CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1277 from Security-Onion-Solutions/issue/968

Browse Source 
Issue/968
This commit is contained in:
Josh Patterson
2020-09-01 15:43:22 -04:00
committed by GitHub
parent 6cd0d16b91 08ca2055dc
commit 7fa083069d
10 changed files with 858 additions and 796 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
salt/_modules/healthcheck.py
View File

@@ -2,6 +2,8 @@
import logging import logging
import sys import sys
from time import time
from os.path import getsize
allowed_functions = ['is_enabled', 'zeek'] allowed_functions = ['is_enabled', 'zeek']
states_to_apply = [] states_to_apply = []
@@ -85,8 +87,21 @@ def zeek():
else: else:
zeek_restart = 0 zeek_restart = 0
__salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart) #__salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
# write out to file in /nsm/zeek/logs/ for telegraf to read for zeek restart
try:
if getsize("/nsm/zeek/logs/zeek_restart.log") >= 1000000:
openmethod = "w"
else:
openmethod = "a"
except FileNotFoundError:
openmethod = "a"
influxtime = int(time() * 1000000000)
with open("/nsm/zeek/logs/zeek_restart.log", openmethod) as f:
f.write('healthcheck zeek_restart=%i %i\n' % (zeek_restart, influxtime))
if calling_func == 'execute' and zeek_restart: if calling_func == 'execute' and zeek_restart:
apply_states() apply_states()

64
salt/grafana/dashboards/eval/eval.json
View File

@@ -3860,70 +3860,6 @@
"value": "{{ MONINT }}" "value": "{{ MONINT }}"
} }
] ]
},
{
"alias": "Outbound",
"dsType": "influxdb",
"groupBy": [
{
"params": [
"$Interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "net",
"orderByTime": "ASC",
"policy": "default",
"query": "SELECT 8 * derivative(mean(\"bytes_sent\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
"rawQuery": false,
"refId": "B",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"bytes_sent"
],
"type": "field"
},
{
"params": [],
"type": "mean"
},
{
"params": [
"1s"
],
"type": "derivative"
},
{
"params": [
"*8"
],
"type": "math"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
},
{
"condition": "AND",
"key": "interface",
"operator": "=",
"value": "{{ MONINT }}"
}
]
} }
], ],
"thresholds": [], "thresholds": [],

266
salt/grafana/dashboards/manager/manager.json
View File

@@ -583,7 +583,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - REDIS Unparsed Queue", "title": "{{ SERVERNAME }} - Redis Queue",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@@ -621,134 +621,6 @@
"alignLevel": null "alignLevel": null
} }
}, },
{
"aliasColors": {},
"bars": false,
"cacheTimeout": null,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 4,
"x": 20,
"y": 0
},
"hiddenSeries": false,
"id": 21,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "connected",
"options": {
"dataLinks": []
},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"dsType": "influxdb",
"groupBy": [
{
"params": [
"$Interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "redisqueue",
"orderByTime": "ASC",
"policy": "default",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"parsed"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - REDIS Parsed Queue",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"decimals": 0,
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{ {
"cacheTimeout": null, "cacheTimeout": null,
"datasource": "InfluxDB", "datasource": "InfluxDB",
@@ -1351,7 +1223,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - REDIS CPU Usage", "title": "{{ SERVERNAME }} - Redis CPU Usage",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@@ -1485,7 +1357,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - REDIS Memory Usage", "title": "{{ SERVERNAME }} - Redis Memory Usage",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@@ -4043,6 +3915,138 @@
"align": false, "align": false,
"alignLevel": null "alignLevel": null
} }
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 4,
"x": 20,
"y": 5
},
"hiddenSeries": false,
"id": 40,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "connected",
"options": {
"dataLinks": []
},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "influxsize",
"orderByTime": "ASC",
"policy": "autogen",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"kbytes"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - InfluxDB Size",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"$$hashKey": "object:526",
"format": "deckbytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"$$hashKey": "object:527",
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
} }
], ],
"refresh": false, "refresh": false,

264
salt/grafana/dashboards/managersearch/managersearch.json
View File

@@ -588,7 +588,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - REDIS Unparsed Queue", "title": "{{ SERVERNAME }} - Redis Queue",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@@ -627,132 +627,6 @@
"alignLevel": null "alignLevel": null
} }
}, },
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 4,
"x": 20,
"y": 0
},
"hiddenSeries": false,
"id": 51,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "connected",
"options": {
"dataLinks": []
},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "redisqueue",
"orderByTime": "ASC",
"policy": "default",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"parsed"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - REDIS Parsed Queue",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"$$hashKey": "object:1367",
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"$$hashKey": "object:1368",
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{ {
"cacheTimeout": null, "cacheTimeout": null,
"datasource": "InfluxDB", "datasource": "InfluxDB",
@@ -1352,7 +1226,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - REDIS CPU Usage", "title": "{{ SERVERNAME }} - Redis CPU Usage",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@@ -1485,7 +1359,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - REDIS Memory Usage", "title": "{{ SERVERNAME }} - Redis Memory Usage",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@@ -4787,6 +4661,138 @@
"align": false, "align": false,
"alignLevel": null "alignLevel": null
} }
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 4,
"x": 20,
"y": 5
},
"hiddenSeries": false,
"id": 57,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "connected",
"options": {
"dataLinks": []
},
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "influxsize",
"orderByTime": "ASC",
"policy": "autogen",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"kbytes"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - InfluxDB Size",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"$$hashKey": "object:140",
"format": "deckbytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"$$hashKey": "object:141",
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
} }
], ],
"refresh": false, "refresh": false,

64
salt/grafana/dashboards/sensor_nodes/sensor.json
View File

@@ -3420,70 +3420,6 @@
"value": "{{ MONINT }}" "value": "{{ MONINT }}"
} }
] ]
},
{
"alias": "OutBound",
"dsType": "influxdb",
"groupBy": [
{
"params": [
"$Interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "net",
"orderByTime": "ASC",
"policy": "default",
"query": "SELECT 8 * derivative(mean(\"bytes_sent\"),1s) FROM \"net\" WHERE \"host\" = 'JumpHost' AND \"interface\" = 'eth0' AND $timeFilter GROUP BY time($interval) fill(null)",
"rawQuery": false,
"refId": "B",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"bytes_sent"
],
"type": "field"
},
{
"params": [],
"type": "mean"
},
{
"params": [
"1s"
],
"type": "derivative"
},
{
"params": [
"*8"
],
"type": "math"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
},
{
"condition": "AND",
"key": "interface",
"operator": "=",
"value": "{{ MONINT }}"
}
]
} }
], ],
"thresholds": [], "thresholds": [],

955
salt/grafana/dashboards/standalone/standalone.json
View File

File diff suppressed because it is too large Load Diff

5
salt/telegraf/etc/telegraf.conf
View File

@@ -754,6 +754,11 @@
# ## more about them here: # ## more about them here:
# ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md # ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
# data_format = "influx" # data_format = "influx"
{% if salt['pillar.get']('healthcheck:enabled', 'False') %}
[[inputs.file]]
files = ["/host/nsm/zeek/logs/zeek_restart.log"]
data_format = "influx"
{% endif %}
# # Count files in a directory # # Count files in a directory

6
salt/telegraf/scripts/broloss.sh
View File

@@ -4,14 +4,14 @@ ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($ZEEKLOG) declare RESULT=($ZEEKLOG)
CURRENTDROP=${RESULT[3]} CURRENTDROP=${RESULT[3]}
PASTDROP=${RESULT[9]} PASTDROP=${RESULT[9]}
DROPPED=$(($CURRENTDROP - $PASTDROP)) DROPPED=$((CURRENTDROP - PASTDROP))
if [ $DROPPED == 0 ]; then if [ $DROPPED == 0 ]; then
LOSS=0 LOSS=0
echo "brodrop drop=0" echo "brodrop drop=0"
else else
CURRENTPACKETS=${RESULT[5]} CURRENTPACKETS=${RESULT[5]}
PASTPACKETS=${RESULT[11]} PASTPACKETS=${RESULT[11]}
TOTAL=$(($CURRENTPACKETS - $PASTPACKETS)) TOTAL=$((CURRENTPACKETS - PASTPACKETS))
LOSS=$(echo $DROPPED $TOTAL / p | dc) LOSS=$(echo $DROPPED $TOTAL / p | dc)
echo "brodrop drop=$LOSS" echo "brodrop drop=$LOSS"
fi fi

4
salt/telegraf/scripts/influxdbsize.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'}) INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'})
echo "influxsize bytes=$INFLUXSIZE" echo "influxsize kbytes=$INFLUXSIZE"

7
salt/top.sls
View File

@@ -158,7 +158,6 @@ base:
{%- if FLEETMANAGER or FLEETNODE %} {%- if FLEETMANAGER or FLEETNODE %}
- fleet - fleet
- fleet.install_package - fleet.install_package
- redis
{%- endif %} {%- endif %}
- soctopus - soctopus
{%- if THEHIVE != 0 %} {%- if THEHIVE != 0 %}
@@ -197,6 +196,7 @@ base:
- wazuh - wazuh
{%- endif %} {%- endif %}
- logstash - logstash
- redis
- kibana - kibana
- pcap - pcap
- suricata - suricata
@@ -211,7 +211,6 @@ base:
- elastalert - elastalert
{%- if FLEETMANAGER or FLEETNODE %} {%- if FLEETMANAGER or FLEETNODE %}
- fleet - fleet
- redis
- fleet.install_package - fleet.install_package
{%- endif %} {%- endif %}
- utility - utility
@@ -319,6 +318,7 @@ base:
- wazuh - wazuh
{%- endif %} {%- endif %}
- logstash - logstash
- redis
- curator - curator
- kibana - kibana
- elastalert - elastalert
@@ -327,7 +327,6 @@ base:
- schedule - schedule
{%- if FLEETMANAGER or FLEETNODE %} {%- if FLEETMANAGER or FLEETNODE %}
- fleet - fleet
- redis
- fleet.install_package - fleet.install_package
{%- endif %} {%- endif %}
- soctopus - soctopus
@@ -356,6 +355,7 @@ base:
- wazuh - wazuh
{%- endif %} {%- endif %}
- logstash - logstash
- redis
- curator - curator
- filebeat - filebeat
{%- if STRELKA %} {%- if STRELKA %}
@@ -363,7 +363,6 @@ base:
{%- endif %} {%- endif %}
{%- if FLEETMANAGER or FLEETNODE %} {%- if FLEETMANAGER or FLEETNODE %}
- fleet.install_package - fleet.install_package
- redis
{%- endif %} {%- endif %}
- pcap - pcap
- suricata - suricata