manage telegraf scripts with a defaults file assigned per node type

This commit is contained in:
m0duspwnens
2023-08-07 11:18:35 -04:00
parent 9af2a731ca
commit 5278601e5d
6 changed files with 127 additions and 115 deletions


@@ -32,17 +32,16 @@ tgrafetsdir:
- name: /opt/so/conf/telegraf/scripts - name: /opt/so/conf/telegraf/scripts
- makedirs: True - makedirs: True
tgrafsyncscripts: {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
file.recurse: tgraf_sync_script_{{script}}:
- name: /opt/so/conf/telegraf/scripts file.managed:
- name: /opt/so/conf/telegraf/scripts/{{script}}
- user: root - user: root
- group: 939 - group: 939
- file_mode: 770 - mode: 770
- template: jinja - template: jinja
- source: salt://telegraf/scripts - source: salt://telegraf/scripts/{{script}}
{% if GLOBALS.md_engine == 'SURICATA' %} {% endfor %}
- exclude_pat: zeekcaptureloss.sh
{% endif %}
telegraf_sbin: telegraf_sbin:
file.recurse: file.recurse:
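Review bot: The new loop indexes `TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]]` directly, so any role without a key in the scripts map makes the whole state fail to render instead of installing no scripts; the old telegraf.conf condition still named so-hotnode and so-warmnode, which do not appear in the new defaults, so this may already be reachable. A tolerant lookup such as `{% for script in TELEGRAFMERGED.scripts.get(GLOBALS.role.split('-')[1], []) %}` avoids that, and the same expression recurs in the service state and in telegraf.conf. Replacing `file.recurse` with per-script `file.managed` also means scripts that were previously copied to /opt/so/conf/telegraf/scripts but are no longer in the role's list stay on disk, executable and unmanaged; if that is not intended, `clean: True` on the `tgrafetsdir` directory state (or a `file.absent` for the dropped names) would remove them. The `tgrafetsdir` state starts above this hunk.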


@@ -9,3 +9,82 @@ telegraf:
flush_jitter: '0s' flush_jitter: '0s'
debug: 'false' debug: 'false'
quiet: 'false' quiet: 'false'
scripts:
eval:
- beatseps.sh
- checkfiles.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
standalone:
- beatseps.sh
- checkfiles.sh
- eps.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
manager:
- beatseps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
managersearch:
- beatseps.sh
- eps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
import:
- sostatus.sh
sensor:
- beatseps.sh
- checkfiles.sh
- oldpcap.sh
- raid.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
heavynode:
- beatseps.sh
- checkfiles.sh
- eps.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
idh:
- sostatus.sh
searchnode:
- beatseps.sh
- eps.sh
- raid.sh
- sostatus.sh
receiver:
- beatseps.sh
- eps.sh
- raid.sh
- redis.sh
- sostatus.sh
fleet:
- sostatus.sh
desktop: []
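Review bot: `desktop: []` means desktop nodes no longer run sostatus.sh, whereas the old telegraf.conf emitted its sostatus.sh `[[inputs.exec]]` block unconditionally for every role; if that is deliberate, a comment above the key would save the next reader a search, e.g. `# desktop nodes run no telegraf input scripts`. These lists are also the only place the per-role keys are enumerated, and every consumer indexes them by `GLOBALS.role.split('-')[1]`, so a short comment at `scripts:` stating that the keys must match the role name after the `so-` prefix would document the contract.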


@@ -7,6 +7,7 @@
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include: include:
@@ -67,8 +68,10 @@ so-telegraf:
{% endif %} {% endif %}
- watch: - watch:
- file: tgrafconf - file: tgrafconf
- file: tgrafsyncscripts
- file: node_config - file: node_config
{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
- file: tgraf_sync_script_{{script}}
{% endfor %}
- require: - require:
- file: tgrafconf - file: tgrafconf
- file: node_config - file: node_config
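Review bot: The watch loop repeats `TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]]`, the same expression the scripts state, telegraf.conf and map.jinja each spell out again; computing it once in map.jinja (for example `{% set TELEGRAFROLESCRIPTS = TELEGRAFMERGED.scripts.get(GLOBALS.role.split('-')[1], []) %}` exported alongside TELEGRAFMERGED) would give a single place to handle a role with no entry and keep the four sites from drifting. The `- require:` list below is unchanged and does not list the script files; since Salt's `watch` implies `require` that is functionally fine, but a one-line comment noting it would prevent someone "fixing" the asymmetry later. The so-telegraf state begins above this hunk.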


@@ -193,7 +193,7 @@
username = "{{ ES_USER }}" username = "{{ ES_USER }}"
password = "{{ ES_PASS }}" password = "{{ ES_PASS }}"
insecure_skip_verify = true insecure_skip_verify = true
{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode'] %} {%- elif grains['role'] in ['so-searchnode'] %}
[[inputs.elasticsearch]] [[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"] servers = ["https://{{ NODEIP }}:9200"]
cluster_stats = false cluster_stats = false
@@ -244,6 +244,8 @@
{%- endif %} {%- endif %}
# # Read metrics from one or more commands that can output to stdout # # Read metrics from one or more commands that can output to stdout
{%- if 'sostatus.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
{%- do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
"/scripts/sostatus.sh" "/scripts/sostatus.sh"
@@ -251,122 +253,26 @@
data_format = "influx" data_format = "influx"
timeout = "15s" timeout = "15s"
interval = "60s" interval = "60s"
{%- endif %}
# ## Commands array {%- if TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | length > 0 %}
{% if grains['role'] in ['so-manager'] %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
"/scripts/redis.sh", {%- for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
"/scripts/influxdbsize.sh", "/scripts/{{script}}"{% if not loop.last %},{% endif %}
"/scripts/raid.sh", {%- endfor %}
"/scripts/beatseps.sh"
] ]
data_format = "influx" data_format = "influx"
## Timeout for each command to complete. ## Timeout for each command to complete.
timeout = "15s" timeout = "15s"
{% elif grains['role'] in ['so-managersearch'] %} {%- endif %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %}
[[inputs.exec]]
commands = [
"/scripts/eps.sh",
"/scripts/raid.sh",
{% if grains.role == 'so-receiver' %}
"/scripts/redis.sh",
{% endif %}
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] == 'so-sensor' %}
[[inputs.exec]]
commands = [
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-heavynode' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-standalone' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-eval' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% endif %}
{%- if salt['pillar.get']('healthcheck:enabled', False) %} {%- if salt['pillar.get']('healthcheck:enabled', False) %}
[[inputs.file]] [[inputs.file]]
files = ["/host/nsm/zeek/logs/zeek_restart.log"] files = ["/host/nsm/zeek/logs/zeek_restart.log"]
data_format = "influx" data_format = "influx"
{%- endif %} {%- endif %}
[[inputs.file]] [[inputs.file]]
files = ["/etc/telegraf/node_config.json"] files = ["/etc/telegraf/node_config.json"]
name_override = "node_config" name_override = "node_config"
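Review bot: In the generic `[[inputs.exec]]` block the script name is interpolated raw into a TOML string, `"/scripts/{{script}}"`, and the names come from pillar via the SOC setting (merge=True), so a value containing a double quote, a path separator or a backslash produces a malformed or unintended commands entry; validating entries once in map.jinja (reject anything that is not a plain file name ending in .sh) would close that off for this file and for the `file.managed` source paths. The `{%- do ...remove('sostatus.sh') %}` at the top of the second hunk mutates the imported list as a side effect of rendering, which is fragile; filtering in the loop instead, `{%- for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] if script != 'sostatus.sh' %}`, with the same filter on the `| length > 0` check, avoids the mutation. The first hunk also drops so-hotnode and so-warmnode from the Elasticsearch input condition, which the commit message does not mention; if intentional, a short comment there would help.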


@@ -3,5 +3,13 @@
https://securityonion.net/license; you may not use this file except in compliance with the https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #} Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %} {% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %}
{% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %} {% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %}
{% from 'zeek/config.map.jinja' import ZEEKMERGED %}
{# if the md engine isn't zeek or zeek is disabled, dont run the zeek scripts for telegraf #}
{% if (GLOBALS.role in ['so-eval', 'so-standalone', 'so-sensor', 'so-heavynode']) and (GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled) %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
{% endif %}
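Review bot: The two `.remove()` calls are unguarded, so if a pillar override for one of the four roles omits either zeek script (a pillar list presumably replaces the default list on merge rather than appending to it), `list.remove` raises and every consumer of TELEGRAFMERGED fails to render. A presence check makes this safe and also removes the need for the role list, since only roles whose list actually contains the scripts are affected: `{% for zscript in ['zeekloss.sh', 'zeekcaptureloss.sh'] if zscript in TELEGRAFMERGED.scripts.get(GLOBALS.role.split('-')[1], []) %}{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove(zscript) %}{% endfor %}` inside the existing md_engine/ZEEKMERGED.enabled condition.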


@@ -42,4 +42,21 @@ telegraf:
global: True global: True
advanced: True advanced: True
helpLink: telegraf.html helpLink: telegraf.html
scripts:
eval: &telegrafscripts
description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
forcedType: "[]string"
multiline: True
advanced: True
helpLink: telegraf.html
standalone: *telegrafscripts
manager: *telegrafscripts
managersearch: *telegrafscripts
import: *telegrafscripts
sensor: *telegrafscripts
heavynode: *telegrafscripts
idh: *telegrafscripts
searchnode: *telegrafscripts
receiver: *telegrafscripts
fleet: *telegrafscripts
desktop: *telegrafscripts
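Review bot: The description says `input.exec` but the Telegraf plugin these lists feed is `[[inputs.exec]]`, as the conf template shows; `description: List of inputs.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.` matches what users will see in the Telegraf config. Because each entry becomes both a Salt `file.managed` source path and a command path in the rendered config, it would be worth constraining values to a plain script file name if the annotation schema supports a validation pattern, and otherwise stating that restriction in the description.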