From 378d37d74ebb0530fd070eddde2a196c01fab6e5 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 14 Oct 2025 12:44:51 -0500
Subject: [PATCH 1/3] add event.module to elasticsearch server logs

---
 salt/elasticsearch/defaults.yaml | 64 +++++++++++++++++++
 salt/elasticsearch/files/ingest/global@custom | 1 +
 salt/elasticsearch/soc_elasticsearch.yaml | 1 +
 salt/manager/tools/sbin/soup | 2 +
 4 files changed, 68 insertions(+)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 23eee8df0..592f47a2b 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1991,6 +1991,70 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-elasticsearch_x_server:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-elasticsearch.server@package
+ - logs-elasticsearch.server@custom
+ - so-fleet_integrations.ip_mappings-1
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ allow_custom_routing: false
+ hidden: false
+ ignore_missing_component_templates:
+ - logs-elasticsearch.server@custom
+ index_patterns:
+ - logs-elasticsearch.server-*
+ priority: 501
+ template:
+ mappings:
+ _meta:
+ managed: true
+ managed_by: security_onion
+ package:
+ name: elastic_agent
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-elasticsearch.server-logs
+ mapping:
+ total_fields:
+ limit: 5000
+ number_of_replicas: 0
+ sort:
+ field: '@timestamp'
+ order: desc
+ policy:
+ _meta:
+ managed: true
+ managed_by: security_onion
+ package:
+ name: elastic_agent
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-endpoint_x_actions:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom
index c92c15612..8e48eb0b9 100644
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
@@ -23,6 +23,7 @@
 { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
 { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
 { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
+ { "set": { "if": "ctx.event?.dataset != null && ctx.event?.dataset == 'elasticsearch.server'", "field": "event.module", "value":"elasticsearch" }},
 {"append": {"field":"related.ip","value":["{{source.ip}}","{{destination.ip}}"],"allow_duplicates":false,"if":"ctx?.event?.dataset == 'endpoint.events.network' && ctx?.source?.ip != null","ignore_failure":true}},
 {"foreach": {"field":"host.ip","processor":{"append":{"field":"related.ip","value":"{{_ingest._value}}","allow_duplicates":false}},"if":"ctx?.event?.module == 'endpoint' && ctx?.host?.ip != null","ignore_missing":true, "description":"Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip"}},
 { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index c268cc493..097a53296 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
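Review bot: The condition on the added `set` processor, `ctx.event?.dataset != null && ctx.event?.dataset == 'elasticsearch.server'`, carries a redundant null test: the null-safe `?.` already yields null for a missing field and `null == 'elasticsearch.server'` is simply false, so `"if": "ctx.event?.dataset == 'elasticsearch.server'"` is equivalent and matches the style of the `fim` processor three lines above. Unlike that processor this one does not spell out `override`, so it relies on the processor default (override enabled) and will replace any `event.module` the integration's own pipeline already wrote; that appears to be the intent of the commit, but writing `"override": true` explicitly, as the neighbouring processor does, would make it deliberate rather than implicit.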
@@ -392,6 +392,7 @@ elasticsearch:
 so-logs-elastic_agent_x_metricbeat: *indexSettings
 so-logs-elastic_agent_x_osquerybeat: *indexSettings
 so-logs-elastic_agent_x_packetbeat: *indexSettings
+ so-logs-elasticsearch_x_server: *indexSettings
 so-metrics-endpoint_x_metadata: *indexSettings
 so-metrics-endpoint_x_metrics: *indexSettings
 so-metrics-endpoint_x_policy: *indexSettings
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 8c607963f..952645c61 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -627,6 +627,8 @@ post_to_2.4.190() {
 update_default_logstash_output
 fi
 fi
+ # Apply new elasticsearch.server index template
+ rollover_index "logs-elasticsearch.server-default"
 POSTVERSION=2.4.190
 }
 

From 2baf2478da38822a2c91b725b20ff5db7b6d51d4 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 14 Oct 2025 12:47:03 -0500
Subject: [PATCH 2/3] add additional elasticsearch log output in json format for elasticsearch log integration to parse

---
 .../elasticsearch-logs.json | 2 +-
 salt/elasticsearch/files/log4j2.properties | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json
index a2aaf5e0a..0c74a7fd5 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json
@@ -40,7 +40,7 @@
 "enabled": true,
 "vars": {
 "paths": [
- "/opt/so/log/elasticsearch/*.log"
+ "/opt/so/log/elasticsearch/*.json"
 ]
 }
 },
diff --git a/salt/elasticsearch/files/log4j2.properties b/salt/elasticsearch/files/log4j2.properties
index 014fa61a1..0a337e751 100644
--- a/salt/elasticsearch/files/log4j2.properties
+++ b/salt/elasticsearch/files/log4j2.properties
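Review bot: The new `rollover_index "logs-elasticsearch.server-default"` call runs unconditionally inside `post_to_2.4.190()`, whose body begins outside the hunk, and `rollover_index` is defined elsewhere in soup, so I cannot see how it reacts when the target does not exist. On a grid where no `elasticsearch.server` events have been indexed yet (the JSON log output is only introduced by the next commit in this series) the data stream may be absent at upgrade time; whether the call is then a quiet no-op or surfaces as an error during soup depends on that helper and is worth confirming. The comment would also help a future reader more if it said why the rollover is needed, e.g. `# Roll over so the new so-logs-elasticsearch_x_server template and ILM policy apply to the next backing index`.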
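Review bot: Narrowing the integration path from `*.log` to `*.json` stops collection of every other `.log` file under `/opt/so/log/elasticsearch`, not only the `rolling` appender's output that the JSON appender replaces. I cannot tell from this series whether anything else matching the old glob (deprecation, slowlog or GC output, if those land in the same directory on a grid node) was being shipped and is now silently dropped, so that is worth checking before release. If shipping only the server log is the intent, a sentence in the commit message or a `"description"` next to the path would make the narrowing deliberate.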
@@ -23,5 +23,26 @@ appender.rolling.strategy.action.condition.type = IfFileName
 appender.rolling.strategy.action.condition.glob = *.gz
 appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
 appender.rolling.strategy.action.condition.nested_condition.age = 7D
+
+appender.rolling_json.type = RollingFile
+appender.rolling_json.name = rolling_json
+appender.rolling_json.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.json
+appender.rolling_json.layout.type = ECSJsonLayout
+appender.rolling_json.layout.dataset = elasticsearch.server
+appender.rolling_json.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz
+appender.rolling_json.policies.type = Policies
+appender.rolling_json.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling_json.policies.time.interval = 1
+appender.rolling_json.policies.time.modulate = true
+appender.rolling_json.strategy.type = DefaultRolloverStrategy
+appender.rolling_json.strategy.action.type = Delete
+appender.rolling_json.strategy.action.basepath = /var/log/elasticsearch
+appender.rolling_json.strategy.action.condition.type = IfFileName
+appender.rolling_json.strategy.action.condition.glob = *.gz
+appender.rolling_json.strategy.action.condition.nested_condition.type = IfLastModified
+appender.rolling_json.strategy.action.condition.nested_condition.age = 7D
+
+
 rootLogger.level = info
 rootLogger.appenderRef.rolling.ref = rolling
+rootLogger.appenderRef.rolling_json.ref = rolling_json

From 3e22043ea6b6f7a691d986f5c4fb7176149ed1db Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 14 Oct 2025 15:08:51 -0500
Subject: [PATCH 3/3] es logging retention

---
 salt/elasticsearch/files/log4j2.properties | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)

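Review bot: Attaching `rolling_json` to the root logger next to `rolling` (last added line of the hunk) writes every server log record twice, once as text and once as ECS JSON, so on-disk log volume for the node roughly doubles while the agent integration changed in this series ships only the `.json` files. If the plain `.log` output is kept on purpose for local troubleshooting, a comment above the new appender saying so would save the next maintainer from removing it, e.g. `# ECS JSON copy of the server log, collected by the elasticsearch-logs integration; the plain .log remains for local troubleshooting`. Otherwise dropping `rootLogger.appenderRef.rolling.ref` and the `rolling` appender would halve the footprint; either way the decision should be recorded in the file.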
diff --git a/salt/elasticsearch/files/log4j2.properties b/salt/elasticsearch/files/log4j2.properties
index 0a337e751..305069882 100644
--- a/salt/elasticsearch/files/log4j2.properties
+++ b/salt/elasticsearch/files/log4j2.properties
@@ -20,7 +20,7 @@ appender.rolling.strategy.type = DefaultRolloverStrategy
 appender.rolling.strategy.action.type = Delete
 appender.rolling.strategy.action.basepath = /var/log/elasticsearch
 appender.rolling.strategy.action.condition.type = IfFileName
-appender.rolling.strategy.action.condition.glob = *.gz
+appender.rolling.strategy.action.condition.glob = *.log.gz
 appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
 appender.rolling.strategy.action.condition.nested_condition.age = 7D
 
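Review bot: After this commit nothing appears to prune the rotated `*.json.gz` archives: this hunk narrows the `rolling` Delete action to `*.log.gz`, and the second hunk of the same patch removes the `rolling_json` Delete action in favour of `strategy.max = 1`. As far as I know Log4j2's `max` only bounds the `%i` counter, and that same hunk drops `%i` from the JSON `filePattern`, so daily date-named JSON archives will accumulate under the log directory with no age or count limit — on a search node with verbose logging that is an unbounded disk-growth path rather than the retention the commit title promises. The smallest fix is to leave this line as `appender.rolling.strategy.action.condition.glob = *.gz` so the existing 7D `IfLastModified` delete covers both archive types; if the JSON archives are meant to have a shorter retention than the text ones, the `rolling_json` strategy needs its own `Delete` action with a `*.json.gz` glob and the intended age, since `max` will not provide it.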
@@ -29,19 +29,13 @@ appender.rolling_json.name = rolling_json
 appender.rolling_json.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.json
 appender.rolling_json.layout.type = ECSJsonLayout
 appender.rolling_json.layout.dataset = elasticsearch.server
-appender.rolling_json.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz
+appender.rolling_json.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.json.gz
 appender.rolling_json.policies.type = Policies
 appender.rolling_json.policies.time.type = TimeBasedTriggeringPolicy
 appender.rolling_json.policies.time.interval = 1
 appender.rolling_json.policies.time.modulate = true
 appender.rolling_json.strategy.type = DefaultRolloverStrategy
-appender.rolling_json.strategy.action.type = Delete
-appender.rolling_json.strategy.action.basepath = /var/log/elasticsearch
-appender.rolling_json.strategy.action.condition.type = IfFileName
-appender.rolling_json.strategy.action.condition.glob = *.gz
-appender.rolling_json.strategy.action.condition.nested_condition.type = IfLastModified
-appender.rolling_json.strategy.action.condition.nested_condition.age = 7D
-
+appender.rolling_json.strategy.max = 1
 
 rootLogger.level = info
 rootLogger.appenderRef.rolling.ref = rolling