From a60ef339309915e031f5fceeef0dfda2510ed2dc Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 17 Mar 2022 21:01:03 +0000 Subject: [PATCH 01/28] Reorganize FB module management --- salt/filebeat/etc/module_config.yml.jinja | 18 +--------------- salt/filebeat/init.sls | 26 +++++------------------ salt/filebeat/map.jinja | 21 ++++++++++++++---- salt/filebeat/modules.map.jinja | 18 ++++++++++++++++ 4 files changed, 41 insertions(+), 42 deletions(-) create mode 100644 salt/filebeat/modules.map.jinja diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja index 733d47c7e..5d8782c01 100644 --- a/salt/filebeat/etc/module_config.yml.jinja +++ b/salt/filebeat/etc/module_config.yml.jinja @@ -1,18 +1,2 @@ # DO NOT EDIT THIS FILE -{%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%} - {%- for module in MODULES.modules.keys() %} -- module: {{ module }} - {%- for fileset in MODULES.modules[module] %} - {{ fileset }}: - enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }} - {#- only manage the settings if the fileset is enabled #} - {%- if MODULES.modules[module][fileset].enabled %} - {%- for var, value in MODULES.modules[module][fileset].items() %} - {%- if var|lower != 'enabled' %} - {{ var }}: {{ value }} - {%- endif %} - {%- endfor %} - {%- endif %} - {%- endfor %} - {%- endfor %} -{% endif %} +{{ MODULES|yaml(False) }} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 82622c4b2..473cb7171 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -18,8 +18,8 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set LOCALHOSTNAME = salt['grains.get']('host') %} {% set MANAGER = salt['grains.get']('master') %} -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import THIRDPARTY with context %} +{% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} @@ -88,21 +88,13 @@ filebeatmoduleconf: - template: jinja - show_changes: False -sodefaults_module_conf: +merged_module_conf: file.managed: - - name: /opt/so/conf/filebeat/modules/securityonion.yml + - name: /opt/so/conf/filebeat/modules/modules.yml - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: - MODULES: {{ SO }} - -thirdparty_module_conf: - file.managed: - - name: /opt/so/conf/filebeat/modules/thirdparty.yml - - source: salt://filebeat/etc/module_config.yml.jinja - - template: jinja - - defaults: - MODULES: {{ THIRDPARTY }} + MODULES: {{ MODULESENABLED }} so-filebeat: docker_container.running: 
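Review bot: `MODULES: {{ MODULESENABLED }}` in `merged_module_conf` interpolates the Python repr of a list of dicts into the SLS and relies on the YAML loader reading it as a flow collection; a fileset value containing a backslash, `#` or `: ` is rendered differently by Python repr than YAML expects and would break the state. Emitting it through the `yaml` filter (already used by the new module_config.yml.jinja) makes the line YAML by construction: `MODULES: {{ MODULESENABLED|yaml }}`. The removed `{{ SO }}` and `{{ THIRDPARTY }}` lines had the same shape, so this is a pre-existing pattern rather than a regression, but the new line is the place to fix it.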
@@ -127,14 +119,6 @@ so-filebeat: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp -{% for module in THIRDPARTY.modules.keys() %} - {% for submodule in THIRDPARTY.modules[module] %} - {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %} - - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/tcp - - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/udp - {% endif %} - {% endfor %} -{% endfor %} - watch: - file: filebeatconf - require: diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index f12714176..b42707e05 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja 
@@ -1,9 +1,22 @@ {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %} -{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} - {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %} -{% set SO = SODEFAULTS.securityonion_filebeat %} -{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#} +{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} +{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %} +{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %} + +{% set MODULESENABLED = [] %} +{% for module in MODULESMERGED.modules.keys() %} + {% set ENABLEDFILESETS = {} %} + {% for fileset in MODULESMERGED.modules[module] %} + {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %} + {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %} + {% endif %} + {% endfor %} + {% if ENABLEDFILESETS|length > 0 %} + {% do MODULESENABLED.append(ENABLEDFILESETS) %} + {% endif %} +{% endfor %} +{{ MODULESENABLED }} {% set role = grains.role %} {% set FILEBEAT_EXTRA_HOSTS = [] %} diff --git a/salt/filebeat/modules.map.jinja b/salt/filebeat/modules.map.jinja new file mode 100644 index 000000000..c4a0a6db7 --- /dev/null +++ b/salt/filebeat/modules.map.jinja 
@@ -0,0 +1,18 @@
+{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
+{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
+
+{% set MODULESENABLED = [] %}
+{% for module in MODULESMERGED.modules.keys() %}
+ {% set ENABLEDFILESETS = {} %}
+ {% for fileset in MODULESMERGED.modules[module] %}
+ {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}
+ {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
+ {% endif %}
+ {% endfor %}
+ {% if ENABLEDFILESETS|length > 0 %}
+ {% do MODULESENABLED.append(ENABLEDFILESETS) %}
+ {% endif %}
+{% endfor %}

From 09892a815b0ea40d6cb9e656db1cd899c7ad4f51 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 17 Mar 2022 21:06:07 +0000
Subject: [PATCH 02/28] Add back bind mounts and remove THIRDPARTY

---
 salt/filebeat/init.sls | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 473cb7171..9163547b0 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
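Review bot: The new map file has no comment describing the shape of `MODULESENABLED`, which init.sls and module_config.yml.jinja both consume verbatim; add at the top `{# MODULESENABLED: one {'module': <name>, <fileset>: <fileset settings>} entry per module with at least one fileset whose enabled is true; rendered as-is into the Filebeat modules.yml #}`. Note also that a fileset literally named `module` would overwrite the `'module'` key in `ENABLEDFILESETS`; unlikely given Filebeat's module catalog, but a guard such as `{% if fileset != 'module' and MODULESMERGED.modules[module][fileset].get('enabled', False) %}` would make the assumption explicit.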
@@ -18,7 +18,7 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set LOCALHOSTNAME = salt['grains.get']('host') %} {% set MANAGER = salt['grains.get']('master') %} -{% from 'filebeat/modules.map.jinja' import THIRDPARTY with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} @@ -119,6 +119,7 @@ so-filebeat: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp + - watch: - file: filebeatconf - require: @@ -128,7 +129,14 @@ so-filebeat: - x509: conf_filebeat_crt - x509: conf_filebeat_key - x509: trusttheca - +{% for module in MODULESMERGED.modules.keys() %} + {% for submodule in MODULESMERGED.modules[module] %} + {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %} + - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp + - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp + {% endif %} + {% endfor %} +{% endfor %} {% if grains.role in ES_INCLUDED_NODES %} run_module_setup: cmd.run: From 6e2aaa009829edec90d981a49eabce5861324713 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 17 Mar 2022 21:08:57 +0000 Subject: [PATCH 03/28] Clean up original map file --- salt/filebeat/map.jinja | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index b42707e05..a93eedce0 100644 
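Review bot: The re-added syslog port loop in the third hunk (`@@ -128,7 +129,14 @@`) sits after `- x509: trusttheca`, i.e. inside the `require:` list of `so-filebeat`, not under `port_bindings` where the removed loop originally was and where the second hunk adds a blank line after `- 0.0.0.0:5066:5066/tcp`; the rendered `- 0.0.0.0:<port>:<port>/tcp` items would be read as requisite references and the state would fail. Move the loop back under `port_bindings`, directly after the `5066` line. The loop also reads `MODULESMERGED.modules[module][submodule].enabled` as an attribute while modules.map.jinja uses `.get('enabled', False)`; under a strict Undefined a fileset without `enabled` would raise here, so `.get('enabled', False)` keeps the two consistent. Exact indentation cannot be confirmed from the collapsed hunk, so verify the rendered YAML.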
--- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja @@ -1,23 +1,3 @@ -{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %} -{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %} -{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} -{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %} -{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %} - -{% set MODULESENABLED = [] %} -{% for module in MODULESMERGED.modules.keys() %} - {% set ENABLEDFILESETS = {} %} - {% for fileset in MODULESMERGED.modules[module] %} - {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %} - {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %} - {% endif %} - {% endfor %} - {% if ENABLEDFILESETS|length > 0 %} - {% do MODULESENABLED.append(ENABLEDFILESETS) %} - {% endif %} -{% endfor %} -{{ MODULESENABLED }} - {% set role = grains.role %} {% set FILEBEAT_EXTRA_HOSTS = [] %} {% set mainint = salt['pillar.get']('host:mainint') %} From 712a92aa39e443ba67b5ec9dc2c10b7011b4bfc2 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Mar 2022 21:18:03 -0400 Subject: [PATCH 04/28] Switch from log input to filestream input --- salt/filebeat/etc/filebeat.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index e29b1a583..b918fa7d2 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -113,7 +113,7 @@ filebeat.inputs: fields_under_root: true {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} -- type: log +- type: filestream paths: - /logs/logscan/alerts.log fields: 
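Review bot: Switching `- type: log` to `- type: filestream` here and in the remaining hunks of this patch (the zeek, import, suricata, strelka, wazuh, osquery, kratos and opencanary inputs) changes the input's option names, and the context of the later hunks still carries `close_removed: false`, which is a `log` option; filestream's equivalent is `close.on_state_change.removed`, while `clean_removed` keeps its name. Each filestream input should also carry a unique `id:` (Filebeat warns about inputs without one and uses it to key registry state), and filestream does not reuse the `log` input's registry entries, so existing files would presumably be re-read from offset 0 on first start — confirm against the Filebeat version in use. The input definitions continue outside these hunks.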
@@ -130,7 +130,7 @@ filebeat.inputs: {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} {%- if ZEEKVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} -- type: log +- type: filestream paths: - /nsm/zeek/logs/current/{{ LOGNAME }}.log fields: @@ -145,7 +145,7 @@ filebeat.inputs: clean_removed: true close_removed: false -- type: log +- type: filestream paths: - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log fields: @@ -169,7 +169,7 @@ filebeat.inputs: {%- endfor %} {%- endif %} -- type: log +- type: filestream paths: - /nsm/suricata/eve*.json fields: @@ -185,7 +185,7 @@ filebeat.inputs: clean_removed: false close_removed: false -- type: log +- type: filestream paths: - /nsm/import/*/suricata/eve*.json fields: @@ -207,7 +207,7 @@ filebeat.inputs: clean_removed: false close_removed: false {%- if STRELKAENABLED == 1 %} -- type: log +- type: filestream paths: - /nsm/strelka/log/strelka.log fields: @@ -228,7 +228,7 @@ filebeat.inputs: {%- if WAZUHENABLED == 1 %} -- type: log +- type: filestream paths: - /wazuh/archives/archives.json fields: @@ -246,7 +246,7 @@ filebeat.inputs: {%- if FLEETMANAGER or FLEETNODE %} -- type: log +- type: filestream paths: - /nsm/osquery/fleet/result.log fields: @@ -265,7 +265,7 @@ filebeat.inputs: {%- endif %} {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} -- type: log +- type: filestream paths: - /logs/kratos/kratos.log fields: @@ -295,7 +295,7 @@ filebeat.inputs: {%- endif %} {%- if grains.role == 'so-idh' %} -- type: log +- type: filestream paths: - /nsm/idh/opencanary.log fields: From 7128b046365a4dda76947478251979a5be3ae1da Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Mar 2022 21:20:41 -0400 Subject: [PATCH 05/28] Remove indices.query.bool.max_clause_count because it is dynamically allocated in Elastic 8 --- salt/elasticsearch/defaults.yaml | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f2bb90792..2ca2f463e 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -53,9 +53,6 @@ elasticsearch: script: max_compilations_rate: 20000/1m indices: - query: - bool: - max_clause_count: 3500 id_field_data: enabled: false logger: From 99430fddebb49ca015ddc396399f46e80c70f8ef Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Mar 2022 21:24:39 -0400 Subject: [PATCH 06/28] Update from search.remote to cluster.remote for Elastic 8 --- salt/utility/bin/eval | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval index eba0df039..e96fc9a78 100644 --- a/salt/utility/bin/eval +++ b/salt/utility/bin/eval @@ -28,4 +28,4 @@ fi echo "Applying cross cluster search config..." {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" From c659a443b032c26f0d144805f1ff4187bc2d425d Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 17 Mar 2022 21:25:10 -0400 Subject: [PATCH 07/28] Update from search.remote to cluster.remote for Elastic 8 --- salt/utility/bin/crossthestreams | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams index 0b2d17918..38222bbec 100644 --- a/salt/utility/bin/crossthestreams +++ b/salt/utility/bin/crossthestreams 
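Review bot: The `cluster.remote` key is the right one for Elasticsearch 8, but any `persistent.search.remote.*` entries stored by the old command are not removed by this request; Elasticsearch keeps persistent settings it no longer recognizes under an `archived.*` prefix, so if any remain a one-time cleanup such as `-d '{"persistent": {"archived.*": null}}'` after the upgrade would presumably be needed. The same applies to both changed `cluster.remote` lines in the `crossthestreams` hunk that follows. The surrounding script continues outside this hunk.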
@@ -30,13 +30,13 @@ fi echo "Applying cross cluster search config..." {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" # Add all the search nodes to cross cluster searching. {%- if TRUECLUSTER is sameas false %} {%- if salt['pillar.get']('nodestab', {}) %} {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} -{{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' +{{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"cluster": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' {%- endfor %} {%- endif %} {%- endif %} From 5ec5b9a2ee7044ea119ab47fdcd10aa850c365a3 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 10:14:13 -0400 Subject: [PATCH 08/28] Remove older module config files --- salt/filebeat/init.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 9163547b0..ea04c0311 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -95,6 +95,14 @@ merged_module_conf: - template: jinja - defaults: MODULES: {{ MODULESENABLED }} + +so_module_conf_remove: + file.absent: + - name: /opt/so/conf/filebeat/modules/securityonion.yml + +thirdyparty_module_conf_remove: + file.absent: + - name: /opt/so/conf/filebeat/modules/thirdparty.yml so-filebeat: docker_container.running: From 6f294cc0c24aafb4b09280c5ea160ed3e96f5203 Mon Sep 17 00:00:00 2001 
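Review bot: The new state ID `thirdyparty_module_conf_remove` is misspelled (`thirdparty_module_conf_remove`), which matters because state IDs are the handles other states reference in `require`/`watch`. Neither `file.absent` state is listed in the `so-filebeat` container's `watch:` list (later in the file, outside this hunk), so an already-running Filebeat keeps the modules it loaded from securityonion.yml and thirdparty.yml until something else restarts it; adding `- file: so_module_conf_remove` and `- file: thirdparty_module_conf_remove` to that `watch:` list would restart it when the stale files go away, assuming Filebeat does not reload the modules directory on its own.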
From: weslambert Date: Fri, 18 Mar 2022 11:54:08 -0400 Subject: [PATCH 09/28] Change Kibana user role from superuser to kibana_system for Elastic 8 --- salt/common/tools/sbin/so-user | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index b1a717ce8..2d4e1076d 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -238,7 +238,7 @@ function syncElastic() { syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersTmpFile" syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesTmpFile" - syncElasticSystemRole "$authPillarJson" "so_kibana_user" "superuser" "$rolesTmpFile" + syncElasticSystemRole "$authPillarJson" "so_kibana_user" "kibana_system" "$rolesTmpFile" syncElasticSystemRole "$authPillarJson" "so_logstash_user" "superuser" "$rolesTmpFile" syncElasticSystemRole "$authPillarJson" "so_beats_user" "superuser" "$rolesTmpFile" syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesTmpFile" From e0374be4aac338aa3b5a6e2ccc19f9c1671af72f Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 11:57:33 -0400 Subject: [PATCH 10/28] Update version from 7.16.2 to 8.1.0 for Kibana config --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index e2bd5fe2f..f516945f9 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "7.17.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "8.1.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From cb0d4acd57a99a3304c73c9eb934ccfc3cea996f Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 14:46:28 -0400 Subject: [PATCH 11/28] Remove X-Pack ML entry for Elastic 8 --- salt/kibana/defaults.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index eae767386..1fbc47640 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -28,7 +28,5 @@ kibana: security: showInsecureClusterWarning: False xpack: - ml: - enabled: False security: secureCookies: True From a9ea99daa8f257589ed47cf34b0337cef83808ba Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Mar 2022 15:09:50 -0400 Subject: [PATCH 12/28] Switch from so_elastic user to so_kibana user for Elastic 8 --- salt/kibana/config.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index d595092de..cadfcab4e 100644 --- a/salt/kibana/config.map.jinja 
+++ b/salt/kibana/config.map.jinja @@ -2,7 +2,7 @@ {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass')}) %} + {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% else %} {% do KIBANACONFIG.kibana.config.xpack.update({'security': {'authc': {'providers': {'anonymous': {'anonymous1': {'order': 0, 'credentials': 'elasticsearch_anonymous_user'}}}}}}) %} {% endif %} From d111c08fb30134fdd63539f96d2b728744171542 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 18 Mar 2022 21:45:33 +0000 Subject: [PATCH 13/28] Update Curator commands with new Filebeat module variables --- salt/curator/files/bin/so-curator-close | 9 +++------ salt/curator/files/bin/so-curator-cluster-close | 8 ++------ salt/curator/files/bin/so-curator-cluster-delete | 8 ++------ salt/curator/files/bin/so-curator-cluster-warm | 8 ++------ 4 files changed, 9 insertions(+), 24 deletions(-) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index f445d7e6b..25a19c671 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
@@ -23,8 +23,8 @@ read lastPID < $lf # if lastPID is not null and a process with that pid exists , exit [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} + +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; @@ -36,9 +36,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close index 833cef335..0da245516 100644 --- a/salt/curator/files/bin/so-curator-cluster-close +++ b/salt/curator/files/bin/so-curator-cluster-close 
@@ -24,8 +24,7 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; @@ -36,9 +35,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index e70c4eb02..313a0c311 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -24,8 +24,7 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1; @@ -36,9 +35,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 7279c6d41..1a6791bac 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -24,8 +24,7 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/map.jinja' import THIRDPARTY with context %} -{% from 'filebeat/map.jinja' import SO with context %} +{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; @@ -36,9 +35,6 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-warm.yml > /dev/null 2>&1; -{% for INDEX in THIRDPARTY.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1; -{% endfor -%} -{% for INDEX in SO.modules.keys() -%} +{% for INDEX in MODULESMERGED.modules.keys() -%} docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} {% endfor -%} From 543bf9a7a76930ccacac90087c234ce7ff080814 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 18 Mar 2022 22:07:21 +0000 Subject: [PATCH 14/28] Update Kibana version to 8 --- salt/kibana/bin/so-kibana-config-load | 2 +- salt/kibana/files/config_saved_objects.ndjson | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 4752925b4..d1ac21533 100644 --- a/salt/kibana/bin/so-kibana-config-load 
+++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.1.0" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index f516945f9..d844e2e44 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "8.1.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.1.0","id": "8.1.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 59a2ac38f5a4cf34f743365e010c519abd09e5e8 Mon Sep 17 00:00:00 2001 
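Review bot: The Kibana saved-object version is now hard-coded in two places — `config/8.1.0` in this script and `"id": "8.1.0"` / `"coreMigrationVersion"` in config_saved_objects.ndjson — and they have already drifted once in this series (the ndjson moved to 8.1.0 in an earlier patch while the script still said 7.17.1). Since the script is a Jinja template, set the version once, e.g. `{% set KIBANA_VERSION = '8.1.0' %}` near the top, and use `config/{{ KIBANA_VERSION }}` here so a future bump touches one place. `update()` continues outside the hunk.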
From: Wes Lambert Date: Fri, 18 Mar 2022 22:12:09 +0000 Subject: [PATCH 15/28] Disable FB module load for now --- salt/filebeat/init.sls | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index ea04c0311..bb96e0adb 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -146,14 +146,14 @@ so-filebeat: {% endfor %} {% endfor %} {% if grains.role in ES_INCLUDED_NODES %} -run_module_setup: - cmd.run: - - name: /usr/sbin/so-filebeat-module-setup - - require: - - file: filebeatmoduleconf - - docker_container: so-filebeat - - onchanges: - - docker_container: so-elasticsearch +#run_module_setup: +# cmd.run: +# - name: /usr/sbin/so-filebeat-module-setup +# - require: +# - file: filebeatmoduleconf +# - docker_container: so-filebeat +# - onchanges: +# - docker_container: so-elasticsearch {% endif %} append_so-filebeat_so-status.conf: From c97847f0e2fd274fd0fee543f2ecb03eb9062533 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 03:43:34 +0000 Subject: [PATCH 16/28] Remove Threat Intel Recored Future fileset --- salt/filebeat/thirdpartydefaults.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml index 3be8bb901..be775731e 100644 --- a/salt/filebeat/thirdpartydefaults.yaml +++ b/salt/filebeat/thirdpartydefaults.yaml @@ -259,8 +259,6 @@ third_party_filebeat: enabled: false anomalithreatstream: enabled: false - recordedfuture: - enabled: false zscaler: zia: enabled: false From 2e7d3146500f568e4f8b83a91f924b9ed8d7ad92 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 03:43:55 +0000 Subject: [PATCH 17/28] Remove Cyberark module --- salt/filebeat/thirdpartydefaults.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml index be775731e..48411cad9 100644 --- a/salt/filebeat/thirdpartydefaults.yaml 
+++ b/salt/filebeat/thirdpartydefaults.yaml @@ -74,12 +74,6 @@ third_party_filebeat: enabled: false amp: enabled: false - cyberark: - corepas: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9527 cylance: protect: enabled: false From a18b38de4da36de0f470f7c79775dc38c094ab0d Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 03:54:41 +0000 Subject: [PATCH 18/28] Update so-filebeat-module-setup to use new load style to avoid having to explicitly enabled filesets --- .../tools/sbin/so-filebeat-module-setup | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index bb6ff86a6..c4133c217 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -49,19 +49,20 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
fi
echo "Testing to see if the pipelines are already applied"
ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
-PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-suricata-eve-pipeline | jq . | wc -c)
+PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c)
-if [[ "$PIPELINES" -lt 5 ]]; then
+if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then
echo "Setting up ingest pipeline(s)"
-
- for MODULE in activemq apache auditd aws azure barracuda bluecoat cef checkpoint cisco coredns crowdstrike cyberark cylance elasticsearch envoyproxy f5 fortinet gcp google_workspace googlecloud gsuite haproxy ibmmq icinga iis imperva infoblox iptables juniper kafka kibana logstash microsoft mongodb mssql mysql nats netscout nginx o365 okta osquery panw postgresql rabbitmq radware redis santa snort snyk sonicwall sophos squid suricata system threatintel tomcat traefik zeek zscaler
- do
- echo "Loading $MODULE"
- docker exec -i so-filebeat filebeat setup modules -pipelines -modules $MODULE -c $FB_MODULE_YML
- sleep 2
- done
+{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %}
+{% for module in MODULESMERGED.modules.keys() %}
+ {% for fileset in MODULESMERGED.modules[module] %}
+ {#% if MODULESMERGED.modules[module][fileset].get('enabled', False) %#}
+ echo "{{ module }}.{{ fileset}}"
+ docker exec -i so-filebeat filebeat setup --pipelines --modules {{ module }} -M "{{ module }}.{{ fileset }}.enabled=true" -c $FB_MODULE_YML
+ sleep 0.5
+ {#% endif %#}
+ {% endfor %}
+{% endfor %}
else
exit 0
fi
-
-
From 1a6ef0cc6b7bdc6671a8c0ab1691c380c289d888 Mon Sep 17 00:00:00 2001
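Review bot: The new condition `[[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]` defeats the "already applied" check: whenever the script is run without a second argument (as the Salt `cmd.run` state in this series does, with no arguments at all) the right-hand test is true and every fileset's pipeline is reloaded on each run, while passing `--force` is the one case where setup is skipped if the pipelines exist. If the intent is "load when missing, or when forced", the comparison should be `|| [ "$2" == "--force" ]`, and it is worth confirming whether the flag is expected in `$1` rather than `$2`, since nothing visible here passes a first argument. The rest of the script (the `ELASTICSEARCH_CONNECTED` wait loop) starts before this hunk.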
From: Wes Lambert Date: Sat, 19 Mar 2022 03:55:40 +0000 Subject: [PATCH 19/28] Re-enable FB module load --- salt/filebeat/init.sls | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index bb96e0adb..ea04c0311 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -146,14 +146,14 @@ so-filebeat: {% endfor %} {% endfor %} {% if grains.role in ES_INCLUDED_NODES %} -#run_module_setup: -# cmd.run: -# - name: /usr/sbin/so-filebeat-module-setup -# - require: -# - file: filebeatmoduleconf -# - docker_container: so-filebeat -# - onchanges: -# - docker_container: so-elasticsearch +run_module_setup: + cmd.run: + - name: /usr/sbin/so-filebeat-module-setup + - require: + - file: filebeatmoduleconf + - docker_container: so-filebeat + - onchanges: + - docker_container: so-elasticsearch {% endif %} append_so-filebeat_so-status.conf: From faeaa948c899f684e96537049c3e23a1e845beda Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Sat, 19 Mar 2022 04:31:48 +0000 Subject: [PATCH 20/28] Remove extra Salt logic and clean up output format of resultant script --- salt/common/tools/sbin/so-filebeat-module-setup | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index c4133c217..945c3c58a 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -54,15 +54,13 @@ PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_ if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then echo "Setting up ingest pipeline(s)" {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} -{% for module in MODULESMERGED.modules.keys() %} - {% for fileset in MODULESMERGED.modules[module] %} - {#% if MODULESMERGED.modules[module][fileset].get('enabled', False) %#} +{%- for module in MODULESMERGED.modules.keys() %} + {%- for fileset in MODULESMERGED.modules[module] %} echo "{{ module }}.{{ fileset}}" docker exec -i so-filebeat filebeat setup --pipelines --modules {{ module }} -M "{{ module }}.{{ fileset }}.enabled=true" -c $FB_MODULE_YML sleep 0.5 - {#% endif %#} {% endfor %} -{% endfor %} +{%- endfor %} else exit 0 fi From b2c26807a3caca16db429c74e670b64cd8876f00 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Mar 2022 09:30:25 -0400 Subject: [PATCH 21/28] Add xpack.reporting.kibanaServer.hostname to defaults file --- salt/kibana/defaults.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 1fbc47640..de78fc12c 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -29,4 +29,7 @@ kibana: showInsecureClusterWarning: False xpack: security: - secureCookies: True + secureCookies: true + reporting: + kibanaServer: + hostname: localhost From 9afa9496231e96e24631f86e6ad3c9a9f3250bce Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Mar 2022 12:38:12 -0400 Subject: [PATCH 22/28] Don't rotate Filebeat log on startup --- salt/filebeat/etc/filebeat.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index b918fa7d2..73b158702 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
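Review bot: The added `xpack.reporting.kibanaServer.hostname: localhost` in salt/kibana/defaults.yaml carries no explanation, and the accompanying `True` to `true` change suggests these values are rendered verbatim into the Kibana config, so a reader cannot tell why the reporting hostname is pinned to loopback rather than the node's real name. A one-line YAML comment above the key would help, e.g. `# Reporting reaches Kibana over loopback; presumably needed because the server bind address is not a resolvable hostname -- confirm`. If the pin is only a workaround for a particular deployment role, the comment should say which one.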
@@ -63,6 +63,9 @@ logging.files: # automatically rotated rotateeverybytes: 10485760 # = 10MB + # Rotate on startup + rotateonstartup: False + # Number of rotated log files to keep. Oldest files will be deleted first. keepfiles: 7 From bb9d6673ec419767fdad0e6937c818372f0c0780 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Mar 2022 12:38:50 -0400 Subject: [PATCH 23/28] Fix casing --- salt/filebeat/etc/filebeat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 73b158702..3ac570e89 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -64,7 +64,7 @@ logging.files: rotateeverybytes: 10485760 # = 10MB # Rotate on startup - rotateonstartup: False + rotateonstartup: false # Number of rotated log files to keep. Oldest files will be deleted first. keepfiles: 7 From 47f74fa5c62c9c86f1ebace9a97e4483ad2e9f9c Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 14:58:05 -0400 Subject: [PATCH 24/28] Temporarily downgrade version for merge --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 4d7c69da1..73c2d9a0f 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.0" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done 
From aadf391e5abd7cb7cb8cc2eaabfcf81849b28019 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 14:59:01 -0400 Subject: [PATCH 25/28] Temporarily downgrade version for merge --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index a0765d57a..44a1d0157 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.0","id": "8.2.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.4","id": "7.17.4","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 11e3576e0d792e0c8d56d49249c3963f88eeead5 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 15:07:07 -0400 Subject: [PATCH 26/28] Update Elastic version to 8.2.2 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 44a1d0157..435cedfe0 100644 --- a/salt/kibana/files/config_saved_objects.ndjson 
+++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.4","id": "7.17.4","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.2.2","id": "8.2.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From 151a42734cbf1c751fb29bdeb56faa9a60d2bede Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jun 2022 15:07:45 -0400 Subject: [PATCH 27/28] Update Elastic version to 8.2.2 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 73c2d9a0f..dcb66355f 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -59,7 +59,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.2.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From 959cec1845eb6ee5f02441bde8ec055373d5fbd4 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 14 Jun 2022 11:40:11 -0400 Subject: [PATCH 28/28] Delete Elastalert indices before upgrading to Elastic 8 --- salt/common/tools/sbin/soup | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2e76bd9ef..592c11d98 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -422,8 +422,9 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.80 ]] && up_to_2.3.90 [[ "$INSTALLEDVERSION" == 2.3.90 || "$INSTALLEDVERSION" == 2.3.91 ]] && up_to_2.3.100 [[ "$INSTALLEDVERSION" == 2.3.100 ]] && up_to_2.3.110 - [[ "$INSTALLEDVERISON" == 2.3.110 ]] && up_to_2.3.120 - [[ "$INSTALLEDVERISON" == 2.3.120 ]] && up_to_2.3.130 + [[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120 + [[ "$INSTALLEDVERSION" == 2.3.120 ]] && up_to_2.3.130 + [[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140 true } 
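Review bot: Fixing the misspelled `$INSTALLEDVERISON` in preupgrade_changes changes upgrade behaviour, not just spelling: the removed comparisons tested an unset variable, so `up_to_2.3.120` and `up_to_2.3.130` could never have fired for nodes upgrading from 2.3.110 or 2.3.120, and those nodes are now sitting at 2.3.130 having skipped whatever those steps do. The commit adds `up_to_2.3.140` but does not account for that gap; consider whether 2.3.140 should re-run the skipped steps, or at least note the gap in the function, e.g. `# NOTE: 2.3.120/2.3.130 pre-upgrade steps were never executed before this fix (variable typo)`. The bodies of `up_to_2.3.120` and `up_to_2.3.130` are outside this hunk, so whether their actions are idempotent cannot be judged here.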
@@ -780,6 +781,37 @@ up_to_2.3.130() {
rm -f /opt/so/conf/navigator/layers/nav_layer_playbook.json
}
+up_to_2.3.140() {
+ ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
+ echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+ # Wait for ElasticSearch to initialize
+ echo -n "Waiting for ElasticSearch..."
+ COUNT=0
+ ELASTICSEARCH_CONNECTED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ so-elasticsearch-query -k --output /dev/null
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ exit 1
+ fi
+
+ # Delete Elastalert indices
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done
+ ##
+}
+
verify_upgradespace() {
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
if [ "$CURRENTSPACE" -lt "10" ]; then
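Review bot: The index deletion in `up_to_2.3.140` selects victims with `grep elastalert` over the whole `_cat/indices` line, so any index whose name merely contains that substring anywhere (a user-created `logs-elastalert-archive`, for example) is irreversibly deleted along with the real `elastalert*` indices, and the exit status of each `-XDELETE` is never checked. Anchor the match to the index-name column and quote the expansion: `for i in $(so-elasticsearch-query _cat/indices | awk '$3 ~ /^elastalert/ {print $3}'); do so-elasticsearch-query "$i" -XDELETE || echo "Failed to delete $i"; done`. As a point of style, `so-elasticsearch-query -k --output /dev/null` followed by `if [ $? -eq 0 ]` reads more clearly as `if so-elasticsearch-query -k --output /dev/null; then`.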