diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion
index 2f506863d..4145b16b1 100755
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -163,12 +163,11 @@ function add_idh_to_minion() {
 function add_logstash_to_minion() {
 # Create the logstash advanced pillar
 printf '%s\n'\
- "logstash_settings:"\
- " ls_host: '$LSHOSTNAME'"\
- " ls_pipeline_batch_size: 125"\
- " ls_input_threads: 1"\
- " lsheap: $LSHEAP"\
- " ls_pipeline_workers: $CPUCORES"\
+ "logstash:"\
+ " config:"\
+ " pipeline_x_workers: $CPUCORES"\
+ " settings:"\
+ " lsheap: $LSHEAP"\
 " " >> $PILLARFILE
 }
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
deleted file mode 100644
index 4eb297c78..000000000
--- a/salt/firewall/soc_firewall.yaml
+++ /dev/null
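Review bot: `$CPUCORES` and `$LSHEAP` are expanded unquoted into the new `pipeline_x_workers:` and `lsheap:` lines, so an unset variable writes a key with an empty value into the pillar, and a later `pillar.get` on that key then yields nothing rather than the 1 / 500m defaults from defaults.yaml (assuming defaults.yaml is only a fallback — the merge is not in this diff). A fail-fast check ahead of the printf, `: "${CPUCORES:?CPUCORES not set}" "${LSHEAP:?LSHEAP not set}"`, keeps a half-empty pillar from being written at all. The old `ls_host`, `ls_pipeline_batch_size` and `ls_input_threads` keys are dropped without a replacement in this hunk; only the `lsheap` reader in init.sls is migrated in this commit, so any template outside the diff still reading `logstash_settings:` now silently gets an empty value.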
@@ -1,456 +0,0 @@
-firewall:
- hostgroups:
- analyst: &hostgroupsettings
- description: List of IP or CIDR blocks to allow access to this hostgroup.
- helplink: firewall.html
- multiline: True
- regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
- regexFailureMessage: You must enter a valid IP address or CIDR.
- anywhere: &hostgroupsettingsadv
- description: List of IP or CIDR blocks to allow access to this hostgroup.
- helplink: firewall.html
- multiline: True
- advanced: True
- regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
- regexFailureMessage: You must enter a valid IP address or CIDR.
- beats_endpoint: *hostgroupsettings
- beats_endpoint_ssl: *hostgroupsettings
- dockernet: *hostgroupsettingsadv
- elastic_agent_endpoint: *hostgroupsettings
- elasticsearch_rest: *hostgroupsettingsadv
- endgame: *hostgroupsettingsadv
- eval: *hostgroupsettings
- fleet: *hostgroupsettings
- heavynodes: *hostgroupsettings
- idh: *hostgroupsettings
- localhost: *hostgroupsettingsadv
- manager: *hostgroupsettings
- receivers: *hostgroupsettings
- searchnodes: *hostgroupsettings
- securityonion_desktops: *hostgroupsettings
- self: *hostgroupsettingsadv
- sensors: *hostgroupsettings
- standalone: *hostgroupsettings
- strelka_frontend: *hostgroupsettings
- syslog: *hostgroupsettings
- customhostgroup1: &customhostgroupsettings
- description: List of IP or CIDR blocks to allow to this hostgroup.
- helpLink: firewall.html
- advanced: True
- multiline: True
- regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
- regexFailureMessage: You must enter a valid IP address or CIDR.
- customhostgroup2: *customhostgroupsettings
- customhostgroup3: *customhostgroupsettings
- customhostgroup4: *customhostgroupsettings
- customhostgroup5: *customhostgroupsettings
- customhostgroup6: *customhostgroupsettings
- customhostgroup7: *customhostgroupsettings
- customhostgroup8: *customhostgroupsettings
- customhostgroup9: *customhostgroupsettings
- customhostgroup10: *customhostgroupsettings
-
- portgroups:
- all:
- tcp: &tcpsettings
- description: List of TCP ports for this port group.
- helplink: firewall.html
- advanced: True
- multiline: True
- udp: &udpsettings
- description: List of UDP ports for this port group.
- helplink: firewall.html
- advanced: True
- multiline: True
- agrules:
- tcp: *tcpsettings
- udp: *udpsettings
- beats_5044:
- tcp: *tcpsettings
- udp: *udpsettings
- beats_5644:
- tcp: *tcpsettings
- udp: *udpsettings
- beats_5066:
- tcp: *tcpsettings
- udp: *udpsettings
- beats_5056:
- tcp: *tcpsettings
- udp: *udpsettings
- docker_registry:
- tcp: *tcpsettings
- udp: *udpsettings
- elasticsearch_node:
- tcp: *tcpsettings
- udp: *udpsettings
- elasticsearch_rest:
- tcp: *tcpsettings
- udp: *udpsettings
- elastic_agent_control:
- tcp: *tcpsettings
- udp: *udpsettings
- elastic_agent_data:
- tcp: *tcpsettings
- udp: *udpsettings
- endgame:
- tcp: *tcpsettings
- udp: *udpsettings
- influxdb:
- tcp: *tcpsettings
- udp: *udpsettings
- kibana:
- tcp: *tcpsettings
- udp: *udpsettings
- mysql:
- tcp: *tcpsettings
- udp: *udpsettings
- nginx:
- tcp: *tcpsettings
- udp: *udpsettings
- playbook:
- tcp: *tcpsettings
- udp: *udpsettings
- redis:
- tcp: *tcpsettings
- udp: *udpsettings
- salt_manager:
- tcp: *tcpsettings
- udp: *udpsettings
- sensoroni:
- tcp: *tcpsettings
- udp: *udpsettings
- ssh:
- tcp: *tcpsettings
- udp: *udpsettings
- strelka_frontend:
- tcp: *tcpsettings
- udp: *udpsettings
- syslog:
- tcp: *tcpsettings
- udp: *udpsettings
- yum:
- tcp: *tcpsettings
- udp: *udpsettings
- role:
- eval:
- chain:
- DOCKER-USER:
- hostgroups:
- eval:
- portgroups: &portgroupsdocker
- description: Portgroups to add access to the docker containers for this role.
- advanced: True
- multiline: True
- helpLink: firewall.html
- sensors:
- portgroups: *portgroupsdocker
- searchnodes:
- portgroups: *portgroupsdocker
- heavynodes:
- portgroups: *portgroupsdocker
- self:
- portgroups: *portgroupsdocker
- beats_endpoint:
- portgroups: *portgroupsdocker
- beats_endpoint_ssl:
- portgroups: *portgroupsdocker
- elasticsearch_rest:
- portgroups: *portgroupsdocker
- elastic_agent_endpoint:
- portgroups: *portgroupsdocker
- strelka_frontend:
- portgroups: *portgroupsdocker
- syslog:
- portgroups: *portgroupsdocker
- analyst:
- portgroups: *portgroupsdocker
- INPUT:
- hostgroups:
- anywhere:
- portgroups: &portgroupshost
- description: Portgroups to add access to the host.
- advacned: True
- multiline: True
- helpLink
- dockernet:
- portgroups:
- localhost:
- portgroups:
- fleet:
- chain:
- DOCKER-USER:
- hostgroups:
- sensors:
- portgroups:
- elastic_agent_endpoint:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- standalone:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- manager:
- chain:
- DOCKER-USER:
- hostgroups:
- manager:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- self:
- portgroups:
- syslog:
- portgroups:
- beats_endpoint:
- portgroups:
- beats_endpoint_ssl:
- portgroups:
- elasticsearch_rest:
- portgroups:
- elastic_agent_endpoint:
- portgroups:
- endgame:
- portgroups:
- analyst:
- portgroups:
- custom1:
- portgroups:
- custom2:
-
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- managersearch:
- chain:
- DOCKER-USER:
- hostgroups:
- managersearch:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- self:
- portgroups:
- beats_endpoint:
- portgroups:
- beats_endpoint_ssl:
- portgroups:
- elasticsearch_rest:
- portgroups:
- elastic_agent_endpoint:
- portgroups:
- endgame:
- portgroups:
- syslog:
- portgroups:
- analyst:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- standalone:
- chain:
- DOCKER-USER:
- hostgroups:
- localhost:
- portgroups:
- standalone:
- portgroups:
- fleet:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- self:
- portgroups:
- beats_endpoint:
- portgroups:
- beats_endpoint_ssl:
- portgroups:
- elasticsearch_rest:
- portgroups:
- elastic_agent_endpoint:
- portgroups:
- endgame:
- portgroups:
- strelka_frontend:
- portgroups:
- syslog:
- portgroups:
- analyst:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- fleet:
- portgroups:
- localhost:
- portgroups:
- standalone:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- heavynodes:
- portgroups:
- searchnode:
- chain:
- DOCKER-USER:
- hostgroups:
- manager:
- portgroups:
- dockernet:
- portgroups:
- elasticsearch_rest:
- portgroups:
- searchnodes:
- portgroups:
- self:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- sensor:
- chain:
- DOCKER-USER:
- hostgroups:
- self:
- portgroups:
- strelka_frontend:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- heavynode:
- chain:
- DOCKER-USER:
- hostgroups:
- manager:
- portgroups:
- dockernet:
- portgroups:
- elasticsearch_rest:
- portgroups:
- self:
- portgroups:
- strelka_frontend:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- import:
- chain:
- DOCKER-USER:
- hostgroups:
- manager:
- portgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- beats_endpoint:
- portgroups:
- beats_endpoint_ssl:
- portgroups:
- elasticsearch_rest:
- portgroups:
- elastic_agent_endpoint:
- portgroups:
- analyst:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
- receiver:
- chain:
- DOCKER-USER:
- hostgroups:
- sensors:
- portgroups:
- searchnodes:
- portgroups:
- self:
- portgroups:
- syslog:
- portgroups:
- beats_endpoint:
- portgroups:
- beats_endpoint_ssl:
- portgroups:
- endgame:
- portgroups:
- INPUT:
- hostgroups:
- anywhere:
- portgroups:
- dockernet:
- portgroups:
- localhost:
- portgroups:
diff --git a/salt/logstash/defaults.yaml b/salt/logstash/defaults.yaml
new file mode 100644
index 000000000..a14b47e5c
--- /dev/null
+++ b/salt/logstash/defaults.yaml
@@ -0,0 +1,28 @@
+logstash:
+ assigned_pipelines:
+ roles:
+ fleet:
+ - so/0012_input_elastic_agent.conf
+ - so/9806_output_lumberjack_fleet.conf.jinja
+ manager:
+ - so/0011_input_endgame.conf
+ - so/0012_input_elastic_agent.conf
+ - so/0013_input_lumberjack_fleet.conf
+ - so/9999_output_redis.conf.jinja
+ receiver:
+ - so/0011_input_endgame.conf
+ - so/0012_input_elastic_agent.conf
+ - so/9999_output_redis.conf.jinja
+ search:
+ - so/0900_input_redis.conf.jinja
+ - so/9805_output_elastic_agent.conf.jinja
+ - so/9900_output_endgame.conf.jinja
+ settings:
+ lsheap: 500m
+ config:
+ http_x_host: 0.0.0.0
+ path_x_logs: /var/log/logstash
+ pipeline_x_workers: 1
+ pipeline_x_batch_x_size: 125
+ pipeline_x_ecs_compatibility: disabled
+
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 7f3aef0aa..caabd10ea 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
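Review bot: `http_x_host: 0.0.0.0` binds the Logstash HTTP API listener to every interface and is exposed as readonly in soc_logstash.yaml, yet nothing in this file records which firewall portgroup is expected to limit who can reach that listener once the soc_firewall.yaml annotations are gone. A comment above the key such as `# API listener bound to all interfaces; reachability must be limited by the host firewall / docker network — confirm the matching portgroup` would make that dependency explicit for the next maintainer. The role keys here are `fleet`, `manager`, `receiver`, `search`, whereas the soc_logstash.yaml hunk annotates `reciever` and `nodes`: unless the UI reconciles these names elsewhere, the `receiver` defaults carry no annotation and `nodes` has no default; the same mismatch applies to the soc_logstash.yaml hunk.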
@@ -11,7 +11,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # Logstash Section - Decide which pillar to use
-{% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %}
+{% set lsheap = salt['pillar.get']('logstash:settings:lsheap') %}
 {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
 {% set nodetype = GLOBALS.role %}
 {% endif %}
diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml
new file mode 100644
index 000000000..8e764b0c5
--- /dev/null
+++ b/salt/logstash/soc_logstash.yaml
@@ -0,0 +1,39 @@
+logstash:
+ assigned_pipelines:
+ roles:
+ reciever: &assigned_pipelines
+ description: List of pipelines assigned to this role.
+ advanced: True
+ helpLink: logstash.html
+ multiline: True
+ fleet: *assigned_pipelines
+ manager: *assigned_pipelines
+ nodes: *assigned_pipelines
+ search: *assigned_pipelines
+ settings:
+ lsheap:
+ description: Heap size to use for logstash
+ helpLink: logstash.html
+ global: False
+ config:
+ http_x_host:
+ description: Host interface to listen to connections.
+ helpLink: logstash.html
+ readonly: True
+ path_x_logs:
+ description: Path inside the container to wrote logs.
+ helpLink: logstash.html
+ readonly: True
+ pipeline_x_workers:
+ description: Number of worker threads to process events in logstash.
+ helpLink: logstash.html
+ global: False
+ pipeline_x_batch_x_size:
+ description: Logstash batch size.
+ helpLink: logstash.html
+ global: False
+ pipeline_x_ecs_compatibility:
+ description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
+ helpLink: logstash.html
+ readonly: True
+
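Review bot: The renamed `pillar.get` call still passes no default, so a minion whose pillar predates the new `logstash:settings:lsheap` key (or one written while `LSHEAP` was empty) renders `lsheap` as an empty string and the heap setting downstream becomes empty rather than the 500m introduced in defaults.yaml. Passing that value as the fallback, `{% set lsheap = salt['pillar.get']('logstash:settings:lsheap', '500m') %}`, keeps the template rendering sensibly, assuming defaults.yaml is not already merged into pillar ahead of this line — that merge is outside the hunk.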
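Review bot: The user-facing `path_x_logs` description contains a typo and the `lsheap` description gives no hint of the expected value format, even though the default shipped in defaults.yaml is `500m`; suggested text: `description: Path inside the container to write logs.` and `description: Heap size to use for logstash, e.g. 500m.`. `lsheap`, `pipeline_x_workers` and `pipeline_x_batch_x_size` are marked `global: False`, which reads as per-node settings; a brief comment on the `settings:` key stating that these are set per minion by so-minion would save a reader having to cross-reference that script.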