From 9b973e07e298affc1ce4e9a6ed0d7d0f26a25ff9 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 08:49:43 -0400 Subject: [PATCH 01/12] Add files via upload --- .../alarm_high_redis_memory_usage.json | 27 +++++++++++++++++++ .../templates/alarm_low_monitor_traffic.json | 21 +++++++++++++++ .../templates/alarm_pcap_retention.json | 27 +++++++++++++++++++ .../templates/alarm_steno_packet_loss.json | 26 ++++++++++++++++++ .../templates/alarm_suricata_packet_loss.json | 26 ++++++++++++++++++ .../templates/alarm_zeek_packet_loss.json | 26 ++++++++++++++++++ 6 files changed, 153 insertions(+) create mode 100644 salt/influxdb/templates/alarm_high_redis_memory_usage.json create mode 100644 salt/influxdb/templates/alarm_low_monitor_traffic.json create mode 100644 salt/influxdb/templates/alarm_pcap_retention.json create mode 100644 salt/influxdb/templates/alarm_steno_packet_loss.json create mode 100644 salt/influxdb/templates/alarm_suricata_packet_loss.json create mode 100644 salt/influxdb/templates/alarm_zeek_packet_loss.json diff --git a/salt/influxdb/templates/alarm_high_redis_memory_usage.json b/salt/influxdb/templates/alarm_high_redis_memory_usage.json new file mode 100644 index 000000000..98f4d206c --- /dev/null +++ b/salt/influxdb/templates/alarm_high_redis_memory_usage.json 
@@ -0,0 +1,27 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "high-redis-memory" + }, + "spec": { + "every": "1m", + "name": "High Redis Memory Usage", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"redisqueue\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"mem_used\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "The amount of available memory for Redis on the ${r.host} node has reached the ${r._level} threshold. The current percent of used memory is ${r.mem_used}.", + "thresholds": [ + { + "level": "WARN", + "type": "greater", + "value": 80 + }, + { + "level": "CRIT", + "type": "greater", + "value": 90 + } + ] + } +}] + diff --git a/salt/influxdb/templates/alarm_low_monitor_traffic.json b/salt/influxdb/templates/alarm_low_monitor_traffic.json new file mode 100644 index 000000000..910b13803 --- /dev/null +++ b/salt/influxdb/templates/alarm_low_monitor_traffic.json 
@@ -0,0 +1,21 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "monitor-interface-traffic" + }, + "spec": { + "every": "1m", + "name": "Low Traffic Volume on Monitor Interface", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n |\u003e derivative(unit: 1s, nonNegative: true)\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n |\u003e yield(name: \"nonnegative derivative\")", + "status": "active", + "statusMessageTemplate": "Interface ${r.interface} on node ${r.host} has reached the ${r._level} threshold. The current volume of traffic on interface ${r.interface} is ${r.bytes_recv}MB/s.", + "thresholds": [ + { + "level": "CRIT", + "type": "lesser", + "value": 5 + } + ] + } +}] diff --git a/salt/influxdb/templates/alarm_pcap_retention.json b/salt/influxdb/templates/alarm_pcap_retention.json new file mode 100644 index 000000000..0964906c7 --- /dev/null +++ b/salt/influxdb/templates/alarm_pcap_retention.json 
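Review bot: The query converts bytes_recv per second into megabits (`r._value * 8.0 / 1000000.0`), but statusMessageTemplate labels the same value `${r.bytes_recv}MB/s`, so the threshold `5` and the message disagree on units by a factor of eight. Either drop the `* 8.0` so the value really is MB/s, or change the message to `Mbps` and retune the threshold; the descriptions added later in this series (patches 05 and 08) also say "in MBs" and should follow whichever unit is chosen. The filter also pins the interface to `bond0`, so a sensor whose monitor interface has another name produces no points and this check silently never fires for it; if the Salt rendering of these templates allows it, the interface name should come from the sensor's configuration rather than a literal.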
@@ -0,0 +1,27 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "alarm-pcap-retention" + }, + "spec": { + "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.", + "every": "1m0s", + "name": "Low PCAP Retention", + "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)})) |\u003e map(fn: (r) =\u003e ({r with _value: int(v: r._value)}))\n |> aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "PCAP retention on node ${r.host} has reached the ${r._level} threshold. Node ${r.host} currently has approximately ${r.seconds} days of PCAP data.", + "thresholds": [ + { + "level": "CRIT", + "type": "lesser", + "value": 1 + }, + { + "level": "WARN", + "type": "lesser", + "value": 3 + } + ] + } +}] \ No newline at end of file diff --git a/salt/influxdb/templates/alarm_steno_packet_loss.json b/salt/influxdb/templates/alarm_steno_packet_loss.json new file mode 100644 index 000000000..967b7ff92 --- /dev/null +++ b/salt/influxdb/templates/alarm_steno_packet_loss.json 
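Review bot: `"every": "1m0s"` in this spec is the only template in the series not written as `"1m"`; both denote the same interval, but one spelling keeps the templates consistent and greppable, i.e. `"every": "1m",`. In the query the second `map` is appended on the same line as the first (` |\u003e map(fn: (r) =\u003e ({r with _value: int(v: r._value)}))`) while every other stage is preceded by `\n`; harmless to Flux, but the rendered query reads oddly in the InfluxDB UI, so a `\n` before it would match the rest of the pipeline.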
@@ -0,0 +1,26 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "steno-packet-loss" + }, + "spec": { + "every": "1m", + "name": "Stenographer Packet Loss", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "Stenographer Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", + "thresholds": [ + { + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } + ] + } +}] diff --git a/salt/influxdb/templates/alarm_suricata_packet_loss.json b/salt/influxdb/templates/alarm_suricata_packet_loss.json new file mode 100644 index 000000000..48bda0ff3 --- /dev/null +++ b/salt/influxdb/templates/alarm_suricata_packet_loss.json 
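Review bot: The steno query passes the `drop` field straight to the thresholds (`greater` 3 / 5), whereas the suricata and zeek templates in this same commit multiply the value by 100 first. If the stenodrop collector already emits a percentage this is correct, but if it emits a fraction like the other two collectors appear to, the check would never reach 3 and the alarm would be dead; I cannot see the collector from here, so please confirm the scale and note it in the description, e.g. `"description": "... drop is reported by the collector as a percentage ..."`.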
@@ -0,0 +1,26 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "suricata-packet-loss" + }, + "spec": { + "every": "1m", + "name": "Suricata Packet Loss", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"suridrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "Suricata packet loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", + "thresholds": [ + { + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } + ] + } +}] diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json new file mode 100644 index 000000000..33e19ea5b --- /dev/null +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json 
@@ -0,0 +1,26 @@ +[{ + "apiVersion": "influxdata.com/v2alpha1", + "kind": "CheckThreshold", + "metadata": { + "name": "zeek-packet-loss" + }, + "spec": { + "every": "1m", + "name": "Zeek Packet Loss", + "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"zeekdrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", + "status": "active", + "statusMessageTemplate": "Zeek Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", + "thresholds": [ + { + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } + ] + } +}] From 839275814c23b09b3a844b8b8067a0d1b96556fb Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 08:51:49 -0400 Subject: [PATCH 02/12] Update redis.sh - Added percent of used memory. --- salt/telegraf/scripts/redis.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh index c730885d4..dba893c87 100644 --- a/salt/telegraf/scripts/redis.sh +++ b/salt/telegraf/scripts/redis.sh @@ -11,8 +11,9 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}') PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}') - - echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED" + MEM_USED=$(redis-cli info memory | grep used_memory_peak_perc | cut -d ":" -f2 | sed "s/%//") + + echo "redisqueue unparsed=$UNPARSED,parsed=$PARSED,mem_used=$MEM_USED" fi From 645555b990a9618093975ff6a248692672bdbe7f Mon Sep 17 00:00:00 2001 
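Review bot: `redis-cli info memory` returns CRLF-terminated lines, so after `cut`/`sed` the new `MEM_USED` most likely still carries a trailing carriage return, which then lands inside the line-protocol record emitted by the `echo` and can make Telegraf reject the whole line (including the existing unparsed/parsed fields); strip it with `MEM_USED=$(redis-cli info memory | grep used_memory_peak_perc | cut -d ":" -f2 | tr -d '\r%')`. Separately, as I read the INFO field, `used_memory_peak_perc` is used_memory relative to used_memory_peak, not relative to maxmemory or host RAM, so an instance at a fraction of its limit reads 100% as soon as it sits at its own historical peak; the "High Redis Memory Usage" alarm built on this (thresholds 80/90) would then be noisy and not reflect actual pressure, and a ratio of `used_memory` to `maxmemory` or `total_system_memory` would match the alarm's intent better. If redis-cli fails, `MEM_USED` is empty and `mem_used=` is malformed, so a guard that omits the field when it is not numeric would keep the queue metrics flowing. The enclosing `if` block starts outside the hunk.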
From: bryant-treacle Date: Fri, 19 May 2023 10:10:44 -0400 Subject: [PATCH 03/12] Update alarm_zeek_packet_loss.json --- .../templates/alarm_zeek_packet_loss.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json index 33e19ea5b..a236be521 100644 --- a/salt/influxdb/templates/alarm_zeek_packet_loss.json +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json @@ -12,15 +12,15 @@ "statusMessageTemplate": "Zeek Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.", "thresholds": [ { - "level": "CRIT", - "type": "greater", - "value": 5 - }, - { - "level": "WARN", - "type": "greater", - "value": 3 - } + "level": "CRIT", + "type": "greater", + "value": 5 + }, + { + "level": "WARN", + "type": "greater", + "value": 3 + } ] } }] From ef4f2491f398e730c601470e3e48d503e2e79065 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:12:44 -0400 Subject: [PATCH 04/12] Update alarm_high_redis_memory_usage.json --- salt/influxdb/templates/alarm_high_redis_memory_usage.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_high_redis_memory_usage.json b/salt/influxdb/templates/alarm_high_redis_memory_usage.json index 98f4d206c..ebb0f9f4a 100644 --- a/salt/influxdb/templates/alarm_high_redis_memory_usage.json +++ b/salt/influxdb/templates/alarm_high_redis_memory_usage.json 
@@ -5,6 +5,7 @@ "name": "high-redis-memory" }, "spec": { + "description": "Percent of Redis memory used.", "every": "1m", "name": "High Redis Memory Usage", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"redisqueue\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"mem_used\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From 13c9142814d6088ed7d4efb242ce454a40ad8c6d Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:21:43 -0400 Subject: [PATCH 05/12] Update alarm_low_monitor_traffic.json --- salt/influxdb/templates/alarm_low_monitor_traffic.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_low_monitor_traffic.json b/salt/influxdb/templates/alarm_low_monitor_traffic.json index 910b13803..831a721ed 100644 --- a/salt/influxdb/templates/alarm_low_monitor_traffic.json +++ b/salt/influxdb/templates/alarm_low_monitor_traffic.json @@ -5,6 +5,7 @@ "name": "monitor-interface-traffic" }, "spec": { + "description": "Triggers when the volume of network traffic received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.", "every": "1m", "name": "Low Traffic Volume on Monitor Interface", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n |\u003e derivative(unit: 1s, nonNegative: true)\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n |\u003e yield(name: \"nonnegative derivative\")", From e91dd29cb267acc45f285fe5781041cbe7c59e6d Mon Sep 17 00:00:00 2001 
From: bryant-treacle Date: Fri, 19 May 2023 10:25:22 -0400 Subject: [PATCH 06/12] Update alarm_high_redis_memory_usage.json --- salt/influxdb/templates/alarm_high_redis_memory_usage.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/templates/alarm_high_redis_memory_usage.json b/salt/influxdb/templates/alarm_high_redis_memory_usage.json index ebb0f9f4a..fe99ad430 100644 --- a/salt/influxdb/templates/alarm_high_redis_memory_usage.json +++ b/salt/influxdb/templates/alarm_high_redis_memory_usage.json @@ -5,7 +5,7 @@ "name": "high-redis-memory" }, "spec": { - "description": "Percent of Redis memory used.", + "description": "Triggers when the average percent of used memory for Redis reaches a defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m", "name": "High Redis Memory Usage", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"redisqueue\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"mem_used\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From 592c67d1f2621841036f6177711331e1f140ccfe Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:29:15 -0400 Subject: [PATCH 07/12] Update alarm_pcap_retention.json --- salt/influxdb/templates/alarm_pcap_retention.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/influxdb/templates/alarm_pcap_retention.json b/salt/influxdb/templates/alarm_pcap_retention.json index 0964906c7..969d462c9 100644 --- a/salt/influxdb/templates/alarm_pcap_retention.json +++ b/salt/influxdb/templates/alarm_pcap_retention.json 
@@ -5,7 +5,7 @@ "name": "alarm-pcap-retention" }, "spec": { - "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.", + "description": "Triggers when the PCAP retention (in days), falls below the defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m0s", "name": "Low PCAP Retention", "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)})) |\u003e map(fn: (r) =\u003e ({r with _value: int(v: r._value)}))\n |> aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")", @@ -24,4 +24,4 @@ } ] } -}] \ No newline at end of file +}] From 1e9e2facde804771501b748d42998c3a4e216d43 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:29:53 -0400 Subject: [PATCH 08/12] Update alarm_low_monitor_traffic.json --- salt/influxdb/templates/alarm_low_monitor_traffic.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/templates/alarm_low_monitor_traffic.json b/salt/influxdb/templates/alarm_low_monitor_traffic.json index 831a721ed..167ae1b5a 100644 --- a/salt/influxdb/templates/alarm_low_monitor_traffic.json +++ b/salt/influxdb/templates/alarm_low_monitor_traffic.json 
@@ -5,7 +5,7 @@ "name": "monitor-interface-traffic" }, "spec": { - "description": "Triggers when the volume of network traffic received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.", + "description": "Triggers when the volume of network traffic (in MBs) received on the monitor interface, per sensor, falls below a defined threshold. To tune this alert, modify the value in MBs for the appropriate alert level.", "every": "1m", "name": "Low Traffic Volume on Monitor Interface", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"net\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"bytes_recv\")\n |\u003e filter(fn: (r) =\u003e r[\"interface\"] == \"bond0\")\n |\u003e derivative(unit: 1s, nonNegative: true)\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 8.0 / 1000000.0}))\n |\u003e yield(name: \"nonnegative derivative\")", From 2de95bcb637c767946f29e9976ac106b07d33b71 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:32:13 -0400 Subject: [PATCH 09/12] Update alarm_steno_packet_loss.json --- salt/influxdb/templates/alarm_steno_packet_loss.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_steno_packet_loss.json b/salt/influxdb/templates/alarm_steno_packet_loss.json index 967b7ff92..c5cfb4297 100644 --- a/salt/influxdb/templates/alarm_steno_packet_loss.json +++ b/salt/influxdb/templates/alarm_steno_packet_loss.json 
@@ -5,6 +5,7 @@ "name": "steno-packet-loss" }, "spec": { + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.", "every": "1m", "name": "Stenographer Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From a84322f9b7c7c36167b24de1571ad78b917bc5fb Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:32:29 -0400 Subject: [PATCH 10/12] Update alarm_suricata_packet_loss.json --- salt/influxdb/templates/alarm_suricata_packet_loss.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_suricata_packet_loss.json b/salt/influxdb/templates/alarm_suricata_packet_loss.json index 48bda0ff3..8a4c3f5cf 100644 --- a/salt/influxdb/templates/alarm_suricata_packet_loss.json +++ b/salt/influxdb/templates/alarm_suricata_packet_loss.json @@ -5,6 +5,7 @@ "name": "suricata-packet-loss" }, "spec": { + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level." "every": "1m", "name": "Suricata Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"suridrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", 
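Review bot: The `"description"` line added to alarm_suricata_packet_loss.json has no trailing comma before `"every": "1m"`, which makes the file invalid JSON and will break whatever loads these templates; the same omission is in the alarm_zeek_packet_loss.json hunk of patch 11. The steno hunk in patch 09 gets it right; both lines need `... alert level.",` with the comma after the closing quote.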
From 5b2d91b5b51bc1d6024f0312cff76edda6bc7300 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Fri, 19 May 2023 10:32:53 -0400 Subject: [PATCH 11/12] Update alarm_zeek_packet_loss.json --- salt/influxdb/templates/alarm_zeek_packet_loss.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/templates/alarm_zeek_packet_loss.json b/salt/influxdb/templates/alarm_zeek_packet_loss.json index a236be521..cebd1dc50 100644 --- a/salt/influxdb/templates/alarm_zeek_packet_loss.json +++ b/salt/influxdb/templates/alarm_zeek_packet_loss.json @@ -5,6 +5,7 @@ "name": "zeek-packet-loss" }, "spec": { + "description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level." "every": "1m", "name": "Zeek Packet Loss", "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"zeekdrop\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n |\u003e map(fn: (r) =\u003e ({r with \"_value\": r._value * 100.0}))\n |\u003e map(fn: (r) =\u003e ({ r with _value: int(v: r._value) }))\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")", From 732d2aadf85ab00776469083eab91f41918ed103 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 24 May 2023 08:58:43 -0400 Subject: [PATCH 12/12] rename state to resolve conflicting / duplicate state ids --- salt/suricata/disabled.sls | 2 +- salt/suricata/enabled.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/disabled.sls b/salt/suricata/disabled.sls index 60754ed3c..49f8f93bf 100644 --- a/salt/suricata/disabled.sls +++ b/salt/suricata/disabled.sls 
@@ -13,7 +13,7 @@ so-suricata: docker_container.absent: - force: True -so-kibana_so-status.disabled: +so-suricata_so-status.disabled: file.comment: - name: /opt/so/conf/so-status/so-status.conf - regex: ^so-suricata$ diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index efc5f0251..bfe91d244 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls @@ -36,7 +36,7 @@ so-suricata: - file: surithresholding - file: suribpf -delete_so-kibana_so-status.disabled: +delete_so-suricata_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf - regex: ^so-suricata$