diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls index 423910b4c..a9eebaf2b 100644 --- a/pillar/docker/config.sls +++ b/pillar/docker/config.sls @@ -1,4 +1,5 @@ -{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %} +{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} {% set WAZUH = salt['pillar.get']('master:wazuh', '0') %} {% set THEHIVE = salt['pillar.get']('master:thehive', '0') %} {% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %} @@ -7,7 +8,6 @@ {% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} - eval: containers: - so-core @@ -20,7 +20,7 @@ eval: - so-soc - so-kratos - so-idstools - {% if OSQUERY != '0' %} + {% if FLEETMASTER %} - so-mysql - so-fleet - so-redis @@ -100,7 +100,7 @@ master_search: - so-elastalert - so-filebeat - so-soctopus - {% if OSQUERY != '0' %} + {% if FLEETMASTER %} - so-mysql - so-fleet - so-redis @@ -143,7 +143,7 @@ master: - so-kibana - so-elastalert - so-filebeat - {% if OSQUERY != '0' %} + {% if FLEETMASTER %} - so-mysql - so-fleet - so-redis @@ -199,4 +199,13 @@ warm_node: - so-core - so-telegraf - so-elasticsearch - +fleet: + containers: + {% if FLEETNODE %} + - so-mysql + - so-fleet + - so-redis + - so-filebeat + - so-core + - so-telegraf + {% endif %} \ No newline at end of file diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 575d8162c..47fd6a0a6 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -148,5 +148,4 @@ so-elasticsearch-pipelines: so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates - - cwd: / - + - cwd: /opt/so \ No newline at end of file diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 1ec78226d..7fa8dab3e 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
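Review bot: `{% if FLEETMASTER %}` in the eval, master_search and master hunks and `{% if FLEETNODE %}` in the new fleet block rely on Jinja truthiness, so which containers a node gets depends on the YAML type setup writes under `static:fleet_master` / `static:fleet_node`: a quoted string such as `'0'` is truthy and would bring up so-mysql, so-fleet and so-redis where they are not wanted, whereas every other flag in this file is compared with `!= '0'`. The so-functions hunks in this commit show `fleet_hostname`/`fleet_ip` written as plain strings but not the fleet_* flags themselves, so I cannot confirm their type from here. Either test them the way the other flags are tested or add a comment above the first `set`, `{# static:fleet_master / static:fleet_node must be YAML booleans; a quoted '0' would be truthy here #}`. The new `fleet:` block is also committed without a trailing newline (`\ No newline at end of file`).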
@@ -7,8 +7,8 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} -{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %} -{%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %} +{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '0') %} +{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '0') %} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} @@ -110,6 +110,26 @@ filebeat.inputs: fields_under_root: true clean_removed: false close_removed: false + + {%- if STRELKAENABLED == '1' %} + + - type: log + paths: + - /nsm/strelka/log/strelka.log + fields: + module: strelka + category: file + dataset: file + + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + + {%- endif %} {%- endif %} {%- if WAZUHENABLED == '1' %} @@ -160,25 +180,6 @@ filebeat.inputs: {%- endif %} -{%- if STRELKAENABLED == '1' %} - - - type: log - paths: - - /nsm/strelka/log/strelka.log - fields: - module: strelka - category: file - dataset: file - - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - -{%- endif %} #----------------------------- Elasticsearch/Logstash output --------------------------------- {%- if grains['role'] == "so-eval" %} output.elasticsearch: diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 9f6913c11..de6961c04 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
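Review bot: The @@ -7 hunk now reads `static:wazuh_enabled` and `static:strelka_enabled`, but the master_static hunk in setup/so-functions in this same commit writes the keys as `wazuh:` and `strelka:` under static, which is also what salt/top.sls reads; unless another part of setup writes the `_enabled` variants, both lookups fall back to `'0'` and the wazuh and strelka inputs are never rendered. Either read `salt['pillar.get']('static:wazuh', '0')` / `salt['pillar.get']('static:strelka', '0')` here, or write the `_enabled` keys in master_static, but keep one spelling across top.sls, filebeat.yml and so-functions.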
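Review bot: The strelka input added in the @@ -110 hunk is now nested inside an outer `{%- if ... %}` whose opening line is outside the hunk, so the strelka log is shipped only when that outer condition also holds, where the block removed in @@ -160 was top-level and depended on `STRELKAENABLED` alone. If the outer block is gated on something other than the nodes that have `/nsm/strelka/log/strelka.log`, the input is silently dropped there; please add a comment above the nested `{%- if STRELKAENABLED == '1' %}` naming the outer condition it now depends on, e.g. `{# strelka input only rendered inside the <outer-condition> block above #}` with the real condition filled in.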
@@ -32,8 +32,8 @@ sleep 30s # Sub our IP for placholders for i in FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER PLACEHOLDER; do - sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson + sed "s/$i/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson.template > /opt/so/conf/kibana/saved_objects.ndjson done # Load saved objects -curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson +curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson > /dev/null 2>&1 diff --git a/salt/kibana/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson similarity index 100% rename from salt/kibana/saved_objects.ndjson rename to salt/kibana/files/saved_objects.ndjson diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 8fc5e0683..0f0fa987e 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -59,7 +59,19 @@ synckibanacustom: - user: 932 - group: 939 -# File.Recurse for custom saved dashboards +kibanabin: + file.managed: + - name: /usr/sbin/so-kibana-config-load + - source: salt://kibana/bin/so-kibana-config-load + - mode: 755 + - template: jinja + +kibanadashtemplate: + file.managed: + - name: /opt/so/conf/kibana/saved_objects.ndjson.template + - source: salt://kibana/files/saved_objects.ndjson + - user: 932 + - group: 939 # Start the kibana docker so-kibana: @@ -80,12 +92,12 @@ so-kibana: - 0.0.0.0:5601:5601 so-kibana-config-load: - cmd.script: - - shell: /bin/bash - - runas: socore + cmd.run: + - name: /usr/sbin/so-kibana-config-load - cwd: /opt/so - - source: salt://kibana/bin/so-kibana-config-load - - template: jinja + - onchanges: + - file: kibanadashtemplate + # Keep the setting correct #KibanaHappy: 
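Review bot: The rewritten loop body `sed "s/$i/{{ MASTER }}/g" …/saved_objects.ndjson.template > …/saved_objects.ndjson` regenerates the output from the untouched template on every iteration, so only the last pattern (`PLACEHOLDER`) survives, and because that pattern is a substring of the other three it leaves values like `FLEET{{ MASTER }}` behind — the old `sed -i` form accumulated the substitutions in place. Copy the template once before the loop, `cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_objects.ndjson`, and keep `sed -i "s/$i/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson` as the loop body. The curl line's `> /dev/null 2>&1` also hides a failed import from the salt run; `curl -sS --fail -X POST …` keeps a non-zero exit status for cmd.run to report while still discarding the response body.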
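Review bot: Switching `so-kibana-config-load` from `cmd.script` to `cmd.run` in the @@ -80 hunk drops `- runas: socore`, so the loader, and the `saved_objects.ndjson` it writes under /opt/so/conf/kibana, now run as the minion user (normally root) while the template it reads is owned 932:939; `cmd.run` accepts `- runas: socore` too, so keep that line unless running as root is intended. `- onchanges: - file: kibanadashtemplate` re-runs the loader only when the template changes, so a change to the rendered script itself (kibanabin, e.g. a new MASTER value in the sed expression) will not trigger a reload; add `- file: kibanabin` to the onchanges list.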
@@ -93,4 +105,4 @@ so-kibana-config-load: # - shell: /bin/bash # - runas: socore # - source: salt://kibana/bin/keepkibanahappy.sh -# - template: jinja +# - template: jinja \ No newline at end of file diff --git a/salt/top.sls b/salt/top.sls index 559c33ef9..a03c2e1e2 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -1,12 +1,12 @@ {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%} -{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%} +{%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%} {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} -{%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%} +{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%} base: diff --git a/setup/so-functions b/setup/so-functions index 021f43ed2..00a9c9ac9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -865,10 +865,8 @@ master_pillar() { #echo " fleetpass: $FLEETPASS" >> $PILLARFILE echo " grafana: $GRAFANA" >> $PILLARFILE echo " osquery: $OSQUERY" >> $PILLARFILE - echo " wazuh: $WAZUH" >> $PILLARFILE echo " thehive: $THEHIVE" >> $PILLARFILE echo " playbook: $PLAYBOOK" >> $PILLARFILE - echo " strelka: $STRELKA" >> $PILLARFILE echo "" >> $PILLARFILE echo "kratos:" >> $PILLARFILE if [[ $REDIRECTINFO == 'OTHER' ]]; then 
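Review bot: `echo " osquery: $OSQUERY" >> $PILLARFILE` in master_pillar is kept although pillar/docker/config.sls in this commit stops reading `master:osquery` in favour of `static:fleet_master`; if no other state still reads `master:osquery`, drop the line alongside the removed wazuh and strelka entries so the master pillar does not carry a dead key. master_pillar begins and ends outside this hunk.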
@@ -913,6 +911,8 @@ master_static() {
 echo " fleet_hostname: N/A" >> /opt/so/saltstack/pillar/static.sls
 echo " fleet_ip: N/A" >> /opt/so/saltstack/pillar/static.sls
 echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
+ echo " strelka: $STRELKA" >> /opt/so/saltstack/pillar/static.sls
+ echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/static.sls
 if [[ $MASTERUPDATES == 'MASTER' ]]; then
 echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
 else
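Review bot: `echo " strelka: $STRELKA"` and `echo " wazuh: $WAZUH"` write the raw shell variable, so if either is unset the pillar gains a null `strelka:` / `wazuh:` key instead of the `'0'` that top.sls falls back to when the key is absent, and a present-but-null key will most likely be returned as-is by pillar.get rather than replaced by the default. Writing `echo " strelka: ${STRELKA:-0}"` and `echo " wazuh: ${WAZUH:-0}"` keeps the on-disk value in the same `'0'`/`'1'` domain the `!= '0'` comparisons in config.sls expect. master_static begins and ends outside this hunk.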