Reorganize FB module management

salt/filebeat/etc/module_config.yml.jinja

@@ -1,18 +1,2 @@
 # DO NOT EDIT THIS FILE
-{%- if MODULES.modules is iterable and MODULES.modules is not string and MODULES.modules|length > 0%}
+{{ MODULES|yaml(False) }}
-  {%- for module in MODULES.modules.keys() %}
-- module: {{ module }}
-    {%- for fileset in MODULES.modules[module] %}
-  {{ fileset }}:
-    enabled: {{ MODULES.modules[module][fileset].enabled|string|lower }}
-      {#- only manage the settings if the fileset is enabled #}
-      {%- if MODULES.modules[module][fileset].enabled %}
-        {%- for var, value in MODULES.modules[module][fileset].items() %}
-          {%- if var|lower != 'enabled' %}
-    {{ var }}: {{ value }}
-          {%- endif %}
-        {%- endfor %}
-      {%- endif %}
-    {%- endfor %}
-  {%- endfor %}
-{% endif %}

salt/filebeat/init.sls

@@ -18,8 +18,8 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set LOCALHOSTNAME = salt['grains.get']('host') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
+{% from 'filebeat/modules.map.jinja' import THIRDPARTY with context %}
-{% from 'filebeat/map.jinja' import SO with context %}
+{% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %}
 {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %}
 {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
 
@@ -88,21 +88,13 @@ filebeatmoduleconf:
     - template: jinja
     - show_changes: False
 
-sodefaults_module_conf:
+merged_module_conf:
   file.managed:
-    - name: /opt/so/conf/filebeat/modules/securityonion.yml
+    - name: /opt/so/conf/filebeat/modules/modules.yml
     - source: salt://filebeat/etc/module_config.yml.jinja
     - template: jinja
     - defaults:
-        MODULES: {{ SO }}
+        MODULES: {{ MODULESENABLED }}
-
-thirdparty_module_conf:
-  file.managed:
-    - name: /opt/so/conf/filebeat/modules/thirdparty.yml
-    - source: salt://filebeat/etc/module_config.yml.jinja
-    - template: jinja
-    - defaults:
-        MODULES: {{ THIRDPARTY }}
     
 so-filebeat:
   docker_container.running:
@@ -127,14 +119,6 @@ so-filebeat:
         - 0.0.0.0:514:514/udp
         - 0.0.0.0:514:514/tcp
         - 0.0.0.0:5066:5066/tcp
-{% for module in THIRDPARTY.modules.keys() %}
-  {% for submodule in THIRDPARTY.modules[module] %}
-    {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %}
-        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/tcp
-        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/udp
-    {% endif %}
-  {% endfor %}
-{% endfor %}
     - watch:
       - file: filebeatconf
     - require:

salt/filebeat/map.jinja

@@ -1,9 +1,22 @@
 {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
-{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
-
 {% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
-{% set SO = SODEFAULTS.securityonion_filebeat %}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
-{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
+{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
+{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
+
+{% set MODULESENABLED = [] %}
+{% for module in MODULESMERGED.modules.keys() %}
+  {% set ENABLEDFILESETS = {} %}                               
+  {% for fileset in MODULESMERGED.modules[module] %}                        
+    {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}  
+      {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
+    {% endif %}
+  {% endfor %}
+  {% if ENABLEDFILESETS|length > 0 %}
+    {% do MODULESENABLED.append(ENABLEDFILESETS) %}
+  {% endif %}
+{% endfor %}
+{{ MODULESENABLED }}
 
 {% set role = grains.role %}
 {% set FILEBEAT_EXTRA_HOSTS = [] %}

salt/filebeat/modules.map.jinja

@@ -0,0 +1,18 @@
+{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
+{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}
+
+{% set MODULESENABLED = [] %}
+{% for module in MODULESMERGED.modules.keys() %}
+  {% set ENABLEDFILESETS = {} %}                               
+  {% for fileset in MODULESMERGED.modules[module] %}                        
+    {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}  
+      {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
+    {% endif %}
+  {% endfor %}
+  {% if ENABLEDFILESETS|length > 0 %}
+    {% do MODULESENABLED.append(ENABLEDFILESETS) %}
+  {% endif %}
+{% endfor %}