CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 09:42:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

use logrotate

Browse Source
This commit is contained in:
reyesj2
2025-09-05 09:22:44 -05:00
parent dfec29d18e
commit 915b9e7bd7
3 changed files with 18 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
salt/logrotate/defaults.yaml
View File

@@ -268,3 +268,12 @@ logrotate:
- nocompress - nocompress
- create - create
- sharedscripts - sharedscripts
/opt/so/log/agents/agent-monitor*_x_log:
- daily
- rotate 14
- missingok
- compress
- create
- extension .log
- dateext
- dateyesterday

7
salt/logrotate/soc_logrotate.yaml
View File

@@ -175,3 +175,10 @@ logrotate:
multiline: True multiline: True
global: True global: True
forcedType: "[]string" forcedType: "[]string"
"/opt/so/log/agents/agent-monitor*_x_log":
description: List of logrotate options for this file.
title: /opt/so/log/agents/agent-monitor*.log
advanced: True
multiline: True
global: True
forcedType: "[]string"

17
salt/manager/tools/sbin_jinja/so-elastic-agent-monitor
View File

@@ -7,7 +7,7 @@
set -euo pipefail set -euo pipefail
LOG_DIR="/opt/so/log/agents" LOG_DIR="/opt/so/log/agents"
LOG_FILE="$LOG_DIR/agent-monitor-$(date -u +"%Y%m%d").log" LOG_FILE="$LOG_DIR/agent-monitor.log"
CURL_CONFIG="/opt/so/conf/elasticsearch/curl.config" CURL_CONFIG="/opt/so/conf/elasticsearch/curl.config"
FLEET_API="http://localhost:5601/api/fleet/agents" FLEET_API="http://localhost:5601/api/fleet/agents"
{#- When using custom kquery ignore critical agents patterns. Since we want all the results of custom query logged #} {#- When using custom kquery ignore critical agents patterns. Since we want all the results of custom query logged #}
@@ -71,17 +71,6 @@ calculate_offline_hours() {
echo $((diff / 3600)) echo $((diff / 3600))
} }
cleanup_old_logs() {
# Find and delete log files older than 7 days
local old_files=$(find "$LOG_DIR" -name "agent-monitor-*.log" -type f -mtime +7 2>/dev/null)
if [ -n "$old_files" ]; then
local deleted_count=$(echo "$old_files" | wc -l)
echo "$old_files" | xargs rm -f
log_message "INFO" "Cleaned up $deleted_count old log files (>7 days)"
fi
}
main() { main() {
log_message "INFO" "Starting Fleet agent status check" log_message "INFO" "Starting Fleet agent status check"
@@ -93,8 +82,6 @@ main() {
log_message "INFO" "No critical agents filter found, monitoring all agents" log_message "INFO" "No critical agents filter found, monitoring all agents"
fi fi
cleanup_old_logs
log_message "INFO" "Querying Fleet API" log_message "INFO" "Querying Fleet API"
local page=1 local page=1
@@ -115,7 +102,7 @@ main() {
if ! response_body=$(curl -K "$CURL_CONFIG" \ if ! response_body=$(curl -K "$CURL_CONFIG" \
-s --fail \ -s --fail \
$FLEET_QUERY \ "$FLEET_QUERY" \
-H 'kbn-xsrf: true' 2>/dev/null); then -H 'kbn-xsrf: true' 2>/dev/null); then
log_message "ERROR" "Failed to query Fleet API (page $page)" log_message "ERROR" "Failed to query Fleet API (page $page)"
exit 1 exit 1