pillarize elastalert https://github.com/Security-Onion-Solutions/securityonion/issues/1191

2025-12-06 09:12:45 +01:00 · 2021-01-27 15:35:29 -05:00
parent 0ac19142c4
commit 8df9e020ac
4 changed files with 60 additions and 1 deletions
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -0,0 +1,48 @@
+elastalert:
+  config:
+    rules_folder: /opt/elastalert/rules/
+    scan_subdirectories: true
+    disable_rules_on_error: false
+    run_every:
+      minutes: 3
+    buffer_time:
+      minutes: 10
+    old_query_limit:
+      minutes: 5
+    es_host: {{salt['pillar.get']('manager:mainip', '')}}
+    es_port: {{salt['pillar.get']('manager:es_port', '')}}
+    es_conn_timeout: 55
+    max_query_size: 5000
+    #aws_region: us-east-1
+    #profile: test
+    #es_url_prefix: elasticsearch
+    #use_ssl: True
+    #verify_certs: True
+    #es_send_get_body_as: GET
+    #es_username: someusername
+    #es_password: somepassword
+    writeback_index: elastalert_status
+    alert_time_limit:
+      days: 2
+    index_settings:
+      shards: 1
+      replicas: 0
+    logging:
+      version: 1
+      incremental: false
+      disable_existing_loggers: false
+      formatters:
+        logline:
+          format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
+      handlers:
+        file:
+          class : logging.FileHandler
+          formatter: logline
+          level: INFO
+          filename: /var/log/elastalert/elastalert.log
+      loggers:
+        '':
+          level: INFO
+          handlers:
+            - file
+          propagate: false
--- a/salt/elastalert/elastalert_config.map.jinja
+++ b/salt/elastalert/elastalert_config.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'elastalert/defaults.yaml' as elastalert_defaults with context %}
+{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
+
+{% do salt['defaults.merge'](elastalert_defaults.elastalert.config, elastalert_pillar, in_place=True) %}
--- a/salt/elastalert/files/elastalert_config.yaml.jinja
+++ b/salt/elastalert/files/elastalert_config.yaml.jinja
@@ -0,0 +1,3 @@
+%YAML 1.1
+---
+{{ elastalert_config | yaml(False) }}
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -15,6 +15,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

+{% from 'elastalert/elastalert_config.map.jinja' import elastalert_defaults as elastalert_config with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
@@ -92,7 +94,9 @@ elastasomodulesync:
 elastaconf:
  file.managed:
    - name: /opt/so/conf/elastalert/elastalert_config.yaml
-    - source: salt://elastalert/files/elastalert_config.yaml
+    - source: salt://elastalert/files/elastalert_config.yaml.jinja
+    - context:
+        elastalert_config: {{ elastalert_config.elastalert.config }
    - user: 933
    - group: 933
    - template: jinja