Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8

Update elastalert_indices_check() function to only delete Elastalert indices if the major Elasticsearch version is less than 8. Also clean up the output so that only one notification about index deletion is emitted, and add further wording describing the function's operation.
This commit is contained in:
weslambert
2022-08-18 09:11:38 -04:00
committed by GitHub
parent 3b8d8163b3
commit 5deda45b66


@@ -387,12 +387,7 @@ clone_to_tmp() {
} }
elastalert_indices_check() { elastalert_indices_check() {
echo "Checking Elastalert indices for compatibility..."
# Stop Elastalert to prevent Elastalert indices from being re-created
if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
so-elastalert-stop || true
fi
# Wait for ElasticSearch to initialize # Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..." echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
@@ -418,6 +413,14 @@ elastalert_indices_check() {
exit 1 exit 1
fi fi
MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
# Stop Elastalert to prevent Elastalert indices from being re-created
if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
so-elastalert-stop || true
fi
# Check Elastalert indices # Check Elastalert indices
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
CHECK_COUNT=0 CHECK_COUNT=0
@@ -431,10 +434,9 @@ elastalert_indices_check() {
COUNT=0 COUNT=0
ELASTALERT_INDICES_DELETED="no" ELASTALERT_INDICES_DELETED="no"
while [[ "$COUNT" -le 240 ]]; do while [[ "$COUNT" -le 240 ]]; do
RESPONSE=$(so-elasticsearch-query elastalert*) RESPONSE=$(so-elasticsearch-query "elastalert*")
if [[ "$RESPONSE" == "{}" ]]; then if [[ "$RESPONSE" == "{}" ]]; then
ELASTALERT_INDICES_DELETED="yes" ELASTALERT_INDICES_DELETED="yes"
echo "Elastalert indices successfully deleted."
break break
else else
((COUNT+=1)) ((COUNT+=1))
@@ -446,12 +448,17 @@ elastalert_indices_check() {
done done
# If we were unable to delete the Elastalert indices, exit the script # If we were unable to delete the Elastalert indices, exit the script
if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
echo "Elastalert indices successfully deleted."
else
echo echo
echo -e "Unable to connect to delete Elastalert indices. Exiting." echo -e "Unable to connect to delete Elastalert indices. Exiting."
echo echo
exit 1 exit 1
fi fi
else
echo "Major Elasticsearch version is greater than 7...skipping Elastalert index maintenance."
fi
} }
enable_highstate() { enable_highstate() {
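Review bot: The new version gate in the second hunk fails open: if `so-elasticsearch-query /` returns an error body or nothing, `jq -r .version.number` yields `null` or an empty string, and bash evaluates `[[ "null" -lt "8" ]]` / `[[ "" -lt "8" ]]` as `0 -lt 8`, which is true, so a failed lookup still stops Elastalert and deletes every `elastalert*` index. The wait loop above appears to check that Elasticsearch answers at all, but it does not validate the shape of this particular response, so I would make the gate fail closed by validating the value before the comparison: `MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r '.version.number // empty' | cut -d '.' -f1)` followed by `[[ "$MAJOR_ES_VERSION" =~ ^[0-9]+$ ]] || { echo "Unable to determine Elasticsearch major version. Exiting."; exit 1; }`. With that in place the existing `if [[ "$MAJOR_ES_VERSION" -lt "8" ]]` can stay as is, and the destructive branch only runs when a numeric version was actually read. Note that elastalert_indices_check() spans all four hunks, so the wait loop between the first and second hunks is only partly visible here.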