Merge pull request #10804 from Security-Onion-Solutions/fix/fleet_logging

Fleet logging

salt/elasticfleet/config.sls

@@ -45,6 +45,13 @@ eaconfdir:
     - group: 939
     - makedirs: True
 
+ealogdir:
+  file.directory:
+    - name: /opt/so/log/elasticfleet
+    - user: 947
+    - group: 939
+    - makedirs: True
+
 eastatedir:
   file.directory:
     - name: /opt/so/conf/elastic-fleet/state

salt/elasticfleet/enabled.sls

@@ -66,6 +66,7 @@ so-elastic-fleet:
       - /etc/ssl:/etc/ssl:ro
       {% endif %}
       #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
+      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
      {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
       - {{ BIND }}
@@ -85,8 +86,8 @@ so-elastic-fleet:
       {% else %}
       - FLEET_CA=/etc/pki/tls/certs/intca.crt
       - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
-
       {% endif %}
+      - LOGS_PATH=logs
       {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
       - {{ XTRAENV }}

salt/logrotate/defaults.yaml

@@ -90,7 +90,7 @@ logrotate:
       - extension .log
       - dateext
       - dateyesterday
-    /opt/so/log/fleet/*_x_log:
+    /opt/so/log/elasticfleet/*_x_log:
       - daily
       - rotate 14
       - missingok
@@ -100,6 +100,16 @@ logrotate:
       - extension .log
       - dateext
       - dateyesterday
+    /opt/so/log/elasticfleet/*_x_ndjson:
+      - daily
+      - rotate 14
+      - missingok
+      - copytruncate
+      - compress
+      - create
+      - extension .ndjson
+      - dateext
+      - dateyesterday
     /opt/so/log/suricata/*_x_log:
       - daily
       - rotate 14

salt/logrotate/soc_logrotate.yaml

@@ -63,9 +63,16 @@ logrotate:
       multiline: True
       global: True
       forcedType: "[]string"
-    "/opt/so/log/fleet/*_x_log":
+    "/opt/so/log/elasticfleet/*_x_log":
       description: List of logrotate options for this file.
-      title: /opt/so/log/fleet/*.log
+      title: /opt/so/log/elasticfleet/*.log
+      advanced: True
+      multiline: True
+      global: True
+      forcedType: "[]string"
+    "/opt/so/log/elasticfleet/*_x_ndjson":
+      description: List of logrotate options for this file.
+      title: /opt/so/log/elasticfleet/*.ndjson
       advanced: True
       multiline: True
       global: True