diff --git a/files/master b/files/master
index ba107b939..f14c4194c 100644
--- a/files/master
+++ b/files/master
@@ -61,5 +61,3 @@ peer:
 reactor:
   - 'so/fleet':
     - salt://reactor/fleet.sls
-  - 'salt/beacon/*/zeek/':
-    salt://reactor/zeek.sls
diff --git a/pillar/healthcheck/eval.sls b/pillar/healthcheck/eval.sls
index fbfa54e45..dd1a027e9 100644
--- a/pillar/healthcheck/eval.sls
+++ b/pillar/healthcheck/eval.sls
@@ -1,5 +1,5 @@
 healthcheck:
   enabled: False
-  schedule: 60
+  schedule: 300
   checks:
     - zeek
diff --git a/pillar/healthcheck/sensor.sls b/pillar/healthcheck/sensor.sls
index fbfa54e45..dd1a027e9 100644
--- a/pillar/healthcheck/sensor.sls
+++ b/pillar/healthcheck/sensor.sls
@@ -1,5 +1,5 @@
 healthcheck:
   enabled: False
-  schedule: 60
+  schedule: 300
   checks:
     - zeek
diff --git a/salt/_beacons/zeek.py b/salt/_beacons/zeek.py
index 0db9d3010..117c2b401 100644
--- a/salt/_beacons/zeek.py
+++ b/salt/_beacons/zeek.py
@@ -5,7 +5,7 @@ def status():
     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
     retval = __salt__['docker.run']('so-zeek', cmd)
-    logging.debug('zeekctl_module: zeekctl.status retval: %s' % retval)
+    logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
     return retval
@@ -15,11 +15,11 @@ def beacon(config):
     retval = []
     is_enabled = __salt__['healthcheck.is_enabled']()
-    logging.debug('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
+    logging.info('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
     if is_enabled:
         zeekstatus = status().lower().split(' ')
-        logging.debug('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
+        logging.info('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
         if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
             zeek_restart = True
         else:
diff --git a/salt/_modules/healthcheck.py b/salt/_modules/healthcheck.py
index 2dafa23d3..e5aedff00 100644
--- a/salt/_modules/healthcheck.py
+++ b/salt/_modules/healthcheck.py
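Review bot: `schedule: 300` carries no unit on the line, and this same commit switches the consuming state (salt/healthcheck/init.sls) from `minutes:` to `seconds:`, so a reader of the pillar cannot tell whether 300 means five minutes or five hours. A trailing comment would keep the next override honest, e.g. `schedule: 300  # seconds between healthcheck.run invocations`. pillar/healthcheck/sensor.sls carries the identical change and wants the same comment; note that `enabled: False` means neither file activates the schedule by default.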
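Review bot: Promoting both lines from debug to info writes the full `zeekctl status` token list to the minion log on every beacon interval, while this same commit removes `salt.beacons` from salt/top.sls and the `salt/beacon/*/zeek/` reactor mapping from files/master, so whatever events this beacon still produces have no consumer on the master. If the beacon is being retired, leave these as `logging.debug(...)` (or delete the beacon module) rather than raising its log volume; whether any already-provisioned minion still carries the beacon config cannot be determined from the diff. The `beacon` function continues past the end of the hunk.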
@@ -3,7 +3,7 @@
 import logging
 import sys
-allowed_functions = ['is_enabled,zeek']
+allowed_functions = ['is_enabled', 'zeek']
 states_to_apply = []
@@ -65,14 +65,18 @@ def run(checks=''):
     return retval
+def send_event(tag, eventdata):
+    __salt__['event.send'](tag, eventdata[0])
+
+
 def zeek():
     calling_func = sys._getframe().f_back.f_code.co_name
-    logging.info('healthcheck_module: zeek function caller: %s' % calling_func)
+    logging.debug('healthcheck_module: zeek function caller: %s' % calling_func)
     retval = []
     retcode = __salt__['zeekctl.status'](verbose=False)
-    logging.info('healthcheck_module: zeekctl.status retcode: %i' % retcode)
+    logging.debug('healthcheck_module: zeekctl.status retcode: %i' % retcode)
     if retcode:
         zeek_restart = True
         if calling_func != 'beacon':
@@ -86,5 +90,6 @@ def zeek():
     retval.append({'zeek_restart': zeek_restart})
+    send_event('so/healthcheck/zeek', retval)
     __salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
     return retval
diff --git a/salt/_modules/zeekctl.py b/salt/_modules/zeekctl.py
index 40f6130e8..ab3cb37d3 100644
--- a/salt/_modules/zeekctl.py
+++ b/salt/_modules/zeekctl.py
@@ -142,7 +142,7 @@ def status(verbose=True):
     retval = __salt__['docker.run']('so-zeek', cmd)
     if not verbose:
         retval = __context__['retcode']
-    logging.info('zeekctl_module: zeekctl.status_NOTVERBOSE retval: %s' % retval)
+    logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
     return retval
diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json
index f012bf3e8..9d00efe2f 100644
--- a/salt/common/grafana/grafana_dashboards/eval/eval.json
+++ b/salt/common/grafana/grafana_dashboards/eval/eval.json
@@ -859,7 +859,7 @@
         "timeFrom": null,
         "timeRegions": [],
         "timeShift": null,
-        "title": "Zeek Restarts",
+        "title": "Zeek Restarts via Healthcheck",
         "tooltip": {
           "shared": true,
           "sort": 0,
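Review bot: The corrected `allowed_functions = ['is_enabled', 'zeek']` reads as an allowlist gating which check names may be invoked, but nothing near it says what enforces it; `run()` is outside the hunk and is presumably the consumer. A comment would stop the next maintainer from appending an internal helper to it, e.g. `# Check names run() may dispatch from pillar healthcheck:checks; keep internal helpers (send_event) out of this list.` The previous single-element form `['is_enabled,zeek']` could never have matched either name, so this fix likely changes which checks actually execute and deserves a line in the commit message.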
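Review bot: `send_event` has no docstring and indexes `eventdata[0]` unguarded, so a caller passing an empty list gets an IndexError from inside the event path; the only caller in this commit always appends one dict first, so it works by convention only. Either take the dict itself, `def send_event(tag, eventdata): __salt__['event.send'](tag, eventdata)`, with `retval[0]` at the call site, or keep the signature and document the contract: `"""Fire eventdata[0] on the master event bus under tag; eventdata is the one-item result list a check builds."""` `zeek()` continues past the end of the hunk.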
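Review bot: The new tag `so/healthcheck/zeek` is not mapped to a reactor anywhere in this commit — files/master removes the `salt/beacon/*/zeek/` → `salt://reactor/zeek.sls` entry and adds nothing in its place — so unless the mapping lives in a file outside this diff, `salt/reactor/zeek.sls` (updated here to read `data['data']['zeek_restart']`) is never triggered and the restart never happens. The missing entry under `reactor:` in files/master is `- 'so/healthcheck/zeek':` with `- salt://reactor/zeek.sls` nested beneath it. Since `send_event` also fires on the `zeek_restart=False` path every interval, the reactor must treat that value as a no-op. `zeek()` continues outside the hunk.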
diff --git a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
index 914abcb6b..9663dfd79 100644
--- a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
+++ b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
@@ -2256,7 +2256,7 @@
         "timeFrom": null,
         "timeRegions": [],
         "timeShift": null,
-        "title": "Zeek Restarts",
+        "title": "Zeek Restarts via Healthcheck",
         "tooltip": {
           "shared": true,
           "sort": 0,
diff --git a/salt/healthcheck/init.sls b/salt/healthcheck/init.sls
index 627603099..94f8028ba 100644
--- a/salt/healthcheck/init.sls
+++ b/salt/healthcheck/init.sls
@@ -1,9 +1,6 @@
-### This state isn't used for anything. It was written to handle healthcheck scheduling,
-### but we handle that with beacons now.
-
 {% set CHECKS = salt['pillar.get']('healthcheck:checks', {}) %}
 {% set ENABLED = salt['pillar.get']('healthcheck:enabled', False) %}
-{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 30) %}
+{% set SCHEDULE = salt['pillar.get']('healthcheck:schedule', 300) %}
 {% if CHECKS and ENABLED %}
   {% set STATUS = ['present','enabled'] %}
@@ -21,7 +18,7 @@ healthcheck_schedule_{{ STATUS[0] }}:
   schedule.{{ STATUS[0] }}:
     - name: healthcheck
     - function: healthcheck.run
-    - minutes: {{ SCHEDULE }}
+    - seconds: {{ SCHEDULE }}
 healthcheck_schedule_{{ STATUS[1] }}:
   schedule.{{ STATUS[1] }}:
diff --git a/salt/reactor/zeek.sls b/salt/reactor/zeek.sls
index c22d6f94d..f2e26b095 100644
--- a/salt/reactor/zeek.sls
+++ b/salt/reactor/zeek.sls
@@ -6,7 +6,7 @@ local = salt.client.LocalClient()
 def run():
     minionid = data['id']
-    zeek_restart = data['zeek_restart']
+    zeek_restart = data['data']['zeek_restart']
     logging.info('zeek_reactor: zeek_need_restarted:%s on:%s' % (zeek_restart, minionid))
     if zeek_restart:
diff --git a/salt/top.sls b/salt/top.sls
index dd4e825db..1dc06098e 100644
--- a/salt/top.sls
+++ b/salt/top.sls
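Review bot: Switching `- minutes: {{ SCHEDULE }}` to `- seconds: {{ SCHEDULE }}` silently reinterprets any existing pillar override of `healthcheck:schedule` — a value of 60 that used to mean hourly now means every minute — and this interval is what drives `healthcheck.run` (and through it `zeekctl status` inside the zeek container) on every node that applies this state. A comment on the line pinning the unit, e.g. `- seconds: {{ SCHEDULE }}  # healthcheck:schedule is in seconds (default 300); was minutes before this change`, plus a note in the commit message, would make the migration explicit. The `healthcheck_schedule_{{ STATUS[1] }}` state continues past the end of the hunk.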
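Review bot: `data['data']['zeek_restart']` raises KeyError when an event under this tag lacks the nested `data` dict or the `zeek_restart` key, and since this reactor runs on the master with master privileges on a payload the minion composes, a malformed or hand-fired event should fail closed rather than with a traceback in the reactor thread. `zeek_restart = data.get('data', {}).get('zeek_restart', False)` lets the existing `if zeek_restart:` simply do nothing. The body after `if zeek_restart:` is outside the hunk; it should keep targeting only `minionid` (Salt fills `data['id']` from the authenticated sender, as far as I can tell) and never interpolate other payload fields into the command it issues. `run()` continues past the end of the hunk.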
@@ -37,7 +37,7 @@ base:
       - firewall
       - pcap
       - suricata
-      - salt.beacons
+      - healthcheck
 {%- if BROVER != 'SURICATA' %}
       - zeek
 {%- endif %}
@@ -60,7 +60,7 @@ base:
       - soc
       - firewall
       - idstools
-      - salt.beacons
+      - healthcheck
 {%- if FLEETMASTER or FLEETNODE %}
       - mysql
 {%- endif %}
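Review bot: Dropping `salt.beacons` from the highstate stops managing the beacon configuration but removes nothing that state already wrote on provisioned minions, so the zeek beacon can keep firing `salt/beacon/*/zeek/` events that this commit also unmaps on the master — silent, and easy to mistake for the new healthcheck path working. If the beacon is being retired, pair the swap to `healthcheck` with an explicit cleanup (a `beacon.absent` state, or removal of whatever config file `salt.beacons` wrote — its path is not visible in this diff); the second hunk in this file has the same gap. The `base:` mapping continues outside both hunks.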