zeek jinja

salt/zeek/config.map.jinja

@@ -1,3 +1,10 @@
+{% import_yaml 'zeek/defaults.yaml' as zeek_defaults with context %}
+{% set zeek_pillar = pillar.zeek %}
+{% do ZEEKMERGED.zeek.config.node.update({'interface': pillar.sensor.interface})%} {# update this first so user can specify a differet interface with pillar.zeek.config.node.interface #}
+{% set ZEEKMERGED = salt['defaults.merge'](zeek_defaults, zeek_pillar, in_place=False) %}
+
+
+
 {% set ZEEKOPTIONS = {} %}
 {% set ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 

salt/zeek/files/node.cfg

@@ -1,45 +0,0 @@
-{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
-  {%- if salt['pillar.get']('sensor:zeek_proxies') %}
-    {%- set proxies =  salt['pillar.get']('sensor:zeek_proxies', '1') %}
-  {%- else %}
-    {%- if salt['pillar.get']('sensor:zeek_pins') %}
-      {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
-    {%- else %}
-      {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
-    {%- endif %}
-  {%- endif %}
-[manager]
-type=manager
-host=localhost
-
-[logger]
-type=logger
-host=localhost
-
-[proxy]
-type=proxy
-host=localhost
-
-[worker-1]
-type=worker
-host=localhost
-interface=af_packet::{{ interface }}
-lb_method=custom
-  {%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
-    {%- else %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
-  {%- endif %}
-  {%- if salt['pillar.get']('sensor:zeek_pins') %}
-pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
-  {%- endif %}
-af_packet_fanout_id=23
-af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
-{%- else %}
-[zeeksa]
-type=standalone
-host=localhost
-interface={{ interface }}
-{%- endif %}

salt/zeek/files/node.cfg.jinja

@@ -0,0 +1,34 @@
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ ZEEKNODE.interface }}
+lb_method=custom
+  {%- if ZEEKNODE.lbprocs %}
+lb_procs={{ ZEEKNODE.lbprocs }}
+    {%- else %}
+lb_procs={{ ZEEKNODE.zeek_pins | length }}
+  {%- endif %}
+  {%- if ZEEKNODE.zeek_pins %}
+pin_cpus={{ ZEEKNODE.zeek_pins | join(", ") }}
+  {%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size={{ ZEEKNODE.zeek_buffer }}
+{%- else %}
+[zeeksa]
+type=standalone
+host=localhost
+interface={{ ZEEKNODE.interface }}
+{%- endif %}

salt/zeek/init.sls

@@ -7,6 +7,7 @@
 {% if sls in allowed_states %}
 
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
+{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
 
 {% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -15,8 +16,6 @@
 {% set BPF_STATUS = 0  %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface') %}
 
-{% set ZEEK = salt['pillar.get']('zeek', {}) %}
-
 # Zeek Salt State
 
 # Add Zeek group
@@ -107,16 +106,18 @@ zeekctlcfg:
     - group: 939
     - template: jinja
     - defaults:
-        ZEEKCTL: {{ ZEEK.zeekctl | tojson }}
+        ZEEKCTL: {{ ZEEKMERGED.zeek.config.zeekctl | tojson }}
 
 # Sync node.cfg
 nodecfg:
   file.managed:
     - name: /opt/so/conf/zeek/node.cfg
-    - source: salt://zeek/files/node.cfg
+    - source: salt://zeek/files/node.cfg,jinja
     - user: 937
     - group: 939
     - template: jinja
+    - defaults:
+        ZEEKNODE: {{ ZEEKMERGED.zeek.config.node }}
 
 networkscfg:
   file.managed: