From 506baa854dd810e2694720a0f354688bef7747fc Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 13:52:54 +0000
Subject: [PATCH 1/7] Configure Elasticsearch output if running Import Mode
---
 salt/common/tools/sbin/so-elastic-fleet-setup | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 4e3d7639c..07fb4bc90 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -19,6 +19,12 @@ printf "\n"
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}'
 printf "\n\n"
+{% if grains.role == 'so-import' %}
+# Add SO-Manager Elasticsearch Ouput
+curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities":[ "/etc/pki/ca.crt" ]}}
+printf "\n\n"
+
+{% else %}
 # Create Logstash Output payload
 mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
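Review bot: The new Elasticsearch output payload is a hand-typed JSON literal whose closing single quote is missing, while the Logstash output a few lines further down is assembled with `jq -n --arg`; building this one the same way removes the quoting hazard and keeps the two branches consistent (the same line is touched again in PATCH 4/7 and PATCH 7/7). The added comment repeats the "Ouput" typo of the existing Logstash comment; `# Add SO-Manager Elasticsearch Output` is intended. `ssl.certificate_authorities` is given as the path `/etc/pki/ca.crt` rather than as embedded PEM like the Logstash output, so it is presumably resolved on each agent host and must be present there for TLS verification of the 9200 endpoint to succeed; a one-line comment stating that assumption would help whoever next changes the PKI layout. The preceding Fleet settings PUT and the `printf` are context only.
```shell
# … unchanged: fleet_server_hosts PUT and printf …
{% if grains.role == 'so-import' %}
# Add SO-Manager Elasticsearch Output (built with jq, as for the Logstash output below)
ES_JSON_STRING=$( jq -n \
    --arg ESHOST "https://{{ GLOBALS.manager_ip }}:9200" \
    --arg ESCA "/etc/pki/ca.crt" \
    '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":[$ESHOST],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities":[ $ESCA ]}}' )
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$ES_JSON_STRING"
printf "\n\n"
```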
@@ -30,12 +36,13 @@ JSON_STRING=$( jq -n \
 --arg LOGSTASHCRT "$LOGSTASHCRT" \
 --arg LOGSTASHKEY "$LOGSTASHKEY" \
 --arg LOGSTASHCA "$LOGSTASHCA" \
- '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}'
+ '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}'
 )
 # Add SO-Manager Logstash Ouput
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 printf "\n\n"
+{%- endif %}
 # Add Elastic Fleet Integrations
From 1414b75e0151b6fd2d90352f188540aa5315d577 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 14:07:25 +0000
Subject: [PATCH 2/7] Allow 'elastic-fleet' state to be applied for Import Mode
---
 salt/top.sls | 1 +
 setup/so-setup | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/top.sls b/salt/top.sls
index e29d3b081..4b8531f4d 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -344,6 +344,7 @@ base:
 - zeek
 - schedule
 - docker_clean
+ - elastic-fleet
 '*_receiver and G@saltversion:{{saltversion}}':
 - match: compound
diff --git a/setup/so-setup b/setup/so-setup
index 5088395f3..08b16dfb8 100755
--- a/setup/so-setup
+++ b/setup/so-setup
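Review bot: `{%- endif %}` uses Jinja whitespace control while the matching `{% if grains.role == 'so-import' %}` and `{% else %}` tags in the previous hunk do not, so only this branch loses the newline(s) preceding the tag in the rendered script; `{% endif %}` keeps the three tags consistent and the rendered layout predictable. The replacement `'{"name":"so-manager_logstash"…}'` line reads identically to the removed one, so that change is presumably indentation only — if so, saying that in the commit message saves the next reader a whitespace-insensitive diff. The `JSON_STRING=$( jq -n \` assignment this hunk continues begins outside the hunk.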
@@ -577,9 +577,9 @@ if ! [[ -f $install_opt_file ]]; then
 add_web_user
 info "Restarting SOC to pick up initial user"
 logCmd "so-soc-restart"
- if [[ ! $is_import ]]; then
- title "Setting up Elastic Fleet"
- logCmd "so-elastic-fleet-setup"
+ title "Setting up Elastic Fleet"
+ logCmd "so-elastic-fleet-setup"
+ if [[ ! $is_import ]]; then
 title "Setting up Playbook"
 logCmd "so-playbook-reset"
 fi
From c46b5e734b60898bebe480793a152feb5b23e6fa Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 14:38:23 +0000
Subject: [PATCH 3/7] Add 'elastic-fleet' to the list of allowed states for Import Mode
---
 salt/allowed_states.map.jinja | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 2f6cc60a0..823b7b647 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -107,7 +107,8 @@
 'zeek',
 'schedule',
 'tcpreplay',
- 'docker_clean'
+ 'docker_clean',
+ 'elastic-fleet'
 ],
 'so-manager': [
 'salt.master',
From 838beabae52b41bcb3dca7fc4ae78d8ce0c4b680 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 15:58:06 +0000
Subject: [PATCH 4/7] Add missing single quote for Elastic Agent Elasticsearch output
---
 salt/common/tools/sbin/so-elastic-fleet-setup | 2 +-
 setup/so-setup | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 07fb4bc90..d76da08ed 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
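Review bot: Moving `logCmd "so-elastic-fleet-setup"` out of the `if [[ ! $is_import ]]` guard makes it run for Import Mode from this commit on, but the allowed-state entry (PATCH 3/7) and the agent container images (PATCH 5/7) it appears to rely on only arrive in later commits of the series, so an import install built at this commit would presumably fail at this step; squashing, or placing the enabling commit last, keeps every intermediate commit installable. What `logCmd` does on a non-zero exit is not visible here, so it is also worth confirming that a failed Fleet setup aborts the installer rather than being logged and skipped, since the Playbook reset and `checkin_at_boot` follow it. The enclosing `if ! [[ -f $install_opt_file ]]` block begins and ends outside the hunk.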
@@ -21,7 +21,7 @@ printf "\n\n"
 {% if grains.role == 'so-import' %}
 # Add SO-Manager Elasticsearch Ouput
-curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities":[ "/etc/pki/ca.crt" ]}}
+curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities":[ "/etc/pki/ca.crt" ]}}'
 printf "\n\n"
 {% else %}
diff --git a/setup/so-setup b/setup/so-setup
index 08b16dfb8..a9bb2f6b1 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -580,7 +580,7 @@ if ! [[ -f $install_opt_file ]]; then
 title "Setting up Elastic Fleet"
 logCmd "so-elastic-fleet-setup"
 if [[ ! $is_import ]]; then
- title "Setting up Playbook"
+ title "Setting up Playbook"
 logCmd "so-playbook-reset"
 fi
 checkin_at_boot
From 86a925e1c7606a8b3f05757bcb56edad2b583b4e Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 16:09:12 +0000
Subject: [PATCH 5/7] Download Elastic Agent images for Import Mode
---
 salt/common/tools/sbin/so-image-common | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 3851d8b4a..0f03d891e 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -24,6 +24,8 @@ container_list() {
 if [ $MANAGERCHECK == 'so-import' ]; then
 TRUSTED_CONTAINERS=(
+ "so-elastic-agent"
+ "so-elastic-agent-builder"
 "so-elasticsearch"
 "so-filebeat"
 "so-idstools"
From c3717dae672927b327016da0a2cde05ac7c62fae Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 18:27:00 +0000
Subject: [PATCH 6/7] Add Elastic Fleet firewall configuration for Import Mode
---
 salt/firewall/assigned_hostgroups.map.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 6e249ec93..3b6f4a59a 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -436,6 +436,7 @@ role:
 - {{ portgroups.influxdb }}
 - {{ portgroups.elasticsearch_rest }}
 - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.elastic_agent_control }}
 sensors:
 portgroups:
 - {{ portgroups.beats_5044 }}
@@ -453,6 +454,10 @@ role:
 elasticsearch_rest:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
+ elastic_agent_endpoint:
+ portgroups:
+ - {{ portgroups.elasticsearch_rest }}
+ - {{ portgroups.elastic_agent_control }}
 analyst:
 portgroups:
 - {{ portgroups.nginx }}
From 5c58cda872da93c8e4179e912283ad241b18136f Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 25 Jan 2023 19:29:50 +0000
Subject: [PATCH 7/7] Move certificate configuration outside of conditional logic
---
 salt/common/tools/sbin/so-elastic-fleet-setup | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index d76da08ed..01968fcb4 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
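Review bot: The new `elastic_agent_endpoint` hostgroup grants endpoint hosts `portgroups.elasticsearch_rest` in addition to `portgroups.elastic_agent_control`, i.e. direct reachability of the Elasticsearch REST API rather than only the Fleet control port, which is a wider exposure than the Logstash path used outside Import Mode; nothing in the file records why, and it is presumably because Import Mode agents ship straight to Elasticsearch (PATCH 1/7). A comment above the group, `# Import Mode only: agents send directly to Elasticsearch, so endpoints need REST access as well as the Fleet control port`, would capture the reason and warn anyone later widening membership of this group. The first hunk adds `elastic_agent_control` to a role whose name sits above the hunk, so which role gains it is not visible here. The enclosing `role:` mapping starts outside both hunks.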
@@ -19,6 +19,11 @@ printf "\n"
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}'
 printf "\n\n"
+# Configure certificates
+mkdir -p /opt/so/conf/elastic-fleet/certs
+cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
+cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
+
 {% if grains.role == 'so-import' %}
 # Add SO-Manager Elasticsearch Ouput
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities":[ "/etc/pki/ca.crt" ]}}'
@@ -26,9 +31,6 @@ printf "\n\n"
 {% else %}
 # Create Logstash Output payload
-mkdir -p /opt/so/conf/elastic-fleet/certs
-cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
-cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
 LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt)
 LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key)
 LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
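Review bot: Hoisting `cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs` above the role check now copies the Logstash TLS private key (`elasticfleet.key`, the file the `openssl rsa` line below reads) on Import Mode managers as well, where the only consumer visible in this script is the skipped Logstash branch and the Elasticsearch output references `/etc/pki/ca.crt` instead; duplicating a private key into a location nothing visible uses widens its exposure for no gain, so keep the CA copy common but leave the `elasticfleet*` copy inside the `{% else %}` branch, or narrow the glob to what Import Mode actually needs (if a container mount elsewhere depends on the copy, a comment naming it would settle the question). Neither `mkdir` nor the `cp` calls check their exit status and no `set -e` is visible in the hunk, so a failed copy only surfaces later as an openssl error; `cp ... || exit 1` on the certificate and key copies fails fast with a clear cause. The ownership and mode of the copied key are not visible here — worth confirming the destination directory is no more permissive than `/etc/pki`.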