Merge pull request #8550 from Security-Onion-Solutions/fix/soup_elastalert_indices_check_delete_if_less_than_es_8

SOUP: Ensure Elastalert indices are not deleted for major Elasticsearch version 8 or greater

salt/common/tools/sbin/soup

@@ -387,12 +387,7 @@ clone_to_tmp() {
 }
 
 elastalert_indices_check() {
-
-  # Stop Elastalert to prevent Elastalert indices from being re-created
-  if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
-    so-elastalert-stop || true
-  fi
-  
+  echo "Checking Elastalert indices for compatibility..."
   # Wait for ElasticSearch to initialize
   echo -n "Waiting for ElasticSearch..."
   COUNT=0
@@ -409,8 +404,8 @@ elastalert_indices_check() {
         echo -n "."
       fi
   done
-  
-  # Unable to connect to Elasticsearch 
+
+  # Unable to connect to Elasticsearch
   if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
     echo
     echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
@@ -418,39 +413,51 @@ elastalert_indices_check() {
     exit 1
   fi
 
-  # Check Elastalert indices
-  echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
-  CHECK_COUNT=0
-  while [[ "$CHECK_COUNT" -le 2 ]]; do
-    # Delete Elastalert indices
-    for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
-      so-elasticsearch-query $i -XDELETE;
+  MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
+  if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
+
+    # Stop Elastalert to prevent Elastalert indices from being re-created
+    if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+      so-elastalert-stop || true
+    fi
+
+    # Check Elastalert indices
+    echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+    CHECK_COUNT=0
+    while [[ "$CHECK_COUNT" -le 2 ]]; do
+      # Delete Elastalert indices
+      for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+        so-elasticsearch-query $i -XDELETE;
+         done
+
+      # Check to ensure Elastalert indices are deleted
+      COUNT=0
+      ELASTALERT_INDICES_DELETED="no"
+      while [[ "$COUNT" -le 240 ]]; do
+        RESPONSE=$(so-elasticsearch-query "elastalert*")
+        if [[ "$RESPONSE" == "{}" ]]; then
+          ELASTALERT_INDICES_DELETED="yes"
+          break
+        else
+          ((COUNT+=1))
+          sleep 1
+          echo -n "."
+        fi
+      done
+      ((CHECK_COUNT+=1))
     done
 
-    # Check to ensure Elastalert indices are deleted
-    COUNT=0
-    ELASTALERT_INDICES_DELETED="no"
-    while [[ "$COUNT" -le 240 ]]; do
-      RESPONSE=$(so-elasticsearch-query elastalert*)
-      if [[ "$RESPONSE" == "{}" ]]; then
-        ELASTALERT_INDICES_DELETED="yes"
-        echo "Elastalert indices successfully deleted."
-        break
-      else
-        ((COUNT+=1))
-        sleep 1
-        echo -n "."
-      fi
-    done
-    ((CHECK_COUNT+=1))
-  done
-
-  # If we were unable to delete the Elastalert indices, exit the script
-  if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
-    echo
-    echo -e "Unable to connect to delete Elastalert indices. Exiting."
-    echo
-    exit 1
+    # If we were unable to delete the Elastalert indices, exit the script
+    if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
+      echo "Elastalert indices successfully deleted."
+    else
+      echo
+      echo -e "Unable to connect to delete Elastalert indices. Exiting."
+      echo
+      exit 1
+    fi
+  else
+    echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
   fi
 }