From b09c3776b7c2a780ea544e50377644cfca41abec Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 24 Jun 2026 16:51:32 -0400
Subject: [PATCH] Point pillar_db beacon at securityonion database

The SOC postgres database was renamed so_soc -> securityonion (see POSTGRES_DB in salt/postgres/enabled.sls and the SOC postgres config in salt/soc/defaults.yaml). The pillar_db beacon still hardcoded so_soc, so every poll failed with 'database "so_soc" does not exist' (rc=2), silently disabling active-push detection of audit_settings changes. Update DATABASE to 'securityonion' and refresh the now-stale so_soc references in the beacon and push_pillar reactor comments.
---
 salt/_beacons/pillar_db.py | 6 +++---
 salt/reactor/push_pillar.sls | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/salt/_beacons/pillar_db.py b/salt/_beacons/pillar_db.py
index 9022d9b87..8712cce7f 100644
--- a/salt/_beacons/pillar_db.py
+++ b/salt/_beacons/pillar_db.py
@@ -6,7 +6,7 @@
 # Custom salt beacon that watches the SOC audit_settings table in postgres for
 # new settings changes and emits a beacon event per new row. This replaces the
 # inotify watch on /opt/so/saltstack/local/pillar -- instead of monitoring pillar
-# files on disk, we monitor the so_soc.audit_settings table that SOC writes to.
+# files on disk, we monitor the securityonion.audit_settings table that SOC writes to.
 #
 # Detection is poll-based with a monotonic `id` watermark persisted to
 # WATERMARK_FILE: each pass selects rows with id greater than the last id seen,
@@ -24,7 +24,7 @@ log = logging.getLogger(__name__)
 WATERMARK_FILE = '/opt/so/state/pillar_db_watch.id'
 CONTAINER = 'so-postgres'
-DATABASE = 'so_soc'
+DATABASE = 'securityonion'
 # Unaligned, tuples-only psql output with a field separator that cannot appear in
 # an id/setting_id/node_id, so we can split each row reliably.
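Review bot: `DATABASE = 'securityonion'` in the second hunk is still a hand-maintained copy of the name that the commit message says is set by POSTGRES_DB in salt/postgres/enabled.sls and the SOC postgres config in salt/soc/defaults.yaml, so the next rename would break this beacon the same way. I would add `# Must match POSTGRES_DB in salt/postgres/enabled.sls and the SOC postgres config in salt/soc/defaults.yaml.` above the constant. The `_query` comment in the third hunk says every failure returns None and the caller no-ops, which is presumably why a missing database stopped audit_settings change detection without anyone noticing; `_query`'s body is outside the hunks, so if it does not already log the psql return code and stderr at error level, that is worth adding alongside this fix.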
@@ -60,7 +60,7 @@ def _write_watermark(value):
 def _query(sql):
- # Run a query against so_soc inside the so-postgres container over the unix
+ # Run a query against securityonion inside the so-postgres container over the unix
 # socket (trust auth, no password). Returns stdout on success, or None on any
 # failure so the caller can no-op and retry on the next interval.
 cmd = [
diff --git a/salt/reactor/push_pillar.sls b/salt/reactor/push_pillar.sls
index 47e586788..c4b82959b 100644
--- a/salt/reactor/push_pillar.sls
+++ b/salt/reactor/push_pillar.sls
@@ -1,7 +1,7 @@
 #!py
 # Reactor invoked by the pillar_db beacon when SOC records settings changes in
-# the so_soc.audit_settings table (see salt/_beacons/pillar_db.py). The beacon
+# the securityonion.audit_settings table (see salt/_beacons/pillar_db.py). The beacon
 # emits one event per new row carrying setting_id and node_id.
 #
 # Two branches, keyed on node_id: