add receiver node

files/firewall/assigned_hostgroups.local.map.yaml

@@ -16,6 +16,7 @@ role:
   import:
   manager:
   managersearch:
+  receiver:
   standalone:
   searchnode:
-  sensor:
+  sensor:

files/firewall/hostgroups.local.yaml

@@ -44,6 +44,10 @@ firewall:
       ips:
         delete:
         insert:
+    receiver:
+      ips:
+        delete:
+        insert:
     search_node:
       ips:
         delete:

pillar/logstash/receiver.sls

@@ -0,0 +1,10 @@
+{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'redis') %}
+logstash:
+  pipelines:
+    manager:
+      config:
+        - so/0009_input_beats.conf      
+        - so/0010_input_hhbeats.conf
+        - so/0011_input_endgame.conf
+        - so/9999_output_redis.conf.jinja
+        

pillar/top.sls

@@ -104,6 +104,14 @@ base:
     - minions.{{ grains.id }}
     - data.nodestab
 
+  '*_receiver':
+    - logstash
+    - logstash.receiver
+    - elasticsearch.auth
+    - global
+    - minions.{{ grains.id }}
+    - data.receivertab
+
   '*_import':
     - zeeklogs
     - secrets

salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja

@@ -1,4 +1,4 @@
-{%- if grains.role in ['so-heavynode'] %}
+{%- if grains.role in ['so-heavynode', 'so-receiver'] %}
   {%- set HOST = salt['grains.get']('host') %}
 {%- else %}
   {%- set HOST = salt['grains.get']('master') %}

salt/top.sls

@@ -478,3 +478,27 @@ base:
     - docker_clean
     - pipeline.load
     - learn
+
+  '*_receiver and G@saltversion:{{saltversion}}':
+    - match: compound
+    - ca
+    - ssl
+    - telegraf
+    - firewall
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    {%- if LOGSTASH %}
+    - logstash
+    {%- endif %}
+    {%- if REDIS %}
+    - redis
+    {%- endif %}
+    {%- if FILEBEAT %}
+    - filebeat
+    {%- endif %}
+    {%- if FLEETMANAGER or FLEETNODE %}
+    - fleet.install_package
+    {%- endif %}
+    - schedule
+    - docker_clean

setup/so-functions

@@ -2665,7 +2665,7 @@ set_initial_firewall_policy() {
 			$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
             $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
 			;;
-		'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET')
+		'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER')
 			$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
 			case "$install_type" in
 				'SENSOR')
@@ -2685,6 +2685,9 @@ set_initial_firewall_policy() {
 				'FLEET')
 				    $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
 					;;
+				'RECEIVER')
+					$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
+					$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receivertab "$MINION_ID" "$MAINIP"
 			esac
 			;;
 		'PARSINGNODE')

setup/so-whiptail

@@ -796,11 +796,12 @@ whiptail_install_type_dist_existing() {
 	Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users.
 	EOM
 	
-	install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 18 58 4 \
+	install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 18 58 5 \
 		"SENSOR" "Create a forward only sensor " ON \
 		"SEARCHNODE" "Add a search node with parsing " OFF \
 		"FLEET" "Dedicated Fleet Osquery Node " OFF \
 		"HEAVYNODE" "Sensor + Search Node " OFF \
+		"RECEIVER" "Receiver Node " OFF \
 		3>&1 1>&2 2>&3
 		# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
 		# "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO