CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-04 17:35:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15632 from Security-Onion-Solutions/reyesj2-15601

Browse Source 
fix global override settings affecting non-data stream indices
This commit is contained in:
Jorge Reyes
2026-03-18 10:51:17 -05:00
committed by GitHub
parent 5fb396fc09 a52e5d0474
commit 20c4da50b1
3 changed files with 78 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/common/tools/sbin/so-common
+16
View File
@@ -545,6 +545,22 @@ retry() {
return $exitcode
}
rollover_index() {
idx=$1
exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
if [[ $exists -eq 200 ]]; then
rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
if [[ $rollover -eq 200 ]]; then
echo "Successfully triggered rollover for $idx..."
else
echo "Could not trigger rollover for $idx..."
fi
else
echo "Could not find index $idx..."
fi
}
run_check_net_err() {
local cmd=$1
local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
salt/elasticsearch/defaults.yaml
+53 -59
View File
@@ -119,7 +119,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-case*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -131,8 +131,6 @@ elasticsearch:
match_mapping_type: string
settings:
index:
lifecycle:
name: so-case-logs
mapping:
total_fields:
limit: 1500
@@ -143,14 +141,7 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-common:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -214,7 +205,9 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- winlog-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-*-so*
@@ -274,7 +267,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-detection*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -286,8 +279,6 @@ elasticsearch:
match_mapping_type: string
settings:
index:
lifecycle:
name: so-detection-logs
mapping:
total_fields:
limit: 1500
@@ -298,11 +289,6 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
sos-backup:
index_sorting: false
index_template:
@@ -462,7 +448,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- endgame*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -510,8 +496,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-idh:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -568,8 +552,8 @@ elasticsearch:
- common-dynamic-mappings
ignore_missing_component_templates: []
index_patterns:
- so-idh-*
priority: 500
- logs-idh-so*
priority: 501
template:
mappings:
date_detection: false
@@ -679,11 +663,13 @@ elasticsearch:
- common-dynamic-mappings
- winlog-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-import-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -738,7 +724,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- so-ip*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -753,19 +739,12 @@ elasticsearch:
mapping:
total_fields:
limit: 1500
lifecycle:
name: so-ip-mappings-logs
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions: {}
min_age: 0ms
so-items:
index_sorting: false
index_template:
@@ -774,7 +753,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- .items-default-**
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -853,8 +832,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-kratos:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -875,7 +852,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- logs-kratos-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -923,8 +900,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-hydra:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -985,7 +960,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- logs-hydra-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -1040,7 +1015,7 @@ elasticsearch:
ignore_missing_component_templates: []
index_patterns:
- .lists-default-**
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -1526,6 +1501,9 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.cloudbeat@custom
index_patterns:
@@ -1761,6 +1739,9 @@ elasticsearch:
- so-fleet_integrations.ip_mappings-1
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.heartbeat@custom
index_patterns:
@@ -3020,8 +3001,6 @@ elasticsearch:
priority: 50
min_age: 30d
so-logs-soc:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
@@ -3076,11 +3055,13 @@ elasticsearch:
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-soc-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -3670,10 +3651,13 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-logstash-default*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -3973,8 +3957,8 @@ elasticsearch:
- common-dynamic-mappings
ignore_missing_component_templates: []
index_patterns:
- logs-redis-default*
priority: 500
- logs-redis.log*
priority: 501
template:
mappings:
date_detection: false
@@ -4085,11 +4069,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-strelka-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4199,11 +4185,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-suricata-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4313,11 +4301,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-suricata.alerts-*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4427,11 +4417,13 @@ elasticsearch:
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-syslog-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
@@ -4543,11 +4535,13 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- hash-mappings
data_stream: {}
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-zeek-so*
priority: 500
priority: 501
template:
mappings:
date_detection: false
salt/manager/tools/sbin/soup
+9 -1
View File
@@ -403,7 +403,15 @@ migrate_pcap_to_suricata() {
}
post_to_3.0.0() {
echo "Nothing to apply"
for idx in "logs-idh-so" "logs-redis.log-default"; do
rollover_index "$idx"
done
# Remove ILM for so-case and so-detection indices
for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
so-elasticsearch-query $idx/_ilm/remove -XPOST
done
POSTVERSION=3.0.0
}