configure logrotate through soc

salt/common/cron/common-rotate

@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1

salt/common/cron/sensor-rotate

@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1

salt/common/files/log-rotate.conf

@@ -1,35 +0,0 @@
-{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
-{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
-
-
-/opt/so/log/idstools/*.log
-/opt/so/log/nginx/*.log
-/opt/so/log/soc/*.log
-/opt/so/log/kratos/*.log
-/opt/so/log/kibana/*.log
-/opt/so/log/influxdb/*.log
-/opt/so/log/elastalert/*.log
-/opt/so/log/soctopus/*.log
-/opt/so/log/curator/*.log
-/opt/so/log/fleet/*.log
-/opt/so/log/suricata/*.log
-/opt/so/log/mysql/*.log
-/opt/so/log/telegraf/*.log
-/opt/so/log/redis/*.log
-/opt/so/log/sensoroni/*.log
-/opt/so/log/stenographer/*.log
-/opt/so/log/salt/so-salt-minion-check
-/opt/so/log/salt/minion
-/opt/so/log/salt/master
-/nsm/idh/*.log
-{
-    {{ logrotate_conf | indent(width=4) }}
-}
-
-# Playbook's log directory needs additional configuration
-# because Playbook requires a more permissive directory
-/opt/so/log/playbook/*.log
-{
-    {{ logrotate_conf | indent(width=4) }}
-    {{ group_conf | indent(width=4) }}
-}

salt/common/files/sensor-rotate.conf

@@ -1,22 +0,0 @@
-/opt/so/log/sensor_clean.log
-{
-    daily
-    rotate 2
-    missingok
-    nocompress
-    create
-    sharedscripts
-}
-
-/nsm/strelka/log/strelka.log
-{
-    daily
-    rotate 14
-    missingok
-    copytruncate
-    compress
-    create
-    extension .log
-    dateext
-    dateyesterday
-}

salt/common/init.sls

@@ -151,56 +151,8 @@ so-sensor-clean:
     - daymonth: '*'
     - month: '*'
     - dayweek: '*'
-
-sensorrotatescript:
-  file.managed:
-    - name: /usr/local/bin/sensor-rotate
-    - source: salt://common/cron/sensor-rotate
-    - mode: 755
-
-sensorrotateconf:
-  file.managed:
-    - name: /opt/so/conf/sensor-rotate.conf
-    - source: salt://common/files/sensor-rotate.conf
-    - mode: 644
-
-sensor-rotate:
-  cron.present:
-    - name: /usr/local/bin/sensor-rotate
-    - identifier: sensor-rotate
-    - user: root
-    - minute: '1'
-    - hour: '0'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-
 {% endif %}
 
-commonlogrotatescript:
-  file.managed:
-    - name: /usr/local/bin/common-rotate
-    - source: salt://common/cron/common-rotate
-    - mode: 755
-
-commonlogrotateconf:
-  file.managed:
-    - name: /opt/so/conf/log-rotate.conf
-    - source: salt://common/files/log-rotate.conf
-    - template: jinja
-    - mode: 644
-
-common-rotate:
-  cron.present:
-    - name: /usr/local/bin/common-rotate
-    - identifier: common-rotate
-    - user: root
-    - minute: '1'
-    - hour: '0'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-
 # Create the status directory
 sostatusdir:
   file.directory:

salt/logrotate/defaults.yaml

@@ -1,233 +1,230 @@
 logrotate:
-  common:
+  config:
-    config:
+    /opt/so/log/idstools/*.log:
-      /opt/so/log/idstools/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/nginx/*.log:
-      /opt/so/log/nginx/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/soc/*.log:
-      /opt/so/log/soc/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/kratos/*.log:
-      /opt/so/log/kratos/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/kibana/*.log:
-      /opt/so/log/kibana/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/influxdb/*.log:
-      /opt/so/log/influxdb/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/elastalert/*.log:
-      /opt/so/log/elastalert/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/soctopus/*.log:
-      /opt/so/log/soctopus/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/curator/*.log:
-      /opt/so/log/curator/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/fleet/*.log:
-      /opt/so/log/fleet/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/suricata/*.log:
-      /opt/so/log/suricata/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/mysql/*.log:
-      /opt/so/log/mysql/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/telegraf/*.log:
-      /opt/so/log/telegraf/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/redis/*.log:
-      /opt/so/log/redis/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/sensoroni/*.log:
-      /opt/so/log/sensoroni/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/stenographer/*.log:
-      /opt/so/log/stenographer/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/salt/so-salt-minion-check:
-      /opt/so/log/salt/so-salt-minion-check:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/salt/minion:
-      /opt/so/log/salt/minion:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/salt/master:
-      /opt/so/log/salt/master:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /nsm/idh/*.log:
-      /nsm/idh/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/playbook/*.log:
-      /opt/so/log/playbook/*.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+      - su root socore
-        - su root socore
+    /nsm/strelka/log/strelka.log:
-      /nsm/strelka/log/strelka.log:
+      - daily
-        - daily
+      - rotate 14
-        - rotate 14
+      - missingok
-        - missingok
+      - copytruncate
-        - copytruncate
+      - compress
-        - compress
+      - create
-        - create
+      - extension .log
-        - extension .log
+      - dateext
-        - dateext
+      - dateyesterday
-        - dateyesterday
+    /opt/so/log/sensor_clean.log:
-      /opt/so/log/sensor_clean.log:
+      - daily
-        - daily
+      - rotate 2
-        - rotate 2
+      - missingok
-        - missingok
+      - nocompress
-        - nocompress
+      - create
-        - create
+      - sharedscripts
-        - sharedscripts
-      
-  sensor:

salt/logrotate/etc/rotate.conf.jinja

@@ -0,0 +1,8 @@
+{%- for file, opts in CONFIG.items() %}
+{{ file }}
+{
+{%-   for opt in opts %}
+  {{ opt }}
+{%-   endfor %}
+}
+{%- endfor %}

salt/logrotate/init.sls

@@ -0,0 +1,31 @@
+{% from 'logrotate/map.jinja' import LOGROTATEMERGED %}
+
+logrotateconfdir:
+  file.directory:
+    - name: /opt/so/conf/logrotate
+
+commonlogrotatescript:
+  file.managed:
+    - name: /usr/local/bin/common-rotate
+    - source: salt://logrotate/tools/sbin/common-rotate
+    - mode: 755
+
+commonlogrotateconf:
+  file.managed:
+    - name: /opt/so/conf/logrotate/common-rotate.conf
+    - source: salt://logrotate/etc/rotate.conf.jinja
+    - template: jinja
+    - mode: 644
+    - defaults:
+        CONFIG: {{ LOGROTATEMERGED.config }}
+
+common-rotate:
+  cron.present:
+    - name: /usr/local/bin/common-rotate
+    - identifier: common-rotate
+    - user: root
+    - minute: '1'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'

salt/logrotate/soc_logrotate.yaml

@@ -0,0 +1,29 @@
+logrotate:
+  config:
+    /opt/so/log/idstools/*.log: &rotateopts
+      description: List of logrotate options for this file.
+      advanced: True
+      multiline: True
+      forcedType: "[]string"
+    /opt/so/log/nginx/*.log: *rotateopts
+    /opt/so/log/soc/*.log: *rotateopts
+    /opt/so/log/kratos/*.log: *rotateopts
+    /opt/so/log/kibana/*.log: *rotateopts
+    /opt/so/log/influxdb/*.log: *rotateopts
+    /opt/so/log/elastalert/*.log: *rotateopts
+    /opt/so/log/soctopus/*.log: *rotateopts
+    /opt/so/log/curator/*.log: *rotateopts
+    /opt/so/log/fleet/*.log: *rotateopts
+    /opt/so/log/suricata/*.log: *rotateopts
+    /opt/so/log/mysql/*.log: *rotateopts
+    /opt/so/log/telegraf/*.log: *rotateopts
+    /opt/so/log/redis/*.log: *rotateopts
+    /opt/so/log/sensoroni/*.log: *rotateopts
+    /opt/so/log/stenographer/*.log: *rotateopts
+    /opt/so/log/salt/so-salt-minion-check: *rotateopts
+    /opt/so/log/salt/minion: *rotateopts
+    /opt/so/log/salt/master: *rotateopts
+    /nsm/idh/*.log: *rotateopts
+    /opt/so/log/playbook/*.log: *rotateopts
+    /nsm/strelka/log/strelka.log: *rotateopts
+    /opt/so/log/sensor_clean.log: *rotateopts

salt/logrotate/tools/sbin/common-rotate

@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>&1

salt/top.sls

@@ -14,6 +14,7 @@ base:
     - repo.client
     - ntp
     - schedule
+    - logrotate
 
   'not G@saltversion:{{saltversion}}':
     - match: compound