From 8df9e020acef43c78940943d4b8b94804bb1aee7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 27 Jan 2021 15:35:29 -0500
Subject: [PATCH] pillarize elastalert https://github.com/Security-Onion-Solutions/securityonion/issues/1191
---
 salt/elastalert/defaults.yaml | 48 +++++++++++++++++++
 salt/elastalert/elastalert_config.map.jinja | 4 ++
 .../files/elastalert_config.yaml.jinja | 3 ++
 salt/elastalert/init.sls | 6 ++-
 4 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 salt/elastalert/defaults.yaml
 create mode 100644 salt/elastalert/elastalert_config.map.jinja
 create mode 100644 salt/elastalert/files/elastalert_config.yaml.jinja
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
new file mode 100644
index 000000000..2bfd03243
--- /dev/null
+++ b/salt/elastalert/defaults.yaml
@@ -0,0 +1,48 @@
+elastalert:
+ config:
+ rules_folder: /opt/elastalert/rules/
+ scan_subdirectories: true
+ disable_rules_on_error: false
+ run_every:
+ minutes: 3
+ buffer_time:
+ minutes: 10
+ old_query_limit:
+ minutes: 5
+ es_host: {{salt['pillar.get']('manager:mainip', '')}}
+ es_port: {{salt['pillar.get']('manager:es_port', '')}}
+ es_conn_timeout: 55
+ max_query_size: 5000
+ #aws_region: us-east-1
+ #profile: test
+ #es_url_prefix: elasticsearch
+ #use_ssl: True
+ #verify_certs: True
+ #es_send_get_body_as: GET
+ #es_username: someusername
+ #es_password: somepassword
+ writeback_index: elastalert_status
+ alert_time_limit:
+ days: 2
+ index_settings:
+ shards: 1
+ replicas: 0
+ logging:
+ version: 1
+ incremental: false
+ disable_existing_loggers: false
+ formatters:
+ logline:
+ format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
+ handlers:
+ file:
+ class : logging.FileHandler
+ formatter: logline
+ level: INFO
+ filename: /var/log/elastalert/elastalert.log
+ loggers:
+ '':
+ level: INFO
+ handlers:
+ - file
+ propagate: false
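Review bot: The shipped defaults leave `#use_ssl: True` and `#verify_certs: True` commented out, so unless the `elastalert:config` pillar sets them the rendered config reaches `es_host` over plaintext with no certificate verification; if that is intended for this deployment, a comment above those lines such as `# TLS is off by default; set use_ssl/verify_certs via the elastalert:config pillar when Elasticsearch is reached over the network` would stop a later reader from treating it as an oversight. Separately, `es_host` and `es_port` fall back to `''` when `manager:mainip` / `manager:es_port` are absent, which renders an empty value into the config rather than surfacing the missing pillar; a comment stating that these pillar keys are required would at least make that failure mode visible. The `#es_username` / `#es_password` placeholders show that credentials may arrive through pillar, so wherever this tree is written to disk the file needs restrictive ownership and mode.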
diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja
new file mode 100644
index 000000000..270872fee
--- /dev/null
+++ b/salt/elastalert/elastalert_config.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'elastalert/defaults.yaml' as elastalert_defaults with context %}
+{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
+
+{% do salt['defaults.merge'](elastalert_defaults.elastalert.config, elastalert_pillar, in_place=True) %}
\ No newline at end of file
diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja
new file mode 100644
index 000000000..6bcfbef56
--- /dev/null
+++ b/salt/elastalert/files/elastalert_config.yaml.jinja
@@ -0,0 +1,3 @@
+%YAML 1.1
+---
+{{ elastalert_config | yaml(False) }}
\ No newline at end of file
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index fcab3f57c..3fa261580 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -15,6 +15,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{% from 'elastalert/elastalert_config.map.jinja' import elastalert_defaults as elastalert_config with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
@@ -92,7 +94,9 @@ elastasomodulesync:
 elastaconf:
 file.managed:
 - name: /opt/so/conf/elastalert/elastalert_config.yaml
- - source: salt://elastalert/files/elastalert_config.yaml
+ - source: salt://elastalert/files/elastalert_config.yaml.jinja
+ - context:
+ elastalert_config: {{ elastalert_config.elastalert.config }
 - user: 933
 - group: 933
 - template: jinja
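Review bot: The merged tree is exported under the name `elastalert_defaults` even though, after the `defaults.merge(..., in_place=True)` on the last line, it holds the defaults overlaid by the `elastalert:config` pillar, which is why the importer in init.sls (hunk at -15,6) has to alias it `as elastalert_config` to say what it really is. A header comment would document that contract, e.g. `{# Load elastalert/defaults.yaml, then overlay the elastalert:config pillar into elastalert_defaults.elastalert.config in place; importers of elastalert_defaults receive the merged tree #}`. The file also ends without a trailing newline.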
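Review bot: The new context value `elastalert_config: {{ elastalert_config.elastalert.config }` closes the Jinja print with a single `}`, so this state should fail to render before anything is managed; it needs to read `elastalert_config: {{ elastalert_config.elastalert.config | json }}` (double brace, and a serializing filter rather than the dict's Python repr being pasted into the state YAML). Because the merged tree may now carry pillar-supplied `es_username` / `es_password` into `/opt/so/conf/elastalert/elastalert_config.yaml`, the `file.managed` mode, which is outside this hunk, should keep the file readable only by uid 933, e.g. `- mode: 600`. The elastaconf state continues past the end of the hunk.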