From 9b973e07e298affc1ce4e9a6ed0d7d0f26a25ff9 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 08:49:43 -0400 Subject: [PATCH 01/16] Add files via upload --- .../alarm_high_redis_memory_usage.json | 27 +++++++++++++++++++ .../templates/alarm_low_monitor_traffic.json | 21 +++++++++++++++ .../templates/alarm_pcap_retention.json | 27 +++++++++++++++++++ .../templates/alarm_steno_packet_loss.json | 26 ++++++++++++++++++ .../templates/alarm_suricata_packet_loss.json | 26 ++++++++++++++++++ .../templates/alarm_zeek_packet_loss.json | 26 ++++++++++++++++++ 6 files changed, 153 insertions(+) create mode 100644 salt/influxdb/templates/alarm_high_redis_memory_usage.json create mode 100644 salt/influxdb/templates/alarm_low_monitor_traffic.json create mode 100644 salt/influxdb/templates/alarm_pcap_retention.json create mode 100644 salt/influxdb/templates/alarm_steno_packet_loss.json create mode 100644 salt/influxdb/templates/alarm_suricata_packet_loss.json create mode 100644 salt/influxdb/templates/alarm_zeek_packet_loss.json diff --git a/salt/influxdb/templates/alarm_high_redis_memory_usage.json b/salt/influxdb/templates/alarm_high_redis_memory_usage.json new file mode 100644 index 000000000..98f4d206c --- /dev/null +++ b/salt/influxdb/templates/alarm_high_redis_memory_usage.json 
@@ -0,0 +1,27 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "high-redis-memory" + }, + "spec": { + "every": "1m", + "name": "High Redis Memory Usage", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"redisqueue\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"mem_used\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "The amount of available memory for Redis on the ${r.host} node has reached the ${r._level} threshold. The current percent of used memory is ${r.mem_used}.", + "thresholds": [ + { + "level": "WARN", + "type": "greater", + "value": 80 + }, + { + "level": "CRIT", + "type": "greater", + "value": 90 + } + ] + } +}] + diff --git a/salt/influxdb/templates/alarm_low_monitor_traffic.json b/salt/influxdb/templates/alarm_low_monitor_traffic.json new file mode 100644 index 000000000..910b13803 --- /dev/null +++ b/salt/influxdb/templates/alarm_low_monitor_traffic.json 
@@ -0,0 +1,21 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "monitor-interface-traffic" + }, + "spec": { + "every": "1m", + "name": "Low Traffic Volume on Monitor Interface", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n |\u003e derivative(unit: 1s, nonNegative: true)\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n |\u003e yield(name: \"nonnegative derivative\")", + "status": "active", + "statusMessageTemplate": "Interface ${r.interface} on node ${r.host} has reached the ${r._level} threshold. The current volume of traffic on interface ${r.interface} is ${r.bytes_recv}MB/s.", + "thresholds": [ + { + "level": "CRIT", + "type": "lesser", + "value": 5 + } + ] + } +}] diff --git a/salt/influxdb/templates/alarm_pcap_retention.json b/salt/influxdb/templates/alarm_pcap_retention.json new file mode 100644 index 000000000..0964906c7 --- /dev/null +++ b/salt/influxdb/templates/alarm_pcap_retention.json 
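Review bot: The `map` step in this check converts bytes/s to megabits per second (`* 8.0 / 1000000.0`), but `statusMessageTemplate` reports the same number as `${r.bytes_recv}MB/s`, so the message and the `5` threshold read as megabytes while the value is megabits, an 8x difference for whoever tunes it. Either drop the `* 8.0` and keep MB/s, or change the template to `The current volume of traffic on interface ${r.interface} is ${r.bytes_recv} Mbps.`. Note also that the check only evaluates rows that exist: if telegraf on a sensor stops reporting `net` for `bond0` entirely, or the monitor interface has another name, `derivative` yields nothing and the check goes silent rather than CRIT, so total loss of visibility on a sensor would need a separate "no metrics received" check to be caught.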
@@ -0,0 +1,27 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "alarm-pcap-retention" + }, + "spec": { + "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.", + "every": "1m0s", + "name": "Low PCAP Retention", + "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)})) |\u003e map(fn: (r) =\u003e ({r with _value: int(v: r._value)}))\n |> aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "PCAP retention on node ${r.host} has reached the ${r._level} threshold. Node ${r.host} currently has approximately ${r.seconds} days of PCAP data.", + "thresholds": [ + { + "level": "CRIT", + "type": "lesser", + "value": 1 + }, + { + "level": "WARN", + "type": "lesser", + "value": 3 + } + ] + } +}] \ No newline at end of file diff --git a/salt/influxdb/templates/alarm_steno_packet_loss.json b/salt/influxdb/templates/alarm_steno_packet_loss.json new file mode 100644 index 000000000..967b7ff92 --- /dev/null +++ b/salt/influxdb/templates/alarm_steno_packet_loss.json 
@@ -0,0 +1,26 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "steno-packet-loss" + }, + "spec": { + "every": "1m", + "name": "Stenographer Packet Loss", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "Stenographer Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", + "thresholds": [ + { + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } + ] + } +}] diff --git a/salt/influxdb/templates/alarm_suricata_packet_loss.json b/salt/influxdb/templates/alarm_suricata_packet_loss.json new file mode 100644 index 000000000..48bda0ff3 --- /dev/null +++ b/salt/influxdb/templates/alarm_suricata_packet_loss.json 
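Review bot: This check compares the raw `drop` field against 3 and 5 and prints it as `${ r.drop }%`, while the Suricata and Zeek checks added in the same commit scale their `drop` field by 100 first; unless the `stenodrop` telegraf script already emits a percentage (not visible here), a 0–1 ratio would never cross these thresholds. Worth confirming against the script and, if needed, adding the same `map(fn: (r) => ({r with \"_value\": r._value * 100.0}))` step the sibling checks use. The thresholds are also listed CRIT-before-WARN here and WARN-before-CRIT in the Redis check; harmless, but one order across the templates would be easier to diff.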
@@ -0,0 +1,26 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "suricata-packet-loss" + }, + "spec": { + "every": "1m", + "name": "Suricata Packet Loss", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"suridrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "Suricata packet loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", + "thresholds": [ + { + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } + ] + } +}] diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json new file mode 100644 index 000000000..33e19ea5b --- /dev/null +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json 
@@ -0,0 +1,26 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "zeek-packet-loss" + }, + "spec": { + "every": "1m", + "name": "Zeek Packet Loss", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"zeekdrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "Zeek Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", + "thresholds": [ + { + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } + ] + } +}] From 839275814c23b09b3a844b8b8067a0d1b96556fb Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 08:51:49 -0400 Subject: [PATCH 02/16] Update redis.sh - Added percent of used memory. --- salt/telegraf/scripts/redis.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh index c730885d4..dba893c87 100644 --- a/salt/telegraf/scripts/redis.sh +++ b/salt/telegraf/scripts/redis.sh @@ -11,8 +11,9 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}') PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}') - - echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED" + MEM_USED=$(redis-cli info memory | grep used_memory_peak_perc | cut -d ":" -f2 | sed "s/%//") + + echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED,mem_used=$MEM_USED" fi From 645555b990a9618093975ff6a248692672bdbe7f Mon Sep 17 00:00:00 2001 
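Review bot: `redis-cli info memory` emits CRLF-terminated lines, so after `cut` and `sed` the value in `MEM_USED` still ends in a carriage return and the line-protocol field is written as `mem_used=NN\r`, which telegraf may reject or store oddly; add `| tr -d '\r'` to the pipeline. Separately, `used_memory_peak_perc` is used memory relative to the process's own historical peak, not relative to `maxmemory`, so it hovers near 100% whenever Redis is at its peak and says nothing about how close the queue is to eviction; the 80/90 thresholds in `alarm_high_redis_memory_usage.json` would be meaningful if this were computed from `used_memory` and `maxmemory` instead. If Redis is briefly unavailable the variable is empty and the line becomes `...,mem_used=`, which is malformed, so default it or omit the field when empty. The enclosing `if` block starts outside the hunk.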
From: bryant-treacle Date: Fri, 19 May 2023 10:10:44 -0400 Subject: [PATCH 03/16] Update alarm_zeek_packet_loss.json --- .../templates/alarm_zeek_packet_loss.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json index 33e19ea5b..a236be521 100644 --- a/salt/influxdb/templates/alarm_zeek_packet_loss.json +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json @@ -12,15 +12,15 @@ "statusMessageTemplate": "Zeek Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", "thresholds": [ { - "level": "CRIT", - "type": "greater", - "value": 5 - }, - { - "level": "WARN", - "type": "greater", - "value": 3 - } + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } ] } }] From ef4f2491f398e730c601470e3e48d503e2e79065 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:12:44 -0400 Subject: [PATCH 04/16] Update alarm_high_redis_memory_usage.json --- salt/influxdb/templates/alarm_high_redis_memory_usage.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_high_redis_memory_usage.json b/salt/influxdb/templates/alarm_high_redis_memory_usage.json index 98f4d206c..ebb0f9f4a 100644 --- a/salt/influxdb/templates/alarm_high_redis_memory_usage.json +++ b/salt/influxdb/templates/alarm_high_redis_memory_usage.json 
@@ -5,6 +5,7 @@ "name": "high-redis-memory" }, "spec": { + "description": "Percent of Redis memory used.", "every": "1m", "name": "High Redis Memory Usage", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"redisqueue\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"mem_used\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From 13c9142814d6088ed7d4efb242ce454a40ad8c6d Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:21:43 -0400 Subject: [PATCH 05/16] Update alarm_low_monitor_traffic.json --- salt/influxdb/templates/alarm_low_monitor_traffic.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_low_monitor_traffic.json b/salt/influxdb/templates/alarm_low_monitor_traffic.json index 910b13803..831a721ed 100644 --- a/salt/influxdb/templates/alarm_low_monitor_traffic.json +++ b/salt/influxdb/templates/alarm_low_monitor_traffic.json @@ -5,6 +5,7 @@ "name": "monitor-interface-traffic" }, "spec": { + "description": "Triggers when the volume of network traffic received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.", "every": "1m", "name": "Low Traffic Volume on Monitor Interface", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n |\u003e derivative(unit: 1s, nonNegative: true)\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n |\u003e yield(name: \"nonnegative derivative\")", From e91dd29cb267acc45f285fe5781041cbe7c59e6d Mon Sep 17 00:00:00 2001 
From: bryant-treacle Date: Fri, 19 May 2023 10:25:22 -0400 Subject: [PATCH 06/16] Update alarm_high_redis_memory_usage.json --- salt/influxdb/templates/alarm_high_redis_memory_usage.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/templates/alarm_high_redis_memory_usage.json b/salt/influxdb/templates/alarm_high_redis_memory_usage.json index ebb0f9f4a..fe99ad430 100644 --- a/salt/influxdb/templates/alarm_high_redis_memory_usage.json +++ b/salt/influxdb/templates/alarm_high_redis_memory_usage.json @@ -5,7 +5,7 @@ "name": "high-redis-memory" }, "spec": { - "description": "Percent of Redis memory used.", + "description": "Triggers when the average percent of used memory for Redis reaches a defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m", "name": "High Redis Memory Usage", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"redisqueue\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"mem_used\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From 592c67d1f2621841036f6177711331e1f140ccfe Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:29:15 -0400 Subject: [PATCH 07/16] Update alarm_pcap_retention.json --- salt/influxdb/templates/alarm_pcap_retention.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/influxdb/templates/alarm_pcap_retention.json b/salt/influxdb/templates/alarm_pcap_retention.json index 0964906c7..969d462c9 100644 --- a/salt/influxdb/templates/alarm_pcap_retention.json +++ b/salt/influxdb/templates/alarm_pcap_retention.json 
@@ -5,7 +5,7 @@ "name": "alarm-pcap-retention" }, "spec": { - "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.", + "description": "Triggers when the PCAP retention (in days), falls below the defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m0s", "name": "Low PCAP Retention", "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)})) |\u003e map(fn: (r) =\u003e ({r with _value: int(v: r._value)}))\n |> aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")", @@ -24,4 +24,4 @@ } ] } -}] \ No newline at end of file +}] From 1e9e2facde804771501b748d42998c3a4e216d43 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:29:53 -0400 Subject: [PATCH 08/16] Update alarm_low_monitor_traffic.json --- salt/influxdb/templates/alarm_low_monitor_traffic.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/templates/alarm_low_monitor_traffic.json b/salt/influxdb/templates/alarm_low_monitor_traffic.json index 831a721ed..167ae1b5a 100644 --- a/salt/influxdb/templates/alarm_low_monitor_traffic.json +++ b/salt/influxdb/templates/alarm_low_monitor_traffic.json 
@@ -5,7 +5,7 @@ "name": "monitor-interface-traffic" }, "spec": { - "description": "Triggers when the volume of network traffic received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.", + "description": "Triggers when the volume of network traffic (in MBs) received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.", "every": "1m", "name": "Low Traffic Volume on Monitor Interface", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n |\u003e derivative(unit: 1s, nonNegative: true)\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n |\u003e yield(name: \"nonnegative derivative\")", From 2de95bcb637c767946f29e9976ac106b07d33b71 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:32:13 -0400 Subject: [PATCH 09/16] Update alarm_steno_packet_loss.json --- salt/influxdb/templates/alarm_steno_packet_loss.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_steno_packet_loss.json b/salt/influxdb/templates/alarm_steno_packet_loss.json index 967b7ff92..c5cfb4297 100644 --- a/salt/influxdb/templates/alarm_steno_packet_loss.json +++ b/salt/influxdb/templates/alarm_steno_packet_loss.json 
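Review bot: The new description states the volume is `(in MBs)`, but the query in this same file multiplies bytes/s by 8 and divides by 10^6, which is megabits per second, so an operator tuning the threshold from this text will be off by a factor of eight. Suggest `Triggers when the volume of network traffic (in Mbps) received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in Mbps for the appropriate alert level.` (or remove the `* 8.0` from the query if megabytes are intended).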
@@ -5,6 +5,7 @@ "name": "steno-packet-loss" }, "spec": { + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m", "name": "Stenographer Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From a84322f9b7c7c36167b24de1571ad78b917bc5fb Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:32:29 -0400 Subject: [PATCH 10/16] Update alarm_suricata_packet_loss.json --- salt/influxdb/templates/alarm_suricata_packet_loss.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_suricata_packet_loss.json b/salt/influxdb/templates/alarm_suricata_packet_loss.json index 48bda0ff3..8a4c3f5cf 100644 --- a/salt/influxdb/templates/alarm_suricata_packet_loss.json +++ b/salt/influxdb/templates/alarm_suricata_packet_loss.json @@ -5,6 +5,7 @@ "name": "suricata-packet-loss" }, "spec": { + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level." "every": "1m", "name": "Suricata Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"suridrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", 
From 5b2d91b5b51bc1d6024f0312cff76edda6bc7300 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:32:53 -0400 Subject: [PATCH 11/16] Update alarm_zeek_packet_loss.json --- salt/influxdb/templates/alarm_zeek_packet_loss.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json index a236be521..cebd1dc50 100644 --- a/salt/influxdb/templates/alarm_zeek_packet_loss.json +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json @@ -5,6 +5,7 @@ "name": "zeek-packet-loss" }, "spec": { + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level." "every": "1m", "name": "Zeek Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"zeekdrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From 766f4dd661f9483e6a5508252e6a145c58082660 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 22 May 2023 16:02:08 -0400 Subject: [PATCH 12/16] Add Elastic Defend Integration --- .../elastic-defend-endpoints.json | 28 +++++++++++++++++++ .../soctopus/files/templates/generic.template | 10 +++++++ 2 files changed, 38 insertions(+) create mode 100644 salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json new file mode 100644 index 000000000..7d7f5bb35 --- /dev/null 
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json @@ -0,0 +1,28 @@ +{ + "name": "elastic-defend-endpoints", + "namespace": "default", + "description": "", + "package": { + "name": "endpoint", + "title": "Elastic Defend", + "version": "" + }, + "enabled": true, + "policy_id": "endpoints-initial", + "vars": {}, + "inputs": [{ + "type": "endpoint", + "enabled": true, + "streams": [], + "config": { + "integration_config": { + "value": { + "type": "endpoint", + "endpointConfig": { + "preset": "DataCollection" + } + } + } + } + }] +} \ No newline at end of file diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 035d38b24..74b40bef9 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -12,3 +12,13 @@ play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000" kibana_pivot: "https://{{ GLOBALS.url_base }}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" soc_pivot: "https://{{ GLOBALS.url_base }}/#/hunt" sigma_level: "" + +index: '.ds-logs-*' +name: EQL +priority: 3 +realert: + minutes: 0 +type: any +filter: +- query: + query_string: From 502277b1b7456300eed950d85919558acd24f3d0 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 23 May 2023 16:38:37 -0400 Subject: [PATCH 13/16] Hash check, use url base --- .../sbin_jinja/so-elastic-agent-gen-installers | 6 +++--- .../tools/sbin_jinja/so-elastic-fleet-setup | 11 +++++++++-- setup/so-functions | 14 +++++++++++++- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 2dd92d21b..b241eedb6 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers 
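Review bot: `package.version` is an empty string, so whatever installs this policy resolves the Elastic Defend package version at install time rather than from a pinned value; for an EDR component pushed to every endpoint it is worth pinning the version, or documenting that the installer fills it in, so upgrades happen deliberately and the policy is reproducible. The `preset` value `DataCollection` is also left unexplained; filling the empty `description` with one line stating what that preset enables and disables on endpoints would help operators who assume protections are on by default.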
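Review bot: The appended stanza sets `realert: minutes: 0`, which turns off re-alert suppression so every match of a rule generated from this template produces a separate alert; if that is the intent for the SOC pipeline, a comment such as `# realert 0: every match alerts; dedup happens downstream` would stop someone "fixing" it later. The trailing `query_string:` is left empty, so presumably the rule generator appends the query at render time; a comment naming that generator, or an explicit `{{ }}` placeholder, would make the template self-explanatory and make an unrendered copy fail loudly instead of loading as a rule with no query.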
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -10,12 +10,12 @@ . /usr/sbin/so-common -FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220" +#FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220" for i in {1..30} do - ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key') - #FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq -r '.items[].host_urls[]' | paste -sd ',') + ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') + FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq -r '.items[].host_urls[]' | paste -sd ',') if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi done if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index 6ad97a223..02c60165c 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup 
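Review bot: The failure path `printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit` exits with status 0, so a caller or Salt state sees a successful run even though no installer was generated; use `exit 1`. The enrollment key is selected with `select(.policy_id | contains("endpoints-initial"))`, a substring match that would silently pick any policy whose id merely contains that text; `select(.policy_id == "endpoints-initial")` is the intended test. The commented-out `#FLEETHOST=...` line is dead code now that the host list comes from the API and can go.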
@@ -35,9 +35,16 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl printf "\n\n" {%- endif %} +# Add Manager IP & URL Base to Fleet Host URLs printf "\nAdd SO-Manager Fleet URL\n" +if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then + JSON_STRING=$( jq -n '{"fleet_server_hosts":["https://{{ GLOBALS.url_base }}:8220"]}') +else + JSON_STRING=$( jq -n '{"fleet_server_hosts":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}') +fi + ## This array replaces whatever URLs are currently configured -curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220", "https://{{ GLOBALS.manager }}:8220"]}' +curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" printf "\n\n" 
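Review bot: The Jinja values are interpolated directly into the single-quoted jq program, so a `url_base` containing a quote, backslash or brace breaks the filter or the resulting JSON at render time instead of being escaped; pass them as arguments, e.g. `JSON_STRING=$(jq -n --arg u "https://{{ GLOBALS.url_base }}:8220" '{fleet_server_hosts: [$u]}')` and `JSON_STRING=$(jq -n --arg u "https://{{ GLOBALS.url_base }}:8220" --arg m "https://{{ GLOBALS.manager_ip }}:8220" '{fleet_server_hosts: [$u, $m]}')`. The new list also drops the `https://{{ GLOBALS.manager }}:8220` entry the old line had, and the comment notes the PUT replaces whatever is configured; if any agents were enrolled against a manager hostname that differs from `url_base`, they lose that host, which is worth confirming before this ships.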
@@ -74,7 +81,7 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl ### Finalization ### # Query for Enrollment Tokens for default policies -ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-default")) | .api_key') +ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes")) | .api_key') # Store needed data in minion pillar diff --git a/setup/so-functions b/setup/so-functions index 09e219cfd..937c4e494 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -972,7 +972,19 @@ download_elastic_agent_artifacts() { else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" - logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$version.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$version.md5" + + SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }') + HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$version.md5) + + if [[ "$HASH" == "$SOURCEHASH" ]]; then + info "Elastic Agent source hash is good." + else + info "Unable to download the Elastic Agent source files." + exit 1 + fi + + logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" fi } From e1c361e555eea90e21e782928592074c72594a42 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 23 May 2023 16:50:40 -0400 Subject: [PATCH 14/16] Fix variable --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 937c4e494..86ff5f5b0 100755 --- a/setup/so-functions +++ b/setup/so-functions 
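Review bot: The `.md5` file is fetched from the same origin over the same channel as the tarball, so this comparison detects a truncated or corrupted download but not a substituted artifact — whoever can serve a modified tarball can serve a matching `.md5`; an integrity check against tampering needs a hash pinned in the installer or a detached signature verified with a key shipped with the product, and MD5 itself is no longer collision-resistant. The failure branch prints `Unable to download the Elastic Agent source files.` on a hash mismatch, which will mislead whoever debugs it; use `Elastic Agent tarball hash mismatch - refusing to extract` and `rm -f` the bad tarball so a rerun cannot extract it. Neither `curl` uses `--fail`, so an HTTP error page saved as the `.md5` is only caught indirectly by the mismatch, and if the `.md5` is in `md5sum` format (`hash  filename`) the string compare against the bare hash will always fail — worth checking the file's actual format. `download_elastic_agent_artifacts` starts outside the hunk.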
@@ -972,10 +972,10 @@ download_elastic_agent_artifacts() { else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" - logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$version.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$version.md5" + logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }') - HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$version.md5) + HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5) if [[ "$HASH" == "$SOURCEHASH" ]]; then info "Elastic Agent source hash is good." From d9a9c8738cbf5db6c0c3ba12a5156c57ffcb7f66 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 24 May 2023 10:17:59 -0400 Subject: [PATCH 15/16] fix malformed alert templates --- .../templates/alarm_suricata_packet_loss.json | 2 +- .../templates/alarm_zeek_packet_loss.json | 22 +++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/salt/influxdb/templates/alarm_suricata_packet_loss.json b/salt/influxdb/templates/alarm_suricata_packet_loss.json index 8a4c3f5cf..99fda6167 100644 --- a/salt/influxdb/templates/alarm_suricata_packet_loss.json +++ b/salt/influxdb/templates/alarm_suricata_packet_loss.json 
@@ -5,7 +5,7 @@ "name": "suricata-packet-loss" }, "spec": { - "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level." + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m", "name": "Suricata Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"suridrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json index cebd1dc50..633ed5294 100644 --- a/salt/influxdb/templates/alarm_zeek_packet_loss.json +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json 
@@ -3,9 +3,9 @@
 "kind": "CheckThreshold",
 "metadata": {
 "name": "zeek-packet-loss"
- },
+ },
 "spec": {
- "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level."
+ "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.",
 "every": "1m",
 "name": "Zeek Packet Loss",
 "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"zeekdrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")",
@@ -13,15 +13,15 @@
 "statusMessageTemplate": "Zeek Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.",
 "thresholds": [
 {
- "level": "CRIT",
- "type": "greater",
- "value": 5
- },
- {
- "level": "WARN",
- "type": "greater",
- "value": 3
- }
+ "level": "CRIT",
+ "type": "greater",
+ "value": 5
+ },
+ {
+ "level": "WARN",
+ "type": "greater",
+ "value": 3
+ }
 ]
 }
 }]
From b3e0e688965db80e343113edd036e2ad89b4f53c Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 24 May 2023 11:27:41 -0400
Subject: [PATCH 16/16] Change Fleet Host URL API
---
 .../tools/sbin_jinja/so-elastic-agent-gen-installers | 2 +-
 salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
index b241eedb6..84a519d37 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -15,7 +15,7 @@ for i in {1..30}
 do
 ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
- FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq -r '.items[].host_urls[]' | paste -sd ',')
+ FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',')
 if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
 done
 if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
index 02c60165c..c81d69282 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
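Review bot: The new FLEETHOST line hard-codes the fleet server host id `grid-default`, which is the id that so-elastic-fleet-setup creates in this same patch, so the two scripts must stay in sync; a comment on the line such as `# "grid-default" is the fleet server host entry created by so-elastic-fleet-setup` would make that coupling visible. The curl call has no `--fail`, so if Kibana answers with an error document the body is piped into jq and FLEETHOST stays empty only because `.item.host_urls[]` fails to iterate over a null value — the retry loop works, but by accident; `curl --fail -s` would make the retry path deliberate. On the last context line of the hunk, the fallback prints the error and then calls `exit` with no status, so a caller sees success when both values were empty; `exit 1` there would be safer, though that line predates this change.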
@@ -38,13 +38,13 @@ printf "\n\n"
 # Add Manager IP & URL Base to Fleet Host URLs
 printf "\nAdd SO-Manager Fleet URL\n"
 if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
- JSON_STRING=$( jq -n '{"fleet_server_hosts":["https://{{ GLOBALS.url_base }}:8220"]}')
+ JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
 else
- JSON_STRING=$( jq -n '{"fleet_server_hosts":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}')
+ JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}')
 fi
 ## This array replaces whatever URLs are currently configured
-curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/fleet_server_hosts" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 printf "\n\n"
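Review bot: The context comment `## This array replaces whatever URLs are currently configured` is now stale: the removed `PUT …/api/fleet/settings` replaced the host list, whereas the new `POST …/api/fleet/fleet_server_hosts` creates an entry with a fixed `"id":"grid-default"`, so a re-run of setup most likely conflicts with the existing entry rather than replacing it; the comment should say so, e.g. `## Creates the "grid-default" fleet server host; POST does not replace an existing entry, so re-runs need to handle a conflict`. The response of that curl is neither checked with `--fail` nor by exit status, so a failed create is silently ignored here and only shows up later when so-elastic-agent-gen-installers polls `…/fleet_server_hosts/grid-default` until it gives up; `curl --fail … || { printf "\nFailed to create fleet server host\n"; exit 1; }` would surface it at the point of failure. The host URLs are also interpolated into the jq program text by the Jinja render rather than passed with `--arg`, which is the pre-existing pattern but is worth keeping in mind if `url_base` can ever contain a quote.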