From 086b3bf5286f1bbf6de38551f49c3ffadeaf004d Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 15:14:53 +0000 Subject: [PATCH 1/7] Add Curator to so-status output --- salt/curator/init.sls | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index a06696b0f..27c8d10c8 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -145,6 +145,23 @@ so-curator: - watch: - file: curconf +append_so-curator_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-curator + - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf + {% if not CURATOROPTIONS.start %} +so-curator_so-status.disabled: + file.comment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-curator$ + {% else %} +delete_so-curator_so-status.disabled: + file.uncomment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-curator$ + {% endif %} + so-curatorclusterclose: cron.present: - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 From df94e830c50b0cb8eceb9b03e081c05350d6cd90 Mon Sep 17 00:00:00 2001 
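Review bot: The `unless` guard on `append_so-curator_so-status.conf` is an unanchored substring match, so any line containing `so-curator` suppresses the append, including a commented `#so-curator` left behind by the `file.comment` state below; that looks intentional (otherwise a disabled entry would be appended a second time), but the regex should say so rather than rely on substring luck: `- unless: grep -qE '^#?so-curator$' /opt/so/conf/so-status/so-status.conf`. The `file.comment`/`file.uncomment` states depend on the append having run first yet declare no requisite; adding `- require:` / `- file: append_so-curator_so-status.conf` to each makes that ordering explicit instead of relying on declaration order, and (if I read Salt's behaviour correctly) avoids a confusing "pattern not found" failure from `file.comment` when the append itself failed. The `so-curator` state this block is attached to begins before the hunk, and `CURATOROPTIONS` is presumably set earlier in this sls as well.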
From: Wes Date: Tue, 7 Mar 2023 16:15:41 +0000 Subject: [PATCH 2/7] Remove unnecessary Curator action files --- salt/curator/files/action/so-aws-close.yml | 27 ----------------- salt/curator/files/action/so-aws-delete.yml | 27 ----------------- salt/curator/files/action/so-aws-warm.yml | 29 ------------------ salt/curator/files/action/so-azure-close.yml | 27 ----------------- salt/curator/files/action/so-azure-delete.yml | 27 ----------------- salt/curator/files/action/so-azure-warm.yml | 29 ------------------ .../files/action/so-barracuda-close.yml | 27 ----------------- .../files/action/so-barracuda-delete.yml | 27 ----------------- .../files/action/so-barracuda-warm.yml | 29 ------------------ salt/curator/files/action/so-beats-warm.yml | 29 ------------------ .../files/action/so-bluecoat-close.yml | 27 ----------------- .../files/action/so-bluecoat-delete.yml | 27 ----------------- .../curator/files/action/so-bluecoat-warm.yml | 29 ------------------ salt/curator/files/action/so-cef-close.yml | 27 ----------------- salt/curator/files/action/so-cef-delete.yml | 27 ----------------- salt/curator/files/action/so-cef-warm.yml | 29 ------------------ .../files/action/so-checkpoint-close.yml | 27 ----------------- .../files/action/so-checkpoint-delete.yml | 27 ----------------- .../files/action/so-checkpoint-warm.yml | 29 ------------------ salt/curator/files/action/so-cisco-close.yml | 27 ----------------- salt/curator/files/action/so-cisco-delete.yml | 27 ----------------- salt/curator/files/action/so-cisco-warm.yml | 29 ------------------ .../files/action/so-cyberark-close.yml | 27 ----------------- .../files/action/so-cyberark-delete.yml | 27 ----------------- .../curator/files/action/so-cyberark-warm.yml | 29 ------------------ .../curator/files/action/so-cylance-close.yml | 27 ----------------- .../files/action/so-cylance-delete.yml | 27 ----------------- salt/curator/files/action/so-cylance-warm.yml | 29 ------------------ 
.../files/action/so-elasticsearch-warm.yml | 29 ------------------ .../curator/files/action/so-endgame-close.yml | 27 ----------------- .../files/action/so-endgame-delete.yml | 26 ---------------- salt/curator/files/action/so-endgame-warm.yml | 29 ------------------ salt/curator/files/action/so-f5-close.yml | 28 ----------------- salt/curator/files/action/so-f5-delete.yml | 28 ----------------- salt/curator/files/action/so-f5-warm.yml | 30 ------------------- .../curator/files/action/so-firewall-warm.yml | 30 ------------------- .../files/action/so-fortinet-close.yml | 28 ----------------- .../files/action/so-fortinet-delete.yml | 28 ----------------- .../curator/files/action/so-fortinet-warm.yml | 30 ------------------- salt/curator/files/action/so-gcp-close.yml | 28 ----------------- salt/curator/files/action/so-gcp-delete.yml | 28 ----------------- salt/curator/files/action/so-gcp-warm.yml | 30 ------------------- .../action/so-google_workspace-close.yml | 28 ----------------- .../action/so-google_workspace-delete.yml | 28 ----------------- .../files/action/so-google_workspace-warm.yml | 30 ------------------- salt/curator/files/action/so-ids-warm.yml | 30 ------------------- .../curator/files/action/so-imperva-close.yml | 28 ----------------- .../files/action/so-imperva-delete.yml | 27 ----------------- salt/curator/files/action/so-imperva-warm.yml | 29 ------------------ salt/curator/files/action/so-import-warm.yml | 29 ------------------ .../files/action/so-infoblox-close.yml | 27 ----------------- .../files/action/so-infoblox-delete.yml | 27 ----------------- .../curator/files/action/so-infoblox-warm.yml | 29 ------------------ .../curator/files/action/so-juniper-close.yml | 27 ----------------- .../files/action/so-juniper-delete.yml | 27 ----------------- salt/curator/files/action/so-juniper-warm.yml | 29 ------------------ salt/curator/files/action/so-kibana-warm.yml | 29 ------------------ salt/curator/files/action/so-kratos-warm.yml | 29 
------------------ .../curator/files/action/so-logstash-warm.yml | 29 ------------------ .../files/action/so-microsoft-close.yml | 27 ----------------- .../files/action/so-microsoft-delete.yml | 27 ----------------- .../files/action/so-microsoft-warm.yml | 29 ------------------ salt/curator/files/action/so-misp-close.yml | 27 ----------------- salt/curator/files/action/so-misp-delete.yml | 27 ----------------- salt/curator/files/action/so-misp-warm.yml | 29 ------------------ salt/curator/files/action/so-netflow-warm.yml | 29 ------------------ .../files/action/so-netscout-close.yml | 27 ----------------- .../files/action/so-netscout-delete.yml | 27 ----------------- .../curator/files/action/so-netscout-warm.yml | 29 ------------------ salt/curator/files/action/so-o365-close.yml | 27 ----------------- salt/curator/files/action/so-o365-delete.yml | 27 ----------------- salt/curator/files/action/so-o365-warm.yml | 29 ------------------ salt/curator/files/action/so-okta-close.yml | 27 ----------------- salt/curator/files/action/so-okta-warm.yml | 29 ------------------ salt/curator/files/action/so-okta.delete.yml | 27 ----------------- .../files/action/so-osquery-delete.yml | 2 +- salt/curator/files/action/so-osquery-warm.yml | 29 ------------------ salt/curator/files/action/so-ossec-warm.yml | 29 ------------------ .../files/action/so-proofpoint-close.yml | 27 ----------------- .../files/action/so-proofpoint-delete.yml | 27 ----------------- .../files/action/so-proofpoint-warm.yml | 29 ------------------ .../curator/files/action/so-radware-close.yml | 27 ----------------- .../files/action/so-radware-delete.yml | 27 ----------------- salt/curator/files/action/so-radware-warm.yml | 29 ------------------ salt/curator/files/action/so-redis-warm.yml | 29 ------------------ salt/curator/files/action/so-snort-close.yml | 27 ----------------- salt/curator/files/action/so-snort-delete.yml | 27 ----------------- salt/curator/files/action/so-snort-warm.yml | 29 
------------------ salt/curator/files/action/so-snyk-close.yml | 27 ----------------- salt/curator/files/action/so-snyk-delete.yml | 27 ----------------- salt/curator/files/action/so-snyk-warm.yml | 29 ------------------ .../files/action/so-sonicwall-close.yml | 27 ----------------- .../files/action/so-sonicwall-delete.yml | 27 ----------------- .../files/action/so-sonicwall-warm.yml | 29 ------------------ salt/curator/files/action/so-sophos-close.yml | 27 ----------------- .../curator/files/action/so-sophos-delete.yml | 27 ----------------- salt/curator/files/action/so-sophos-warm.yml | 29 ------------------ salt/curator/files/action/so-strelka-warm.yml | 29 ------------------ salt/curator/files/action/so-syslog-warm.yml | 29 ------------------ salt/curator/files/action/so-tomcat-close.yml | 27 ----------------- .../curator/files/action/so-tomcat-delete.yml | 27 ----------------- salt/curator/files/action/so-tomcat-warm.yml | 29 ------------------ salt/curator/files/action/so-zeek-warm.yml | 29 ------------------ .../curator/files/action/so-zscaler-close.yml | 27 ----------------- .../files/action/so-zscaler-delete.yml | 27 ----------------- salt/curator/files/action/so-zscaler-warm.yml | 29 ------------------ 106 files changed, 1 insertion(+), 2940 deletions(-) delete mode 100644 salt/curator/files/action/so-aws-close.yml delete mode 100644 salt/curator/files/action/so-aws-delete.yml delete mode 100644 salt/curator/files/action/so-aws-warm.yml delete mode 100644 salt/curator/files/action/so-azure-close.yml delete mode 100644 salt/curator/files/action/so-azure-delete.yml delete mode 100644 salt/curator/files/action/so-azure-warm.yml delete mode 100644 salt/curator/files/action/so-barracuda-close.yml delete mode 100644 salt/curator/files/action/so-barracuda-delete.yml delete mode 100644 salt/curator/files/action/so-barracuda-warm.yml delete mode 100644 salt/curator/files/action/so-beats-warm.yml delete mode 100644 salt/curator/files/action/so-bluecoat-close.yml 
delete mode 100644 salt/curator/files/action/so-bluecoat-delete.yml delete mode 100644 salt/curator/files/action/so-bluecoat-warm.yml delete mode 100644 salt/curator/files/action/so-cef-close.yml delete mode 100644 salt/curator/files/action/so-cef-delete.yml delete mode 100644 salt/curator/files/action/so-cef-warm.yml delete mode 100644 salt/curator/files/action/so-checkpoint-close.yml delete mode 100644 salt/curator/files/action/so-checkpoint-delete.yml delete mode 100644 salt/curator/files/action/so-checkpoint-warm.yml delete mode 100644 salt/curator/files/action/so-cisco-close.yml delete mode 100644 salt/curator/files/action/so-cisco-delete.yml delete mode 100644 salt/curator/files/action/so-cisco-warm.yml delete mode 100644 salt/curator/files/action/so-cyberark-close.yml delete mode 100644 salt/curator/files/action/so-cyberark-delete.yml delete mode 100644 salt/curator/files/action/so-cyberark-warm.yml delete mode 100644 salt/curator/files/action/so-cylance-close.yml delete mode 100644 salt/curator/files/action/so-cylance-delete.yml delete mode 100644 salt/curator/files/action/so-cylance-warm.yml delete mode 100644 salt/curator/files/action/so-elasticsearch-warm.yml delete mode 100644 salt/curator/files/action/so-endgame-close.yml delete mode 100644 salt/curator/files/action/so-endgame-delete.yml delete mode 100644 salt/curator/files/action/so-endgame-warm.yml delete mode 100644 salt/curator/files/action/so-f5-close.yml delete mode 100644 salt/curator/files/action/so-f5-delete.yml delete mode 100644 salt/curator/files/action/so-f5-warm.yml delete mode 100644 salt/curator/files/action/so-firewall-warm.yml delete mode 100644 salt/curator/files/action/so-fortinet-close.yml delete mode 100644 salt/curator/files/action/so-fortinet-delete.yml delete mode 100644 salt/curator/files/action/so-fortinet-warm.yml delete mode 100644 salt/curator/files/action/so-gcp-close.yml delete mode 100644 salt/curator/files/action/so-gcp-delete.yml delete mode 100644 
salt/curator/files/action/so-gcp-warm.yml delete mode 100644 salt/curator/files/action/so-google_workspace-close.yml delete mode 100644 salt/curator/files/action/so-google_workspace-delete.yml delete mode 100644 salt/curator/files/action/so-google_workspace-warm.yml delete mode 100644 salt/curator/files/action/so-ids-warm.yml delete mode 100644 salt/curator/files/action/so-imperva-close.yml delete mode 100644 salt/curator/files/action/so-imperva-delete.yml delete mode 100644 salt/curator/files/action/so-imperva-warm.yml delete mode 100644 salt/curator/files/action/so-import-warm.yml delete mode 100644 salt/curator/files/action/so-infoblox-close.yml delete mode 100644 salt/curator/files/action/so-infoblox-delete.yml delete mode 100644 salt/curator/files/action/so-infoblox-warm.yml delete mode 100644 salt/curator/files/action/so-juniper-close.yml delete mode 100644 salt/curator/files/action/so-juniper-delete.yml delete mode 100644 salt/curator/files/action/so-juniper-warm.yml delete mode 100644 salt/curator/files/action/so-kibana-warm.yml delete mode 100644 salt/curator/files/action/so-kratos-warm.yml delete mode 100644 salt/curator/files/action/so-logstash-warm.yml delete mode 100644 salt/curator/files/action/so-microsoft-close.yml delete mode 100644 salt/curator/files/action/so-microsoft-delete.yml delete mode 100644 salt/curator/files/action/so-microsoft-warm.yml delete mode 100644 salt/curator/files/action/so-misp-close.yml delete mode 100644 salt/curator/files/action/so-misp-delete.yml delete mode 100644 salt/curator/files/action/so-misp-warm.yml delete mode 100644 salt/curator/files/action/so-netflow-warm.yml delete mode 100644 salt/curator/files/action/so-netscout-close.yml delete mode 100644 salt/curator/files/action/so-netscout-delete.yml delete mode 100644 salt/curator/files/action/so-netscout-warm.yml delete mode 100644 salt/curator/files/action/so-o365-close.yml delete mode 100644 salt/curator/files/action/so-o365-delete.yml delete mode 100644 
salt/curator/files/action/so-o365-warm.yml delete mode 100644 salt/curator/files/action/so-okta-close.yml delete mode 100644 salt/curator/files/action/so-okta-warm.yml delete mode 100644 salt/curator/files/action/so-okta.delete.yml delete mode 100644 salt/curator/files/action/so-osquery-warm.yml delete mode 100644 salt/curator/files/action/so-ossec-warm.yml delete mode 100644 salt/curator/files/action/so-proofpoint-close.yml delete mode 100644 salt/curator/files/action/so-proofpoint-delete.yml delete mode 100644 salt/curator/files/action/so-proofpoint-warm.yml delete mode 100644 salt/curator/files/action/so-radware-close.yml delete mode 100644 salt/curator/files/action/so-radware-delete.yml delete mode 100644 salt/curator/files/action/so-radware-warm.yml delete mode 100644 salt/curator/files/action/so-redis-warm.yml delete mode 100644 salt/curator/files/action/so-snort-close.yml delete mode 100644 salt/curator/files/action/so-snort-delete.yml delete mode 100644 salt/curator/files/action/so-snort-warm.yml delete mode 100644 salt/curator/files/action/so-snyk-close.yml delete mode 100644 salt/curator/files/action/so-snyk-delete.yml delete mode 100644 salt/curator/files/action/so-snyk-warm.yml delete mode 100644 salt/curator/files/action/so-sonicwall-close.yml delete mode 100644 salt/curator/files/action/so-sonicwall-delete.yml delete mode 100644 salt/curator/files/action/so-sonicwall-warm.yml delete mode 100644 salt/curator/files/action/so-sophos-close.yml delete mode 100644 salt/curator/files/action/so-sophos-delete.yml delete mode 100644 salt/curator/files/action/so-sophos-warm.yml delete mode 100644 salt/curator/files/action/so-strelka-warm.yml delete mode 100644 salt/curator/files/action/so-syslog-warm.yml delete mode 100644 salt/curator/files/action/so-tomcat-close.yml delete mode 100644 salt/curator/files/action/so-tomcat-delete.yml delete mode 100644 salt/curator/files/action/so-tomcat-warm.yml delete mode 100644 salt/curator/files/action/so-zeek-warm.yml 
delete mode 100644 salt/curator/files/action/so-zscaler-close.yml delete mode 100644 salt/curator/files/action/so-zscaler-delete.yml delete mode 100644 salt/curator/files/action/so-zscaler-warm.yml diff --git a/salt/curator/files/action/so-aws-close.yml b/salt/curator/files/action/so-aws-close.yml deleted file mode 100644 index 9fb37b879..000000000 --- a/salt/curator/files/action/so-aws-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-aws'].close %} -actions: - 1: - action: close - description: >- - Close aws indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-aws.*|so-aws.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-aws-delete.yml b/salt/curator/files/action/so-aws-delete.yml deleted file mode 100644 index 7291edafb..000000000 --- a/salt/curator/files/action/so-aws-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-aws'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete aws indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-aws.*|so-aws.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-aws-warm.yml b/salt/curator/files/action/so-aws-warm.yml deleted file mode 100644 index e441f1b80..000000000 --- a/salt/curator/files/action/so-aws-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-aws'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-aws - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-azure-close.yml b/salt/curator/files/action/so-azure-close.yml deleted file mode 100644 index f93c59bcb..000000000 --- a/salt/curator/files/action/so-azure-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-azure'].close %} -actions: - 1: - action: close - description: >- - Close azure indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-azure.*|so-azure.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-azure-delete.yml b/salt/curator/files/action/so-azure-delete.yml deleted file mode 100644 index 7bda39f1a..000000000 --- a/salt/curator/files/action/so-azure-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-azure'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete azure indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-azure.*|so-azure.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-azure-warm.yml b/salt/curator/files/action/so-azure-warm.yml deleted file mode 100644 index 22019fd42..000000000 --- a/salt/curator/files/action/so-azure-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-azure'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-azure - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-barracuda-close.yml b/salt/curator/files/action/so-barracuda-close.yml deleted file mode 100644 index 5613056bf..000000000 --- a/salt/curator/files/action/so-barracuda-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-barracuda'].close %} -actions: - 1: - action: close - description: >- - Close barracuda indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-barracuda.*|so-barracuda.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-barracuda-delete.yml b/salt/curator/files/action/so-barracuda-delete.yml deleted file mode 100644 index b4b3626c2..000000000 --- a/salt/curator/files/action/so-barracuda-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-barracuda'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete barracuda indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-barracuda.*|so-barracuda.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-barracuda-warm.yml b/salt/curator/files/action/so-barracuda-warm.yml deleted file mode 100644 index e09c91587..000000000 --- a/salt/curator/files/action/so-barracuda-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-barracuda'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-barracuda - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-beats-warm.yml b/salt/curator/files/action/so-beats-warm.yml deleted file mode 100644 index dd403312c..000000000 --- a/salt/curator/files/action/so-beats-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-beats'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-beats - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-bluecoat-close.yml b/salt/curator/files/action/so-bluecoat-close.yml deleted file mode 100644 index a59f6db95..000000000 --- a/salt/curator/files/action/so-bluecoat-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-bluecoat'].close %} -actions: - 1: - action: close - description: >- - Close bluecoat indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-bluecoat.*|so-bluecoat.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-bluecoat-delete.yml b/salt/curator/files/action/so-bluecoat-delete.yml deleted file mode 100644 index 8736948a2..000000000 --- a/salt/curator/files/action/so-bluecoat-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-bluecoat'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete bluecoat indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-bluecoat.*|so-bluecoat.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-bluecoat-warm.yml b/salt/curator/files/action/so-bluecoat-warm.yml deleted file mode 100644 index fbed0f6c8..000000000 --- a/salt/curator/files/action/so-bluecoat-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-bluecoat'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-bluecoat - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cef-close.yml b/salt/curator/files/action/so-cef-close.yml deleted file mode 100644 index 25ce7067c..000000000 --- a/salt/curator/files/action/so-cef-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cef'].close %} -actions: - 1: - action: close - description: >- - Close cef indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cef.*|so-cef.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cef-delete.yml b/salt/curator/files/action/so-cef-delete.yml deleted file mode 100644 index a57fb9027..000000000 --- a/salt/curator/files/action/so-cef-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cef'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cef indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cef.*|so-cef.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cef-warm.yml b/salt/curator/files/action/so-cef-warm.yml deleted file mode 100644 index efcb58cfb..000000000 --- a/salt/curator/files/action/so-cef-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cef'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cef - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-checkpoint-close.yml b/salt/curator/files/action/so-checkpoint-close.yml deleted file mode 100644 index 9ba1ae14d..000000000 --- a/salt/curator/files/action/so-checkpoint-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-checkpoint'].close %} -actions: - 1: - action: close - description: >- - Close checkpoint indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-checkpoint.*|so-checkpoint.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-checkpoint-delete.yml b/salt/curator/files/action/so-checkpoint-delete.yml deleted file mode 100644 index 228e6b004..000000000 --- a/salt/curator/files/action/so-checkpoint-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-checkpoint'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete checkpoint indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-checkpoint.*|so-checkpoint.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-checkpoint-warm.yml b/salt/curator/files/action/so-checkpoint-warm.yml deleted file mode 100644 index ae9193e33..000000000 --- a/salt/curator/files/action/so-checkpoint-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-checkpoint'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-checkpoint - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cisco-close.yml b/salt/curator/files/action/so-cisco-close.yml deleted file mode 100644 index bf804fc30..000000000 --- a/salt/curator/files/action/so-cisco-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cisco'].close %} -actions: - 1: - action: close - description: >- - Close cisco indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cisco.*|so-cisco.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cisco-delete.yml b/salt/curator/files/action/so-cisco-delete.yml deleted file mode 100644 index 974d17a4a..000000000 --- a/salt/curator/files/action/so-cisco-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cisco'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cisco indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cisco.*|so-cisco.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cisco-warm.yml b/salt/curator/files/action/so-cisco-warm.yml deleted file mode 100644 index fefc84320..000000000 --- a/salt/curator/files/action/so-cisco-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cisco'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cisco - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cyberark-close.yml b/salt/curator/files/action/so-cyberark-close.yml deleted file mode 100644 index 4da7ae0d2..000000000 --- a/salt/curator/files/action/so-cyberark-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cyberark'].close %} -actions: - 1: - action: close - description: >- - Close cyberark indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cyberark.*|so-cyberark.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cyberark-delete.yml b/salt/curator/files/action/so-cyberark-delete.yml deleted file mode 100644 index 1d46f616b..000000000 --- a/salt/curator/files/action/so-cyberark-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cyberark'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cyberark indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cyberark.*|so-cyberark.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cyberark-warm.yml b/salt/curator/files/action/so-cyberark-warm.yml deleted file mode 100644 index c6dc52e4c..000000000 --- a/salt/curator/files/action/so-cyberark-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cyberark'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cyberark - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cylance-close.yml b/salt/curator/files/action/so-cylance-close.yml deleted file mode 100644 index 957ac468e..000000000 --- a/salt/curator/files/action/so-cylance-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cylance'].close %} -actions: - 1: - action: close - description: >- - Close cylance indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cylance.*|so-cylance.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cylance-delete.yml b/salt/curator/files/action/so-cylance-delete.yml deleted file mode 100644 index caa0a40a6..000000000 --- a/salt/curator/files/action/so-cylance-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cylance'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cylance indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cylance.*|so-cylance.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cylance-warm.yml b/salt/curator/files/action/so-cylance-warm.yml deleted file mode 100644 index 3e7d32258..000000000 --- a/salt/curator/files/action/so-cylance-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cylance'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cylance - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-elasticsearch-warm.yml b/salt/curator/files/action/so-elasticsearch-warm.yml deleted file mode 100644 index 5ef8f3df8..000000000 --- a/salt/curator/files/action/so-elasticsearch-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-elasticsearch'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-elasticsearch - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-endgame-close.yml b/salt/curator/files/action/so-endgame-close.yml deleted file mode 100644 index 9d1fbfbfb..000000000 --- a/salt/curator/files/action/so-endgame-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-endgame'].close %} -actions: - 1: - action: close - description: >- - Close Endgame indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-endgame-delete.yml b/salt/curator/files/action/so-endgame-delete.yml deleted file mode 100644 index a175c1c3b..000000000 --- a/salt/curator/files/action/so-endgame-delete.yml +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-endgame'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Endgame indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: diff --git a/salt/curator/files/action/so-endgame-warm.yml b/salt/curator/files/action/so-endgame-warm.yml deleted file mode 100644 index 67e4c545e..000000000 --- a/salt/curator/files/action/so-endgame-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-endgame'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} diff --git a/salt/curator/files/action/so-f5-close.yml b/salt/curator/files/action/so-f5-close.yml deleted file mode 100644 index da8946d96..000000000 --- a/salt/curator/files/action/so-f5-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-f5'].close %} -actions: - 1: - action: close - description: >- - Close f5 indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-f5.*|so-f5.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-f5-delete.yml b/salt/curator/files/action/so-f5-delete.yml deleted file mode 100644 index 867029640..000000000 --- a/salt/curator/files/action/so-f5-delete.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-f5'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete f5 indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-f5.*|so-f5.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-f5-warm.yml b/salt/curator/files/action/so-f5-warm.yml deleted file mode 100644 index edf17f687..000000000 --- a/salt/curator/files/action/so-f5-warm.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-f5'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-f5 - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-firewall-warm.yml b/salt/curator/files/action/so-firewall-warm.yml deleted file mode 100644 index d76f52a83..000000000 --- a/salt/curator/files/action/so-firewall-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-firewall'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-firewall - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-fortinet-close.yml b/salt/curator/files/action/so-fortinet-close.yml deleted file mode 100644 index 1a77b5d73..000000000 --- a/salt/curator/files/action/so-fortinet-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-fortinet'].close %} -actions: - 1: - action: close - description: >- - Close fortinet indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-fortinet.*|so-fortinet.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-fortinet-delete.yml b/salt/curator/files/action/so-fortinet-delete.yml deleted file mode 100644 index 2cb530269..000000000 --- a/salt/curator/files/action/so-fortinet-delete.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-fortinet'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete fortinet indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-fortinet.*|so-fortinet.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-fortinet-warm.yml b/salt/curator/files/action/so-fortinet-warm.yml deleted file mode 100644 index c4a273315..000000000 --- a/salt/curator/files/action/so-fortinet-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-fortinet'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-fortinet - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-gcp-close.yml b/salt/curator/files/action/so-gcp-close.yml deleted file mode 100644 index 7bc3b3584..000000000 --- a/salt/curator/files/action/so-gcp-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-gcp'].close %} -actions: - 1: - action: close - description: >- - Close gcp indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-gcp.*|so-gcp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-gcp-delete.yml b/salt/curator/files/action/so-gcp-delete.yml deleted file mode 100644 index de55f350e..000000000 --- a/salt/curator/files/action/so-gcp-delete.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-gcp'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete gcp indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-gcp.*|so-gcp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-gcp-warm.yml b/salt/curator/files/action/so-gcp-warm.yml deleted file mode 100644 index 17085436d..000000000 --- a/salt/curator/files/action/so-gcp-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-gcp'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-gcp - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-google_workspace-close.yml b/salt/curator/files/action/so-google_workspace-close.yml deleted file mode 100644 index 35ccd5375..000000000 --- a/salt/curator/files/action/so-google_workspace-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-google_workspace'].close %} -actions: - 1: - action: close - description: >- - Close google_workspace indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-google_workspace.*|so-google_workspace.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-google_workspace-delete.yml b/salt/curator/files/action/so-google_workspace-delete.yml deleted file mode 100644 index 9ccff9cba..000000000 --- a/salt/curator/files/action/so-google_workspace-delete.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-google_workspace'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete google_workspace indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-google_workspace.*|so-google_workspace.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-google_workspace-warm.yml b/salt/curator/files/action/so-google_workspace-warm.yml deleted file mode 100644 index d1b5874f5..000000000 --- a/salt/curator/files/action/so-google_workspace-warm.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-google_workspace'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-google_workspace - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-ids-warm.yml b/salt/curator/files/action/so-ids-warm.yml deleted file mode 100644 index d6dfc9ce8..000000000 --- a/salt/curator/files/action/so-ids-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-ids'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-ids - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-imperva-close.yml b/salt/curator/files/action/so-imperva-close.yml deleted file mode 100644 index e8a86c753..000000000 --- a/salt/curator/files/action/so-imperva-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-imperva'].close %} -actions: - 1: - action: close - description: >- - Close imperva indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-imperva.*|so-imperva.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-imperva-delete.yml b/salt/curator/files/action/so-imperva-delete.yml deleted file mode 100644 index 17f221d64..000000000 --- a/salt/curator/files/action/so-imperva-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-imperva'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete imperva indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-imperva.*|so-imperva.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-imperva-warm.yml b/salt/curator/files/action/so-imperva-warm.yml deleted file mode 100644 index 082d553df..000000000 --- a/salt/curator/files/action/so-imperva-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-imperva'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-imperva - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-import-warm.yml b/salt/curator/files/action/so-import-warm.yml deleted file mode 100644 index 75d1da2d8..000000000 --- a/salt/curator/files/action/so-import-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-import'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-import - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-infoblox-close.yml b/salt/curator/files/action/so-infoblox-close.yml deleted file mode 100644 index cc3704c12..000000000 --- a/salt/curator/files/action/so-infoblox-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-infoblox'].close %} -actions: - 1: - action: close - description: >- - Close infoblox indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-infoblox.*|so-infoblox.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-infoblox-delete.yml b/salt/curator/files/action/so-infoblox-delete.yml deleted file mode 100644 index f10be3b93..000000000 --- a/salt/curator/files/action/so-infoblox-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-infoblox'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete infoblox indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-infoblox.*|so-infoblox.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-infoblox-warm.yml b/salt/curator/files/action/so-infoblox-warm.yml deleted file mode 100644 index 5fe51c7e2..000000000 --- a/salt/curator/files/action/so-infoblox-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-infoblox'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-infoblox - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-juniper-close.yml b/salt/curator/files/action/so-juniper-close.yml deleted file mode 100644 index 62f783322..000000000 --- a/salt/curator/files/action/so-juniper-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-juniper'].close %} -actions: - 1: - action: close - description: >- - Close juniper indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-juniper.*|so-juniper.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-juniper-delete.yml b/salt/curator/files/action/so-juniper-delete.yml deleted file mode 100644 index b0e5306fc..000000000 --- a/salt/curator/files/action/so-juniper-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-juniper'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete juniper indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-juniper.*|so-juniper.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-juniper-warm.yml b/salt/curator/files/action/so-juniper-warm.yml deleted file mode 100644 index e441f1b80..000000000 --- a/salt/curator/files/action/so-juniper-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-aws'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-aws - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-kibana-warm.yml b/salt/curator/files/action/so-kibana-warm.yml deleted file mode 100644 index ce6f6a2c7..000000000 --- a/salt/curator/files/action/so-kibana-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-kibana'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-kibana - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml deleted file mode 100644 index 296c34ea4..000000000 --- a/salt/curator/files/action/so-kratos-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-kratos'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-kratos - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-logstash-warm.yml b/salt/curator/files/action/so-logstash-warm.yml deleted file mode 100644 index b6a6bc010..000000000 --- a/salt/curator/files/action/so-logstash-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-logstash'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-logstash - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-microsoft-close.yml b/salt/curator/files/action/so-microsoft-close.yml deleted file mode 100644 index 55b077446..000000000 --- a/salt/curator/files/action/so-microsoft-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-microsoft'].close %} -actions: - 1: - action: close - description: >- - Close microsoft indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-microsoft.*|so-microsoft.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-microsoft-delete.yml b/salt/curator/files/action/so-microsoft-delete.yml deleted file mode 100644 index 5f92c23a4..000000000 --- a/salt/curator/files/action/so-microsoft-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-microsoft'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete microsoft indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-microsoft.*|so-microsoft.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-microsoft-warm.yml b/salt/curator/files/action/so-microsoft-warm.yml deleted file mode 100644 index 4ce0283ac..000000000 --- a/salt/curator/files/action/so-microsoft-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-microsoft'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-microsoft - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-misp-close.yml b/salt/curator/files/action/so-misp-close.yml deleted file mode 100644 index 9f326b54b..000000000 --- a/salt/curator/files/action/so-misp-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-misp'].close %} -actions: - 1: - action: close - description: >- - Close misp indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-misp.*|so-misp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-misp-delete.yml b/salt/curator/files/action/so-misp-delete.yml deleted file mode 100644 index 1b8426344..000000000 --- a/salt/curator/files/action/so-misp-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-misp'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete misp indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-misp.*|so-misp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-misp-warm.yml b/salt/curator/files/action/so-misp-warm.yml deleted file mode 100644 index 410cc3e4c..000000000 --- a/salt/curator/files/action/so-misp-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-misp'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-misp - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-netflow-warm.yml b/salt/curator/files/action/so-netflow-warm.yml deleted file mode 100644 index a8c5250b2..000000000 --- a/salt/curator/files/action/so-netflow-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-netflow'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-netflow - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-netscout-close.yml b/salt/curator/files/action/so-netscout-close.yml deleted file mode 100644 index c601f5e45..000000000 --- a/salt/curator/files/action/so-netscout-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-netscout'].close %} -actions: - 1: - action: close - description: >- - Close netscout indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-netscout.*|so-netscout.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-netscout-delete.yml b/salt/curator/files/action/so-netscout-delete.yml deleted file mode 100644 index d779bfed8..000000000 --- a/salt/curator/files/action/so-netscout-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-netscout'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete netscout indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-netscout.*|so-netscout.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-netscout-warm.yml b/salt/curator/files/action/so-netscout-warm.yml deleted file mode 100644 index cd101d519..000000000 --- a/salt/curator/files/action/so-netscout-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-netscout'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-netscout - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-o365-close.yml b/salt/curator/files/action/so-o365-close.yml deleted file mode 100644 index 0fb7738a7..000000000 --- a/salt/curator/files/action/so-o365-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-o365'].close %} -actions: - 1: - action: close - description: >- - Close o365 indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-o365.*|so-o365.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-o365-delete.yml b/salt/curator/files/action/so-o365-delete.yml deleted file mode 100644 index fe8e5451e..000000000 --- a/salt/curator/files/action/so-o365-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-o365'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete o365 indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-o365.*|so-o365.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-o365-warm.yml b/salt/curator/files/action/so-o365-warm.yml deleted file mode 100644 index 049ab26f2..000000000 --- a/salt/curator/files/action/so-o365-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-o365'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-o365 - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-okta-close.yml b/salt/curator/files/action/so-okta-close.yml deleted file mode 100644 index cf7948e8d..000000000 --- a/salt/curator/files/action/so-okta-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-okta'].close %} -actions: - 1: - action: close - description: >- - Close okta indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-okta.*|so-okta.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-okta-warm.yml b/salt/curator/files/action/so-okta-warm.yml deleted file mode 100644 index 775aafdc1..000000000 --- a/salt/curator/files/action/so-okta-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-okta'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-okta - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-okta.delete.yml b/salt/curator/files/action/so-okta.delete.yml deleted file mode 100644 index 4854df292..000000000 --- a/salt/curator/files/action/so-okta.delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-okta'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete okta indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-okta.*|so-okta.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml
index 24033d41d..b6263b0e8 100644
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -24,4 +24,4 @@ actions:
 unit_count: {{ DELETE_DAYS }}
 exclude:
 
-
\ No newline at end of file
+
diff --git a/salt/curator/files/action/so-osquery-warm.yml b/salt/curator/files/action/so-osquery-warm.yml
deleted file mode 100644
index bd2cbc0b2..000000000
--- a/salt/curator/files/action/so-osquery-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-osquery'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-osquery
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-ossec-warm.yml b/salt/curator/files/action/so-ossec-warm.yml
deleted file mode 100644
index c9718ee31..000000000
--- a/salt/curator/files/action/so-ossec-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-ossec'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-ossec
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-proofpoint-close.yml b/salt/curator/files/action/so-proofpoint-close.yml
deleted file mode 100644
index 28044ecc9..000000000
--- a/salt/curator/files/action/so-proofpoint-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-proofpoint'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close proofpoint indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-proofpoint-delete.yml b/salt/curator/files/action/so-proofpoint-delete.yml
deleted file mode 100644
index 436c4c803..000000000
--- a/salt/curator/files/action/so-proofpoint-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-proofpoint'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete proofpoint indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-proofpoint-warm.yml b/salt/curator/files/action/so-proofpoint-warm.yml
deleted file mode 100644
index daa8d0265..000000000
--- a/salt/curator/files/action/so-proofpoint-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-proofpoint'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-proofpoint
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-radware-close.yml b/salt/curator/files/action/so-radware-close.yml
deleted file mode 100644
index 1f932058a..000000000
--- a/salt/curator/files/action/so-radware-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-radware'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close radware indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-radware.*|so-radware.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-radware-delete.yml b/salt/curator/files/action/so-radware-delete.yml
deleted file mode 100644
index 46a614570..000000000
--- a/salt/curator/files/action/so-radware-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-radware'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete radware indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-radware.*|so-radware.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-radware-warm.yml b/salt/curator/files/action/so-radware-warm.yml
deleted file mode 100644
index b0f15663d..000000000
--- a/salt/curator/files/action/so-radware-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-radware'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-radware
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-redis-warm.yml b/salt/curator/files/action/so-redis-warm.yml
deleted file mode 100644
index dc472be97..000000000
--- a/salt/curator/files/action/so-redis-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-redis'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-redis
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-snort-close.yml b/salt/curator/files/action/so-snort-close.yml
deleted file mode 100644
index 955c8d065..000000000
--- a/salt/curator/files/action/so-snort-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-snort'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close snort indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snort.*|so-snort.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-snort-delete.yml b/salt/curator/files/action/so-snort-delete.yml
deleted file mode 100644
index 3077a3d51..000000000
--- a/salt/curator/files/action/so-snort-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-snort'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete snort indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snort.*|so-snort.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-snort-warm.yml b/salt/curator/files/action/so-snort-warm.yml
deleted file mode 100644
index 82af9a140..000000000
--- a/salt/curator/files/action/so-snort-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-snort'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-snort
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-snyk-close.yml b/salt/curator/files/action/so-snyk-close.yml
deleted file mode 100644
index 60bde3d43..000000000
--- a/salt/curator/files/action/so-snyk-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-snyk'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close snyk indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snyk.*|so-snyk.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-snyk-delete.yml b/salt/curator/files/action/so-snyk-delete.yml
deleted file mode 100644
index 95104ead0..000000000
--- a/salt/curator/files/action/so-snyk-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-snyk'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete snyk indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snyk.*|so-snyk.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-snyk-warm.yml b/salt/curator/files/action/so-snyk-warm.yml
deleted file mode 100644
index 3767bc0d0..000000000
--- a/salt/curator/files/action/so-snyk-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-snyk'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-snyk
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-sonicwall-close.yml b/salt/curator/files/action/so-sonicwall-close.yml
deleted file mode 100644
index ef61f9427..000000000
--- a/salt/curator/files/action/so-sonicwall-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-sonicwall'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close sonicwall indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-sonicwall-delete.yml b/salt/curator/files/action/so-sonicwall-delete.yml
deleted file mode 100644
index 2a9d40739..000000000
--- a/salt/curator/files/action/so-sonicwall-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-sonicwall'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete sonicwall indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-sonicwall-warm.yml b/salt/curator/files/action/so-sonicwall-warm.yml
deleted file mode 100644
index 9f6b596df..000000000
--- a/salt/curator/files/action/so-sonicwall-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-sonicwall'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-sonicwall
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-sophos-close.yml b/salt/curator/files/action/so-sophos-close.yml
deleted file mode 100644
index b2ccbb65f..000000000
--- a/salt/curator/files/action/so-sophos-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-sophos'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close sophos indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sophos.*|so-sophos.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-sophos-delete.yml b/salt/curator/files/action/so-sophos-delete.yml
deleted file mode 100644
index b15cc06dd..000000000
--- a/salt/curator/files/action/so-sophos-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-sophos'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete sophos indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sophos.*|so-sophos.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-sophos-warm.yml b/salt/curator/files/action/so-sophos-warm.yml
deleted file mode 100644
index 619fde7a3..000000000
--- a/salt/curator/files/action/so-sophos-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-sophos'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-sophos
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-strelka-warm.yml b/salt/curator/files/action/so-strelka-warm.yml
deleted file mode 100644
index 96bc9f55d..000000000
--- a/salt/curator/files/action/so-strelka-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-strelka'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-strelka
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-syslog-warm.yml b/salt/curator/files/action/so-syslog-warm.yml
deleted file mode 100644
index be42c20da..000000000
--- a/salt/curator/files/action/so-syslog-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-syslog'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-syslog
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-tomcat-close.yml b/salt/curator/files/action/so-tomcat-close.yml
deleted file mode 100644
index 816293853..000000000
--- a/salt/curator/files/action/so-tomcat-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-tomcat'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close tomcat indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-tomcat.*|so-tomcat.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-tomcat-delete.yml b/salt/curator/files/action/so-tomcat-delete.yml
deleted file mode 100644
index e605266b4..000000000
--- a/salt/curator/files/action/so-tomcat-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-tomcat'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete tomcat indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-tomcat.*|so-tomcat.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-tomcat-warm.yml b/salt/curator/files/action/so-tomcat-warm.yml
deleted file mode 100644
index e176a272b..000000000
--- a/salt/curator/files/action/so-tomcat-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-tomcat'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-tomcat
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-zeek-warm.yml b/salt/curator/files/action/so-zeek-warm.yml
deleted file mode 100644
index d53d70659..000000000
--- a/salt/curator/files/action/so-zeek-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-zeek'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-zeek
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-zscaler-close.yml b/salt/curator/files/action/so-zscaler-close.yml
deleted file mode 100644
index 4b453a260..000000000
--- a/salt/curator/files/action/so-zscaler-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-zscaler'].close %} -actions: - 1: - action: close - description: >- - Close zscaler indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-zscaler.*|so-zscaler.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-zscaler-delete.yml b/salt/curator/files/action/so-zscaler-delete.yml deleted file mode 100644 index a56ebd859..000000000 --- a/salt/curator/files/action/so-zscaler-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-zscaler'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete zscaler indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-zscaler.*|so-zscaler.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-zscaler-warm.yml b/salt/curator/files/action/so-zscaler-warm.yml deleted file mode 100644 index c6ea011e5..000000000 --- a/salt/curator/files/action/so-zscaler-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-zscaler'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-zscaler - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - From 073054b447a6197737d3a20fa231db13bb2a384e Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 16:21:55 +0000 Subject: [PATCH 3/7] Remove 'so-curator-cluster-warm' and remove unncessary Curator default values --- salt/curator/defaults.yaml | 135 ------------------ .../curator/files/bin/so-curator-cluster-warm | 26 ---- salt/curator/init.sls | 10 -- 3 files changed, 171 deletions(-) delete mode 100644 salt/curator/files/bin/so-curator-cluster-warm diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 3eda48d81..8e791b0d5 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml 
@@ -1,182 +1,47 @@ elasticsearch: index_settings: - so-aws: - warm: 7 - close: 30 - delete: 365 - so-azure: - warm: 7 - close: 30 - delete: 365 - so-barracuda: - warm: 7 - close: 30 - delete: 365 so-beats: - warm: 7 - close: 30 - delete: 365 - so-bluecoat: - warm: 7 - close: 30 - delete: 365 - so-cef: - warm: 7 - close: 30 - delete: 365 - so-checkpoint: - warm: 7 - close: 30 - delete: 365 - so-cisco: - warm: 7 - close: 30 - delete: 365 - so-cyberark: - warm: 7 - close: 30 - delete: 365 - so-cylance: - warm: 7 close: 30 delete: 365 so-elasticsearch: - warm: 7 - close: 30 - delete: 365 - so-endgame: - warm: 7 - close: 30 - delete: 365 - so-f5: - warm: 7 close: 30 delete: 365 so-firewall: - warm: 7 - close: 30 - delete: 365 - so-fortinet: - warm: 7 - close: 30 - delete: 365 - so-gcp: - warm: 7 - close: 30 - delete: 365 - so-google_workspace: - warm: 7 close: 30 delete: 365 so-ids: - warm: 7 - close: 30 - delete: 365 - so-imperva: - warm: 7 close: 30 delete: 365 so-import: - warm: 7 close: 73000 delete: 73001 - so-infoblox: - warm: 7 - close: 30 - delete: 365 - so-juniper: - warm: 7 - close: 30 - delete: 365 so-kratos: - warm: 7 close: 30 delete: 365 so-kibana: - warm: 7 close: 30 delete: 365 so-logstash: - warm: 7 - close: 30 - delete: 365 - so-microsoft: - warm: 7 - close: 30 - delete: 365 - so-misp: - warm: 7 close: 30 delete: 365 so-netflow: - warm: 7 - close: 30 - delete: 365 - so-netscout: - warm: 7 - close: 30 - delete: 365 - so-o365: - warm: 7 - close: 30 - delete: 365 - so-okta: - warm: 7 close: 30 delete: 365 so-osquery: - warm: 7 close: 30 delete: 365 so-ossec: - warm: 7 - close: 30 - delete: 365 - so-proofpoint: - warm: 7 - close: 30 - delete: 365 - so-radware: - warm: 7 close: 30 delete: 365 so-redis: - warm: 7 - close: 30 - delete: 365 - so-snort: - warm: 7 - close: 30 - delete: 365 - so-snyk: - warm: 7 - close: 30 - delete: 365 - so-sonicwall: - warm: 7 - close: 30 - delete: 365 - so-sophos: - warm: 7 close: 30 delete: 365 so-strelka: - warm: 7 close: 30 
delete: 365 so-syslog: - warm: 7 - close: 30 - delete: 365 - so-tomcat: - warm: 7 close: 30 delete: 365 so-zeek: - warm: 7 - close: 30 - delete: 365 - so-zscaler: - warm: 7 close: 30 delete: 365 diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm deleted file mode 100644 index f868caf0d..000000000 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -APP=warm -lf=/tmp/$APP-pidLockFile -# create empty lock file if none exists -cat /dev/null >> $lf -read lastPID < $lf -# if lastPID is not null and a process with that pid exists , exit -[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit -echo $$ > $lf - -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-warm.yml > /dev/null 2>&1; diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 27c8d10c8..4a828beb6 100644 
--- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -182,16 +182,6 @@ so-curatorclusterdelete: - month: '*' - dayweek: '*' -so-curatorclusterwarm: - cron.present: - - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1 - - user: root - - minute: '2' - - hour: '*/1' - - daymonth: '*' - - month: '*' - - dayweek: '*' - {% else %} {{sls}}_state_not_allowed: From d6365468716ba93a49939a73b152fcb2a35301c8 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 17:15:25 +0000 Subject: [PATCH 4/7] Add new Curator action files --- .../files/action/logs-import-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-import-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-strelka-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-strelka-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-suricata-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-suricata-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-syslog-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-syslog-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-zeek-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-zeek-so-delete.yml | 27 +++++++++++++++++++ 10 files changed, 270 insertions(+) create mode 100644 salt/curator/files/action/logs-import-so-close.yml create mode 100644 salt/curator/files/action/logs-import-so-delete.yml create mode 100644 salt/curator/files/action/logs-strelka-so-close.yml create mode 100644 salt/curator/files/action/logs-strelka-so-delete.yml create mode 100644 salt/curator/files/action/logs-suricata-so-close.yml create mode 100644 salt/curator/files/action/logs-suricata-so-delete.yml create mode 100644 salt/curator/files/action/logs-syslog-so-close.yml create mode 100644 salt/curator/files/action/logs-syslog-so-delete.yml create mode 100644 salt/curator/files/action/logs-zeek-so-close.yml create mode 100644 salt/curator/files/action/logs-zeek-so-delete.yml 
diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml new file mode 100644 index 000000000..52ddb5eb5 --- /dev/null +++ b/salt/curator/files/action/logs-import-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %} +actions: + 1: + action: close + description: >- + Close import indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml new file mode 100644 index 000000000..274d06711 --- /dev/null +++ b/salt/curator/files/action/logs-import-so-delete.yml 
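Review bot: The pattern filter `value: '^(.ds-logs-import-so.*)$'` leaves the leading dot unescaped, so `.` is a regex wildcard rather than the literal `.` that starts a data-stream backing index name; `value: '^\.ds-logs-import-so.*$'` pins it to the intended prefix. The same unescaped dot appears in all ten new action files in this commit (the logs-strelka-so, logs-suricata-so, logs-syslog-so and logs-zeek-so close and delete files as well) and survives the rewrite in the last patch of the series. The age filter uses `source: name` with `timestring: '%Y.%m.%d'`, which presumably matches the date embedded in `.ds-<stream>-<date>-<generation>` names; if a backing index is named differently the filter selects nothing, and since this close action sets no `ignore_empty_list`, Curator will presumably treat the empty list as an error rather than exit cleanly. A one-line comment above the `set` line saying that these actions target the data stream's backing indices, not the stream itself, would spare the next maintainer that inference.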
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete syslog indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-syslog-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml new file mode 100644 index 000000000..a5b31785f --- /dev/null +++ b/salt/curator/files/action/logs-strelka-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %} +actions: + 1: + action: close + description: >- + Close Strelka indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-strelka-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
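Review bot: `action: delete_indices` is pointed at `.ds-*` backing indices, and Elasticsearch, as far as I know, refuses to delete a data stream's current write index (and likewise refuses to close it); if the age filter ever selects that index — for instance when no rollover has happened within the configured days — the request fails, presumably for the whole batch, and because the calling scripts send stdout and stderr to /dev/null the failure is invisible and retention is silently not enforced. Worth a comment above `action: delete_indices` stating the dependency on rollover keeping the write index younger than the `delete` setting, and possibly `continue_if_exception: True` together with logged output so the remaining indices are still processed and operators can see the rejection. This applies equally to the strelka, suricata, syslog and zeek delete files and, for closing, to the five close files in this commit.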
diff --git a/salt/curator/files/action/logs-strelka-so-delete.yml b/salt/curator/files/action/logs-strelka-so-delete.yml new file mode 100644 index 000000000..d01bdcc83 --- /dev/null +++ b/salt/curator/files/action/logs-strelka-so-delete.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Strelka indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-strelka-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml new file mode 100644 index 000000000..a25be9f3d --- /dev/null +++ b/salt/curator/files/action/logs-suricata-so-close.yml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %} +actions: + 1: + action: close + description: >- + Close Suricata indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-suricata-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-suricata-so-delete.yml b/salt/curator/files/action/logs-suricata-so-delete.yml new file mode 100644 index 000000000..765ba1293 --- /dev/null +++ b/salt/curator/files/action/logs-suricata-so-delete.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Suricata indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-suricata-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + 
diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml new file mode 100644 index 000000000..b9baf3c1a --- /dev/null +++ b/salt/curator/files/action/logs-syslog-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %} +actions: + 1: + action: close + description: >- + Close syslog indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-syslog-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml new file mode 100644 index 000000000..b46a5fc73 --- /dev/null +++ b/salt/curator/files/action/logs-syslog-so-delete.yml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml new file mode 100644 index 000000000..f8ad13ca0 --- /dev/null +++ b/salt/curator/files/action/logs-zeek-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %} +actions: + 1: + action: close + description: >- + Close Zeek indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-zeek-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
diff --git a/salt/curator/files/action/logs-zeek-so-delete.yml b/salt/curator/files/action/logs-zeek-so-delete.yml new file mode 100644 index 000000000..5acfc50a7 --- /dev/null +++ b/salt/curator/files/action/logs-zeek-so-delete.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Zeek indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-zeek-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + From 88d98af243ef5bf19024e2c3b7abc02b15d9aa2a Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 17:21:03 +0000 Subject: [PATCH 5/7] Add new Curator action files to Curator close and delete scripts --- salt/curator/files/bin/so-curator-close | 5 +++++ salt/curator/files/bin/so-curator-cluster-close | 5 +++++ salt/curator/files/bin/so-curator-cluster-delete | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 885cb4502..af66a03df 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
@@ -25,3 +25,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close
index 0929149ed..4359dcfc1 100644
--- a/salt/curator/files/bin/so-curator-cluster-close
+++ b/salt/curator/files/bin/so-curator-cluster-close
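Review bot: Four of the five added lines reference action files that do not exist: the files created earlier in this series are `logs-strelka-so-close.yml`, `logs-suricata-so-close.yml`, `logs-syslog-so-close.yml` and `logs-zeek-so-close.yml`, but the script calls `logs-strelka-close.yml`, `logs-suricata-close.yml`, `logs-syslog-close.yml` and `logs-zeek-close.yml`; only the `logs-import-so-close.yml` line matches. Because every call ends in `> /dev/null 2>&1`, Curator's error for the missing file is discarded and the close policy for those four data streams silently never runs, so indices that should have been closed stay open and consume heap and disk with no operator-visible signal. The same mismatch is in the so-curator-cluster-close and so-curator-cluster-delete hunks that follow (there with the `-delete.yml` names). Renaming the four paths to the `logs-<source>-so-close.yml` form fixes it, and redirecting stderr to the curator log instead of /dev/null would make a missing action file or a rejected request visible. The script's earlier lines are outside the hunk.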
@@ -23,3 +23,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete
index 2d71f725d..34c3c10cf 100644
--- a/salt/curator/files/bin/so-curator-cluster-delete
+++ b/salt/curator/files/bin/so-curator-cluster-delete
@@ -23,3 +23,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-delete.yml > /dev/null 2>&1;
From 26c9813276675f9646fbea13753e6e8c3379fca5 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 7 Mar 2023 17:29:07 +0000
Subject: [PATCH 6/7] Add keys for new Curator actions to defaults.yaml
---
 salt/curator/defaults.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml
index 8e791b0d5..237a50c81 100644
--- a/salt/curator/defaults.yaml
+++ b/salt/curator/defaults.yaml
@@ -1,5 +1,20 @@
 elasticsearch:
 index_settings:
+ logs-import-so:
+ close: 73000
+ delete: 73001
+ logs-strelka-so:
+ close: 30
+ delete: 365
+ logs-suricata-so:
+ close: 30
+ delete: 365
+ logs-syslog-so:
+ close: 30
+ delete: 365
+ logs-zeek-so:
+ close: 30
+ delete: 365
 so-beats:
 close: 30
 delete: 365
From f50639d2d2c6950492439ce110e78a160ee8af66 Mon Sep 17 00:00:00 2001
From: Wes Date: Tue, 7 Mar 2023 17:41:48 +0000 Subject: [PATCH 7/7] Fix import and syslog actions --- salt/curator/files/action/logs-import-so-delete.yml | 6 +++--- salt/curator/files/action/logs-syslog-so-delete.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml index 274d06711..b46a5fc73 100644 --- a/salt/curator/files/action/logs-import-so-delete.yml +++ b/salt/curator/files/action/logs-import-so-delete.yml @@ -3,19 +3,19 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} actions: 1: action: delete_indices description: >- - Delete syslog indices when older than {{ DELETE_DAYS }} days. + Delete import indices when older than {{ DELETE_DAYS }} days. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-syslog-so.*)$' + value: '^(.ds-logs-import-so.*)$' - filtertype: age source: name direction: older diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml index b46a5fc73..274d06711 100644 --- a/salt/curator/files/action/logs-syslog-so-delete.yml +++ b/salt/curator/files/action/logs-syslog-so-delete.yml 
@@ -3,19 +3,19 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} actions: 1: action: delete_indices description: >- - Delete import indices when older than {{ DELETE_DAYS }} days. + Delete syslog indices when older than {{ DELETE_DAYS }} days. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-import-so.*)$' + value: '^(.ds-logs-syslog-so.*)$' - filtertype: age source: name direction: older