From a0ce46e7029f2c9662a7fe69086bcc52e7fb82ef Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 May 2023 11:16:03 -0400 Subject: [PATCH] enable/disable logstash in ui --- salt/allowed_states.map.jinja | 3 +- salt/logstash/config.sls | 153 ++++++++++++++++++++ salt/logstash/defaults.yaml | 1 + salt/logstash/disabled.sls | 27 ++++ salt/logstash/enabled.sls | 100 +++++++++++++ salt/logstash/init.sls | 232 +----------------------------- salt/logstash/map.jinja | 5 + salt/logstash/soc_logstash.yaml | 3 + salt/logstash/sostatus.sls | 21 +++ salt/manager/tools/sbin/so-minion | 8 +- salt/top.sls | 13 -- 11 files changed, 320 insertions(+), 246 deletions(-) create mode 100644 salt/logstash/config.sls create mode 100644 salt/logstash/disabled.sls create mode 100644 salt/logstash/enabled.sls create mode 100644 salt/logstash/sostatus.sls diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index a932692cf..1165a80f8 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -3,7 +3,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} {% set CURATOR = salt['pillar.get']('curator:enabled', True) %} {% set REDIS = salt['pillar.get']('redis:enabled', True) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} @@ -252,7 +251,7 @@ {% do allowed_states.append('redis') %} {% endif %} - {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} + {% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} {% do allowed_states.append('logstash') %} {% endif %} diff --git a/salt/logstash/config.sls b/salt/logstash/config.sls new file mode 100644 index 000000000..6ff33ff1a --- /dev/null +++ b/salt/logstash/config.sls 
@@ -0,0 +1,153 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'logstash/map.jinja' import LOGSTASH_MERGED %} +{% set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} + +include: + - ssl + {% if GLOBALS.role not in ['so-receiver','so-fleet'] %} + - elasticsearch + {% endif %} + +# Create the logstash group +logstashgroup: + group.present: + - name: logstash + - gid: 931 + +# Add the logstash user for the jog4j settings +logstash: + user.present: + - uid: 931 + - gid: 931 + - home: /opt/so/conf/logstash + +lslibdir: + file.absent: + - name: /opt/so/conf/logstash/lib + +logstash_sbin: + file.recurse: + - name: /usr/sbin + - source: salt://logstash/tools/sbin + - user: 931 + - group: 939 + - file_mode: 755 + +#logstash_sbin_jinja: +# file.recurse: +# - name: /usr/sbin +# - source: salt://logstash/tools/sbin_jinja +# - user: 931 +# - group: 939 +# - file_mode: 755 +# - template: jinja + +lsetcdir: + file.directory: + - name: /opt/so/conf/logstash/etc + - user: 931 + - group: 939 + - makedirs: True + +lspipelinedir: + file.directory: + - name: /opt/so/conf/logstash/pipelines + - user: 931 + - group: 939 + +{% for assigned_pipeline in ASSIGNED_PIPELINES %} + {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} +ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}: + file.managed: + - source: salt://logstash/pipelines/config/{{CONFIGFILE}} + {% if 'jinja' in CONFIGFILE.split('.')[-1] %} + - name: 
/opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1] | replace(".jinja", "")}} + - template: jinja + - defaults: + GLOBALS: {{ GLOBALS }} + ES_USER: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}" + ES_PASS: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}" + THREADS: {{ LOGSTASH_MERGED.config.pipeline_x_workers }} + BATCH: {{ LOGSTASH_MERGED.config.pipeline_x_batch_x_size }} + {% else %} + - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1]}} + {% endif %} + - user: 931 + - group: 939 + - mode: 660 + - makedirs: True + - show_changes: False + {% endfor %} + +ls_pipeline_{{assigned_pipeline}}: + file.directory: + - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}} + - user: 931 + - group: 939 + - require: + {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} + - file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} + {% endfor %} + - clean: True +{% endfor %} + +# Copy down all the configs +lspipelinesyml: + file.managed: + - name: /opt/so/conf/logstash/etc/pipelines.yml + - source: salt://logstash/etc/pipelines.yml.jinja + - template: jinja + - defaults: + ASSIGNED_PIPELINES: {{ ASSIGNED_PIPELINES }} + +lsetcsync: + file.recurse: + - name: /opt/so/conf/logstash/etc + - source: salt://logstash/etc + - user: 931 + - group: 939 + - template: jinja + - clean: True + - exclude_pat: pipelines* + - defaults: + LOGSTASH_MERGED: {{ LOGSTASH_MERGED }} + +# Create the import directory +importdir: + file.directory: + - name: /nsm/import + - user: 931 + - group: 939 + - makedirs: True + +# Create the logstash data directory +nsmlsdir: + file.directory: + - name: /nsm/logstash/tmp + - user: 931 + - group: 939 + - makedirs: True + +# Create the log directory +lslogdir: + file.directory: + - name: /opt/so/log/logstash + - user: 931 + - group: 939 + - makedirs: True + +{% else %} + 
+{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/logstash/defaults.yaml b/salt/logstash/defaults.yaml index d253a6b51..b29f3277e 100644 --- a/salt/logstash/defaults.yaml +++ b/salt/logstash/defaults.yaml @@ -1,4 +1,5 @@ logstash: + enabled: False assigned_pipelines: roles: standalone: diff --git a/salt/logstash/disabled.sls b/salt/logstash/disabled.sls new file mode 100644 index 000000000..76901b60a --- /dev/null +++ b/salt/logstash/disabled.sls @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +include: + - logstash.sostatus + +so-logstash: + docker_container.absent: + - force: True + +so-logstash_so-status.disabled: + file.comment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-logstash$ + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls new file mode 100644 index 000000000..2f5a46323 --- /dev/null +++ b/salt/logstash/enabled.sls 
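Review bot: config.sls has no header describing its place in the new enabled/disabled split; the only hint that it is not meant to be applied on its own is the `logstash.config` include in enabled.sls. A short comment under the license block would help, e.g. `# Logstash prerequisites: user/group, directories, pipeline configs and etc sync. Included by logstash.enabled; the container itself is managed in enabled.sls.` The `ES_USER`/`ES_PASS` defaults are rendered into the pipeline files with `show_changes: False`, which keeps them out of state output; the `lsetcsync` recurse that templates `salt://logstash/etc` with `LOGSTASH_MERGED` has no such setting, which is only fine if none of those templates render credentials (cannot be told from this diff).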
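Review bot: `enabled: False` flips the default that `salt['pillar.get']('logstash:enabled', True)` used to supply in allowed_states.map.jinja and top.sls, so a minion whose logstash pillar predates this change and lacks the key will render `LOGSTASH_MERGED.enabled` as False and take the disabled path, which removes its running container on the next highstate. so-minion writes `enabled: True` only for minions created after this patch. Unless an upgrade step outside this diff adds the key to existing pillars, consider keeping the old default here or at least documenting the migration, e.g. `enabled: False  # so-minion sets True at minion creation; pillars created before this key existed must be migrated`.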
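Review bot: `so-logstash_so-status.disabled` comments out the `so-logstash` line that the included `logstash.sostatus` appends, but nothing in this file orders the two states; Salt's default ordering probably runs the included state first, yet the dependency is implicit. Make it explicit with `- require:` / `  - file: append_so-logstash_so-status.conf` under `file.comment`. The same applies to `delete_so-logstash_so-status.disabled` (`file.uncomment`) in enabled.sls, which also relies on the appended line already being present.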
@@ -0,0 +1,100 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'logstash/map.jinja' import LOGSTASH_MERGED %} +{% from 'logstash/map.jinja' import REDIS_NODES %} +{% set lsheap = LOGSTASH_MERGED.settings.lsheap %} + +include: + - logstash.config + - logstash.sostatus + +so-logstash: + docker_container.running: + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} + - hostname: so-logstash + - name: so-logstash + - networks: + - sobridge: + - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} + - user: logstash + - extra_hosts: {{ REDIS_NODES }} + - environment: + - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} + - port_bindings: + {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} + - {{ BINDING }} + {% endfor %} + - binds: + - /opt/so/conf/elasticsearch/templates/:/templates/:ro + - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro + - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro + - /opt/so/rules:/etc/nsm/rules:ro + - /nsm/import:/nsm/import:ro + - /nsm/logstash:/usr/share/logstash/data:rw + - /opt/so/log/logstash:/var/log/logstash:rw + - /sys/fs/cgroup:/sys/fs/cgroup:ro + - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} + - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro + - 
/etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro + {% endif %} + {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-eval','so-fleet'] %} + - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro + - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro + {% endif %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} + - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro + {% else %} + - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro + {% endif %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} + - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro + - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro + {% endif %} + {% if GLOBALS.role == 'so-eval' %} + - /nsm/zeek:/nsm/zeek:ro + - /nsm/suricata:/suricata:ro + - /opt/so/log/fleet/:/osquery/logs:ro + - /opt/so/log/strelka:/strelka:ro + {% endif %} + - watch: + - file: lsetcsync + {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} + - file: ls_pipeline_{{assigned_pipeline}} + {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} + - file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} + {% endfor %} + {% endfor %} + - require: + {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} + - x509: etc_filebeat_crt + {% endif %} + {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} + - x509: pki_public_ca_crt + {% else %} + - x509: trusttheca + {% endif %} + {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 
'so-import'] %} + - file: cacertz + - file: capemz + {% endif %} + +delete_so-logstash_so-status.disabled: + file.uncomment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-logstash$ + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 7072ed46d..62b2a2ebb 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
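Review bot: The role checks inside `so-logstash` mix `GLOBALS.role` for the binds with `grains['role']` and `grains.role` for the requires, and several branches test roles (`so-helix`, `so-eval`, `so-import`, `so-fleet`) that the logstash entry in allowed_states.map.jinja does not list, so those binds look unreachable here; this is carried over from the old init.sls rather than new, but this file is where it now lives. `so-helix` next to allowed_states' `so-helixsensor` may be a stale name, worth confirming. Using `GLOBALS.role` throughout would keep the two lists easier to compare, e.g. `{% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}` for the `etc_filebeat_crt` require.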
@@ -3,237 +3,11 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from 'logstash/map.jinja' import REDIS_NODES %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} -# Logstash Section - Decide which pillar to use -{% set lsheap = LOGSTASH_MERGED.settings.lsheap %} -{% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} - {% set nodetype = GLOBALS.role %} -{% endif %} - -{% set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} -{% set DOCKER_OPTIONS = LOGSTASH_MERGED.docker_options %} - include: - - ssl - {% if GLOBALS.role not in ['so-receiver','so-fleet'] %} - - elasticsearch - {% endif %} - -# Create the logstash group -logstashgroup: - group.present: - - name: logstash - - gid: 931 - -# Add the logstash user for the jog4j settings -logstash: - user.present: - - uid: 931 - - gid: 931 - - home: /opt/so/conf/logstash - -lslibdir: - file.absent: - - name: /opt/so/conf/logstash/lib - -logstash_sbin: - file.recurse: - - name: /usr/sbin - - source: salt://logstash/tools/sbin - - user: 931 - - group: 939 - - file_mode: 755 - -#logstash_sbin_jinja: -# file.recurse: -# - name: /usr/sbin -# - source: salt://logstash/tools/sbin_jinja -# - user: 931 -# - group: 939 -# - file_mode: 755 -# - template: jinja - -lsetcdir: - file.directory: - - name: /opt/so/conf/logstash/etc - - user: 931 - - group: 939 - - makedirs: True - -lspipelinedir: - file.directory: - - name: /opt/so/conf/logstash/pipelines - - user: 931 - - group: 939 - -{% for assigned_pipeline in ASSIGNED_PIPELINES %} - {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} -ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | 
replace("/","_") }}: - file.managed: - - source: salt://logstash/pipelines/config/{{CONFIGFILE}} - {% if 'jinja' in CONFIGFILE.split('.')[-1] %} - - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1] | replace(".jinja", "")}} - - template: jinja - - defaults: - GLOBALS: {{ GLOBALS }} - ES_USER: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}" - ES_PASS: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}" - THREADS: {{ LOGSTASH_MERGED.config.pipeline_x_workers }} - BATCH: {{ LOGSTASH_MERGED.config.pipeline_x_batch_x_size }} - {% else %} - - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}}/{{CONFIGFILE.split('/')[1]}} - {% endif %} - - user: 931 - - group: 939 - - mode: 660 - - makedirs: True - - show_changes: False - {% endfor %} - -ls_pipeline_{{assigned_pipeline}}: - file.directory: - - name: /opt/so/conf/logstash/pipelines/{{assigned_pipeline}} - - user: 931 - - group: 939 - - require: - {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} - - file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} - {% endfor %} - - clean: True -{% endfor %} - -# Copy down all the configs -lspipelinesyml: - file.managed: - - name: /opt/so/conf/logstash/etc/pipelines.yml - - source: salt://logstash/etc/pipelines.yml.jinja - - template: jinja - - defaults: - ASSIGNED_PIPELINES: {{ ASSIGNED_PIPELINES }} - -lsetcsync: - file.recurse: - - name: /opt/so/conf/logstash/etc - - source: salt://logstash/etc - - user: 931 - - group: 939 - - template: jinja - - clean: True - - exclude_pat: pipelines* - - defaults: - LOGSTASH_MERGED: {{ LOGSTASH_MERGED }} - -# Create the import directory -importdir: - file.directory: - - name: /nsm/import - - user: 931 - - group: 939 - - makedirs: True - -# Create the logstash data directory -nsmlsdir: - file.directory: - - name: /nsm/logstash/tmp - - user: 931 - - group: 939 - - makedirs: True - -# 
Create the log directory -lslogdir: - file.directory: - - name: /opt/so/log/logstash - - user: 931 - - group: 939 - - makedirs: True - -so-logstash: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - - hostname: so-logstash - - name: so-logstash - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - - user: logstash - - extra_hosts: {{ REDIS_NODES }} - - environment: - - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - - port_bindings: - {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} - - {{ BINDING }} - {% endfor %} - - binds: - - /opt/so/conf/elasticsearch/templates/:/templates/:ro - - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro - - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro - - /opt/so/rules:/etc/nsm/rules:ro - - /nsm/import:/nsm/import:ro - - /nsm/logstash:/usr/share/logstash/data:rw - - /opt/so/log/logstash:/var/log/logstash:rw - - /sys/fs/cgroup:/sys/fs/cgroup:ro - - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro - {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} - - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro - {% endif %} - {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-eval','so-fleet'] %} - - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro - - /opt/so/conf/elastic-fleet/certs/elasticfleet-logstash.p8:/usr/share/logstash/elasticfleet-logstash.key:ro - {% endif %} - {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro - {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro - {% endif %} - {% if 
GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro - {% endif %} - {%- if GLOBALS.role == 'so-eval' %} - - /nsm/zeek:/nsm/zeek:ro - - /nsm/suricata:/suricata:ro - - /opt/so/log/fleet/:/osquery/logs:ro - - /opt/so/log/strelka:/strelka:ro - {%- endif %} - - watch: - - file: lsetcsync - {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} - - file: ls_pipeline_{{assigned_pipeline}} - {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} - - file: ls_pipeline_{{assigned_pipeline}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} - {% endfor %} - {% endfor %} - - require: - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} - - x509: etc_filebeat_crt - {% endif %} - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - - x509: pki_public_ca_crt - {% else %} - - x509: trusttheca - {% endif %} - {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - - file: cacertz - - file: capemz - {% endif %} - -append_so-logstash_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-logstash - +{% if LOGSTASH_MERGED.enabled %} + - logstash.enabled {% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - + - logstash.disabled {% endif %} diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index c4ad5d96a..69e102e78 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja 
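Review bot: The new init.sls reduces to an include chosen by `{% if LOGSTASH_MERGED.enabled %}` with no comment explaining the layout that replaced the 230 removed lines. A one-line header would orient the reader, e.g. `# logstash:enabled (SOC-managed, default in defaults.yaml) selects enabled.sls, which includes logstash.config and runs the container, or disabled.sls, which removes it.` Note that this is a Jinja truthiness test, so a non-boolean pillar value such as the string `"False"` would take the enabled branch; whether the SOC UI can write such a value cannot be told from this patch.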
@@ -1,3 +1,8 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + {% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'logstash/defaults.yaml' as LOGSTASH_DEFAULTS %} {% set LOGSTASH_MERGED = salt['pillar.get']('logstash', LOGSTASH_DEFAULTS.logstash, merge=True) %} diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml index e41ff000f..cbb1eef8b 100644 --- a/salt/logstash/soc_logstash.yaml +++ b/salt/logstash/soc_logstash.yaml @@ -1,4 +1,7 @@ logstash: + enabled: + description: You can enable or disable Logstash. + helpLink: logstash.html assigned_pipelines: roles: standalone: &assigned_pipelines diff --git a/salt/logstash/sostatus.sls b/salt/logstash/sostatus.sls new file mode 100644 index 000000000..e42e5ebe0 --- /dev/null +++ b/salt/logstash/sostatus.sls @@ -0,0 +1,21 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} + +append_so-logstash_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-logstash + - unless: grep -q so-logstash /opt/so/conf/so-status/so-status.conf + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index bb657d29d..a7fd3a19d 100755 --- a/salt/manager/tools/sbin/so-minion 
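Review bot: The `unless: grep -q so-logstash ...` guard on `append_so-logstash_so-status.conf` in sostatus.sls is an unanchored substring match, so any line containing `so-logstash` suppresses the append; that is what makes it skip the `#so-logstash` line left by disabled.sls's `file.comment`, but it would equally be satisfied by an unrelated entry containing that substring. Anchoring it to the two forms you expect keeps the intent explicit: `- unless: grep -qE '^#?so-logstash$' /opt/so/conf/so-status/so-status.conf`, with a comment such as `# skip if already present, including the commented form left by logstash.disabled`.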
+++ b/salt/manager/tools/sbin/so-minion @@ -165,6 +165,7 @@ function add_logstash_to_minion() { # Create the logstash advanced pillar printf '%s\n'\ "logstash:"\ + " enabled: True"\ " config:"\ " pipeline_x_workers: $CPUCORES"\ " settings:"\ @@ -241,6 +242,7 @@ function add_kibana_to_minion() { " " >> $PILLARFILE } + function create_fleet_policy() { JSON_STRING=$( jq -n \ @@ -286,7 +288,6 @@ function apply_ES_state() { } function createEVAL() { add_elasticsearch_to_minion - add_logstash_to_minion add_sensor_to_minion add_elastalert_to_minion add_kibana_to_minion @@ -319,7 +320,6 @@ function createMANAGERSEARCH() { function createIMPORT() { add_elasticsearch_to_minion - add_logstash_to_minion add_sensor_to_minion add_kibana_to_minion } @@ -353,6 +353,10 @@ function createSEARCHNODE() { apply_ES_state } +function createRECEIVER() { + add_logstash_to_minion +} + function testConnection() { retry 15 3 "salt '$MINION_ID' test.ping" True diff --git a/salt/top.sls b/salt/top.sls index 6ebd0340d..95f599f04 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -3,7 +3,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} {% set REDIS = salt['pillar.get']('redis:enabled', True) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} @@ -111,9 +110,7 @@ base: - suricata.manager - mysql - elasticsearch - {%- if LOGSTASH %} - logstash - {%- endif %} {%- if REDIS %} - redis {%- endif %} @@ -147,9 +144,7 @@ base: - healthcheck - mysql - elasticsearch - {%- if LOGSTASH %} - logstash - {%- endif %} {%- if REDIS %} - redis {%- endif %} @@ -177,9 +172,7 @@ base: - telegraf - firewall - elasticsearch - {%- if LOGSTASH %} - logstash - {%- endif %} - elasticfleet.install_agent_grid - docker_clean 
@@ -202,9 +195,7 @@ base: - suricata.manager - mysql - elasticsearch - {%- if LOGSTASH %} - logstash - {%- endif %} {%- if REDIS %} - redis {%- endif %} @@ -226,9 +217,7 @@ base: - telegraf - firewall - elasticsearch - {%- if LOGSTASH %} - logstash - {%- endif %} {%- if REDIS %} - redis {%- endif %} @@ -274,9 +263,7 @@ base: - sensoroni - telegraf - firewall - {%- if LOGSTASH %} - logstash - {%- endif %} {%- if REDIS %} - redis {%- endif %}