From 392305e4edf251f208de175af404dac338ac2f5f Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 10 Nov 2021 09:01:42 -0500
Subject: [PATCH] add engame changes that were missing from merge somehow
---
 pillar/elasticsearch/manager.sls | 1 +
 pillar/elasticsearch/search.sls | 1 +
 pillar/logstash/init.sls | 1 +
 pillar/logstash/manager.sls | 1 +
 pillar/logstash/search.sls | 1 +
 .../curator/files/action/so-endgame-close.yml | 29 +++++++++++++++++++
 .../files/action/so-endgame-delete.yml | 27 +++++++++++++++++
 salt/curator/files/action/so-endgame-warm.yml | 23 +++++++++++++++
 8 files changed, 84 insertions(+)
 create mode 100644 salt/curator/files/action/so-endgame-close.yml
 create mode 100644 salt/curator/files/action/so-endgame-delete.yml
 create mode 100644 salt/curator/files/action/so-endgame-warm.yml
diff --git a/pillar/elasticsearch/manager.sls b/pillar/elasticsearch/manager.sls
index 84ff89a23..8e31ca84e 100644
--- a/pillar/elasticsearch/manager.sls
+++ b/pillar/elasticsearch/manager.sls
@@ -2,6 +2,7 @@ elasticsearch:
   templates:
     - so/so-beats-template.json.jinja
     - so/so-common-template.json.jinja
+    - so/so-endgame-template.json.jinja
     - so/so-firewall-template.json.jinja
     - so/so-flow-template.json.jinja
     - so/so-ids-template.json.jinja
diff --git a/pillar/elasticsearch/search.sls b/pillar/elasticsearch/search.sls
index 84ff89a23..8e31ca84e 100644
--- a/pillar/elasticsearch/search.sls
+++ b/pillar/elasticsearch/search.sls
@@ -2,6 +2,7 @@ elasticsearch:
   templates:
     - so/so-beats-template.json.jinja
     - so/so-common-template.json.jinja
+    - so/so-endgame-template.json.jinja
     - so/so-firewall-template.json.jinja
     - so/so-flow-template.json.jinja
     - so/so-ids-template.json.jinja
diff --git a/pillar/logstash/init.sls b/pillar/logstash/init.sls
index c2dfd9cfd..4e96b400d 100644
--- a/pillar/logstash/init.sls
+++ b/pillar/logstash/init.sls
@@ -1,6 +1,7 @@
 logstash:
   docker_options:
     port_bindings:
+      - 0.0.0.0:3765:3765
       - 0.0.0.0:5044:5044
       - 0.0.0.0:5644:5644
       - 0.0.0.0:6050:6050
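Review bot: The new entry `so/so-endgame-template.json.jinja` points at a template that this patch does not add — the diffstat lists only the five pillar edits and the three curator action files — so on a checkout where that template is absent the elasticsearch state presumably fails at render time. The same applies to the identical entry in pillar/elasticsearch/search.sls and to `so/0011_input_endgame.conf` and `so/9900_output_endgame.conf.jinja` referenced from pillar/logstash/manager.sls and pillar/logstash/search.sls. The subject line says these changes went missing in a merge, so the files may already exist; please confirm each of the four referenced files is present in the tree before this lands, or include them in the same commit so the pillar and the files it names are never out of step.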
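Review bot: The added binding `0.0.0.0:3765:3765` publishes the new Endgame input on every host interface, and nothing in this patch adds the corresponding entry to whatever restricts the sources allowed to reach the existing 5044/5644 listeners. A published container port is typically reachable as soon as the container starts, so the allow-list or firewall change for 3765 should go in alongside this line rather than follow later. If that rule already exists elsewhere, a short comment on the entry naming where it is maintained would help the next reader, e.g. `# 3765: Endgame ingest — allowed sources are governed by the same rules as 5044/5644`.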
diff --git a/pillar/logstash/manager.sls b/pillar/logstash/manager.sls
index 6f3ba495b..fc0788824 100644
--- a/pillar/logstash/manager.sls
+++ b/pillar/logstash/manager.sls
@@ -5,5 +5,6 @@ logstash:
       config:
         - so/0009_input_beats.conf
         - so/0010_input_hhbeats.conf
+        - so/0011_input_endgame.conf
         - so/9999_output_redis.conf.jinja
\ No newline at end of file
diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls
index 55b2070ce..a0ddf946e 100644
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -14,3 +14,4 @@ logstash:
         - so/9600_output_ossec.conf.jinja
         - so/9700_output_strelka.conf.jinja
         - so/9800_output_logscan.conf.jinja
+        - so/9900_output_endgame.conf.jinja
diff --git a/salt/curator/files/action/so-endgame-close.yml b/salt/curator/files/action/so-endgame-close.yml
new file mode 100644
index 000000000..4c4d38341
--- /dev/null
+++ b/salt/curator/files/action/so-endgame-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+  1:
+    action: close
+    description: >-
+      Close Endgame indices older than {{cur_close_days}} days.
+    options:
+      delete_aliases: False
+      timeout_override:
+      continue_if_exception: False
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: regex
+      value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$'
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: {{cur_close_days}}
+      exclude:
diff --git a/salt/curator/files/action/so-endgame-delete.yml b/salt/curator/files/action/so-endgame-delete.yml
new file mode 100644
index 000000000..53d34b6d6
--- /dev/null
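Review bot: The close action's `options:` block has no `ignore_empty_list`, while the sibling so-endgame-delete.yml in this same commit sets `ignore_empty_list: True`; as far as I recall Curator defaults that option to False and then treats an empty match list as an error, so on a node that has no Endgame index yet this action would fail rather than no-op, and `continue_if_exception: False` means the failure is not swallowed (so-endgame-warm.yml has the same gap). If failing on an empty list is not intended, add `ignore_empty_list: True` under `options:` in both files. The header comment stating that every example has `disable_action` set to True is copied from Curator's sample files and contradicts the `disable_action: False` a few lines below; either drop those three comment lines or replace them with `# disable_action is False: this action is live. Retention is set via pillar elasticsearch:index_settings:so-endgame:close (default 30 days).`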
+++ b/salt/curator/files/action/so-endgame-delete.yml
@@ -0,0 +1,27 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+  1:
+    action: delete_indices
+    description: >-
+      Delete Endgame indices when older than {{ DELETE_DAYS }} days.
+    options:
+      ignore_empty_list: True
+      disable_action: False
+    filters:
+    - filtertype: pattern
+      kind: regex
+      value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$'
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: {{ DELETE_DAYS }}
+      exclude:
diff --git a/salt/curator/files/action/so-endgame-warm.yml b/salt/curator/files/action/so-endgame-warm.yml
new file mode 100644
index 000000000..4856a3928
--- /dev/null
+++ b/salt/curator/files/action/so-endgame-warm.yml
@@ -0,0 +1,23 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm', 7) -%}
+actions:
+  1:
+    action: allocation
+    description: "Apply shard allocation filtering rules to the specified indices"
+    options:
+      key: box_type
+      value: warm
+      allocation_type: require
+      wait_for_completion: true
+      timeout_override:
+      continue_if_exception: false
+      disable_action: false
+    filters:
+    - filtertype: pattern
+      kind: regex
+      value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$'
+    - filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: {{ WARM_DAYS }}
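Review bot: The three action files added by this commit each use a different style for the same construct: this file names the pillar-derived threshold `DELETE_DAYS` and renders it as `{{ DELETE_DAYS }}`, so-endgame-close.yml uses `cur_close_days` rendered as `{{cur_close_days}}`, and so-endgame-warm.yml writes booleans as `true`/`false` where close and delete write `True`/`False`. PyYAML accepts all of these, but picking one convention (lowercase booleans, one naming scheme for the day count, spaces inside the Jinja braces) and applying it to all three makes the files diff cleanly against each other and easier to audit. Because this action is destructive, it is also worth naming the controlling key in the description so an operator reading Curator's log knows where the threshold comes from: `Delete Endgame indices when older than {{ DELETE_DAYS }} days (pillar elasticsearch:index_settings:so-endgame:delete).`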
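Review bot: The `description` in so-endgame-warm.yml is the generic sample text "Apply shard allocation filtering rules to the specified indices" and, unlike the close and delete files, says neither which indices nor which threshold it applies to; it also lacks the `---` document start the other two files place after their Jinja `set` line. Suggest `description: >-` followed by `Require box_type=warm allocation for Endgame indices older than {{ WARM_DAYS }} days.`, and adding `---` after the `{%- set WARM_DAYS ... -%}` line so all three files have the same shape. As with the close action, consider `ignore_empty_list: true` under `options:` so a node with no Endgame indices does not turn this run into an error.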