Merge pull request #8550 from Security-Onion-Solutions/fix/soup_elastalert_indices_check_delete_if_less_than_es_8

SOUP: Ensure Elastalert indices are not deleted for major Elasticsearch version 8 or greater
This commit is contained in:
weslambert
2022-08-18 09:45:00 -04:00
committed by GitHub


@@ -387,12 +387,7 @@ clone_to_tmp() {
} }
elastalert_indices_check() { elastalert_indices_check() {
echo "Checking Elastalert indices for compatibility..."
# Stop Elastalert to prevent Elastalert indices from being re-created
if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
so-elastalert-stop || true
fi
# Wait for ElasticSearch to initialize # Wait for ElasticSearch to initialize
echo -n "Waiting for ElasticSearch..." echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
@@ -418,39 +413,51 @@ elastalert_indices_check() {
exit 1 exit 1
fi fi
# Check Elastalert indices MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
CHECK_COUNT=0
while [[ "$CHECK_COUNT" -le 2 ]]; do # Stop Elastalert to prevent Elastalert indices from being re-created
# Delete Elastalert indices if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elastalert-stop || true
so-elasticsearch-query $i -XDELETE; fi
# Check Elastalert indices
echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
CHECK_COUNT=0
while [[ "$CHECK_COUNT" -le 2 ]]; do
# Delete Elastalert indices
for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
so-elasticsearch-query $i -XDELETE;
done
# Check to ensure Elastalert indices are deleted
COUNT=0
ELASTALERT_INDICES_DELETED="no"
while [[ "$COUNT" -le 240 ]]; do
RESPONSE=$(so-elasticsearch-query "elastalert*")
if [[ "$RESPONSE" == "{}" ]]; then
ELASTALERT_INDICES_DELETED="yes"
break
else
((COUNT+=1))
sleep 1
echo -n "."
fi
done
((CHECK_COUNT+=1))
done done
# Check to ensure Elastalert indices are deleted # If we were unable to delete the Elastalert indices, exit the script
COUNT=0 if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
ELASTALERT_INDICES_DELETED="no" echo "Elastalert indices successfully deleted."
while [[ "$COUNT" -le 240 ]]; do else
RESPONSE=$(so-elasticsearch-query elastalert*) echo
if [[ "$RESPONSE" == "{}" ]]; then echo -e "Unable to connect to delete Elastalert indices. Exiting."
ELASTALERT_INDICES_DELETED="yes" echo
echo "Elastalert indices successfully deleted." exit 1
break fi
else else
((COUNT+=1)) echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
sleep 1
echo -n "."
fi
done
((CHECK_COUNT+=1))
done
# If we were unable to delete the Elastalert indices, exit the script
if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
echo
echo -e "Unable to connect to delete Elastalert indices. Exiting."
echo
exit 1
fi fi
} }
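Review bot: The new version gate `if [[ "$MAJOR_ES_VERSION" -lt "8" ]]` does not guard against an empty or non-numeric `MAJOR_ES_VERSION`; if `so-elasticsearch-query /` fails or `jq` yields `null`, bash evaluates the string as 0 inside `[[ -lt ]]`, the condition is true, and the script proceeds to delete the Elastalert indices on whatever cluster is actually running, which appears to be the exact outcome this change is meant to prevent on 8+. A one-line check after the assignment closes this gap: `[[ "$MAJOR_ES_VERSION" =~ ^[0-9]+$ ]] || { echo "Unable to determine Elasticsearch major version. Exiting." >&2; exit 1; }`. The delete loop that follows (`for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}')` and `so-elasticsearch-query $i -XDELETE`) is carried over unquoted, which ShellCheck would flag (SC2086), though it predates this commit. elastalert_indices_check begins in the earlier hunk, so the assignment's position relative to the ES readiness wait is only partly visible here.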