monitoring zeek - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/90

salt/_modules/healthcheck.py

@@ -3,50 +3,60 @@
 import logging
 import sys
 
-allowed_functions = ['zeek']
+allowed_functions = ['is_enabled,zeek']
 states_to_apply = []
 
 
 def apply_states(states=''):
 
   calling_func = sys._getframe().f_back.f_code.co_name
-  logging.debug('healthcheck module: apply_states function caller: %s' % calling_func)
+  logging.debug('healthcheck_module: apply_states function caller: %s' % calling_func)
 
   if not states:
     states = ','.join(states_to_apply)
  
   if states: 
-    logging.info('healthcheck module: apply_states states: %s' % str(states))
+    logging.info('healthcheck_module: apply_states states: %s' % str(states))
     __salt__['state.apply'](states)
 
 
-def docker_restart(container):
+def docker_stop(container):
   
   try:
     stopdocker = __salt__['docker.rm'](container, 'stop=True')
   except Exception as e:
-    logging.error('healthcheck module: %s' % e)
+    logging.error('healthcheck_module: %s' % e)
+
+
+def is_enabled():
+  
+  if __salt__['pillar.get']('healthcheck:enabled', 'False'):
+    retval = True
+  else:
+    retval = False
+  
+  return retval
   
 
 def run(checks=''):
   
   retval = []
   calling_func = sys._getframe().f_back.f_code.co_name
-  logging.debug('healthcheck module: run function caller: %s' % calling_func)
+  logging.debug('healthcheck_module: run function caller: %s' % calling_func)
   
   if checks:
     checks = checks.split(',')
   else:  
     checks = __salt__['pillar.get']('healthcheck:checks', {})
   
-  logging.debug('healthcheck module: run checks to be run: %s' % str(checks))
+  logging.debug('healthcheck_module: run checks to be run: %s' % str(checks))
   for check in checks:
     if check in allowed_functions:
       retval.append(check)
       check = getattr(sys.modules[__name__], check)
       check()
     else:
-      logging.warning('healthcheck module: attempted to run function %s' % check)
+      logging.warning('healthcheck_module: attempted to run function %s' % check)
 
   # If you want to apply states at the end of the run,
   # be sure to append the state name to states_to_apply[]
@@ -58,19 +68,23 @@ def run(checks=''):
 def zeek():
 
   calling_func = sys._getframe().f_back.f_code.co_name
-  logging.debug('healthcheck module: zeek function caller: %s' % calling_func)
+  logging.info('healthcheck_module: zeek function caller: %s' % calling_func)
+  retval = []
 
   retcode = __salt__['zeekctl.status'](verbose=False)
-  logging.debug('zeekctl.status retcode: %i' % retcode)
+  logging.info('healthcheck_module: zeekctl.status retcode: %i' % retcode)
   if retcode:
-    docker_restart('so-zeek')
-    states_to_apply.append('zeek')
-    zeek_restarted = True
+    zeek_restart = True
+    if calling_func != 'beacon':
+      docker_stop('so-zeek')
+      states_to_apply.append('zeek')
   else:
-    zeek_restarted = False
+    zeek_restart = False
 
-  if calling_func == 'execute':
+  if calling_func == 'execute' and zeek_restart:
     apply_states()
+  
+  retval.append({'zeek_restart': zeek_restart})
 
-  __salt__['telegraf.send']('healthcheck zeek_restarted=%s' % str(zeek_restarted))
-  return 'zeek_restarted: %s' % str(zeek_restarted)
+  __salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
+  return retval

salt/_modules/zeekctl.py

@@ -1,5 +1,7 @@
 #!py
 
+import logging
+
 
 def capstats(interval=10):
 
@@ -140,7 +142,7 @@ def status(verbose=True):
  retval = __salt__['docker.run']('so-zeek', cmd)
  if not verbose:
    retval = __context__['retcode']
-
+   logging.info('zeekctl_module: zeekctl.status_NOTVERBOSE retval: %s' % retval)
  return retval