diff --git a/pillar/top.sls b/pillar/top.sls index 464307065..75117e35f 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -189,8 +189,6 @@ base: - logstash.adv_logstash - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch - - elasticagent.soc_elasticagent - - elasticagent.adv_elasticagent - curator.soc_curator - curator.adv_curator - redis.soc_redis diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json new file mode 100644 index 000000000..4c22f92ee --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json 
@@ -0,0 +1,106 @@ +{ + "package": { + "name": "elasticsearch", + "version": "" + }, + "name": "elasticsearch-logs", + "namespace": "default", + "description": "Elasticsearch Logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "elasticsearch-logfile": { + "enabled": true, + "streams": { + "elasticsearch.audit": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_audit.json" + ] + } + }, + "elasticsearch.deprecation": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_deprecation.json" + ] + } + }, + "elasticsearch.gc": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/gc.log.[0-9]*", + "/var/log/elasticsearch/gc.log" + ] + } + }, + "elasticsearch.server": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/elasticsearch/*.log" + ] + } + }, + "elasticsearch.slowlog": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_index_search_slowlog.json", + "/var/log/elasticsearch/*_index_indexing_slowlog.json" + ] + } + } + } + }, + "elasticsearch-elasticsearch/metrics": { + "enabled": false, + "vars": { + "hosts": [ + "http://localhost:9200" + ], + "scope": "node" + }, + "streams": { + "elasticsearch.stack_monitoring.ccr": { + "enabled": false + }, + "elasticsearch.stack_monitoring.cluster_stats": { + "enabled": false + }, + "elasticsearch.stack_monitoring.enrich": { + "enabled": false + }, + "elasticsearch.stack_monitoring.index": { + "enabled": false + }, + "elasticsearch.stack_monitoring.index_recovery": { + "enabled": false, + "vars": { + "active.only": true + } + }, + "elasticsearch.stack_monitoring.index_summary": { + "enabled": false + }, + "elasticsearch.stack_monitoring.ml_job": { + "enabled": false + }, + "elasticsearch.stack_monitoring.node": { + "enabled": false + }, + "elasticsearch.stack_monitoring.node_stats": { + "enabled": false + }, + "elasticsearch.stack_monitoring.pending_tasks": { + "enabled": false + }, + 
"elasticsearch.stack_monitoring.shard": { + "enabled": false + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json similarity index 97% rename from salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json index 95b72e0a0..32055112a 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/idh-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json @@ -6,7 +6,7 @@ "name": "idh-logs", "namespace": "so", "description": "IDH integration", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json similarity index 98% rename from salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index 5bebfd54d..d9f8daeb9 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json @@ -6,7 +6,7 @@ "name": "import-evtx-logs", "namespace": "so", "description": "Import Windows EVTX logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "vars": {}, "inputs": { "logs-logfile": { diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json similarity index 95% rename from salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json index 4cba27121..f17ee33d1 100644 
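Review bot: The loader changed in this same commit (so-elastic-fleet-integration-policy-load) skips `elastic_fleet_integration_create` when `$NAME` is `elasticsearch-logs` in the general loop, so this new `grid-nodes_general/elasticsearch-logs.json` is only applied if an `elasticsearch-logs` integration already exists on `so-grid-nodes_general`; if that skip is deliberate, the file looks dead and should either be dropped or the loader should say why it is excluded. Separately, the enabled `elasticsearch.server` stream reads `/opt/so/log/elasticsearch/*.log`, while the disabled audit, deprecation, gc and slowlog streams keep stock `/var/log/elasticsearch/...` paths, so enabling one of them later in Fleet would collect nothing on this layout; pointing them at the `/opt/so/log/elasticsearch/` equivalents now avoids that trap. The disabled `elasticsearch-elasticsearch/metrics` input ships `http://localhost:9200`; if it is ever enabled the scheme has to match how the node's Elasticsearch actually listens, which I cannot tell from here.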
--- a/salt/elasticfleet/files/integrations/grid-nodes/import-suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json @@ -6,7 +6,7 @@ "name": "import-suricata-logs", "namespace": "so", "description": "Import Suricata logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json new file mode 100644 index 000000000..c342b57bd --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "kratos-logs", + "namespace": "so", + "description": "Kratos logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/kratos/kratos.log" + ], + "data_stream.dataset": "kratos", + "tags": ["so-kratos"], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos", + "custom": "pipeline: kratos" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/osquery-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_general/osquery-grid-nodes.json new file mode 100644 index 000000000..0349c9fc3 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/osquery-grid-nodes.json 
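Review bot: `decode_json_fields` in the kratos `processors` string uses `target: ""`, so every key in a kratos log line lands at the event root, whereas `soc-sensoroni-logs.json` and `soc-server-logs.json` in the same commit decode under a prefix (`target: "sensoroni"` / `target: "soc"`) and then `rename` only the fields they want. Decoding to the root lets arbitrary keys from log content become top-level event fields; `overwrite_keys` is at its default here so existing fields are presumably not clobbered, but new top-level fields can still be injected by whatever is logged. `target: "kratos"` with explicit renames would match the sibling files. There is also trailing whitespace in `add_error_key: true \n` here and in `soc-sensoroni-logs.json` and `soc-server-logs.json`; harmless to YAML, but worth dropping.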
@@ -0,0 +1,20 @@ +{ + "package": { + "name": "osquery_manager", + "version": "" + }, + "name": "osquery-grid-nodes", + "namespace": "default", + "policy_id": "so-grid-nodes_general", + "inputs": { + "osquery_manager-osquery": { + "enabled": true, + "streams": { + "osquery_manager.result": { + "enabled": true, + "vars": {} + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json new file mode 100644 index 000000000..6b9cbffaf --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json @@ -0,0 +1,76 @@ +{ + "package": { + "name": "redis", + "version": "" + }, + "name": "redis-logs", + "namespace": "default", + "description": "Redis logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "redis-logfile": { + "enabled": true, + "streams": { + "redis.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/redis/redis.log" + ], + "tags": [ + "redis-log" + ], + "preserve_original_event": false + } + } + } + }, + "redis-redis": { + "enabled": false, + "streams": { + "redis.slowlog": { + "enabled": false, + "vars": { + "hosts": [ + "127.0.0.1:6379" + ], + "password": "" + } + } + } + }, + "redis-redis/metrics": { + "enabled": false, + "vars": { + "hosts": [ + "127.0.0.1:6379" + ], + "idle_timeout": "20s", + "maxconn": 10, + "network": "tcp", + "password": "" + }, + "streams": { + "redis.info": { + "enabled": false, + "vars": { + "period": "10s" + } + }, + "redis.key": { + "enabled": false, + "vars": { + "key.patterns": "- limit: 20\n pattern: *\n", + "period": "10s" + } + }, + "redis.keyspace": { + "enabled": false, + "vars": { + "period": "10s" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json new file mode 100644 index 000000000..84e9ae94d --- /dev/null 
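Review bot: Both disabled inputs `redis-redis` and `redis-redis/metrics` commit `"password": ""` alongside `127.0.0.1:6379`, so whoever later flips `enabled` to `true` in Fleet inherits an empty credential for the local redis. If this file is rendered through Jinja before the loader reads it, a pillar-sourced placeholder such as `{{ REDIS_PASSWORD }}` (name is illustrative) makes that explicit; if it is not, dropping the key so Fleet asks for it is safer than a literal empty string in the repo. Only `redis-logfile` is enabled, so nothing changes at runtime today.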
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "soc-auth-sync-logs", + "namespace": "so", + "description": "Security Onion - Elastic Auth Sync - Logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/soc/sync.log" + ], + "data_stream.dataset": "soc", + "tags": ["so-soc"], + "processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json new file mode 100644 index 000000000..07bd89b89 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "soc-salt-relay-logs", + "namespace": "so", + "description": "Security Onion - Salt Relay - Logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/soc/salt-relay.log" + ], + "data_stream.dataset": "soc", + "tags": ["so-soc"], + "processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay", + "custom": "pipeline: common" + } + } + } + } + } +} 
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json new file mode 100644 index 000000000..bee14ebf5 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json @@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "soc-sensoroni-logs", + "namespace": "so", + "description": "Security Onion - Sensoroni - Logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/sensoroni/sensoroni.log" + ], + "data_stream.dataset": "soc", + "tags": [], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json new file mode 100644 index 000000000..285d79148 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json 
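Review bot: `"tags": []` here differs from `["so-soc"]` in `soc-auth-sync-logs.json`, `soc-salt-relay-logs.json` and `soc-server-logs.json`, although all four set `data_stream.dataset: soc` and `pipeline: common`; if anything downstream keys off the `so-soc` tag, sensoroni events will be the one soc source that lacks it. If the omission is intentional, a `description` noting it would stop the next reader from "fixing" it; otherwise `"tags": ["so-soc"]` matches the siblings.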
@@ -0,0 +1,29 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "soc-server-logs", + "namespace": "so", + "description": "Security Onion Console Logs", + "policy_id": "so-grid-nodes_general", + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.log": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/soc/sensoroni-server.log" + ], + "data_stream.dataset": "soc", + "tags": ["so-soc"], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true", + "custom": "pipeline: common" + } + } + } + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json similarity index 94% rename from salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json index ac6157638..6f6beca99 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/strelka-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json @@ -6,7 +6,7 @@ "name": "strelka-logs", "namespace": "so", "description": "Strelka logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "inputs": { "logs-logfile": { "enabled": true, 
diff --git a/salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json similarity index 94% rename from salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json index 9d7e4040d..7ff43c3a8 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json @@ -6,7 +6,7 @@ "name": "suricata-logs", "namespace": "so", "description": "Suricata integration", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json similarity index 94% rename from salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json index 495aaa309..80baa45ca 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/syslog-tcp-514.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json @@ -6,7 +6,7 @@ "name": "syslog-tcp-514", "namespace": "so", "description": "Syslog Over TCP Port 514", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "inputs": { "tcp-tcp": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json similarity index 95% rename from salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json rename to salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json index 053e95299..653c788b5 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/syslog-udp-514.json 
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json @@ -6,7 +6,7 @@ "name": "syslog-udp-514", "namespace": "so", "description": "Syslog over UDP Port 514", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_general", "inputs": { "udp-udp": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/system-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_general/system-grid-nodes.json new file mode 100644 index 000000000..a5c4c3e81 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/system-grid-nodes.json @@ -0,0 +1,40 @@ +{ + "policy_id": "so-grid-nodes_general", + "package": { + "name": "system", + "version": "" + }, + "name": "system-grid-nodes", + "namespace": "default", + "inputs": { + "system-logfile": { + "enabled": true, + "streams": { + "system.auth": { + "enabled": true, + "vars": { + "paths": [ + "/var/log/auth.log*", + "/var/log/secure*" + ] + } + }, + "system.syslog": { + "enabled": true, + "vars": { + "paths": [ + "/var/log/messages*", + "/var/log/syslog*" + ] + } + } + } + }, + "system-winlog": { + "enabled": false + }, + "system-system/metrics": { + "enabled": false + } + } +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json similarity index 98% rename from salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json index 99f2733c9..711602775 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/elasticsearch-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json 
@@ -6,7 +6,7 @@ "name": "elasticsearch-logs", "namespace": "default", "description": "Elasticsearch Logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "elasticsearch-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json similarity index 95% rename from salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json index 5e134f1f6..c9e4183de 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/kratos-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json @@ -6,7 +6,7 @@ "name": "kratos-logs", "namespace": "so", "description": "Kratos logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json similarity index 89% rename from salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json index 197526ce3..d0281c111 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/osquery-grid-nodes.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json @@ -5,7 +5,7 @@ }, "name": "osquery-grid-nodes", "namespace": "default", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "osquery_manager-osquery": { "enabled": true, 
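Review bot: `grid-nodes_heavy/elasticsearch-logs.json` and the other heavy renames in this commit (kratos-logs, osquery-grid-nodes, redis-logs, soc-auth-sync-logs, soc-salt-relay-logs, soc-sensoroni-logs, soc-server-logs, system-grid-nodes) appear to differ from their new `grid-nodes_general/` counterparts only in `policy_id`, which leaves two copies of every path, processor string and stream default to keep in sync by hand. Since the loader already knows which policy it is iterating, one template per integration with `policy_id` substituted (the repo already renders Jinja in `install_agent_grid.sls`) would remove the drift risk. I cannot see the heavy files in full, so confirm they really are identical before merging them; this note covers the other heavy hunks and is not repeated there.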
diff --git a/salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json similarity index 97% rename from salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json index a5d4102df..cddcedfd8 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/redis-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json @@ -6,7 +6,7 @@ "name": "redis-logs", "namespace": "default", "description": "Redis logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "redis-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json similarity index 95% rename from salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json index 7f60d1706..2004c8c5d 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/soc-auth-sync-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json @@ -6,7 +6,7 @@ "name": "soc-auth-sync-logs", "namespace": "so", "description": "Security Onion - Elastic Auth Sync - Logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json similarity index 95% rename from salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json index 7821f4081..b1b6098c1 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/soc-salt-relay-logs.json 
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json @@ -6,7 +6,7 @@ "name": "soc-salt-relay-logs", "namespace": "so", "description": "Security Onion - Salt Relay - Logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json similarity index 97% rename from salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json index 56069ed65..5954e5052 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/soc-sensoroni-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json @@ -6,7 +6,7 @@ "name": "soc-sensoroni-logs", "namespace": "so", "description": "Security Onion - Sensoroni - Logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "logs-logfile": { "enabled": true, diff --git a/salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json similarity index 97% rename from salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json index fcdfc9344..89e26563a 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/soc-server-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json @@ -6,7 +6,7 @@ "name": "soc-server-logs", "namespace": "so", "description": "Security Onion Console Logs", - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "inputs": { "logs-logfile": { "enabled": true, 
diff --git a/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json similarity index 95% rename from salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json rename to salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json index 3c10227ca..31d30d4e0 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json @@ -1,5 +1,5 @@ { - "policy_id": "so-grid-nodes", + "policy_id": "so-grid-nodes_heavy", "package": { "name": "system", "version": "" diff --git a/salt/elasticfleet/install_agent_grid.sls b/salt/elasticfleet/install_agent_grid.sls index 2199d2530..1d6c5a241 100644 --- a/salt/elasticfleet/install_agent_grid.sls +++ b/salt/elasticfleet/install_agent_grid.sls @@ -2,17 +2,24 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. -{%- set GRIDNODETOKEN = salt['pillar.get']('global:fleet_grid_enrollment_token') -%} +{%- set GRIDNODETOKENGENERAL = salt['pillar.get']('global:fleet_grid_enrollment_token_general') -%} +{%- set GRIDNODETOKENHEAVY = salt['pillar.get']('global:fleet_grid_enrollment_token_heavy') -%} {% set AGENT_STATUS = salt['service.available']('elastic-agent') %} {% if not AGENT_STATUS %} -{% if grains.role not in ['so-heavy'] %} +{% if grains.role not in ['so-heavynode'] %} run_installer: cmd.script: - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64 - cwd: /opt/so - - args: -token={{ GRIDNODETOKEN }} + - args: -token={{ GRIDNODETOKENGENERAL }} +{% else %} +run_installer: + cmd.script: + - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64 + - cwd: /opt/so + - args: -token={{ GRIDNODETOKENHEAVY }} {% endif %} {% endif %} 
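Review bot: The two `run_installer` states differ only in the token, so the Jinja branch could select the value and keep one state: `{% set GRIDNODETOKEN = GRIDNODETOKENHEAVY if grains.role == 'so-heavynode' else GRIDNODETOKENGENERAL %}` followed by a single `- args: -token={{ GRIDNODETOKEN }}`. The role test also changes from `so-heavy` to `so-heavynode`; that is a behaviour change independent of the token split and should be called out in the commit message and checked against the grain value heavy nodes actually set. Passing the enrollment token as a command-line argument makes it visible in the process list while the installer runs; that predates this change, but with two tokens in play a `# token is visible in argv during install` comment would keep anyone from treating this as secret handling.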
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 771d923ef..54538ed9e 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -25,11 +25,30 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then fi done - # Grid Nodes - for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes/*.json + # Grid Nodes - General + for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes_general/*.json do - printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n" - elastic_fleet_integration_check "so-grid-nodes" "$INTEGRATION" + printf "\n\nGrid Nodes Policy_General - Loading $INTEGRATION\n" + elastic_fleet_integration_check "so-grid-nodes_general" "$INTEGRATION" + if [ -n "$INTEGRATION_ID" ]; then + printf "\n\nIntegration $NAME exists - Updating integration\n" + elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" + else + printf "\n\nIntegration does not exist - Creating integration\n" + if [ "$NAME" != "elasticsearch-logs" ]; then + elastic_fleet_integration_create "@$INTEGRATION" + fi + fi + done + if [[ "$RETURN_CODE" != "1" ]]; then + touch /opt/so/state/eaintegrations.txt + fi + + # Grid Nodes - Heavy + for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes_heavy/*.json + do + printf "\n\nGrid Nodes Policy_Heavy - Loading $INTEGRATION\n" + elastic_fleet_integration_check "so-grid-nodes_heavy" "$INTEGRATION" if [ -n "$INTEGRATION_ID" ]; then printf "\n\nIntegration $NAME exists - Updating integration\n" elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index 94a42a70a..3b75fef56 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup 
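Review bot: `touch /opt/so/state/eaintegrations.txt` now sits between the general loop and the heavy loop, so a failure in a heavy integration (wherever `RETURN_CODE=1` is set, which is outside this hunk) still leaves the state file in place and the heavy integrations will not be retried on the next run; the `if [[ "$RETURN_CODE" != "1" ]]` block belongs after the heavy loop's `done`, which ends outside the hunk. The `if [ "$NAME" != "elasticsearch-logs" ]` guard in the general loop silently skips creating that integration while the commit also adds `grid-nodes_general/elasticsearch-logs.json`, so either a comment such as `# elasticsearch-logs is not created on the general policy; it is only updated if it already exists` or removal of one of the two is needed. The new `printf` lines interpolate `$INTEGRATION` into the format string; `printf "\n\nGrid Nodes Policy_General - Loading %s\n" "$INTEGRATION"` avoids surprises if a path ever contains `%`.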
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -62,8 +62,11 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle # Initial Endpoints Policy elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" "1209600" -# Grid Nodes Policy -elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false" "1209600" +# Grid Nodes - General Policy +elastic_fleet_policy_create "so-grid-nodes_general" "SO Grid Nodes - General Purpose" "false" "1209600" + +# Grid Nodes - Heavy Node Policy +elastic_fleet_policy_create "so-grid-nodes_heavy" "SO Grid Nodes - Heavy Node" "false" "1209600" # Load Integrations for default policies so-elastic-fleet-integration-policy-load 
@@ -81,7 +84,8 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl # Query for Enrollment Tokens for default policies ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') -GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes")) | .api_key') +GRIDNODESENROLLMENTOKENGENERAL=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes_general")) | .api_key') +GRIDNODESENROLLMENTOKENHEAVY=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes_heavy")) | .api_key') # Store needed data in minion pillar pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls 
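Review bot: The two new `jq` selectors use `contains(...)`, a substring match; `so-grid-nodes_general` and `so-grid-nodes_heavy` happen not to contain each other, but a future policy id such as `so-grid-nodes_heavy2` (constructed example) would match the heavy selector and hand out the wrong enrollment key. `select(.policy_id == "so-grid-nodes_general")` and `select(.policy_id == "so-grid-nodes_heavy")` are exact. The same `enrollment_api_keys` endpoint is now fetched three times; capturing the response once and running the three `jq` filters over it is cheaper and keeps the three tokens consistent with a single snapshot.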
@@ -92,13 +96,15 @@ printf '%s\n'\ " server:"\ " es_token: '$ESTOKEN'"\ " endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\ - " grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\ + " grid_enrollment_general: '$GRIDNODESENROLLMENTOKENGENERAL'"\ + " grid_enrollment_heavy: '$GRIDNODESENROLLMENTOKENHEAVY'"\ "" >> "$pillar_file" #Store Grid Nodes Enrollment token in Global pillar global_pillar_file=/opt/so/saltstack/local/pillar/global/soc_global.sls printf '%s\n'\ - " fleet_grid_enrollment_token: '$GRIDNODESENROLLMENTOKEN'"\ + " fleet_grid_enrollment_token_general: '$GRIDNODESENROLLMENTOKENGENERAL'"\ + " fleet_grid_enrollment_token_heavy: '$GRIDNODESENROLLMENTOKENHEAVY'"\ "" >> "$global_pillar_file" # Call Elastic-Fleet Salt State
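Review bot: Both `fleet_grid_enrollment_token_general` and `fleet_grid_enrollment_token_heavy` are appended to `global/soc_global.sls`, which by its path looks like a pillar every minion receives, so each grid node obtains the enrollment token for the policy it does not belong to as well as its own, while `install_agent_grid.sls` only needs one per role. Scoping the heavy token to heavy minions (a role-targeted pillar file matched in `pillar/top.sls`, which this commit already edits) keeps the blast radius of a single compromised node to its own policy. I cannot see the pillar top targeting here, so this is inferred from the file location. The `>>` append also means re-running setup writes the keys twice; that predates this change.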