diff --git a/pillar/logrotate/init.sls b/pillar/logrotate/init.sls
deleted file mode 100644
index f8a54f442..000000000
--- a/pillar/logrotate/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-logrotate:
- conf: |
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
- group_conf: |
- su root socore
\ No newline at end of file
diff --git a/salt/common/cron/common-rotate b/salt/common/cron/common-rotate
deleted file mode 100644
index 63b8e2b5d..000000000
--- a/salt/common/cron/common-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/cron/sensor-rotate b/salt/common/cron/sensor-rotate
deleted file mode 100644
index 94cebf75d..000000000
--- a/salt/common/cron/sensor-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
deleted file mode 100644
index 1d04c4bb3..000000000
--- a/salt/common/files/log-rotate.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
-{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
-
-
-/opt/so/log/aptcacher-ng/*.log
-/opt/so/log/idstools/*.log
-/opt/so/log/nginx/*.log
-/opt/so/log/soc/*.log
-/opt/so/log/kratos/*.log
-/opt/so/log/kibana/*.log
-/opt/so/log/influxdb/*.log
-/opt/so/log/elastalert/*.log
-/opt/so/log/soctopus/*.log
-/opt/so/log/curator/*.log
-/opt/so/log/fleet/*.log
-/opt/so/log/suricata/*.log
-/opt/so/log/mysql/*.log
-/opt/so/log/telegraf/*.log
-/opt/so/log/redis/*.log
-/opt/so/log/sensoroni/*.log
-/opt/so/log/stenographer/*.log
-/opt/so/log/salt/so-salt-minion-check
-/opt/so/log/salt/minion
-/opt/so/log/salt/master
-/opt/so/log/logscan/*.log
-/nsm/idh/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
-}
-
-# Playbook's log directory needs additional configuration
-# because Playbook requires a more permissive directory
-/opt/so/log/playbook/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
- {{ group_conf | indent(width=4) }}
-}
diff --git a/salt/common/files/sensor-rotate.conf b/salt/common/files/sensor-rotate.conf
deleted file mode 100644
index cefd3944e..000000000
--- a/salt/common/files/sensor-rotate.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-/opt/so/log/sensor_clean.log
-{
- daily
- rotate 2
- missingok
- nocompress
- create
- sharedscripts
-}
-
-/nsm/strelka/log/strelka.log
-{
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
-}
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index c23e82543..d2dfef3be 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -151,56 +151,8 @@ so-sensor-clean: - daymonth: '*' - month: '*' - dayweek: '*' - -sensorrotatescript: - file.managed: - - name: /usr/local/bin/sensor-rotate - - source: salt://common/cron/sensor-rotate - - mode: 755 - -sensorrotateconf: - file.managed: - - name: /opt/so/conf/sensor-rotate.conf - - source: salt://common/files/sensor-rotate.conf - - mode: 644 - -sensor-rotate: - cron.present: - - name: /usr/local/bin/sensor-rotate - - identifier: sensor-rotate - - user: root - - minute: '1' - - hour: '0' - - daymonth: '*' - - month: '*' - - dayweek: '*' - {% endif %} -commonlogrotatescript: - file.managed: - - name: /usr/local/bin/common-rotate - - source: salt://common/cron/common-rotate - - mode: 755 - -commonlogrotateconf: - file.managed: - - name: /opt/so/conf/log-rotate.conf - - source: salt://common/files/log-rotate.conf - - template: jinja - - mode: 644 - -common-rotate: - cron.present: - - name: /usr/local/bin/common-rotate - - identifier: common-rotate - - user: root - - minute: '1' - - hour: '0' - - daymonth: '*' - - month: '*' - - dayweek: '*' - # Create the status directory sostatusdir: file.directory: diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml new file mode 100644 index 000000000..68095fcbd --- /dev/null +++ b/salt/logrotate/defaults.yaml 
@@ -0,0 +1,230 @@
+logrotate:
+ config:
+ /opt/so/log/idstools/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/nginx/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soc/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kratos/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kibana/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/influxdb/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/elastalert/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soctopus/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/curator/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/fleet/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/suricata/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/mysql/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/telegraf/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/redis/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensoroni/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/stenographer/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/so-salt-minion-check:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/minion:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/master:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /nsm/idh/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/playbook/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ - su root socore
+ /nsm/strelka/log/strelka_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensor_clean_x_log:
+ - daily
+ - rotate 2
+ - missingok
+ - nocompress
+ - create
+ - sharedscripts
diff --git a/salt/logrotate/etc/rotate.conf.jinja b/salt/logrotate/etc/rotate.conf.jinja
new file mode 100644
index 000000000..2822019e9
--- /dev/null
+++ b/salt/logrotate/etc/rotate.conf.jinja
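Review bot: Two paths that the deleted salt/common/files/log-rotate.conf rotated are missing from the new `logrotate.config` map: `/opt/so/log/aptcacher-ng/*.log` and `/opt/so/log/logscan/*.log`. Nothing else in the patch covers them, so after this change those logs are no longer truncated or pruned after 14 days and can grow until they fill the log volume. If dropping them is deliberate it should be stated in the commit message; otherwise add `/opt/so/log/aptcacher-ng/*_x_log:` and `/opt/so/log/logscan/*_x_log:` entries carrying the same ten-option list as the neighbouring keys, and the matching entries in soc_logrotate.yaml so they remain editable.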
@@ -0,0 +1,8 @@
+{%- for file, opts in CONFIG.items() %}
+{{ file | replace("_x_", ".")}}
+{
+{%- for opt in opts %}
+ {{ opt }}
+{%- endfor %}
+}
+{%- endfor %}
diff --git a/salt/logrotate/init.sls b/salt/logrotate/init.sls
new file mode 100644
index 000000000..1b096f9db
--- /dev/null
+++ b/salt/logrotate/init.sls
@@ -0,0 +1,31 @@
+{% from 'logrotate/map.jinja' import LOGROTATEMERGED %}
+
+logrotateconfdir:
+ file.directory:
+ - name: /opt/so/conf/logrotate
+
+commonlogrotatescript:
+ file.managed:
+ - name: /usr/local/bin/common-rotate
+ - source: salt://logrotate/tools/sbin/common-rotate
+ - mode: 755
+
+commonlogrotateconf:
+ file.managed:
+ - name: /opt/so/conf/logrotate/common-rotate.conf
+ - source: salt://logrotate/etc/rotate.conf.jinja
+ - template: jinja
+ - mode: 644
+ - defaults:
+ CONFIG: {{ LOGROTATEMERGED.config }}
+
+common-rotate:
+ cron.present:
+ - name: /usr/local/bin/common-rotate
+ - identifier: common-rotate
+ - user: root
+ - minute: '1'
+ - hour: '0'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
diff --git a/salt/logrotate/map.jinja b/salt/logrotate/map.jinja
new file mode 100644
index 000000000..24fcbd78f
--- /dev/null
+++ b/salt/logrotate/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'logrotate/defaults.yaml' as LOGROTATEDEFAULTS %}
+{% set LOGROTATEMERGED = salt['pillar.get']('logrotate', LOGROTATEDEFAULTS.logrotate, merge=True) %}
diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml
new file mode 100644
index 000000000..5b9fd720f
--- /dev/null
+++ b/salt/logrotate/soc_logrotate.yaml
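Review bot: The `_x_` to `.` substitution on the second line of the template is an undocumented convention, and `replace` rewrites every occurrence, so a log path that itself contains `_x_` cannot be expressed through this map. A header comment would save the next reader a trip through defaults.yaml and the SOC annotations, e.g. `{# Keys of logrotate.config spell "." as "_x_" (presumably because "." is not usable in SOC config keys — confirm); every option string is written into the rendered file unchanged. #}`. Because those option strings are emitted verbatim into a config that common-rotate runs through logrotate as root, the comment is also the right place to record that the pillar values are treated as trusted administrator input.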
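Review bot: The state installs the new `/opt/so/conf/logrotate/common-rotate.conf` and re-declares the `common-rotate` cron, but nothing removes what the deleted states in salt/common/init.sls left behind on already-deployed hosts: the `sensor-rotate` cron (identifier `sensor-rotate`), `/usr/local/bin/sensor-rotate`, `/opt/so/conf/sensor-rotate.conf` and `/opt/so/conf/log-rotate.conf`. On an upgraded sensor the old root cron would keep running daily against a config Salt no longer manages, and sensor_clean.log and strelka.log would likely be rotated twice, since the new map also lists them. Explicit `cron.absent` and `file.absent` states here make the migration visible and idempotent; the cron state name `common-rotate` is also the cron identifier, so the same pattern fits the removal.
```yaml
# … unchanged: logrotateconfdir, commonlogrotatescript, commonlogrotateconf, common-rotate …

# Clean up the pre-refactor rotation pieces formerly managed by salt/common/init.sls
sensor-rotate:
  cron.absent:
    - identifier: sensor-rotate
    - user: root

legacyrotatefiles:
  file.absent:
    - names:
      - /usr/local/bin/sensor-rotate
      - /opt/so/conf/sensor-rotate.conf
      - /opt/so/conf/log-rotate.conf
```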
@@ -0,0 +1,163 @@
+logrotate:
+ config:
+ "/opt/so/log/idstools/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/idstools/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/nginx/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/nginx/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/soc/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/soc/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/kratos/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/kratos/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/kibana/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/kibana/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/influxdb/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/influxdb/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/elastalert/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/elastalert/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/soctopus/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/soctopus/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/curator/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/curator/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/fleet/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/fleet/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/suricata/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/suricata/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/mysql/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/mysql/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/telegraf/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/telegraf/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/redis/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/redis/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/sensoroni/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/sensoroni/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/stenographer/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/stenographer/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/so-salt-minion-check":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/so-salt-minion-check
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/minion":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/minion
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/master":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/master
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/nsm/idh/*_x_log":
+ description: List of logrotate options for this file.
+ title: /nsm/idh/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/playbook/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/playbook/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/nsm/strelka/log/strelka_x_log":
+ description: List of logrotate options for this file.
+ title: /nsm/strelka/log/strelka.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/sensor_clean_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/sensor_clean.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
diff --git a/salt/logrotate/tools/sbin/common-rotate b/salt/logrotate/tools/sbin/common-rotate
new file mode 100644
index 000000000..14c3536da
--- /dev/null
+++ b/salt/logrotate/tools/sbin/common-rotate
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>&1
diff --git a/salt/top.sls b/salt/top.sls
index e53791673..e53895324 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -14,6 +14,7 @@ base:
 - repo.client
 - ntp
 - schedule
+ - logrotate
 'not G@saltversion:{{saltversion}}':
 - match: compound
diff --git a/setup/so-functions b/setup/so-functions
index 814165fbb..077800fe3 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1341,8 +1341,9 @@ kibana_pillar() {
 }
 logrotate_pillar() {
- touch $adv_logrotate_pillar_file
- touch $logrotate_pillar_file
+ logCmd "mkdir -p $local_salt_dir/pillar/logrotate"
+ logCmd "touch $adv_logrotate_pillar_file"
+ logCmd "touch $logrotate_pillar_file"
 }
 patch_pillar() {
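Review bot: `> /dev/null 2>&1` on the logrotate line discards stderr too, so a parse error in the rendered `/opt/so/conf/logrotate/common-rotate.conf` — which is now assembled from editable pillar values rather than a fixed file — stops all rotation silently until someone notices the disk filling. Keeping stderr lets cron or the Salt minion log surface the failure: `/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null`. A one-line comment that `-f` forces rotation on every invocation regardless of the `daily` directive (harmless at one run per day, surprising if the cron schedule is ever changed) would also help the next maintainer.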
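Review bot: `mkdir -p $local_salt_dir/pillar/logrotate` hard-codes the directory while the two touch lines use `$adv_logrotate_pillar_file` and `$logrotate_pillar_file`, which are defined outside this hunk; if those variables ever point elsewhere the mkdir no longer guarantees the touches succeed. Deriving the directory from the file removes the duplication: `logCmd "mkdir -p $(dirname "$logrotate_pillar_file")"`. The variables are also unquoted inside the logCmd string; whether a path containing spaces would break depends on how logCmd evaluates its argument, which is not visible here.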