CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX: curator should exclude so-case* indices #7270

Browse Source
This commit is contained in:
doug
2022-02-22 17:00:52 -05:00
parent 9f7612b599
commit 1392fc37e8
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
salt/curator/files/bin/so-curator-closed-delete-delete
View File

@@ -34,9 +34,13 @@ overlimit() {
closedindices() { closedindices() {
INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null) # If we can't query Elasticsearch, then immediately return false.
{{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1
[ $? -eq 1 ] && return false [ $? -eq 1 ] && return false
echo ${INDICES} | grep -q -E "(logstash-|so-)" # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
# Next, filter out any so-case indices.
# Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices.
{{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)"
} }
# Check for 2 conditions: # Check for 2 conditions:
@@ -47,9 +51,10 @@ while overlimit && closedindices; do
# We need to determine OLDEST_INDEX: # We need to determine OLDEST_INDEX:
# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field. # Next, filter out any so-case indices and only select the remaining logstash- or so- indices.
# Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
# Finally, select the first entry in that sorted list. # Finally, select the first entry in that sorted list.
OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it. # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
{{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} {{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}