diff --git a/salt/zeek/config.map.jinja b/salt/zeek/config.map.jinja
index a0f92463e..e321b3e3f 100644
--- a/salt/zeek/config.map.jinja
+++ b/salt/zeek/config.map.jinja
@@ -1,3 +1,10 @@
+{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
+{% set zeek_pillar = pillar.zeek %}
+{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
+{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
+
+
+
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg
deleted file mode 100644
index 55f77982c..000000000
--- a/salt/zeek/files/node.cfg
+++ /dev/null
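Review bot: `ZEEKMERGED` is used by the `{% do ZEEKMERGED.zeek.config.node.update(...) %}` line one line before the `{% set ZEEKMERGED = ... %}` that defines it, so rendering this map should fail on an undefined variable. The inline comment says the sensor interface is meant to be seeded first so that `pillar.zeek.config.node.interface` can override it, which points at the defaults as the intended target: `{% do zeek_defaults.zeek.config.node.update({'interface': pillar.sensor.interface}) %}`. The merge also appears to combine two different levels: the result is read as `ZEEKMERGED.zeek.config...` while `zeek_pillar` is already `pillar.zeek`, so a pillar override would presumably land under `ZEEKMERGED.config` and never take effect; confirm against zeek/defaults.yaml, which is not part of this diff. Finally, `pillar.zeek` has no fallback where the code removed from init.sls used `salt['pillar.get']('zeek', {})`, so a minion without a zeek pillar would break here.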
@@ -1,45 +0,0 @@
-{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
- {%- if salt['pillar.get']('sensor:zeek_proxies') %}
- {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
- {%- else %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
- {%- else %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
- {%- endif %}
- {%- endif %}
-[manager]
-type=manager
-host=localhost
-
-[logger]
-type=logger
-host=localhost
-
-[proxy]
-type=proxy
-host=localhost
-
-[worker-1]
-type=worker
-host=localhost
-interface=af_packet::{{ interface }}
-lb_method=custom
- {%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
- {%- else %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
- {%- endif %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
-pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
- {%- endif %}
-af_packet_fanout_id=23
-af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
-{%- else %}
-[zeeksa]
-type=standalone
-host=localhost
-interface={{ interface }}
-{%- endif %}
diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja
new file mode 100644
index 000000000..201a2ab6e
--- /dev/null
+++ b/salt/zeek/files/node.cfg.jinja
@@ -0,0 +1,34 @@
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ ZEEKNODE.interface }}
+lb_method=custom
+ {%- if ZEEKNODE.lbprocs %}
+lb_procs={{ ZEEKNODE.lbprocs }}
+ {%- else %}
+lb_procs={{ ZEEKNODE.zeek_pins | length }}
+ {%- endif %}
+ {%- if ZEEKNODE.zeek_pins %}
+pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }}
+ {%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}
+{%- else %}
+[zeeksa]
+type=standalone
+host=localhost
+interface={{ ZEEKNODE.interface }}
+{%- endif %}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index b6f3231ae..e5bc34716 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -7,6 +7,7 @@ {% if sls in allowed_states %} {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} +{% from "zeek/config.map.jinja" import ZEEKMERGED with context %} {% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -15,8 +16,6 @@ {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface') %} -{% set ZEEK = salt['pillar.get']('zeek', {}) %} - # Zeek Salt State # Add Zeek group
@@ -107,16 +106,18 @@ zeekctlcfg: - group: 939 - template: jinja - defaults: - ZEEKCTL: {{ ZEEK.zeekctl | tojson }} + ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }} # Sync node.cfg nodecfg: file.managed: - name: /opt/so/conf/zeek/node.cfg - source: salt://zeek/files/node.cfg + - source: salt://zeek/files/node.cfg,jinja - user: 937 - group: 939 - template: jinja + - defaults: + ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }} networkscfg: file.managed:
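Review bot: The new template still ends with `{%- else %}` and `{%- endif %}` around the `[zeeksa]` standalone section, but the opening `{%- if ... %}` from the second line of the deleted node.cfg was not carried over, so Jinja should reject the file on the unmatched `else`. Restoring the guard as the first line would fix it, for example `{%- if ZEEKNODE.zeek_pins or ZEEKNODE.lbprocs %}`, assuming both keys exist in the merged node config. The deleted template also supplied the `128*1024*1024` fallback for the buffer size in-line; `af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}` now depends on zeek/defaults.yaml providing `zeek_buffer`, which this diff does not show. A render failure here leaves the sensor's node.cfg unmanaged, so it is worth rendering the state once in both cluster and standalone mode before merging.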
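Review bot: In the `nodecfg` state of the last init.sls hunk the new source is `salt://zeek/files/node.cfg,jinja`, with a comma, while this commit adds the file as `salt/zeek/files/node.cfg.jinja`; as written `file.managed` will most likely not find the source and /opt/so/conf/zeek/node.cfg will not be deployed. The line should read `- source: salt://zeek/files/node.cfg.jinja`. The added `ZEEKNODE` default is also passed without the `| tojson` filter that the `ZEEKCTL` line in the same hunk uses, so the dict is written into the SLS as a Python repr before YAML parsing; `ZEEKNODE: {{ ZEEKMERGED.zeek.config.node | tojson }}` keeps the two states consistent. The `networkscfg` state that follows continues outside the hunk.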