fix defaults for logstash

salt/common/tools/sbin/so-minion

@@ -163,12 +163,11 @@ function add_idh_to_minion() {
 function add_logstash_to_minion() {
 	# Create the logstash advanced pillar
 	printf '%s\n'\
-		"logstash_settings:"\
+		"logstash:"\
-		"  ls_host: '$LSHOSTNAME'"\
+		"  config:"\
-		"  ls_pipeline_batch_size: 125"\
+		"    pipeline_x_workers: $CPUCORES"\
-		"  ls_input_threads: 1"\
+		"  settings:"\
-		"  lsheap: $LSHEAP"\
+		"    lsheap: $LSHEAP"\
-		"  ls_pipeline_workers: $CPUCORES"\
 		"  " >> $PILLARFILE
 }
 

salt/firewall/soc_firewall.yaml

@@ -1,456 +0,0 @@
-firewall:
-  hostgroups:
-    analyst: &hostgroupsettings
-      description: List of IP or CIDR blocks to allow access to this hostgroup.
-      helplink: firewall.html
-      multiline: True
-      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
-      regexFailureMessage: You must enter a valid IP address or CIDR.
-    anywhere: &hostgroupsettingsadv
-      description: List of IP or CIDR blocks to allow access to this hostgroup.
-      helplink: firewall.html
-      multiline: True
-      advanced: True
-      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
-      regexFailureMessage: You must enter a valid IP address or CIDR.
-    beats_endpoint: *hostgroupsettings
-    beats_endpoint_ssl: *hostgroupsettings
-    dockernet: *hostgroupsettingsadv
-    elastic_agent_endpoint: *hostgroupsettings
-    elasticsearch_rest: *hostgroupsettingsadv
-    endgame: *hostgroupsettingsadv
-    eval: *hostgroupsettings
-    fleet: *hostgroupsettings
-    heavynodes: *hostgroupsettings
-    idh: *hostgroupsettings
-    localhost: *hostgroupsettingsadv
-    manager: *hostgroupsettings
-    receivers: *hostgroupsettings
-    searchnodes: *hostgroupsettings
-    securityonion_desktops: *hostgroupsettings
-    self: *hostgroupsettingsadv
-    sensors: *hostgroupsettings
-    standalone: *hostgroupsettings
-    strelka_frontend: *hostgroupsettings
-    syslog: *hostgroupsettings
-    customhostgroup1: &customhostgroupsettings
-      description: List of IP or CIDR blocks to allow to this hostgroup.
-      helpLink: firewall.html
-      advanced: True
-      multiline: True
-      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
-      regexFailureMessage: You must enter a valid IP address or CIDR.
-    customhostgroup2: *customhostgroupsettings
-    customhostgroup3: *customhostgroupsettings
-    customhostgroup4: *customhostgroupsettings
-    customhostgroup5: *customhostgroupsettings
-    customhostgroup6: *customhostgroupsettings
-    customhostgroup7: *customhostgroupsettings
-    customhostgroup8: *customhostgroupsettings
-    customhostgroup9: *customhostgroupsettings
-    customhostgroup10: *customhostgroupsettings
-
-  portgroups:
-    all:
-      tcp: &tcpsettings
-        description: List of TCP ports for this port group.
-        helplink: firewall.html
-        advanced: True
-        multiline: True
-      udp: &udpsettings
-        description: List of UDP ports for this port group.
-        helplink: firewall.html
-        advanced: True
-        multiline: True
-    agrules:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    beats_5044:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    beats_5644:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    beats_5066:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    beats_5056:
-      tcp: *tcpsettings
-      udp: *udpsettings 
-    docker_registry:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    elasticsearch_node:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    elasticsearch_rest:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    elastic_agent_control:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    elastic_agent_data:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    endgame:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    influxdb:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    kibana:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    mysql:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    nginx:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    playbook:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    redis:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    salt_manager:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    sensoroni:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    ssh:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    strelka_frontend:
-      tcp: *tcpsettings
-      udp: *udpsettings 
-    syslog:
-      tcp: *tcpsettings
-      udp: *udpsettings
-    yum:
-      tcp: *tcpsettings
-      udp: *udpsettings
-  role:
-    eval:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            eval:
-              portgroups: &portgroupsdocker
-                description: Portgroups to add access to the docker containers for this role.
-                advanced: True
-                multiline: True
-                helpLink: firewall.html
-            sensors:
-              portgroups: *portgroupsdocker
-            searchnodes:
-              portgroups: *portgroupsdocker
-            heavynodes:
-              portgroups: *portgroupsdocker
-            self:
-              portgroups: *portgroupsdocker
-            beats_endpoint: 
-              portgroups: *portgroupsdocker
-            beats_endpoint_ssl:
-              portgroups: *portgroupsdocker
-            elasticsearch_rest:
-              portgroups: *portgroupsdocker
-            elastic_agent_endpoint:
-              portgroups: *portgroupsdocker
-            strelka_frontend:
-              portgroups: *portgroupsdocker
-            syslog:
-              portgroups: *portgroupsdocker
-            analyst:
-              portgroups: *portgroupsdocker
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups: &portgroupshost
-                description: Portgroups to add access to the host.
-                advacned: True
-                multiline: True
-                helpLink
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-    fleet:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            sensors:
-              portgroups:
-            elastic_agent_endpoint:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-            standalone:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-    manager:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            manager:
-              portgroups:                
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-            self:
-              portgroups:
-            syslog:
-              portgroups:
-            beats_endpoint:
-              portgroups:
-            beats_endpoint_ssl:
-              portgroups:
-            elasticsearch_rest:
-              portgroups:
-            elastic_agent_endpoint:
-              portgroups:
-            endgame:
-              portgroups:
-            analyst:
-              portgroups:
-            custom1:
-              portgroups:
-            custom2:
-
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-    managersearch:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            managersearch:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-            self:
-              portgroups:
-            beats_endpoint:
-              portgroups:
-            beats_endpoint_ssl:
-              portgroups:
-            elasticsearch_rest:
-              portgroups:
-            elastic_agent_endpoint:
-              portgroups:
-            endgame:
-              portgroups:
-            syslog:
-              portgroups:
-            analyst:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-    standalone:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            localhost:
-              portgroups:
-            standalone:
-              portgroups:
-            fleet:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-            self:
-              portgroups:
-            beats_endpoint:
-              portgroups:
-            beats_endpoint_ssl:
-              portgroups:
-            elasticsearch_rest:
-              portgroups:
-            elastic_agent_endpoint:
-              portgroups:
-            endgame:
-              portgroups:
-            strelka_frontend:
-              portgroups:
-            syslog:
-              portgroups:
-            analyst:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            fleet:
-              portgroups:
-            localhost:
-              portgroups:
-            standalone:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            heavynodes:
-              portgroups:
-    searchnode:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            manager:
-              portgroups:
-            dockernet:
-              portgroups:
-            elasticsearch_rest:
-              portgroups:
-            searchnodes:
-              portgroups:
-            self:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-    sensor:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            self:
-              portgroups:
-            strelka_frontend:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-    heavynode:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            manager:
-              portgroups:
-            dockernet:
-              portgroups:
-            elasticsearch_rest:
-              portgroups:
-            self:
-              portgroups:
-            strelka_frontend:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-    import:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            manager:
-              portgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            beats_endpoint:
-              portgroups:
-            beats_endpoint_ssl:
-              portgroups:
-            elasticsearch_rest:
-              portgroups:
-            elastic_agent_endpoint:
-              portgroups:
-            analyst:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:
-    receiver:
-      chain:
-        DOCKER-USER:
-          hostgroups:
-            sensors:
-              portgroups:
-            searchnodes:
-              portgroups:
-            self:
-              portgroups:
-            syslog:
-              portgroups:
-            beats_endpoint:
-              portgroups:
-            beats_endpoint_ssl:
-              portgroups:
-            endgame:
-              portgroups:
-        INPUT:
-          hostgroups:
-            anywhere:
-              portgroups:
-            dockernet:
-              portgroups:
-            localhost:
-              portgroups:

salt/logstash/defaults.yaml

@@ -0,0 +1,28 @@
+logstash:
+  assigned_pipelines:
+    roles:
+      fleet:
+        - so/0012_input_elastic_agent.conf     
+        - so/9806_output_lumberjack_fleet.conf.jinja
+      manager:
+        - so/0011_input_endgame.conf
+        - so/0012_input_elastic_agent.conf
+        - so/0013_input_lumberjack_fleet.conf
+        - so/9999_output_redis.conf.jinja        
+      receiver:
+        - so/0011_input_endgame.conf
+        - so/0012_input_elastic_agent.conf
+        - so/9999_output_redis.conf.jinja
+      search:
+        - so/0900_input_redis.conf.jinja
+        - so/9805_output_elastic_agent.conf.jinja
+        - so/9900_output_endgame.conf.jinja
+  settings:
+    lsheap: 500m
+  config:
+    http_x_host: 0.0.0.0
+    path_x_logs: /var/log/logstash
+    pipeline_x_workers: 1
+    pipeline_x_batch_x_size: 125
+    pipeline_x_ecs_compatibility: disabled
+

salt/logstash/init.sls

@@ -11,7 +11,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 # Logstash Section - Decide which pillar to use
-{% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %}
+{% set lsheap = salt['pillar.get']('logstash:settings:lsheap') %}
 {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
     {% set nodetype = GLOBALS.role  %}
 {% endif %}

salt/logstash/soc_logstash.yaml

@@ -0,0 +1,39 @@
+logstash:
+  assigned_pipelines:
+    roles:
+      reciever: &assigned_pipelines
+        description: List of pipelines assigned to this role.
+        advanced: True
+        helpLink: logstash.html
+        multiline: True
+      fleet: *assigned_pipelines
+      manager: *assigned_pipelines
+      nodes: *assigned_pipelines
+      search: *assigned_pipelines
+  settings:
+    lsheap: 
+      description: Heap size to use for logstash
+      helpLink: logstash.html
+      global: False
+  config:
+    http_x_host: 
+      description: Host interface to listen to connections.
+      helpLink: logstash.html
+      readonly: True
+    path_x_logs: 
+      description: Path inside the container to wrote logs.
+      helpLink: logstash.html
+      readonly: True
+    pipeline_x_workers: 
+      description: Number of worker threads to process events in logstash.
+      helpLink: logstash.html
+      global: False
+    pipeline_x_batch_x_size: 
+      description: Logstash batch size.
+      helpLink: logstash.html
+      global: False
+    pipeline_x_ecs_compatibility: 
+      description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
+      helpLink: logstash.html
+      readonly: True
+