add modules to be used in monitoring - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/90

2025-12-06 09:12:45 +01:00 · 2020-03-24 17:27:55 -04:00
parent bc76739f6e
commit 7e6c70aff2
6 changed files with 48 additions and 2 deletions
--- a/salt/_modules/healthcheck.py
+++ b/salt/_modules/healthcheck.py
@@ -0,0 +1,22 @@
+#!py
+
+import logging
+
+def docker_restart(container, state):
+  stopdocker = __salt__['docker.rm'](container, 'force=True')
+  __salt__['state.apply'](state)
+  
+
+
+def zeek():
+
+  retcode = __salt__['zeekctl.status'](verbose=False)
+  logging.info('zeekctl.status retcode: %i' % retcode)
+  if retcode:
+    docker_restart('so-zeek', 'zeek')
+    zeek_restarted = True
+  else:
+    zeek_restarted = False
+
+  __salt__['telegraf.send']('healthcheck zeek_restarted: %s' % str(zeek_restarted))
+  return 'zeek_restarted: %s' % str(zeek_restarted)
--- a/salt/_modules/telegraf.py
+++ b/salt/_modules/telegraf.py
@@ -0,0 +1,16 @@
+#!py
+
+import logging
+import socket
+
+
+def send(data):
+
+  mainint = __salt__['pillar.get']('node:mainint')
+  mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+  dstport = 8094
+
+  sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+  sent = sock.sendto(data.encode('utf-8'), (mainip, dstport))
+
+  return sent
--- a/salt/_modules/zeekctl.py
+++ b/salt/_modules/zeekctl.py
@@ -134,10 +134,13 @@ def start():
 return retval


-def status():
+def status(verbose=True):

 cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
 retval = __salt__['docker.run']('so-zeek', cmd)
+ if not verbose:
+   retval = __context__['retcode']
+
 return retval


--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -187,6 +187,8 @@ so-telegraf:
      - HOST_SYS=/host/sys
      - HOST_MOUNT_PREFIX=/host
    - network_mode: host
+    - port_bindings:
+      - 127.0.0.1:8094:8094
    - binds:
      - /opt/so/log/telegraf:/var/log/telegraf:rw
      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
--- a/salt/common/telegraf/etc/telegraf.conf
+++ b/salt/common/telegraf/etc/telegraf.conf
@@ -2053,6 +2053,9 @@
 #   ## more about them here:
 #   ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
 #   # data_format = "influx"
+[[inputs.socket_listener]]
+  service_address = "udp://:8094"
+  data_format = "influx"


 # # Statsd UDP/TCP Server
--- a/salt/common/telegraf/scripts/influxdbsize.sh
+++ b/salt/common/telegraf/scripts/influxdbsize.sh
@@ -1,5 +1,5 @@
 #!/bin/bash

-INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'}
+INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'})

 echo "influxsize bytes=$INFLUXSIZE"