From 8e5fa9576ceee0d4a943747737e0011c26fbfaab Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 26 Sep 2025 11:32:25 -0500 Subject: [PATCH 1/2] create disabled so-manager_elasticsearch output policy first, update it then verify it is the only active output --- .../tools/sbin_jinja/so-elastic-fleet-setup | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index ee74d1056..ab6757893 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -63,7 +63,7 @@ printf "\nAdd Manager Elasticsearch Output...\n" ESCACRT=$(openssl x509 -in "$INTCA" -outform DER | sha256sum | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]') JSON_STRING=$(jq -n \ --arg ESCACRT "$ESCACRT" \ - '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ca_trusted_fingerprint": $ESCACRT}') + '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ca_trusted_fingerprint": $ESCACRT}') if ! fleet_api "outputs" -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"; then echo -e "\nFailed to create so-elasticsearch_manager policy..." @@ -71,6 +71,13 @@ if ! fleet_api "outputs" -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: applicatio fi printf "\n\n" +# so-manager_elasticsearch should exist and be disabled. Now update it before checking its the only default policy +MANAGER_OUTPUT_ENABLED=$(echo "$JSON_STRING" | jq 'del(.id) | .is_default = true | .is_default_monitoring = true') +if ! curl -sK /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$MANAGER_OUTPUT_ENABLED"; then + echo -e "\n failed to update so-manager_elasticsearch" + exit 1 +fi + # At this point there should only be two policies. fleet-default-output & so-manager_elasticsearch status "Verifying so-manager_elasticsearch policy is configured as the current default" @@ -79,7 +86,7 @@ if DEFAULTPOLICY=$(fleet_api "outputs/fleet-default-output"); then fleet_default=$(echo "$DEFAULTPOLICY" | jq -er '.item.is_default') fleet_default_monitoring=$(echo "$DEFAULTPOLICY" | jq -er '.item.is_default_monitoring') # Check that fleet-default-output isn't configured as a default for anything ( both variables return false ) - if [[ ! $fleet_default ]] && [[ ! $fleet_default_monitoring ]]; then + if [[ $fleet_default == "false" ]] && [[ $fleet_default_monitoring == "false" ]]; then echo -e "\nso-manager_elasticsearch is configured as the current default policy..." else echo -e "\nVerification of so-manager_elasticsearch policy failed... The default 'fleet-default-output' output is still active..." From e7752994804bee1f8eb9ba3d9094f1c73832f4b9 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 26 Sep 2025 15:43:49 -0400 Subject: [PATCH 2/2] so-user target minions with pillar elasticsearch:enabled:true --- salt/manager/tools/sbin/so-user | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index 92b3ba385..060dcf3a4 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -387,7 +387,7 @@ function syncElastic() { if [[ -z "$SKIP_STATE_APPLY" ]]; then echo "Elastic state will be re-applied to affected minions. This will run in the background and may take several minutes to complete." echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1 - salt --async -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 + salt --async -C 'I@elasticsearch:enabled:true' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 fi else echo "Newly generated users/roles files are incomplete; aborting."