PASS }}"
+{% endif %}
 insecure_skip_verify = true
 {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
 [[inputs.elasticsearch]]
From 059b016c62058b820b59bbb3f7866e132d1af6b7 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 16 Jun 2021 21:48:31 -0400
Subject: [PATCH 5/7] Fix require statement
---
 salt/elastalert/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 5fc52eebf..f3f4af3f9 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -121,7 +121,7 @@ so-elastalert:
 - extra_hosts:
 - {{MANAGER_URL}}:{{MANAGER_IP}}
 - require:
- - module: wait_for_elasticsearch
+ - cmd: wait_for_elasticsearch
 - watch:
 - file: elastaconf
From 2a5198cae41fb15ac179c82d015f6ff83fa86695 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 17 Jun 2021 08:49:21 -0400
Subject: [PATCH 6/7] change perms to resolve error about module-setup.yml being 660
---
 salt/filebeat/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 1517226a3..5b84851a2 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -84,7 +84,7 @@ filebeatmoduleconfsync:
 - source: salt://filebeat/etc/module-setup.yml
 - user: root
 - group: root
- - mode: 660
+ - mode: 640
 - template: jinja
 sodefaults_module_conf:
From 8cd2bc7c13cce240cab39441edd99f4329b5bb1f Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 17 Jun 2021 09:37:21 -0400
Subject: [PATCH 7/7] adding so-eval to ES_INCLUDED_NODES
---
 salt/filebeat/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
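Review bot: `- mode: 640` on module-setup.yml still grants read access to the root group, which nothing visible in this state needs; with `user: root` and `group: root` already set, `- mode: 600` would be the least-privilege choice and, presumably, satisfies the same not-group-writable check that rejected 660. The reason for the mode currently lives only in the commit message, so a comment on that line such as `# must not be group/other-writable or the module config is rejected` would keep it with the state. The enclosing `filebeatmoduleconfsync` state continues outside the hunk.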
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 5b84851a2..0cbbf0594 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -23,7 +23,7 @@
 {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% from 'filebeat/map.jinja' import THIRDPARTY with context %}
 {% from 'filebeat/map.jinja' import SO with context %}
-{% set ES_INCLUDED_NODES = ['so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
+{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
 #only include elastic state for certain nodes
 {% if grains.role in ES_INCLUDED_NODES %}
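Review bot: `ES_INCLUDED_NODES` is a hard-coded role list in init.sls even though the file already pulls `THIRDPARTY` and `SO` from `filebeat/map.jinja` two lines above; moving the list into that map and importing it with `{% from 'filebeat/map.jinja' import ES_INCLUDED_NODES with context %}` would keep role membership beside the other per-role data, so the next role addition does not touch this file. The `#only include elastic state for certain nodes` comment could also say what the remaining roles get, if the `else` branch does anything, since the `{% if grains.role in ES_INCLUDED_NODES %}` block runs past the hunk.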