Merge pull request #14569 from Security-Onion-Solutions/reyesj2/fix-225

fix storage metrics on stig installs
2025-12-06 09:12:45 +01:00 · 2025-04-23 15:38:14 -05:00
parent 69c904548c e27a0d8f7a
commit 46779513de
3 changed files with 10 additions and 5 deletions
--- a/salt/influxdb/templates/alarm_nsm_disk.json
+++ b/salt/influxdb/templates/alarm_nsm_disk.json
@@ -5,10 +5,10 @@
    "name": "alarm-nsm-disk"
  },
  "spec": {
-    "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
+    "description": "Percent used space on the nsm partition of at least one node has exceeded the alarm threshold.",
    "every": "1m0s",
    "name": "NSM Disk High Usage",
-    "query": "from(bucket: \"telegraf/so_short_term\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n  |> filter(fn: (r) => r[\"path\"] == \"/\")\n  |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n  |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n  |> yield(name: \"max\")",
+    "query": "from(bucket: \"telegraf/so_short_term\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n  |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n  |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n  |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n  |> yield(name: \"max\")",
    "status": "active",
    "statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
    "thresholds": [
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -20,7 +20,6 @@ so-telegraf:
    - user: 939
    - group_add: 939,920
    - environment:
-      - HOST_PROC=/host/proc
      - HOST_ETC=/host/etc
      - HOST_SYS=/host/sys
      - HOST_MOUNT_PREFIX=/host
@@ -38,7 +37,7 @@ so-telegraf:
      - /opt/so/conf/telegraf/node_config.json:/etc/telegraf/node_config.json:ro
      - /var/run/utmp:/var/run/utmp:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /:/host/root:ro
+      - /:/host:ro
      - /sys:/host/sys:ro
      - /proc:/host/proc:ro
      - /nsm:/host/nsm:ro
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -113,7 +113,13 @@
 [[inputs.disk]]
  ## By default stats will be gathered for all mount points.
  ## Set mount_points will restrict the stats to only the specified mount points.
-  #mount_points = ["/", "/host/nsm"]
+  mount_points = ["/host",
+                  "/host/nsm",
+                  "/host/var",
+                  "/host/var/log",
+                  "/host/var/log/audit",
+                  "/host/var/tmp"
+                 ]

  ## Ignore mount points by filesystem type.
  #ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"]