Merge pull request #8550 from Security-Onion-Solutions/fix/soup_elastalert_indices_check_delete_if_less_than_es_8

SOUP: Ensure Elastalert indices are not deleted for major Elasticsearch version 8 or greater
2025-12-06 17:22:49 +01:00 · 2022-08-18 09:45:00 -04:00
parent 3b8d8163b3 fbf0803906
commit c17f0081ef
1 changed files with 46 additions and 39 deletions
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -387,12 +387,7 @@ clone_to_tmp() {
 }

 elastalert_indices_check() {
-
-  # Stop Elastalert to prevent Elastalert indices from being re-created
-  if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
-    so-elastalert-stop || true
-  fi
-  
+  echo "Checking Elastalert indices for compatibility..."
  # Wait for ElasticSearch to initialize
  echo -n "Waiting for ElasticSearch..."
  COUNT=0
@@ -418,6 +413,14 @@ elastalert_indices_check() {
    exit 1
  fi

+  MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
+  if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
+
+    # Stop Elastalert to prevent Elastalert indices from being re-created
+    if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+      so-elastalert-stop || true
+    fi
+
    # Check Elastalert indices
    echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
    CHECK_COUNT=0
@@ -431,10 +434,9 @@ elastalert_indices_check() {
      COUNT=0
      ELASTALERT_INDICES_DELETED="no"
      while [[ "$COUNT" -le 240 ]]; do
-      RESPONSE=$(so-elasticsearch-query elastalert*)
+        RESPONSE=$(so-elasticsearch-query "elastalert*")
        if [[ "$RESPONSE" == "{}" ]]; then
          ELASTALERT_INDICES_DELETED="yes"
-        echo "Elastalert indices successfully deleted."
          break
        else
          ((COUNT+=1))
@@ -446,12 +448,17 @@ elastalert_indices_check() {
    done

    # If we were unable to delete the Elastalert indices, exit the script
-  if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
+    if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
+      echo "Elastalert indices successfully deleted."
+    else
      echo
      echo -e "Unable to connect to delete Elastalert indices. Exiting."
      echo
      exit 1
    fi
+  else
+    echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
+  fi
 }

 enable_highstate() {