From 713e9ee215484bbb857a52fd6cafa5ec8ed02b84 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 20:10:41 +0000
Subject: [PATCH 01/10] Create initial template for ILM policy load script
---
 .../sbin/so-elasticsearch-ilm-policy-load | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
new file mode 100644
index 000000000..2780ab59e
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
@@ -0,0 +1,19 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+# Set up ILM policies
+echo
+echo "Setting up default Security Onion index lifecycle management policies..."
+
+# Zeek logs
+echo
+echo "Setting up Zeek ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "1gb", "max_age": "30d" } } } } } }'
+echo
From d6d01f8542aa50d37b03a01b87604995a5d63417 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:01:02 +0000
Subject: [PATCH 02/10] Add initial ILM policy view script
---
 .../tools/sbin/so-elasticsearch-ilm-policy-view | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-view
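Review bot: The first line `#/bin/bash` is missing the `!`, so it is only a comment and the file has no interpreter directive; ilm-policy-view (patch 02), ilm-policy-delete (03), ilm-stop (04), ilm-restart (06) and ilm-explain (08) carry the same line, and all should read `#!/bin/bash`. The PUT is sent with `-s` but without `--fail`, so an HTTP error body from Elasticsearch is at best printed while the script still exits 0 — every curl in this series has that shape, so the "Setting up" flow cannot detect a rejected policy. `$SESSIONCOOKIE` is referenced but set nowhere in this file; presumably it is exported by `/usr/sbin/so-common`, yet none of the sibling scripts send a cookie, so either the `-b` option is unnecessary here or it deserves a top-of-file comment such as `# Requires SESSIONCOOKIE (set by so-common)`. All of these requests also pass `-k`, which disables TLS certificate verification toward the node; if `curl.config` already pins the cluster CA the flag can go, otherwise a comment explaining why it is needed would help the next reader.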
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view
new file mode 100644
index 000000000..d69e328fe
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view
@@ -0,0 +1,15 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+if [ "$1" == "" ]; then
+  curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy | jq .
+else
+  curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy/$1 | jq .[]
+fi
From 80270550867d4f166c619b6d07cd8958425b38b9 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:09:42 +0000
Subject: [PATCH 03/10] Add initial ILM policy delete script
---
 .../tools/sbin/so-elasticsearch-ilm-policy-delete | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
new file mode 100644
index 000000000..108dd1178
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
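Review bot: On the `else` branch `$1` is inserted unquoted and unvalidated into the request path (`/_ilm/policy/$1`), so a name containing whitespace, a slash or `?` changes the request instead of failing cleanly; ilm-policy-delete (patch 03) and ilm-explain (patch 08) do the same with their `$1`. Quote it and reject anything outside the expected name character set before the request, e.g. `[[ "$1" =~ ^[A-Za-z0-9_.-]+$ ]] || { echo "invalid policy name" >&2; exit 1; }`. Separately, the script's exit status is jq's, not curl's: a curl failure under `-s` (connection refused, TLS error) hands jq empty input and the script exits 0, which also applies to patches 08 and 10; adding `-f` to curl together with `set -o pipefail` at the top would surface it.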
@@ -0,0 +1,11 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://{{ NODEIP }}:9200/_ilm/policy/$1
From b38f4ca7661edb58d1dc815633d5a7dc03eee111 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:29:16 +0000
Subject: [PATCH 04/10] Add initial ILM service stop script
---
 salt/common/tools/sbin/so-elasticsaerch-ilm-stop | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-stop
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-stop b/salt/common/tools/sbin/so-elasticsaerch-ilm-stop
new file mode 100644
index 000000000..23c068918
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-stop
@@ -0,0 +1,12 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+echo "Stopping ILM..."
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop
From 03849b0659f994c39a07791e4a9179c3e9fa42b8 Mon Sep 17 00:00:00 2001
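Review bot: The DELETE is issued with no check that a policy name was supplied: with no argument the URL degrades to `/_ilm/policy/`, and because the response is silenced by `-s` and curl's status is never examined, the operator learns nothing either way about a destructive call. Add a guard ahead of the curl, `[ -n "$1" ] || { echo "usage: ${0##*/} <policy-name>" >&2; exit 1; }`, and pipe the response through `jq .` as the view script does so the `acknowledged` or error body is visible.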
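Review bot: The response to `_ilm/stop` on the last line is printed raw and curl's exit status is never checked, so under `-s` a failed request is indistinguishable from success apart from possibly missing output. Piping through `jq .` as the view and status scripts do, and ending with the curl's status (`|| exit 1`), would make the outcome visible to both humans and callers such as the restart script. As far as I recall from the Elasticsearch docs the stop API only requests a stop and the service reports `STOPPING` until in-flight actions finish, so the `"Stopping ILM..."` message is accurate but a caller should not assume ILM is halted when this script returns.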
From: Wes
Date: Wed, 8 Feb 2023 21:29:38 +0000
Subject: [PATCH 05/10] Add initial ILM service start script
---
 salt/common/tools/sbin/so-elasticsaerch-ilm-start | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-start
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-start b/salt/common/tools/sbin/so-elasticsaerch-ilm-start
new file mode 100644
index 000000000..98dd38e9e
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-start
@@ -0,0 +1,12 @@
+/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+echo "Starting ILM..."
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/start
From 1de3871ee9fd148cb54aa88d631a06c940b2d75c Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:30:25 +0000
Subject: [PATCH 06/10] Add initial ILM service restart script
---
 salt/common/tools/sbin/so-elasticsaerch-ilm-restart | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-restart
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-restart b/salt/common/tools/sbin/so-elasticsaerch-ilm-restart
new file mode 100644
index 000000000..7f422ed6e
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-restart
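Review bot: The first line of this file is `/bin/bash` with no `#!`, so it is not a shebang but a command: when the script is run from a terminal it starts a child interactive shell and the rest of the script waits until that shell exits, and when stdin is not a terminal the child consumes whatever is on stdin before the real work runs. It should be `#!/bin/bash`. ilm-status (patch 10) has the same first line.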
@@ -0,0 +1,10 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+so-elasticsearch-ilm-stop
+so-elasticsearch-ilm-start
From 3e31bda2854a54767e633640353857c699b8872d Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:32:17 +0000
Subject: [PATCH 07/10] Fix typo in Elasticsearch portion of script names
---
 ...{so-elasticsaerch-ilm-restart => so-elasticsearch-ilm-restart} | 0
 .../{so-elasticsaerch-ilm-start => so-elasticsearch-ilm-start} | 0
 .../sbin/{so-elasticsaerch-ilm-stop => so-elasticsearch-ilm-stop} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename salt/common/tools/sbin/{so-elasticsaerch-ilm-restart => so-elasticsearch-ilm-restart} (100%)
 rename salt/common/tools/sbin/{so-elasticsaerch-ilm-start => so-elasticsearch-ilm-start} (100%)
 rename salt/common/tools/sbin/{so-elasticsaerch-ilm-stop => so-elasticsearch-ilm-stop} (100%)
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-restart b/salt/common/tools/sbin/so-elasticsearch-ilm-restart
similarity index 100%
rename from salt/common/tools/sbin/so-elasticsaerch-ilm-restart
rename to salt/common/tools/sbin/so-elasticsearch-ilm-restart
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-start b/salt/common/tools/sbin/so-elasticsearch-ilm-start
similarity index 100%
rename from salt/common/tools/sbin/so-elasticsaerch-ilm-start
rename to salt/common/tools/sbin/so-elasticsearch-ilm-start
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-stop b/salt/common/tools/sbin/so-elasticsearch-ilm-stop
similarity index 100%
rename from salt/common/tools/sbin/so-elasticsaerch-ilm-stop
rename to salt/common/tools/sbin/so-elasticsearch-ilm-stop
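Review bot: `so-elasticsearch-ilm-stop` and `so-elasticsearch-ilm-start` run back-to-back on the last two lines with neither a check of the stop's result nor any wait; as far as I recall from the Elasticsearch docs the stop API only requests a stop and the service reports `STOPPING` until in-flight actions finish, so the start can be issued while ILM is still winding down. Check the stop's status and poll the status endpoint until it reports `STOPPED` before starting again, as sketched below — this file sets no `NODEIP`, so polling is easiest through the `so-elasticsearch-ilm-status` script that a later patch in this series adds. Both siblings are invoked by bare name, which relies on the sbin directory being on `PATH`; the `. /usr/sbin/so-common` line above suggests the absolute path is known and could be used here too.
```shell
so-elasticsearch-ilm-stop || exit 1
# _ilm/stop only requests a stop; wait until ILM reports STOPPED before
# starting it again (so-elasticsearch-ilm-status is added later in this series).
for _ in {1..30}; do
  mode=$(so-elasticsearch-ilm-status | jq -r '.operation_mode')
  [ "$mode" = "STOPPED" ] && break
  sleep 1
done
so-elasticsearch-ilm-start
```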
From 91d24d36f9a4f15fe91cb408042417f2514b9c28 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:34:15 +0000
Subject: [PATCH 08/10] Add initial ILM lifecycle status explanation script
---
 .../tools/sbin/so-elasticsearch-ilm-explain | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-explain
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-explain b/salt/common/tools/sbin/so-elasticsearch-ilm-explain
new file mode 100644
index 000000000..db31dcb0f
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-explain
@@ -0,0 +1,15 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+if [ "$1" == "" ]; then
+  curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_all/_ilm/explain | jq .
+else
+  curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/$1/_ilm/explain | jq .[]
+fi
From 1d6c03feb1a9cc0535f8c221c2d6fc600c9ff7a2 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:34:39 +0000
Subject: [PATCH 09/10] Rename initial ILM lifecycle status explanation script
---
 ...icsearch-ilm-explain => so-elasticsearch-ilm-lifecycle-status} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/common/tools/sbin/{so-elasticsearch-ilm-explain => so-elasticsearch-ilm-lifecycle-status} (100%)
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-explain b/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status
similarity index 100%
rename from salt/common/tools/sbin/so-elasticsearch-ilm-explain
rename to salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status
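Review bot: The emptiness test `if [ "$1" == "" ]; then` uses `==`, which inside single-bracket `[` is a bash extension rather than POSIX `test`; since the file's first line is not a valid interpreter directive, which shell ends up running this is not guaranteed, so the portable form `if [ -z "$1" ]; then` is safer and reads as intent. ilm-policy-view (patch 02) uses the same construct. On the `else` branch `$1` is a user-supplied index name placed directly into the path (`/$1/_ilm/explain`); a brief comment above the `if`, e.g. `# $1: optional index name; without it every index is explained via _all`, would document the two modes for the next reader.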
From b319b50fa17d49059e082aec4085d2c31ec635e9 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 8 Feb 2023 21:39:33 +0000
Subject: [PATCH 10/10] Add initial ILM status script
---
 salt/common/tools/sbin/so-elasticsearch-ilm-status | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-status
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-status b/salt/common/tools/sbin/so-elasticsearch-ilm-status
new file mode 100644
index 000000000..8d78adc5b
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-status
@@ -0,0 +1,11 @@
+/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/status | jq .