Merge pull request #7206 from Security-Onion-Solutions/feature/template-reorg

Re-organize Elasticsearch Index Templates
2025-12-06 17:22:49 +01:00 · 2022-02-15 16:50:14 -05:00
parent 1fee5e6a60 4fa3749418
commit 9e222b1464
8 changed files with 3776 additions and 58 deletions
--- a/pillar/elasticsearch/eval.sls
+++ b/pillar/elasticsearch/eval.sls
@@ -1,14 +1,2 @@
 elasticsearch:
  templates:
-    - so/so-beats-template.json.jinja
-    - so/so-case-template.json.jinja
-    - so/so-common-template.json.jinja
-    - so/so-firewall-template.json.jinja
-    - so/so-flow-template.json.jinja
-    - so/so-ids-template.json.jinja
-    - so/so-import-template.json.jinja
-    - so/so-osquery-template.json.jinja
-    - so/so-ossec-template.json.jinja
-    - so/so-strelka-template.json.jinja
-    - so/so-syslog-template.json.jinja
-    - so/so-zeek-template.json.jinja
--- a/pillar/elasticsearch/manager.sls
+++ b/pillar/elasticsearch/manager.sls
@@ -1,15 +1,2 @@
 elasticsearch:
  templates:
-    - so/so-beats-template.json.jinja
-    - so/so-case-template.json.jinja
-    - so/so-common-template.json.jinja
-    - so/so-endgame-template.json.jinja
-    - so/so-firewall-template.json.jinja
-    - so/so-flow-template.json.jinja
-    - so/so-ids-template.json.jinja
-    - so/so-import-template.json.jinja
-    - so/so-osquery-template.json.jinja
-    - so/so-ossec-template.json.jinja
-    - so/so-strelka-template.json.jinja
-    - so/so-syslog-template.json.jinja
-    - so/so-zeek-template.json.jinja
--- a/pillar/elasticsearch/search.sls
+++ b/pillar/elasticsearch/search.sls
@@ -1,15 +1,2 @@
 elasticsearch:
  templates:
-    - so/so-beats-template.json.jinja
-    - so/so-case-template.json.jinja
-    - so/so-common-template.json.jinja
-    - so/so-endgame-template.json.jinja
-    - so/so-firewall-template.json.jinja
-    - so/so-flow-template.json.jinja
-    - so/so-ids-template.json.jinja
-    - so/so-import-template.json.jinja
-    - so/so-osquery-template.json.jinja
-    - so/so-ossec-template.json.jinja
-    - so/so-strelka-template.json.jinja
-    - so/so-syslog-template.json.jinja
-    - so/so-zeek-template.json.jinja
--- a/salt/elasticsearch/base-template.json.jinja
+++ b/salt/elasticsearch/base-template.json.jinja
@@ -0,0 +1 @@
+{{ TEMPLATE_CONFIG | tojson(true) }}
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -41,7 +41,7 @@ include:
 {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
 {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %}
-
+{% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %}

 vm.max_map_count:
  sysctl.present:
@@ -152,8 +152,6 @@ estemplatedir:
    - group: 939
    - makedirs: True

-
-
 esrolesdir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/roles
@@ -198,7 +196,26 @@ esyml:
        ESCONFIG: {{ ESCONFIG }}
    - template: jinja

-#sync templates to /opt/so/conf/elasticsearch/templates
+escomponenttemplates:
+  file.recurse:
+    - name: /opt/so/conf/elasticsearch/templates/component
+    - source: salt://elasticsearch/templates/component
+    - user: 930
+    - group: 939
+
+# Auto-generate templates from defaults file
+{% for index, settings in ES_INDEX_SETTINGS.items() %}
+es_index_template_{{index}}:
+  file.managed:
+    - name: /opt/so/conf/elasticsearch/templates/index/{{ index }}-template.json
+    - source: salt://elasticsearch/base-template.json.jinja
+    - defaults:
+      TEMPLATE_CONFIG: {{ settings.index_template }}
+    - template: jinja
+{% endfor %}
+
+{% if TEMPLATES %}
+# Sync custom templates to /opt/so/conf/elasticsearch/templates
 {% for TEMPLATE in TEMPLATES %}
 es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
  file.managed:
@@ -212,13 +229,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
    - user: 930
    - group: 939
 {% endfor %}
-
-escomponenttemplates:
-  file.recurse:
-    - name: /opt/so/conf/elasticsearch/templates/component
-    - source: salt://elasticsearch/templates/component
-    - user: 930
-    - group: 939
+{% endif %}

 esroles:
  file.recurse:
@@ -380,7 +391,6 @@ so-elasticsearch-pipelines:
      - docker_container: so-elasticsearch
      - file: so-elasticsearch-pipelines-script

-{% if TEMPLATES %}
 so-elasticsearch-templates:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-templates-load
@@ -389,7 +399,6 @@ so-elasticsearch-templates:
    - require:
      - docker_container: so-elasticsearch
      - file: es_sync_scripts
-{% endif %}

 so-elasticsearch-roles-load:
  cmd.run:
--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -0,0 +1,7 @@
+{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
+{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
+{% for index, settings in ES_INDEX_SETTINGS.items() %}
+  {% if settings.index_sorting, False %}
+    {% do settings.index_template.template.settings.index.pop('sort') %}
+  {% endif %}
+{% endfor %}
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -199,9 +199,6 @@ so-logstash:
    {% for CONFIGFILE in PIPELINES[PL].config %}
      - file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
    {% endfor %}
-  {% endfor %}
-  {% for TEMPLATE in TEMPLATES %}
-      - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
  {% endfor %}
    - require:
  {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}