From c835c523a922bfac316627a1ede797aaf6f3511d Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 02:54:39 +0000 Subject: [PATCH 01/15] Elastic Fleet integration update improvements --- salt/elasticfleet/config.sls | 28 ++++++++++ salt/elasticfleet/enabled.sls | 4 ++ .../sbin/so-elastic-fleet-agent-policy-view | 6 +-- .../so-elastic-fleet-integration-policy-list | 6 +-- .../so-elastic-fleet-integration-policy-load | 52 ++++++++++++++----- 5 files changed, 76 insertions(+), 20 deletions(-) diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 29aa7eb30..4becb6dab 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -51,6 +51,34 @@ eastatedir: - group: 939 - makedirs: True +eaintegrationsdir: + file.directory: + - name: /opt/so/conf/elastic-fleet/integrations + - user: 947 + - group: 939 + - makedirs: True + +eadynamicintegration: + file.recurse: + - name: /opt/so/conf/elastic-fleet/integrations + - source: salt://elasticfleet/files/integrations-dynamic + - user: 947 + - group: 939 + - template: jinja + +eaintegration: + file.recurse: + - name: /opt/so/conf/elastic-fleet/integrations + - source: salt://elasticfleet/files/integrations + - user: 947 + - group: 939 +ea-integrations-load: + file.absent: + - name: /opt/so/state/eaintegrations.txt + - onchanges: + - file: eaintegration + - file: eadynamicintegration + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index a3982e760..1c36594e2 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -47,6 +47,10 @@ so-elastic-fleet: - FLEET_CA=/etc/pki/tls/certs/intca.crt {% endif %} +so-elastic-fleet-integrations: + cmd.run: + - name: /usr/sbin/so-elastic-fleet-integration-policy-load + delete_so-elastic-fleet_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf 
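Review bot: `eadynamicintegration` and `eaintegration` both recurse into the same target `/opt/so/conf/elastic-fleet/integrations` without `clean`, so a JSON file removed from either source tree stays on disk and keeps being picked up by the loader, and a file present in both trees is silently resolved by whichever state runs last. `clean: True` cannot simply be added here, because each state would then delete the other's output; either render both sources into one tree, or pair retired integration files with explicit `file.absent` states. A comment above `ea-integrations-load` would also help a reader, e.g. `# Removing the marker makes so-elastic-fleet-integration-policy-load run again on the next highstate`, since the loader is what checks `/opt/so/state/eaintegrations.txt`.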
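Review bot: `so-elastic-fleet-integrations` is a bare `cmd.run`, so it executes the loader on every state run and always reports a change, and nothing orders it after the `so-elastic-fleet` state whose container it presumably needs for the Kibana API. The loader already exits early when `/opt/so/state/eaintegrations.txt` exists, so mirror that in Salt with `- creates: /opt/so/state/eaintegrations.txt` and add a `- require:` on the `so-elastic-fleet` state; the hunk cuts that state, so its state module is not visible here. With `creates`, the `file.absent` on the marker in config.sls remains the trigger for a reload.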
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view index 5e5b62de0..f82ec1664 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view @@ -9,11 +9,9 @@ POLICY_ID=$1 # Let's snag a cookie from Kibana -SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') - -echo "Viewing agent policy $POLICY_ID" +SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # View agent policy -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID/full" | jq +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -H "kbn-xsrf: true" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq echo diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list index 9dffc613c..86338a312 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list 
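Review bot: The new `-s` on both curl calls suppresses curl's error messages as well as the progress meter, so a refused connection or an expired session now yields empty input to `jq` with nothing on stderr; that matters once `elastic_fleet_integration_check` (added in patch 03) parses this script's output, because an empty result reads as "integration does not exist" and triggers a create. Use `-sS` (quiet but still report errors), e.g. `curl -sS -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -H "kbn-xsrf: true" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq`. The same applies to the policy-list hunk that follows and to the agent-policy-list change in patch 08.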
@@ -7,11 +7,9 @@ . /usr/sbin/so-common # Let's snag a cookie from Kibana -SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') - -echo "Setting up default Security Onion package policies for Elastic Agent..." +SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # List configured package policies -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/package_policies" | jq +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' | jq echo diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index a65e29244..719748fb8 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -6,16 +6,44 @@ . /usr/sbin/so-common -# Initial Endpoints -for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json -do - printf "\n\nInitial Endpoint Policy - Loading $INTEGRATION\n" - elastic_fleet_integration_create "@$INTEGRATION" -done +RETURN_CODE=0 + +if [ ! -f /opt/so/state/eaintegrations.txt ]; then + # Initial Endpoints + for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json + do + printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" + elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" + + + if [ -n "$INTEGRATION_ID" ]; then + if [ "$NAME" != "elastic-defend-endpoints" ]; then + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" + fi + else + printf "\n\nIntegration does not exist - Creating integration\n" + elastic_fleet_integration_create "@$INTEGRATION" + fi + done + + # Grid Nodes + for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes/*.json + do + printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n" + elastic_fleet_integration_check "so-grid-nodes" "$INTEGRATION" + if [ -n "$INTEGRATION_ID" ]; then + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" + else + printf "\n\nIntegration does not exist - Creating integration\n" + elastic_fleet_integration_create "@$INTEGRATION" + fi + done + if [[ "$RETURN_CODE" != "1" ]]; then + touch /opt/so/state/eaintegrations.txt + fi +else + exit $RETURN_CODE +fi -# Grid Nodes -for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/grid-nodes/*.json -do - printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n" - elastic_fleet_integration_create "@$INTEGRATION" -done \ No newline at end of file From 799e92e595ed5d411c6b000c417a027a6b4e2783 Mon Sep 17 00:00:00 2001 
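Review bot: `RETURN_CODE` is initialised to 0 and never updated, so the `if [[ "$RETURN_CODE" != "1" ]]` guard always passes and `/opt/so/state/eaintegrations.txt` is written even when a create or update call failed; because the script exits as soon as that marker exists, a failed load is never retried. Record failures at each call site, e.g. `elastic_fleet_integration_create "@$INTEGRATION" || RETURN_CODE=1` and likewise for `elastic_fleet_integration_update`, and note that the helpers only propagate curl's exit status because curl is their last command, which says nothing about a 4xx/5xx response unless curl is given `--fail`. `INTEGRATION_ID` and `NAME` are globals filled in by `elastic_fleet_integration_check`; if the policy lookup fails, `INTEGRATION_ID` is empty and the script creates a duplicate integration, so a comment above each loop should say where these values come from. Also keep variables out of the format string, e.g. `printf '\n\nInitial Endpoints Policy - Loading %s\n' "$INTEGRATION"`.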
From: Wes Date: Tue, 30 May 2023 02:56:23 +0000 Subject: [PATCH 02/15] Add files --- .../grid-nodes/import-zeek-logs.json | 32 ++++++++++++++++++ .../grid-nodes/zeek-logs.json | 33 +++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json create mode 100644 salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json new file mode 100644 index 000000000..c7e37f97f --- /dev/null +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json @@ -0,0 +1,32 @@ +{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', {}) %} +{%- raw -%} +{ + "package": { + "name": "log", + "version": "" + }, + "name": "import-zeek-logs", + "namespace": "so", + "description": "Zeek Import logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/import/*/zeek/logs/*.log" + ], + "data_stream.dataset": "import", + "tags": [], + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", + "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}$\"]\n" + } + } + } + } + } +} +{%- endraw -%} 
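Review bot: The rendered `exclude_files` pattern is an unanchored alternation — `broker|capture_loss|...|stdout$` — so only the last entry is tied to the end of the path and every other entry matches as a substring anywhere in the full file path, including the `/nsm/import/<id>/` directory segment. Group the alternation and anchor it to the file name, i.e. render `/(entry1|entry2)\.log$` (mind the two escaping layers: the value is a JSON string holding YAML, so the backslash has to survive both), and consider Salt's `regex_escape` filter on each entry so a pillar value containing regex metacharacters cannot widen the pattern. The same construction is used in zeek-logs.json in the next hunk. A short Jinja comment above the `set` line explaining that the pillar list is joined into an exclude regex for the log input would help the next reader.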
diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json new file mode 100644 index 000000000..076549523 --- /dev/null +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json @@ -0,0 +1,33 @@ +{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', {}) %} +{%- raw -%} +{ + "package": { + "name": "log", + "version": "" + }, + "id": "zeek-logs", + "name": "zeek-logs", + "namespace": "so", + "description": "Zeek logs", + "policy_id": "so-grid-nodes", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/zeek/logs/current/*.log" + ], + "data_stream.dataset": "zeek", + "tags": [], + "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", + "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}.log$\"]\n" + } + } + } + } + } +} +{%- endraw -%} From ef5b63337b65b073ff31fa5184c4965f60ae55a8 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 02:58:00 +0000 Subject: [PATCH 03/15] Add check for integration existence and integration update functionality --- salt/common/tools/sbin/so-common | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index ddb85f654..e580c1917 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -167,6 +167,27 @@ elastic_fleet_integration_create() { curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" } +elastic_fleet_integration_check() { + + AGENT_POLICY=$1 + + JSON_STRING=$2 + + NAME=$(jq -r .name $JSON_STRING) + + INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id') + +} + +elastic_fleet_integration_update() { + + UPDATE_ID=$1 + + JSON_STRING=$2 + + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} + elastic_fleet_policy_create() { NAME=$1 From e910f04beb71afe34ccbf37ba3f188b2cede0cb1 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 03:10:52 +0000 Subject: [PATCH 04/15] Add default description and Zeek log exclusions for Elastic Fleet --- salt/zeek/defaults.yaml | 15 +++++++++++++++ salt/zeek/soc_zeek.yaml | 5 +++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index ca3168b8b..3b9b71647 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -104,3 +104,18 @@ zeek: - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - application/vnd.openxmlformats-officedocument: doc + logging: + excluded: + - broker + - capture_loss + - ecat_arp_info + - known_hosts + - known_services + - loaded_scripts + - ntp + - packet_filter + - reporter + - stats + - stderr + - stdout + diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 8410d4e75..0385e90a9 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml 
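Review bot: `elastic_fleet_integration_check` splices `$NAME` into the jq program through shell quoting (`select(.name=="'"$NAME"'")`), so a name containing a double quote or backslash breaks the filter, and the unquoted `$JSON_STRING` in `jq -r .name $JSON_STRING` is subject to word splitting. Pass the name as a jq variable instead: `NAME=$(jq -r .name "$JSON_STRING")` and `INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r --arg name "$NAME" '.item.package_policies[] | select(.name==$name) | .id')`. Both helpers return results through globals and `JSON_STRING` means a file path in one and a curl `@file` argument in the other, which deserves a header comment such as `# Sets NAME (from the integration file) and INTEGRATION_ID (empty when the agent policy has no package policy of that name)`. Neither helper checks the HTTP status of its curl call, so a 4xx/5xx response is indistinguishable from success to the caller unless curl is given `--fail`.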
@@ -3,8 +3,9 @@ zeek: description: You can enable or disable ZEEK on all sensors or a single sensor. helpLink: zeek.html logging: - enabled: - description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor. + excluded: + description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, it will be attempt to be ingested. If an ingest node pipeline is not available to process the logs, you may experience errors. + forcedType: "[]string" helpLink: zeek.html config: local: From 79014a53ece0d59ca2decc3dadf0ad88ba9018d9 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 12:35:32 +0000 Subject: [PATCH 05/15] Remove extra lines --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 719748fb8..2bd7970da 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -14,8 +14,6 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then do printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" - - if [ -n "$INTEGRATION_ID" ]; then if [ "$NAME" != "elastic-defend-endpoints" ]; then printf "\n\nIntegration $NAME exists - Updating integration\n" From 53b4f7bd5cba5cdd4a4aca350f0b0f1c7f9fb040 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 14:05:11 +0000 Subject: [PATCH 06/15] Add spacing --- salt/elasticfleet/config.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 4becb6dab..ec030ea1f 100644 --- a/salt/elasticfleet/config.sls 
+++ b/salt/elasticfleet/config.sls @@ -72,6 +72,7 @@ eaintegration: - source: salt://elasticfleet/files/integrations - user: 947 - group: 939 + ea-integrations-load: file.absent: - name: /opt/so/state/eaintegrations.txt From 97c53d70a48271728066143b87e2a44cfc048ad7 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 14:05:40 +0000 Subject: [PATCH 07/15] Remove integrations --- .../grid-nodes/import-zeek-logs.json | 29 ------------------- .../integrations/grid-nodes/zeek-logs.json | 29 ------------------- 2 files changed, 58 deletions(-) delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json delete mode 100644 salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json deleted file mode 100644 index 75c0f02e2..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "import-zeek-logs", - "namespace": "so", - "description": "Zeek Import logs", - "policy_id": "so-grid-nodes", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/nsm/import/*/zeek/logs/*.log" - ], - "data_stream.dataset": "import", - "tags": [], - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" - } - } - } - } - } -} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json deleted file mode 100644 index 03543b124..000000000 --- a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "package": { - "name": "log", - "version": "" - }, - "name": "zeek-logs", - "namespace": "so", - "description": "Zeek logs", - "policy_id": "so-grid-nodes", - "inputs": { - "logs-logfile": { - "enabled": true, - "streams": { - "log.log": { - "enabled": true, - "vars": { - "paths": [ - "/nsm/zeek/logs/current/*.log" - ], - "data_stream.dataset": "zeek", - "tags": [], - "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|packet_filter|reporter|stats|stderr|stdout.log$\"]\n" - } - } - } - } - } -} From b4b87e5620f318a77b81a6e0f43c3b2f6bbf462e Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 15:43:31 +0000 Subject: [PATCH 08/15] Only provide JSON output --- .../tools/sbin/so-elastic-fleet-agent-policy-list | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list index d81067a7e..174f3cb78 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list 
@@ -9,9 +9,7 @@ # Let's snag a cookie from Kibana SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') -echo "Setting up default Security Onion package policies for Elastic Agent..." - # List configured agent policies -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq echo From 9035fa3037b8487f4b3d50c8ab598efdd89296c6 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 15:46:00 +0000 Subject: [PATCH 09/15] Don't load Elasticsearch integration --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 2bd7970da..92b20c5bf 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -35,7 +35,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" else printf "\n\nIntegration does not exist - Creating integration\n" - elastic_fleet_integration_create "@$INTEGRATION" + if [ "$NAME" != "elasticsearch-logs" ]; then + elastic_fleet_integration_create "@$INTEGRATION" + fi fi done if [[ "$RETURN_CODE" != "1" ]]; then From 36a7f541608c603a5bf16b06d3481ae6899fddbc Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 16:46:38 +0000 Subject: [PATCH 10/15] Add extension --- .../files/integrations-dynamic/grid-nodes/import-zeek-logs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
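Review bot: The `elasticsearch-logs` skip sits inside the create branch after the `Integration does not exist - Creating integration` message has already been printed, so the log claims a creation that never happens; move the check above the `printf`. The two name-based exclusions are now spread over two loops (`elastic-defend-endpoints` in the endpoints-initial update path, `elasticsearch-logs` here), which is easy to lose track of; a single documented list at the top of the script, e.g. `# Integrations managed outside this loader; never created or updated here` followed by a `SKIP` array checked in both loops, would keep them together. The enclosing loop starts before this hunk.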
diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json index c7e37f97f..738477da7 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json @@ -22,7 +22,7 @@ "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}$\"]\n" + "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}.log$\"]\n" } } } From b9d692eb0e2017aaf9d8d5d00acf3aa0eafa8dc0 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 17:08:52 +0000 Subject: [PATCH 11/15] Remove default value --- .../files/integrations-dynamic/grid-nodes/import-zeek-logs.json | 2 +- .../files/integrations-dynamic/grid-nodes/zeek-logs.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json index 738477da7..5a440344d 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json 
@@ -1,4 +1,4 @@ -{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', {}) %} +{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded') %} {%- raw -%} { "package": { diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json index 076549523..c18fc89f9 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json @@ -1,4 +1,4 @@ -{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', {}) %} +{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded') %} {%- raw -%} { "package": { From e5117a343d9b10b28cb7c4aec4f7b1b068d2ad00 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 17:10:17 +0000 Subject: [PATCH 12/15] Change description --- salt/zeek/soc_zeek.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 0385e90a9..2879d0214 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -4,7 +4,7 @@ zeek: helpLink: zeek.html logging: excluded: - description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, it will be attempt to be ingested. If an ingest node pipeline is not available to process the logs, you may experience errors. + description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors. forcedType: "[]string" helpLink: zeek.html config: From b6e090f29f82f318a87c81dd1fb94514a87f053c Mon Sep 17 00:00:00 2001 
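Review bot: Dropping the default does not change what happens when the `zeek:logging:excluded` key is absent or empty: `pillar.get` then returns an empty value, `join('|')` yields an empty string, and the rendered pattern becomes `.log$`, which excludes every Zeek log rather than none. Keep a list default, `{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded', []) %}`, and only emit the `exclude_files` line when the list is non-empty (the `custom` key sits inside the `raw` block, so the guard needs the same `endraw`/`raw` bracketing the `join` already uses). The same applies to the zeek-logs.json hunk below. A comment on the `set` line noting that an empty list must not be joined into a regex would keep this from regressing.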
From: Wes Date: Tue, 30 May 2023 18:43:56 +0000 Subject: [PATCH 13/15] Move Elastic Fleet logic in so-common to so-elastic-fleet-common --- .../sbin/so-elastic-fleet-agent-policy-delete | 2 +- .../sbin/so-elastic-fleet-agent-policy-list | 2 +- .../sbin/so-elastic-fleet-agent-policy-view | 2 +- .../tools/sbin/so-elastic-fleet-common | 79 +++++++++++++++++++ .../sbin/so-elastic-fleet-data-streams-list | 2 +- ...astic-fleet-integration-policy-bulk-delete | 2 +- ...so-elastic-fleet-integration-policy-delete | 2 +- .../so-elastic-fleet-integration-policy-list | 2 +- .../so-elastic-fleet-integration-policy-load | 2 +- .../tools/sbin/so-elastic-fleet-restart | 2 +- .../tools/sbin/so-elastic-fleet-start | 2 +- .../tools/sbin/so-elastic-fleet-stop | 2 +- .../so-elastic-agent-gen-installers | 2 +- .../tools/sbin_jinja/so-elastic-fleet-setup | 2 +- 14 files changed, 92 insertions(+), 13 deletions(-) create mode 100755 salt/elasticfleet/tools/sbin/so-elastic-fleet-common diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete index 70b483424..d603f750f 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common POLICY_ID=$1 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list index 174f3cb78..6a51db6b6 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list 
@@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common # Let's snag a cookie from Kibana SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view index f82ec1664..9b1e2ed65 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common POLICY_ID=$1 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common new file mode 100755 index 000000000..e56ee7f0a --- /dev/null +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common 
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
+
+if [ -z $NOROOT ]; then
+ # Check for prerequisites
+ if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run using sudo!"
+ exit 1
+ fi
+fi
+
+# Ensure /usr/sbin is in path
+if ! echo "$PATH" | grep -q "/usr/sbin"; then
+ export PATH="$PATH:/usr/sbin"
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+elastic_fleet_integration_check() {
+
+ AGENT_POLICY=$1
+
+ JSON_STRING=$2
+
+ NAME=$(jq -r .name $JSON_STRING)
+
+ INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
+
+}
+
+elastic_fleet_integration_create() {
+
+ JSON_STRING=$1
+
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+elastic_fleet_integration_update() {
+
+ UPDATE_ID=$1
+
+ JSON_STRING=$2
+
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+elastic_fleet_policy_create() {
+
+ NAME=$1
+ DESC=$2
+ FLEETSERVER=$3
+ TIMEOUT=$4
+
+ JSON_STRING=$( jq -n \
+ --arg NAME "$NAME" \
+ --arg DESC "$DESC" \
+ --arg TIMEOUT $TIMEOUT \
+ --arg FLEETSERVER "$FLEETSERVER" \
+ '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
+ )
+ # Create Fleet Policy
+ curl -K 
/opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" + +} + +elastic_fleet_policy_update() { + + POLICYID=$1 + JSON_STRING=$2 + + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +} diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list index b3e35fdba..451c23f3d 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common # Let's snag a cookie from Kibana SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete index ac600ab40..8bf50ecee 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common POLICY_ID=$1 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete index ded8da808..d4155e821 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete 
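Review bot: None of the curl calls in the new `elastic_fleet_integration_create`, `elastic_fleet_integration_update`, `elastic_fleet_policy_create` and `elastic_fleet_policy_update` helpers fail on an HTTP error, so a 4xx/5xx from Kibana (a rejected policy body, for instance) leaves the helper with exit status 0 and a caller such as so-elastic-fleet-integration-policy-load cannot report that an integration was not loaded; adding `-f` to each call, e.g. `curl -f -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" ...`, and checking the status in the caller would surface it. In `elastic_fleet_policy_create`, `--arg TIMEOUT $TIMEOUT` and `--arg FLEETSERVER "$FLEETSERVER"` send `inactivity_timeout` and `has_fleet_server` as JSON strings rather than the number and boolean the Fleet API documents; `--argjson` sends the intended types and fails fast on a malformed value instead of relying on server-side coercion. `elastic_fleet_integration_check` takes a file path as its second argument (`jq -r .name $JSON_STRING` reads it as a file), leaves that path unquoted and returns its result through the global `INTEGRATION_ID`, none of which the bare definition says; a header comment such as `# Sets INTEGRATION_ID to the id of the package policy in agent policy $1 whose name equals .name in the JSON file $2 (empty if none)` plus `"$JSON_STRING"` would make the contract explicit. Since the callers now source this file instead of so-common, any so-common helper they still use (`elastic_license`, for one, stays in so-common per the PATCH 15 hunk) is no longer in scope; sourcing `/usr/sbin/so-common` at the top of this file would cover that and avoid duplicating the root/PATH prologue. `elastic_fleet_policy_create` begins on the previous line of this hunk.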
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common POLICY_ID=$1 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list index 86338a312..6696ede25 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common # Let's snag a cookie from Kibana SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 92b20c5bf..771d923ef 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -4,7 +4,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common RETURN_CODE=0 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart index e3c38b409..7f7d9676c 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart @@ -7,6 +7,6 @@ -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common /usr/sbin/so-restart elastic-fleet $1 
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start index 5ae7d21a1..7350e6c57 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start @@ -7,6 +7,6 @@ -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common /usr/sbin/so-start elastic-fleet $1 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop index f3fc3b923..29174c2ae 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop @@ -7,6 +7,6 @@ -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common /usr/sbin/so-stop elastic-fleet $1 diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 84a519d37..d72bfeec2 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -8,7 +8,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common #FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220" diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index c81d69282..8a3981ef4 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -6,7 +6,7 @@ # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common printf "\n### Create ES Token ###\n" ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) 
From e4b4bbcfdcdbfd116bba8fa55a16e642a7af862b Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 19:51:13 +0000 Subject: [PATCH 14/15] Use ZEEKMERGED from zeek/config.map.jinja --- .../integrations-dynamic/grid-nodes/import-zeek-logs.json | 4 ++-- .../files/integrations-dynamic/grid-nodes/zeek-logs.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json index 5a440344d..dc94afbaa 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json @@ -1,4 +1,4 @@ -{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded') %} +{% from 'zeek/config.map.jinja' import ZEEKMERGED %} {%- raw -%} { "package": { @@ -22,7 +22,7 @@ "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}.log$\"]\n" + "custom": "exclude_files: [\"{%- endraw -%}{{ ZEEKMERGED.logging.excluded | join('|') }}{%- raw -%}.log$\"]\n" } } } diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json index c18fc89f9..5e2ed4f9b 100644 
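Review bot: The new `custom` line still renders `exclude_files` as an ungrouped alternation: `{{ ZEEKMERGED.logging.excluded | join('|') }}.log$` becomes `a|b.log$`, so only the last excluded name is anchored to `.log$` and each earlier one matches as a bare substring anywhere in the log path, silently dropping more (or different) Zeek logs than intended. Grouping the rendered list fixes that: `"custom": "exclude_files: [\"({%- endraw -%}{{ ZEEKMERGED.logging.excluded | join('|') }}{%- raw -%}).log$\"]\n"`. If `ZEEKMERGED.logging.excluded` can render empty, the pattern collapses to `.log$` and every Zeek log is excluded from ingestion, which is worth guarding with a Jinja `{% if %}` around the `custom` key. The second hunk of zeek-logs.json on the next line carries the same line and needs the same fix.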
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json @@ -1,4 +1,4 @@ -{% set EXCLUDED_LOGS = salt['pillar.get']('zeek:logging:excluded') %} +{% from 'zeek/config.map.jinja' import ZEEKMERGED %} {%- raw -%} { "package": { @@ -23,7 +23,7 @@ "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"{%- endraw -%}{{ EXCLUDED_LOGS | join('|') }}{%- raw -%}.log$\"]\n" + "custom": "exclude_files: [\"{%- endraw -%}{{ ZEEKMERGED.logging.excluded | join('|') }}{%- raw -%}.log$\"]\n" } } } From f3be63051b11a613e796944e4f1357fdcb23066b Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 30 May 2023 20:48:43 +0000 Subject: [PATCH 15/15] Remove Fleet configuration --- salt/common/tools/sbin/so-common | 56 -------------------------------- 1 file changed, 56 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index e580c1917..523a1b230 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -160,62 +160,6 @@ disable_fastestmirror() { sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf } -elastic_fleet_integration_create() { - - JSON_STRING=$1 - - curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" -} - -elastic_fleet_integration_check() { - - AGENT_POLICY=$1 - - JSON_STRING=$2 - - NAME=$(jq -r .name $JSON_STRING) - - INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id') - -} - -elastic_fleet_integration_update() { - - UPDATE_ID=$1 - - JSON_STRING=$2 - - curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" -} - -elastic_fleet_policy_create() { - - NAME=$1 - DESC=$2 - FLEETSERVER=$3 - TIMEOUT=$4 - - JSON_STRING=$( jq -n \ - --arg NAME "$NAME" \ - --arg DESC "$DESC" \ - --arg TIMEOUT $TIMEOUT \ - --arg FLEETSERVER "$FLEETSERVER" \ - '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}' - ) - # Create Fleet Policy - curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" - -} - -elastic_fleet_policy_update() { - - POLICYID=$1 - JSON_STRING=$2 - - curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" -} - - elastic_license() { read -r -d '' message <<- EOM