Setup Script - Suricata yaml

salt/logstash/files/logstash.yml

@@ -2,5 +2,5 @@ path.config: /usr/share/logstash/pipeline
 http.host: 0.0.0.0
 queue.type: persisted
 queue.max_bytes: 1gb
-pipeline.workers: 1
+pipeline.workers: {{ pipeline.workers }}
 path.logs: /var/log/logstash

salt/suricata/files/suricata.yaml

@@ -1309,7 +1309,7 @@ spm-algo: auto
 
 # Suricata is multi-threaded. Here the threading can be influenced.
 threading:
-  set-cpu-affinity: no
+  set-cpu-affinity: yes
   # Tune cpu affinity of threads. Each family of threads can be bound
   # on specific CPUs.
   #
@@ -1321,22 +1321,38 @@ threading:
   # receive-cpu-set is used for capture threads
   # verdict-cpu-set is used for IPS verdict threads
   #
+  {%- if salt['pillar.get']('sensor:suriprocs') %}
   cpu-affinity:
     - management-cpu-set:
-        cpu: [ 0 ]  # include only these cpus in affinity settings
+        cpu: [ all ]  # include only these cpus in affinity settings
     - receive-cpu-set:
-        cpu: [ 0 ]  # include only these cpus in affinity settings
+        cpu: [ all ]  # include only these cpus in affinity settings
     - worker-cpu-set:
         cpu: [ "all" ]
         mode: "exclusive"
         # Use explicitely 3 threads and don't compute number by using
         # detect-thread-ratio variable:
-        # threads: 3
+        threads: {{ salt['pillar.get']('sensor:suriprocs') }}
         prio:
-          low: [ 0 ]
-          medium: [ "1-2" ]
-          high: [ 3 ]
           default: "medium"
+  {% endif %}
+  
+  {%- if salt['pillar.get']('sensor:suripins') %}
+  cpu-affinity:
+    - management-cpu-set:
+        cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ]  # include only these cpus in affinity settings
+    - receive-cpu-set:
+        cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ]  # include only these cpus in affinity settings
+    - worker-cpu-set:
+        cpu: [ {{ salt['pillar.get']('sensor:suripins') }} ]
+        mode: "exclusive"
+        # Use explicitely 3 threads and don't compute number by using
+        # detect-thread-ratio variable:
+        threads: {{ salt['pillar.get']('sensor:surithreads') }}
+        prio:
+          default: "high"
+  {% endif %}
+
     #- verdict-cpu-set:
     #    cpu: [ 0 ]
     #    prio:

so-setup-network.sh

@@ -386,12 +386,15 @@ sensor_pillar() {
       PIN=$(echo $PIN |  cut -d\" -f2)
     echo "    - $PIN" >> /tmp/$HOSTNAME.sls
     done
-    ST=("${SURITHREADS[@]//\"/}")
+    SP=("${SURIPINS[@]//\"/}")
-    STHREADS=${ST// /,}
+    SPINS=${SP// /,}
-    echo "  surithreads: $STHREADS" >> /tmp/$HOSTNAME.sls
+    SCOUNT=${#SURIPINS[@]}
+
+    echo "  suripins: $SPINS" >> /tmp/$HOSTNAME.sls
+    echo "  surithreads: $SCOUNT"
   else
     echo "  bro_lbprocs: $BASICBRO" >> /tmp/$HOSTNAME.sls
-    echo "  surithreads: $BASICSURI" >> /tmp/$HOSTNAME.sls
+    echo "  suriprocs: $BASICSURI" >> /tmp/$HOSTNAME.sls
   fi
   echo "  brobpf:" >> /tmp/$HOSTNAME.sls
   echo "  pcapbpf:" >> /tmp/$HOSTNAME.sls
@@ -641,7 +644,7 @@ whiptail_setup_complete() {
 whiptail_suricata_pins() {
 
   FILTEREDCORES=$(echo ${LISTCORES[@]} ${BROPINS[@]} | tr -d '"' | tr ' ' '\n' | sort | uniq -u | awk '{print $1 " \"" "core" "\""}')
-  SURITHREADS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
+  SURIPINS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
 
   local exitstatus=$?
   whiptail_check_exitstatus $exitstatus