From 5898c9ef3177c45ecc1432cb671d516f2d688531 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 29 Jun 2023 12:54:37 -0400
Subject: [PATCH 1/4] start of logrotate configurable via ui

---
 salt/common/files/log-rotate.conf | 2 -
 salt/logrotate/defaults.yaml | 233 +++++++++++++++++++++++++
 salt/logrotate/etc/rotate.config.jinja | 0
 salt/logrotate/map.jinja | 7 +
 4 files changed, 240 insertions(+), 2 deletions(-)
 create mode 100644 salt/logrotate/defaults.yaml
 create mode 100644 salt/logrotate/etc/rotate.config.jinja
 create mode 100644 salt/logrotate/map.jinja

diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
index 1d04c4bb3..a312f7870 100644
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -2,7 +2,6 @@
 {%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}


-/opt/so/log/aptcacher-ng/*.log
 /opt/so/log/idstools/*.log
 /opt/so/log/nginx/*.log
 /opt/so/log/soc/*.log
@@ -22,7 +21,6 @@
 /opt/so/log/salt/so-salt-minion-check
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
-/opt/so/log/logscan/*.log
 /nsm/idh/*.log
 {
 {{ logrotate_conf | indent(width=4) }}
diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml
new file mode 100644
index 000000000..6d0fa7dc7
--- /dev/null
+++ b/salt/logrotate/defaults.yaml
@@ -0,0 +1,233 @@
+logrotate:
+ common:
+ config:
+ /opt/so/log/idstools/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/nginx/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soc/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kratos/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kibana/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/influxdb/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/elastalert/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soctopus/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/curator/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/fleet/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/suricata/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/mysql/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/telegraf/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/redis/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensoroni/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/stenographer/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/so-salt-minion-check:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/minion:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/master:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /nsm/idh/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/playbook/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ - su root socore
+ /nsm/strelka/log/strelka.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensor_clean.log:
+ - daily
+ - rotate 2
+ - missingok
+ - nocompress
+ - create
+ - sharedscripts
+
+ sensor:
diff --git a/salt/logrotate/etc/rotate.config.jinja b/salt/logrotate/etc/rotate.config.jinja
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/logrotate/map.jinja b/salt/logrotate/map.jinja
new file mode 100644
index 000000000..24fcbd78f
--- /dev/null
+++ b/salt/logrotate/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'logrotate/defaults.yaml' as LOGROTATEDEFAULTS %}
+{% set LOGROTATEMERGED = salt['pillar.get']('logrotate', LOGROTATEDEFAULTS.logrotate, merge=True) %}

From 41a4321b032701649680b31a2080a880719037e4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 30 Jun 2023 11:26:55 -0400
Subject: [PATCH 2/4] configure logrotate through soc

---
 salt/common/cron/common-rotate | 2 -
 salt/common/cron/sensor-rotate | 2 -
 salt/common/files/log-rotate.conf | 35 --
 salt/common/files/sensor-rotate.conf | 22 --
 salt/common/init.sls | 48 ---
 salt/logrotate/defaults.yaml | 461 ++++++++++++------------
 salt/logrotate/etc/rotate.conf.jinja | 8 +
 salt/logrotate/etc/rotate.config.jinja | 0
 salt/logrotate/init.sls | 31 ++
 salt/logrotate/soc_logrotate.yaml | 29 ++
 salt/logrotate/tools/sbin/common-rotate | 2 +
 salt/top.sls | 1 +
 12 files changed, 300 insertions(+), 341 deletions(-)
 delete mode 100644 salt/common/cron/common-rotate
 delete mode 100644 salt/common/cron/sensor-rotate
 delete mode 100644 salt/common/files/log-rotate.conf
 delete mode 100644 salt/common/files/sensor-rotate.conf
 create mode 100644 salt/logrotate/etc/rotate.conf.jinja
 delete mode 100644 salt/logrotate/etc/rotate.config.jinja
 create mode 100644 salt/logrotate/init.sls
 create mode 100644 salt/logrotate/soc_logrotate.yaml
 create mode 100644 salt/logrotate/tools/sbin/common-rotate

diff --git a/salt/common/cron/common-rotate b/salt/common/cron/common-rotate
deleted file mode 100644
index 63b8e2b5d..000000000
--- a/salt/common/cron/common-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/cron/sensor-rotate b/salt/common/cron/sensor-rotate
deleted file mode 100644
index 94cebf75d..000000000
--- a/salt/common/cron/sensor-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
deleted file mode 100644
index a312f7870..000000000
--- a/salt/common/files/log-rotate.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
-{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
-
-
-/opt/so/log/idstools/*.log
-/opt/so/log/nginx/*.log
-/opt/so/log/soc/*.log
-/opt/so/log/kratos/*.log
-/opt/so/log/kibana/*.log
-/opt/so/log/influxdb/*.log
-/opt/so/log/elastalert/*.log
-/opt/so/log/soctopus/*.log
-/opt/so/log/curator/*.log
-/opt/so/log/fleet/*.log
-/opt/so/log/suricata/*.log
-/opt/so/log/mysql/*.log
-/opt/so/log/telegraf/*.log
-/opt/so/log/redis/*.log
-/opt/so/log/sensoroni/*.log
-/opt/so/log/stenographer/*.log
-/opt/so/log/salt/so-salt-minion-check
-/opt/so/log/salt/minion
-/opt/so/log/salt/master
-/nsm/idh/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
-}
-
-# Playbook's log directory needs additional configuration
-# because Playbook requires a more permissive directory
-/opt/so/log/playbook/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
- {{ group_conf | indent(width=4) }}
-}
diff --git a/salt/common/files/sensor-rotate.conf b/salt/common/files/sensor-rotate.conf
deleted file mode 100644
index cefd3944e..000000000
--- a/salt/common/files/sensor-rotate.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-/opt/so/log/sensor_clean.log
-{
- daily
- rotate 2
- missingok
- nocompress
- create
- sharedscripts
-}
-
-/nsm/strelka/log/strelka.log
-{
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
-}
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index c23e82543..d2dfef3be 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -151,56 +151,8 @@ so-sensor-clean:
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
-
-sensorrotatescript:
- file.managed:
- - name: /usr/local/bin/sensor-rotate
- - source: salt://common/cron/sensor-rotate
- - mode: 755
-
-sensorrotateconf:
- file.managed:
- - name: /opt/so/conf/sensor-rotate.conf
- - source: salt://common/files/sensor-rotate.conf
- - mode: 644
-
-sensor-rotate:
- cron.present:
- - name: /usr/local/bin/sensor-rotate
- - identifier: sensor-rotate
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
 {% endif %}

-commonlogrotatescript:
- file.managed:
- - name: /usr/local/bin/common-rotate
- - source: salt://common/cron/common-rotate
- - mode: 755
-
-commonlogrotateconf:
- file.managed:
- - name: /opt/so/conf/log-rotate.conf
- - source: salt://common/files/log-rotate.conf
- - template: jinja
- - mode: 644
-
-common-rotate:
- cron.present:
- - name: /usr/local/bin/common-rotate
- - identifier: common-rotate
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
 # Create the status directory
 sostatusdir:
 file.directory:
diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml
index 6d0fa7dc7..841094d84 100644
--- a/salt/logrotate/defaults.yaml
+++ b/salt/logrotate/defaults.yaml
@@ -1,233 +1,230 @@
 logrotate:
- common:
- config:
- /opt/so/log/idstools/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/nginx/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/soc/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/kratos/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/kibana/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/influxdb/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/elastalert/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/soctopus/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/curator/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/fleet/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/suricata/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/mysql/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/telegraf/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/redis/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/sensoroni/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/stenographer/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/salt/so-salt-minion-check:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/salt/minion:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/salt/master:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /nsm/idh/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/playbook/*.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- - su root socore
- /nsm/strelka/log/strelka.log:
- - daily
- - rotate 14
- - missingok
- - copytruncate
- - compress
- - create
- - extension .log
- - dateext
- - dateyesterday
- /opt/so/log/sensor_clean.log:
- - daily
- - rotate 2
- - missingok
- - nocompress
- - create
- - sharedscripts
-
- sensor:
+ config:
+ /opt/so/log/idstools/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/nginx/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soc/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kratos/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kibana/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/influxdb/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/elastalert/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soctopus/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/curator/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/fleet/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/suricata/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/mysql/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/telegraf/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/redis/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensoroni/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/stenographer/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/so-salt-minion-check:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/minion:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/master:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /nsm/idh/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/playbook/*.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ - su root socore
+ /nsm/strelka/log/strelka.log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensor_clean.log:
+ - daily
+ - rotate 2
+ - missingok
+ - nocompress
+ - create
+ - sharedscripts
diff --git a/salt/logrotate/etc/rotate.conf.jinja b/salt/logrotate/etc/rotate.conf.jinja
new file mode 100644
index 000000000..60852af38
--- /dev/null
+++ b/salt/logrotate/etc/rotate.conf.jinja
@@ -0,0 +1,8 @@
+{%- for file, opts in CONFIG.items() %}
+{{ file }}
+{
+{%- for opt in opts %}
+ {{ opt }}
+{%- endfor %}
+}
+{%- endfor %}
diff --git a/salt/logrotate/etc/rotate.config.jinja b/salt/logrotate/etc/rotate.config.jinja
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/logrotate/init.sls b/salt/logrotate/init.sls
new file mode 100644
index 000000000..1b096f9db
--- /dev/null
+++ b/salt/logrotate/init.sls
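Review bot: Every entry of `CONFIG` is written verbatim into the file that the `common-rotate` cron job then feeds to `/usr/sbin/logrotate -f` as root, and with this series `CONFIG` comes from the `logrotate` pillar that `soc_logrotate.yaml` exposes as editable settings (`forcedType: "[]string"`, later also `global: True`), so the template is the point where UI-supplied text becomes a root-executed configuration; neither the template nor `init.sls` validates the directives. The same trust boundary applies to the `soc_logrotate.yaml` hunks in this and the next patch, whose `description` does not mention it. At minimum document it here, e.g. `{# CONFIG is UI-editable pillar data; each option is emitted unvalidated into a config that logrotate runs as root, so any allowlisting of directives must happen before it reaches this template #}`, and say the same in the `description` field of the settings. Whether an allowlist of accepted directives is wanted is a product decision I cannot settle from the diff.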
@@ -0,0 +1,31 @@
+{% from 'logrotate/map.jinja' import LOGROTATEMERGED %}
+
+logrotateconfdir:
+ file.directory:
+ - name: /opt/so/conf/logrotate
+
+commonlogrotatescript:
+ file.managed:
+ - name: /usr/local/bin/common-rotate
+ - source: salt://logrotate/tools/sbin/common-rotate
+ - mode: 755
+
+commonlogrotateconf:
+ file.managed:
+ - name: /opt/so/conf/logrotate/common-rotate.conf
+ - source: salt://logrotate/etc/rotate.conf.jinja
+ - template: jinja
+ - mode: 644
+ - defaults:
+ CONFIG: {{ LOGROTATEMERGED.config }}
+
+common-rotate:
+ cron.present:
+ - name: /usr/local/bin/common-rotate
+ - identifier: common-rotate
+ - user: root
+ - minute: '1'
+ - hour: '0'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml
new file mode 100644
index 000000000..a300ec38e
--- /dev/null
+++ b/salt/logrotate/soc_logrotate.yaml
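Review bot: `CONFIG: {{ LOGROTATEMERGED.config }}` injects the merged dict into the SLS through its Python repr and relies on the YAML loader reading that repr back; it works for the default values, but once the option lists are user-editable a string with characters that Python and YAML quote differently can make the rendered state fail to parse. Passing the dict through Salt's `yaml` (or `json`) filter, `CONFIG: {{ LOGROTATEMERGED.config | yaml }}`, produces a serialization that is guaranteed to round-trip. The `mode: 644` on `commonlogrotateconf` is fine for a non-secret config, but it may be worth a one-line comment that the file is read by root only and is world-readable on purpose.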
@@ -0,0 +1,29 @@
+logrotate:
+ config:
+ /opt/so/log/idstools/*.log: &rotateopts
+ description: List of logrotate options for this file.
+ advanced: True
+ multiline: True
+ forcedType: "[]string"
+ /opt/so/log/nginx/*.log: *rotateopts
+ /opt/so/log/soc/*.log: *rotateopts
+ /opt/so/log/kratos/*.log: *rotateopts
+ /opt/so/log/kibana/*.log: *rotateopts
+ /opt/so/log/influxdb/*.log: *rotateopts
+ /opt/so/log/elastalert/*.log: *rotateopts
+ /opt/so/log/soctopus/*.log: *rotateopts
+ /opt/so/log/curator/*.log: *rotateopts
+ /opt/so/log/fleet/*.log: *rotateopts
+ /opt/so/log/suricata/*.log: *rotateopts
+ /opt/so/log/mysql/*.log: *rotateopts
+ /opt/so/log/telegraf/*.log: *rotateopts
+ /opt/so/log/redis/*.log: *rotateopts
+ /opt/so/log/sensoroni/*.log: *rotateopts
+ /opt/so/log/stenographer/*.log: *rotateopts
+ /opt/so/log/salt/so-salt-minion-check: *rotateopts
+ /opt/so/log/salt/minion: *rotateopts
+ /opt/so/log/salt/master: *rotateopts
+ /nsm/idh/*.log: *rotateopts
+ /opt/so/log/playbook/*.log: *rotateopts
+ /nsm/strelka/log/strelka.log: *rotateopts
+ /opt/so/log/sensor_clean.log: *rotateopts
diff --git a/salt/logrotate/tools/sbin/common-rotate b/salt/logrotate/tools/sbin/common-rotate
new file mode 100644
index 000000000..14c3536da
--- /dev/null
+++ b/salt/logrotate/tools/sbin/common-rotate
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>&1
diff --git a/salt/top.sls b/salt/top.sls
index e53791673..e53895324 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -14,6 +14,7 @@ base:
 - repo.client
 - ntp
 - schedule
+ - logrotate
 'not G@saltversion:{{saltversion}}':
 - match: compound

From 7319d7ae9b7b53bde64c6c01eb79dcb2beb2cea6 Mon Sep 17 00:00:00 2001
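Review bot: The new `common-rotate` script discards both stdout and stderr with `> /dev/null 2>&1`, so a rotation that fails, including one caused by a malformed user-supplied option in the generated config, leaves no trace on the host; this carries over the behavior of the deleted `salt/common/cron/common-rotate`, but now that the config is UI-editable a silent failure is more likely. Keep stderr somewhere a defender can see it, e.g. `/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>> <LOGROTATE_ERROR_LOG>` with the path chosen to match the project's log layout, or hand it to `logger`. Since the config is now generated per node, a comment noting that `-f` forces rotation on every run regardless of the `daily` directive would also help the next maintainer.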
From: m0duspwnens
Date: Fri, 30 Jun 2023 14:18:20 -0400
Subject: [PATCH 3/4] replace . with _x_

---
 pillar/logrotate/init.sls | 13 --
 salt/logrotate/defaults.yaml | 40 +++---
 salt/logrotate/etc/rotate.conf.jinja | 2 +-
 salt/logrotate/soc_logrotate.yaml | 180 +++++++++++++++++++++++----
 4 files changed, 178 insertions(+), 57 deletions(-)
 delete mode 100644 pillar/logrotate/init.sls

diff --git a/pillar/logrotate/init.sls b/pillar/logrotate/init.sls
deleted file mode 100644
index f8a54f442..000000000
--- a/pillar/logrotate/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-logrotate:
- conf: |
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
- group_conf: |
- su root socore
\ No newline at end of file
diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml
index 841094d84..68095fcbd 100644
--- a/salt/logrotate/defaults.yaml
+++ b/salt/logrotate/defaults.yaml
@@ -1,6 +1,6 @@
 logrotate:
 config:
- /opt/so/log/idstools/*.log:
+ /opt/so/log/idstools/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -10,7 +10,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/nginx/*.log:
+ /opt/so/log/nginx/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -20,7 +20,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/soc/*.log:
+ /opt/so/log/soc/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -30,7 +30,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/kratos/*.log:
+ /opt/so/log/kratos/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -40,7 +40,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/kibana/*.log:
+ /opt/so/log/kibana/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -50,7 +50,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/influxdb/*.log:
+ /opt/so/log/influxdb/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -60,7 +60,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/elastalert/*.log:
+ /opt/so/log/elastalert/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -70,7 +70,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/soctopus/*.log:
+ /opt/so/log/soctopus/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -80,7 +80,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/curator/*.log:
+ /opt/so/log/curator/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -90,7 +90,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/fleet/*.log:
+ /opt/so/log/fleet/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -100,7 +100,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/suricata/*.log:
+ /opt/so/log/suricata/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -110,7 +110,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/mysql/*.log:
+ /opt/so/log/mysql/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -120,7 +120,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/telegraf/*.log:
+ /opt/so/log/telegraf/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -130,7 +130,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/redis/*.log:
+ /opt/so/log/redis/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -140,7 +140,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/sensoroni/*.log:
+ /opt/so/log/sensoroni/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -150,7 +150,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/stenographer/*.log:
+ /opt/so/log/stenographer/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -190,7 +190,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /nsm/idh/*.log:
+ /nsm/idh/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -200,7 +200,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/playbook/*.log:
+ /opt/so/log/playbook/*_x_log:
 - daily
 - rotate 14
 - missingok
@@ -211,7 +211,7 @@ logrotate:
 - dateext
 - dateyesterday
 - su root socore
- /nsm/strelka/log/strelka.log:
+ /nsm/strelka/log/strelka_x_log:
 - daily
 - rotate 14
 - missingok
@@ -221,7 +221,7 @@ logrotate:
 - extension .log
 - dateext
 - dateyesterday
- /opt/so/log/sensor_clean.log:
+ /opt/so/log/sensor_clean_x_log:
 - daily
 - rotate 2
 - missingok
diff --git a/salt/logrotate/etc/rotate.conf.jinja b/salt/logrotate/etc/rotate.conf.jinja
index 60852af38..2822019e9 100644
--- a/salt/logrotate/etc/rotate.conf.jinja
+++ b/salt/logrotate/etc/rotate.conf.jinja
@@ -1,5 +1,5 @@
 {%- for file, opts in CONFIG.items() %}
-{{ file }}
+{{ file | replace("_x_", ".")}}
 {
 {%- for opt in opts %}
 {{ opt }}
diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml
index a300ec38e..5b9fd720f 100644
--- a/salt/logrotate/soc_logrotate.yaml
+++ b/salt/logrotate/soc_logrotate.yaml
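Review bot: The `_x_` to `.` substitution in `rotate.conf.jinja` is an encoding convention that only makes sense together with the renamed keys in `defaults.yaml` and `soc_logrotate.yaml`, yet nothing in the template records it, and `replace` rewrites every occurrence, so a future path that legitimately contains `_x_` cannot be expressed. A comment on the substituted line, `{# setting keys cannot contain '.', so '_x_' in a CONFIG key stands for '.' in the real path; every occurrence is replaced #}`, makes the coupling explicit for whoever adds the next log path. The commit message "replace . with _x_" does not survive into the file, so the comment is the only place the convention will be visible.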
@@ -1,29 +1,163 @@
 logrotate:
 config:
- /opt/so/log/idstools/*.log: &rotateopts
+ "/opt/so/log/idstools/*_x_log":
 description: List of logrotate options for this file.
+ title: /opt/so/log/idstools/*.log
 advanced: True
 multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/nginx/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/nginx/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/soc/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/soc/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/kratos/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/kratos/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/kibana/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/kibana/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/influxdb/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/influxdb/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/elastalert/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/elastalert/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/soctopus/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/soctopus/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/curator/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/curator/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/fleet/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/fleet/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/suricata/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/suricata/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/mysql/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/mysql/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/telegraf/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/telegraf/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/redis/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/redis/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/sensoroni/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/sensoroni/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/stenographer/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/stenographer/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/so-salt-minion-check":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/so-salt-minion-check
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/minion":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/minion
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/master":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/master
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/nsm/idh/*_x_log":
+ description: List of logrotate options for this file.
+ title: /nsm/idh/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/playbook/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/playbook/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/nsm/strelka/log/strelka_x_log":
+ description: List of logrotate options for this file.
+ title: /nsm/strelka/log/strelka.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/sensor_clean_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/sensor_clean.log
+ advanced: True
+ multiline: True
+ global: True
 forcedType: "[]string"
- /opt/so/log/nginx/*.log: *rotateopts
- /opt/so/log/soc/*.log: *rotateopts
- /opt/so/log/kratos/*.log: *rotateopts
- /opt/so/log/kibana/*.log: *rotateopts
- /opt/so/log/influxdb/*.log: *rotateopts
- /opt/so/log/elastalert/*.log: *rotateopts
- /opt/so/log/soctopus/*.log: *rotateopts
- /opt/so/log/curator/*.log: *rotateopts
- /opt/so/log/fleet/*.log: *rotateopts
- /opt/so/log/suricata/*.log: *rotateopts
- /opt/so/log/mysql/*.log: *rotateopts
- /opt/so/log/telegraf/*.log: *rotateopts
- /opt/so/log/redis/*.log: *rotateopts
- /opt/so/log/sensoroni/*.log: *rotateopts
- /opt/so/log/stenographer/*.log: *rotateopts
- /opt/so/log/salt/so-salt-minion-check: *rotateopts
- /opt/so/log/salt/minion: *rotateopts
- /opt/so/log/salt/master: *rotateopts
- /nsm/idh/*.log: *rotateopts
- /opt/so/log/playbook/*.log: *rotateopts
- /nsm/strelka/log/strelka.log: *rotateopts
- /opt/so/log/sensor_clean.log: *rotateopts

From 35945ed224daab52a3af0e1edcf2aeda9903e124 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 30 Jun 2023 14:43:00 -0400
Subject: [PATCH 4/4] create local logrotate pillar dir

---
 setup/so-functions | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 814165fbb..077800fe3 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1341,8 +1341,9 @@ kibana_pillar() {
 }

 logrotate_pillar() {
- touch $adv_logrotate_pillar_file
- touch $logrotate_pillar_file
+ logCmd "mkdir -p $local_salt_dir/pillar/logrotate"
+ logCmd "touch $adv_logrotate_pillar_file"
+ logCmd "touch $logrotate_pillar_file"
 }

 patch_pillar() {
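Review bot: `logCmd "mkdir -p $local_salt_dir/pillar/logrotate"` expands `$local_salt_dir` before `logCmd` ever sees the string, so if that variable is empty the command silently becomes `mkdir -p /pillar/logrotate` and the two `touch` lines that follow create files wherever their own variables point; neither the definition of `local_salt_dir` nor the two pillar-file variables are in this hunk, so whether they can be unset at this point cannot be confirmed here. Guarding the function with `[ -n "$local_salt_dir" ] || return 1` (or whatever error convention the rest of so-functions uses) would make the failure visible instead of creating a stray directory under `/`. If `logCmd` re-splits its argument through `eval` or `bash -c`, the inner paths should also carry their own escaped quotes; I could not verify that from the diff.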