diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja
index 733d47c7e..5d8782c01 100644
--- a/salt/filebeat/etc/module_config.yml.jinja
+++ b/salt/filebeat/etc/module_config.yml.jinja
@@ -1,18 +1,2 @@
 # DO NOT EDIT THIS FILE
-{%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%}
- {%- for module in MODULES.modules.keys() %}
-- module: {{ module }}
- {%- for fileset in MODULES.modules[module] %}
- {{ fileset }}:
- enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }}
- {#- only manage the settings if the fileset is enabled #}
- {%- if MODULES.modules[module][fileset].enabled %}
- {%- for var, value in MODULES.modules[module][fileset].items() %}
- {%- if var|lower != 'enabled' %}
- {{ var }}: {{ value }}
- {%- endif %}
- {%- endfor %}
- {%- endif %}
- {%- endfor %}
- {%- endfor %}
-{% endif %}
+{{ MODULES|yaml(False) }}
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 82622c4b2..473cb7171 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -18,8 +18,8 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set LOCALHOSTNAME = salt['grains.get']('host') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
-{% from 'filebeat/map.jinja' import SO with context %}
+{% from 'filebeat/modules.map.jinja' import THIRDPARTY with context %}
+{% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %}
 {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %}
 {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
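Review bot: Nothing in the template now says what shape MODULES must have, and the old `is iterable ... |length > 0` guard is gone, so whatever the caller passes is serialized as-is by `{{ MODULES|yaml(False) }}`. A one-line Jinja comment above that line would document the contract, for example `{# MODULES: list of {module: <name>, <fileset>: {<settings>}}, built in filebeat/modules.map.jinja #}`. Use `{# ... #}` rather than `{#- ... #}` there, since the whitespace-stripping form would pull the rendered YAML up onto the `# DO NOT EDIT THIS FILE` comment line.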
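Review bot: The two added imports each load `filebeat/modules.map.jinja` with context, so the pillar lookups and the merge in that file are likely evaluated twice per render; a single statement covers both names: `{% from 'filebeat/modules.map.jinja' import THIRDPARTY, MODULESENABLED with context %}`. Within the hunks shown, THIRDPARTY has no remaining consumer once the port loop further down is removed, so that import may be droppable altogether. The rest of init.sls is outside this diff, so that needs confirming before deleting it.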
@@ -88,21 +88,13 @@ filebeatmoduleconf:
 - template: jinja
 - show_changes: False
-sodefaults_module_conf:
+merged_module_conf:
 file.managed:
- - name: /opt/so/conf/filebeat/modules/securityonion.yml
+ - name: /opt/so/conf/filebeat/modules/modules.yml
 - source: salt://filebeat/etc/module_config.yml.jinja
 - template: jinja
 - defaults:
- MODULES: {{ SO }}
-
-thirdparty_module_conf:
- file.managed:
- - name: /opt/so/conf/filebeat/modules/thirdparty.yml
- - source: salt://filebeat/etc/module_config.yml.jinja
- - template: jinja
- - defaults:
- MODULES: {{ THIRDPARTY }}
+ MODULES: {{ MODULESENABLED }}
 so-filebeat:
 docker_container.running:
@@ -127,14 +119,6 @@ so-filebeat:
 - 0.0.0.0:514:514/udp
 - 0.0.0.0:514:514/tcp
 - 0.0.0.0:5066:5066/tcp
-{% for module in THIRDPARTY.modules.keys() %}
- {% for submodule in THIRDPARTY.modules[module] %}
- {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %}
- - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/tcp
- - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/udp
- {% endif %}
- {% endfor %}
-{% endfor %}
 - watch:
 - file: filebeatconf
 - require:
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index f12714176..b42707e05 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
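Review bot: `merged_module_conf` writes every setting of every enabled fileset into /opt/so/conf/filebeat/modules/modules.yml, yet the state sets neither `show_changes` nor a file mode or owner. Third-party filesets are commonly configured with credentials held in pillar, and with Salt's default of showing changes the rendered diff, secrets included, ends up in the job return and the master's job cache. I would add `- show_changes: False`, as the `filebeatmoduleconf` state just above already does, plus an explicit owner and a restrictive mode such as `- mode: '0640'`, adjusted to the user the so-filebeat container reads the file as.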
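Review bot: With the THIRDPARTY loop under the port bindings removed, an enabled fileset that sets `var.syslog_port` no longer gets that port published on the so-filebeat container, and nothing in the visible hunks replaces it. The fileset is still written to modules.yml, so it would listen inside the container while senders cannot reach it, which is a silent gap in log collection rather than an error. If the intent is to stop publishing those ports on 0.0.0.0, a comment at this spot saying so, or a render-time check that flags enabled filesets carrying `var.syslog_port`, would make that visible to operators. The `so-filebeat` state starts and ends outside this hunk, so the bindings may be handled elsewhere.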
@@ -1,9 +1,22 @@
 {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
-{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
-
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
-{% set SO = SODEFAULTS.securityonion_filebeat %}
-{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
+{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
+
+{% set MODULESENABLED = [] %}
+{% for module in MODULESMERGED.modules.keys() %}
+ {% set ENABLEDFILESETS = {} %}
+ {% for fileset in MODULESMERGED.modules[module] %}
+ {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}
+ {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
+ {% endif %}
+ {% endfor %}
+ {% if ENABLEDFILESETS|length > 0 %}
+ {% do MODULESENABLED.append(ENABLEDFILESETS) %}
+ {% endif %}
+{% endfor %}
+{{ MODULESENABLED }}
 {% set role = grains.role %}
 {% set FILEBEAT_EXTRA_HOSTS = [] %}
diff --git a/salt/filebeat/modules.map.jinja b/salt/filebeat/modules.map.jinja
new file mode 100644
index 000000000..c4a0a6db7
--- /dev/null
+++ b/salt/filebeat/modules.map.jinja
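Review bot: The trailing `{{ MODULESENABLED }}` is an output expression rather than a definition and looks like leftover debugging; it renders the full merged module settings, including any credentials held in pillar, into this map file's output. That output is discarded when the file is pulled in with `{% from ... import %}`, but an `include` or a direct render would emit it, so I would delete the line. Separately, the added block duplicates salt/filebeat/modules.map.jinja line for line, and init.sls now imports THIRDPARTY and MODULESENABLED from that file, so the copy here appears to be dead code. Removing it keeps the two from drifting apart.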
@@ -0,0 +1,18 @@
+{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
+{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
+
+{% set MODULESENABLED = [] %}
+{% for module in MODULESMERGED.modules.keys() %}
+ {% set ENABLEDFILESETS = {} %}
+ {% for fileset in MODULESMERGED.modules[module] %}
+ {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}
+ {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
+ {% endif %}
+ {% endfor %}
+ {% if ENABLEDFILESETS|length > 0 %}
+ {% do MODULESENABLED.append(ENABLEDFILESETS) %}
+ {% endif %}
+{% endfor %}
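Review bot: Filesets whose `enabled` is false are dropped from the module entry entirely in the inner loop, whereas the template this replaces wrote `enabled: false` for them. If the deployed Filebeat release treats a fileset that is absent from a module entry as enabled with defaults (worth checking for the version shipped here), a module with one enabled fileset could start its other filesets with default paths or listeners. Keeping the disabled filesets in the entry with only an explicit `enabled: False`, as sketched below, preserves the old output; the same loop appears in the copy added to salt/filebeat/map.jinja. A short comment that `defaults.merge(SO, THIRDPARTY, ...)` lets third_party_filebeat pillar values win for a module defined in both would also help.

```jinja
{% for module in MODULESMERGED.modules.keys() %}
  {% set FILESETS = {} %}
  {% set HASENABLED = [] %}
  {% for fileset, settings in MODULESMERGED.modules[module].items() %}
    {% if settings.get('enabled', False) %}
      {% do FILESETS.update({fileset: settings}) %}
      {% do HASENABLED.append(fileset) %}
    {% else %}
      {# keep the fileset explicitly off instead of omitting it #}
      {% do FILESETS.update({fileset: {'enabled': False}}) %}
    {% endif %}
  {% endfor %}
  {% if HASENABLED|length > 0 %}
    {% do FILESETS.update({'module': module}) %}
    {% do MODULESENABLED.append(FILESETS) %}
  {% endif %}
{% endfor %}
```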