diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index c28d7ccca..aca8496f5 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -545,6 +545,22 @@ retry() {
 return $exitcode
 }
+rollover_index() {
+ idx=$1
+ exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+ if [[ $exists -eq 200 ]]; then
+ rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+ if [[ $rollover -eq 200 ]]; then
+ echo "Successfully triggered rollover for $idx..."
+ else
+ echo "Could not trigger rollover for $idx..."
+ fi
+ else
+ echo "Could not find index $idx..."
+ fi
+}
+
 run_check_net_err() {
 local cmd=$1
 local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 49d4ced94..6a9d50a08 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -119,7 +119,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - so-case* priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -131,8 +131,6 @@ elasticsearch:
 match_mapping_type: string settings: index: - lifecycle: - name: so-case-logs mapping: total_fields: limit: 1500
@@ -143,14 +141,7 @@ elasticsearch:
 sort: field: '@timestamp' order: desc - policy: - phases: - hot: - actions: {} - min_age: 0ms so-common: - close: 30 - delete: 365 index_sorting: false index_template: composed_of:
@@ -214,7 +205,9 @@ elasticsearch:
 - common-settings - common-dynamic-mappings - winlog-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-*-so*
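Review bot: rollover_index assigns `idx`, `exists` and `rollover` without `local`, so any script that sources so-common and calls it has same-named globals overwritten and left behind; `local idx=$1` and `local exists rollover` fix that. The function also reports failure only through stdout and always returns 0, so the loop in soup's post_to_3.0.0 cannot tell a failed or skipped rollover from a successful one — a `return 1` after each of the two failure messages, with those messages sent to stderr (`>&2`), would let callers react. `$idx` should be quoted in both `so-elasticsearch-query` calls, matching the caller, which already passes `"$idx"`. A one-line header such as `# Trigger a rollover of the data stream/alias named in $1; prints a status line per outcome` would also document what the HTTP-code checks are for.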
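Review bot: The `so-common:` entry loses its `close: 30` and `delete: 365` values in the -143 hunk, and the same two keys are dropped for so-idh (-510), so-kratos (-853), so-hydra (-923) and so-logs-soc (-3020), while nothing in the diff shows what retention these indices get instead. If the intent is that retention now comes from whatever ILM policy or global default applies, a short comment under `so-common:` such as `# close/delete intentionally unset: retention is governed by the index's ILM policy` would save the next reader the search; if a global default is consulted, naming it would help. Since these indices hold audit-relevant logs (SOC, Kratos, Hydra), an unintended change to how long they are kept is worth confirming before release.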
@@ -274,7 +267,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - so-detection* priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -286,8 +279,6 @@ elasticsearch:
 match_mapping_type: string settings: index: - lifecycle: - name: so-detection-logs mapping: total_fields: limit: 1500
@@ -298,11 +289,6 @@ elasticsearch:
 sort: field: '@timestamp' order: desc - policy: - phases: - hot: - actions: {} - min_age: 0ms sos-backup: index_sorting: false index_template:
@@ -462,7 +448,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - endgame* priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -510,8 +496,6 @@ elasticsearch:
 priority: 50 min_age: 30d so-idh: - close: 30 - delete: 365 index_sorting: false index_template: composed_of:
@@ -568,8 +552,8 @@ elasticsearch:
 - common-dynamic-mappings ignore_missing_component_templates: [] index_patterns: - - so-idh-* - priority: 500 + - logs-idh-so* + priority: 501 template: mappings: date_detection: false
@@ -679,11 +663,13 @@ elasticsearch:
 - common-dynamic-mappings - winlog-mappings - hash-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-import-so* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -738,7 +724,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - so-ip* priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -753,19 +739,12 @@ elasticsearch:
 mapping: total_fields: limit: 1500 - lifecycle: - name: so-ip-mappings-logs number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc - policy: - phases: - hot: - actions: {} - min_age: 0ms so-items: index_sorting: false index_template:
@@ -774,7 +753,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - .items-default-** priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -853,8 +832,6 @@ elasticsearch:
 priority: 50 min_age: 30d so-kratos: - close: 30 - delete: 365 index_sorting: false index_template: composed_of:
@@ -875,7 +852,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - logs-kratos-so* priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -923,8 +900,6 @@ elasticsearch:
 priority: 50 min_age: 30d so-hydra: - close: 30 - delete: 365 index_sorting: false index_template: composed_of:
@@ -985,7 +960,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - logs-hydra-so* priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -1040,7 +1015,7 @@ elasticsearch:
 ignore_missing_component_templates: [] index_patterns: - .lists-default-** priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -1526,6 +1501,9 @@ elasticsearch:
 - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: - logs-elastic_agent.cloudbeat@custom index_patterns:
@@ -1761,6 +1739,9 @@ elasticsearch:
 - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: - logs-elastic_agent.heartbeat@custom index_patterns:
@@ -3020,8 +3001,6 @@ elasticsearch:
 priority: 50 min_age: 30d so-logs-soc: - close: 30 - delete: 365 index_sorting: false index_template: composed_of:
@@ -3076,11 +3055,13 @@ elasticsearch:
 - dtc-user_agent-mappings - common-settings - common-dynamic-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-soc-so* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -3670,10 +3651,13 @@ elasticsearch:
 - vulnerability-mappings - common-settings - common-dynamic-mappings + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-logstash-default* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -3973,8 +3957,8 @@ elasticsearch:
 - common-dynamic-mappings ignore_missing_component_templates: [] index_patterns: - - logs-redis-default* - priority: 500 + - logs-redis.log* + priority: 501 template: mappings: date_detection: false
@@ -4085,11 +4069,13 @@ elasticsearch:
 - common-settings - common-dynamic-mappings - hash-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-strelka-so* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -4199,11 +4185,13 @@ elasticsearch:
 - common-settings - common-dynamic-mappings - hash-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-suricata-so* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -4313,11 +4301,13 @@ elasticsearch:
 - common-settings - common-dynamic-mappings - hash-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-suricata.alerts-* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -4427,11 +4417,13 @@ elasticsearch:
 - vulnerability-mappings - common-settings - common-dynamic-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-syslog-so* - priority: 500 + priority: 501 template: mappings: date_detection: false
@@ -4543,11 +4535,13 @@ elasticsearch:
 - common-settings - common-dynamic-mappings - hash-mappings - data_stream: {} + data_stream: + allow_custom_routing: false + hidden: false ignore_missing_component_templates: [] index_patterns: - logs-zeek-so* - priority: 500 + priority: 501 template: mappings: date_detection: false
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index cdc61094d..3a4edc170 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -403,7 +403,15 @@ migrate_pcap_to_suricata() {
 }
 post_to_3.0.0() {
- echo "Nothing to apply"
+ for idx in "logs-idh-so" "logs-redis.log-default"; do
+ rollover_index "$idx"
+ done
+
+ # Remove ILM for so-case and so-detection indices
+ for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+ so-elasticsearch-query $idx/_ilm/remove -XPOST
+ done
+
 POSTVERSION=3.0.0
 }
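Review bot: The ILM-removal loop in post_to_3.0.0 discards the response of `so-elasticsearch-query $idx/_ilm/remove -XPOST`, so a non-200 (for example a 404 if one of the history indices does not exist on a given install) leaves no trace in the upgrade output, whereas the rollover loop above it reports per index. Capturing the status the way rollover_index does, `code=$(so-elasticsearch-query "$idx/_ilm/remove" -XPOST -o /dev/null -w "%{http_code}")`, and echoing the index and code keeps the two loops consistent and also quotes `$idx`. The comment says ILM is removed for so-case and so-detection only, yet the defaults.yaml hunk at -753 also drops the `lifecycle`/`policy` for so-ip; if existing so-ip indices still reference that policy, this migration does not detach them — confirm whether so-ip needs the same treatment or the comment should say why it does not.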