From 41a4321b032701649680b31a2080a880719037e4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 30 Jun 2023 11:26:55 -0400
Subject: [PATCH] configure logrotate through soc
---
salt/common/cron/common-rotate | 2 -
salt/common/cron/sensor-rotate | 2 -
salt/common/files/log-rotate.conf | 35 --
salt/common/files/sensor-rotate.conf | 22 --
salt/common/init.sls | 48 ---
salt/logrotate/defaults.yaml | 461 ++++++++++++------------
salt/logrotate/etc/rotate.conf.jinja | 8 +
salt/logrotate/etc/rotate.config.jinja | 0
salt/logrotate/init.sls | 31 ++
salt/logrotate/soc_logrotate.yaml | 29 ++
salt/logrotate/tools/sbin/common-rotate | 2 +
salt/top.sls | 1 +
12 files changed, 300 insertions(+), 341 deletions(-)
delete mode 100644 salt/common/cron/common-rotate
delete mode 100644 salt/common/cron/sensor-rotate
delete mode 100644 salt/common/files/log-rotate.conf
delete mode 100644 salt/common/files/sensor-rotate.conf
create mode 100644 salt/logrotate/etc/rotate.conf.jinja
delete mode 100644 salt/logrotate/etc/rotate.config.jinja
create mode 100644 salt/logrotate/init.sls
create mode 100644 salt/logrotate/soc_logrotate.yaml
create mode 100644 salt/logrotate/tools/sbin/common-rotate
diff --git a/salt/common/cron/common-rotate b/salt/common/cron/common-rotate
deleted file mode 100644
index 63b8e2b5d..000000000
--- a/salt/common/cron/common-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/cron/sensor-rotate b/salt/common/cron/sensor-rotate
deleted file mode 100644
index 94cebf75d..000000000
--- a/salt/common/cron/sensor-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
deleted file mode 100644
index a312f7870..000000000
--- a/salt/common/files/log-rotate.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
-{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
-
-
-/opt/so/log/idstools/*.log
-/opt/so/log/nginx/*.log
-/opt/so/log/soc/*.log
-/opt/so/log/kratos/*.log
-/opt/so/log/kibana/*.log
-/opt/so/log/influxdb/*.log
-/opt/so/log/elastalert/*.log
-/opt/so/log/soctopus/*.log
-/opt/so/log/curator/*.log
-/opt/so/log/fleet/*.log
-/opt/so/log/suricata/*.log
-/opt/so/log/mysql/*.log
-/opt/so/log/telegraf/*.log
-/opt/so/log/redis/*.log
-/opt/so/log/sensoroni/*.log
-/opt/so/log/stenographer/*.log
-/opt/so/log/salt/so-salt-minion-check
-/opt/so/log/salt/minion
-/opt/so/log/salt/master
-/nsm/idh/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
-}
-
-# Playbook's log directory needs additional configuration
-# because Playbook requires a more permissive directory
-/opt/so/log/playbook/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
- {{ group_conf | indent(width=4) }}
-}
diff --git a/salt/common/files/sensor-rotate.conf b/salt/common/files/sensor-rotate.conf
deleted file mode 100644
index cefd3944e..000000000
--- a/salt/common/files/sensor-rotate.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-/opt/so/log/sensor_clean.log
-{
- daily
- rotate 2
- missingok
- nocompress
- create
- sharedscripts
-}
-
-/nsm/strelka/log/strelka.log
-{
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
-}
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index c23e82543..d2dfef3be 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -151,56 +151,8 @@ so-sensor-clean:
- daymonth: '*'
- month: '*'
- dayweek: '*'
-
-sensorrotatescript:
- file.managed:
- - name: /usr/local/bin/sensor-rotate
- - source: salt://common/cron/sensor-rotate
- - mode: 755
-
-sensorrotateconf:
- file.managed:
- - name: /opt/so/conf/sensor-rotate.conf
- - source: salt://common/files/sensor-rotate.conf
- - mode: 644
-
-sensor-rotate:
- cron.present:
- - name: /usr/local/bin/sensor-rotate
- - identifier: sensor-rotate
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
{% endif %}
-commonlogrotatescript:
- file.managed:
- - name: /usr/local/bin/common-rotate
- - source: salt://common/cron/common-rotate
- - mode: 755
-
-commonlogrotateconf:
- file.managed:
- - name: /opt/so/conf/log-rotate.conf
- - source: salt://common/files/log-rotate.conf
- - template: jinja
- - mode: 644
-
-common-rotate:
- cron.present:
- - name: /usr/local/bin/common-rotate
- - identifier: common-rotate
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
# Create the status directory
sostatusdir:
file.directory:
diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml
index 6d0fa7dc7..841094d84 100644
--- a/salt/logrotate/defaults.yaml
+++ b/salt/logrotate/defaults.yaml
@@ -1,233 +1,230 @@
logrotate:
- common:
- config:
- /opt/so/log/idstools/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/nginx/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/soc/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/kratos/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/kibana/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/influxdb/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/elastalert/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/soctopus/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/curator/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/fleet/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/suricata/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/mysql/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/telegraf/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/redis/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/sensoroni/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/stenographer/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/salt/so-salt-minion-check:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/salt/minion:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/salt/master:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /nsm/idh/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/playbook/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- - su root socore
- /nsm/strelka/log/strelka.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/sensor_clean.log:
- - daily
- - rotate 2
- - missingok
- - nocompress
- - create
- - sharedscripts
-
- sensor:
+ config:
+ /opt/so/log/idstools/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/nginx/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soc/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kratos/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kibana/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/influxdb/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/elastalert/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soctopus/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/curator/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/fleet/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/suricata/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/mysql/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/telegraf/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/redis/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensoroni/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/stenographer/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/so-salt-minion-check:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/minion:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/master:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /nsm/idh/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/playbook/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ - su root socore
+ /nsm/strelka/log/strelka.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensor_clean.log:
+ - daily
+ - rotate 2
+ - missingok
+ - nocompress
+ - create
+ - sharedscripts
diff --git a/salt/logrotate/etc/rotate.conf.jinja b/salt/logrotate/etc/rotate.conf.jinja
new file mode 100644
index 000000000..60852af38
--- /dev/null
+++ b/salt/logrotate/etc/rotate.conf.jinja
@@ -0,0 +1,8 @@
+{%- for file, opts in CONFIG.items() %}
+{{ file }}
+{
+{%- for opt in opts %}
+ {{ opt }}
+{%- endfor %}
+}
+{%- endfor %}
diff --git a/salt/logrotate/etc/rotate.config.jinja b/salt/logrotate/etc/rotate.config.jinja
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/logrotate/init.sls b/salt/logrotate/init.sls
new file mode 100644
index 000000000..1b096f9db
--- /dev/null
+++ b/salt/logrotate/init.sls
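Review bot: Each `{{ opt }}` in the inner loop is emitted as a directive line of a config that logrotate later reads as root, and nothing checks the value first; soc_logrotate.yaml in this same patch marks every one of these lists as a SOC-editable `forcedType: "[]string"` field, so this template becomes the only point between the SOC setting and logrotate. Logrotate's directive language includes script and ownership directives, so whoever can edit these settings can in effect set root-executed configuration on every minion that applies the state. A narrow first step is to reject any element containing a newline and to keep an allow-list of accepted directive keywords (the set defaults.yaml already uses: daily, rotate, missingok, copytruncate, compress, nocompress, create, extension, dateext, dateyesterday, sharedscripts, su), failing the render on anything else, either in this loop or in map.jinja. Whether SOC itself validates the field is not visible in this patch, so treat that as unconfirmed.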
@@ -0,0 +1,31 @@
+{% from 'logrotate/map.jinja' import LOGROTATEMERGED %}
+
+logrotateconfdir:
+ file.directory:
+ - name: /opt/so/conf/logrotate
+
+commonlogrotatescript:
+ file.managed:
+ - name: /usr/local/bin/common-rotate
+ - source: salt://logrotate/tools/sbin/common-rotate
+ - mode: 755
+
+commonlogrotateconf:
+ file.managed:
+ - name: /opt/so/conf/logrotate/common-rotate.conf
+ - source: salt://logrotate/etc/rotate.conf.jinja
+ - template: jinja
+ - mode: 644
+ - defaults:
+ CONFIG: {{ LOGROTATEMERGED.config }}
+
+common-rotate:
+ cron.present:
+ - name: /usr/local/bin/common-rotate
+ - identifier: common-rotate
+ - user: root
+ - minute: '1'
+ - hour: '0'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml
new file mode 100644
index 000000000..a300ec38e
--- /dev/null
+++ b/salt/logrotate/soc_logrotate.yaml
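Review bot: Nothing in this new state removes what the deleted `common` states leave behind on nodes that already ran them: the `sensor-rotate` cron entry, `/usr/local/bin/sensor-rotate`, `/opt/so/conf/sensor-rotate.conf` and `/opt/so/conf/log-rotate.conf` stay in place, so an upgraded sensor keeps a second root cron job forcing rotation from a stale config (strelka.log and sensor_clean.log end up covered by both). The `common-rotate` entry is replaced in place because the identifier and script path are reused, but the sensor one is not. Unless an upgrade script outside this patch handles it, add `cron.absent` and `file.absent` states alongside the new ones. Separately, `CONFIG: {{ LOGROTATEMERGED.config }}` relies on the Python repr of the merged dict being accepted as YAML flow syntax; `CONFIG: {{ LOGROTATEMERGED.config | tojson }}` renders the same data unambiguously.
```yaml
# … unchanged: logrotateconfdir, commonlogrotatescript, commonlogrotateconf, common-rotate …

sensor-rotate-cron-absent:
  cron.absent:
    - name: /usr/local/bin/sensor-rotate
    - identifier: sensor-rotate
    - user: root

legacy-rotate-files-absent:
  file.absent:
    - names:
      - /usr/local/bin/sensor-rotate
      - /opt/so/conf/sensor-rotate.conf
      - /opt/so/conf/log-rotate.conf
```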
@@ -0,0 +1,29 @@
+logrotate:
+ config:
+ /opt/so/log/idstools/*.log: &rotateopts
+ description: List of logrotate options for this file.
+ advanced: True
+ multiline: True
+ forcedType: "[]string"
+ /opt/so/log/nginx/*.log: *rotateopts
+ /opt/so/log/soc/*.log: *rotateopts
+ /opt/so/log/kratos/*.log: *rotateopts
+ /opt/so/log/kibana/*.log: *rotateopts
+ /opt/so/log/influxdb/*.log: *rotateopts
+ /opt/so/log/elastalert/*.log: *rotateopts
+ /opt/so/log/soctopus/*.log: *rotateopts
+ /opt/so/log/curator/*.log: *rotateopts
+ /opt/so/log/fleet/*.log: *rotateopts
+ /opt/so/log/suricata/*.log: *rotateopts
+ /opt/so/log/mysql/*.log: *rotateopts
+ /opt/so/log/telegraf/*.log: *rotateopts
+ /opt/so/log/redis/*.log: *rotateopts
+ /opt/so/log/sensoroni/*.log: *rotateopts
+ /opt/so/log/stenographer/*.log: *rotateopts
+ /opt/so/log/salt/so-salt-minion-check: *rotateopts
+ /opt/so/log/salt/minion: *rotateopts
+ /opt/so/log/salt/master: *rotateopts
+ /nsm/idh/*.log: *rotateopts
+ /opt/so/log/playbook/*.log: *rotateopts
+ /nsm/strelka/log/strelka.log: *rotateopts
+ /opt/so/log/sensor_clean.log: *rotateopts
diff --git a/salt/logrotate/tools/sbin/common-rotate b/salt/logrotate/tools/sbin/common-rotate
new file mode 100644
index 000000000..14c3536da
--- /dev/null
+++ b/salt/logrotate/tools/sbin/common-rotate
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>&1
diff --git a/salt/top.sls b/salt/top.sls
index e53791673..e53895324 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -14,6 +14,7 @@ base:
- repo.client
- ntp
- schedule
+ - logrotate
'not G@saltversion:{{saltversion}}':
- match: compound
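Review bot: The script discards everything logrotate prints (`> /dev/null 2>&1`), and now that the option lists come from a SOC-editable setting a single mistyped directive can make logrotate skip or ignore part of the rendered config (how much depends on the logrotate version), which this root cron job will then silently repeat every night while the affected logs are never rotated. Keep stderr somewhere an operator or a detection rule can see it, e.g. `/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf 2>&1 | logger -t common-rotate`, and consider a `logrotate -d` dry run in the Salt state before the rendered config is put in place. `-f` still forces rotation on every run regardless of the `daily` directive each entry carries, which matches the script this one replaces, so that part is unchanged.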