diff --git a/salt/telegraf/config.sls b/salt/telegraf/config.sls
index a35be55f5..05aa6a422 100644
--- a/salt/telegraf/config.sls
+++ b/salt/telegraf/config.sls
@@ -45,6 +45,24 @@ tgraf_sync_script_{{script}}:
 GLOBALS: {{ GLOBALS }}
 {% endfor %}
+{% if GLOBALS.role in ['so-standalone', 'so-manager', 'so-managersearch', 'so-heavynode', 'so-eval', 'so-import'] %}
+tgraf_sync_script_esindexsize.sh:
+ file.managed:
+ - name: /opt/so/conf/telegraf/scripts/esindexsize.sh
+ - user: root
+ - group: 939
+ - mode: 770
+ - source: salt://telegraf/scripts/esindexsize.sh
+{# Copy conf/elasticsearch/curl.config for telegraf to use with esindexsize.sh #}
+tgraf_sync_escurl_conf:
+ file.managed:
+ - name: /opt/so/conf/telegraf/etc/escurl.config
+ - user: 939
+ - group: 939
+ - mode: 400
+ - source: salt://elasticsearch/curl.config
+{% endif %}
+
 
 telegraf_sbin:
 file.recurse:
 - name: /usr/sbin
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls
index 8c71ecac3..451c78dda 100644
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -56,6 +56,9 @@ so-telegraf:
 - /opt/so/log/sostatus:/var/log/sostatus:ro
 - /opt/so/log/salt:/var/log/salt:ro
 - /opt/so/log/agents:/var/log/agents:ro
+ {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
+ - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
+ {% endif %}
 {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
 - {{ BIND }}
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 4c2318c02..f5d331209 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
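Review bot: The new `tgraf_sync_script_esindexsize.sh` and `tgraf_sync_escurl_conf` states are gated on an explicit six-role list, while the enabled.sls hunk (and the telegraf.conf hunks) gate the bind mount and the exec input on `GLOBALS.is_manager or GLOBALS.role == 'so-heavynode'`. If those two expressions ever disagree, a node will bind-mount `/opt/so/conf/telegraf/etc/escurl.config` that Salt never wrote — Docker then either refuses to start the container or, depending on the mount syntax in use, creates an empty directory at that path — and the hourly exec input fails with nothing to show for it. Use one expression in both files, e.g. `{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}` here, assuming `is_manager` covers exactly the listed roles (confirm against the GLOBALS map). It would also help to say in the `{# ... #}` comment why `escurl.config` is owned by 939 with mode 400: it is presumably the curl `-K` file carrying the Elasticsearch credentials, so only the telegraf user should read it.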
@@ -192,7 +192,7 @@
 #
 #
 # Read stats from one or more Elasticsearch servers or clusters
-{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-import'] %}
+{%- if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
 [[inputs.elasticsearch]]
 servers = ["https://{{ NODEIP }}:9200"]
 cluster_stats = true
@@ -323,3 +323,13 @@
 #
 # Read metrics about network interface usage
 [[inputs.net]]
+
+# Scripts run every 30s||TELEGRAFMERGED.config.interval - ES index script doesn't need to run as frequently
+{%- if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
+[[ inputs.exec ]]
+ commands = [
+ "/scripts/esindexsize.sh"
+ ]
+ data_format = "influx"
+ interval = "1h"
+{%- endif %}
diff --git a/salt/telegraf/scripts/agentstatus.sh b/salt/telegraf/scripts/agentstatus.sh
index a390552fc..718f0e5ce 100644
--- a/salt/telegraf/scripts/agentstatus.sh
+++ b/salt/telegraf/scripts/agentstatus.sh
@@ -24,7 +24,7 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
 EVENTS=$(cat $LOGFILE | grep -wF events | awk '{print $2}' | tr -d ',')
 TOTAL=$(cat $LOGFILE | grep -wF total | awk '{print $2}' | tr -d ',')
 ALL=$(cat $LOGFILE | grep -wF all | awk '{print $2}' | tr -d ',')
- ACTIVE=$(cat $LOGFILE | grep -wF active | awk '{print $2}')
+ ACTIVE=$(cat $LOGFILE | grep -wF active | awk '{print $2}' | tr -d ',')
 
 echo "agentstatus online=$ONLINE,error=$ERROR,inactive=$INACTIVE,offline=$OFFLINE,updating=$UPDATING,unenrolled=$UNENROLLED,other=$OTHER,events=$EVENTS,total=$TOTAL,all=$ALL,active=$ACTIVE"
 fi
diff --git a/salt/telegraf/scripts/esindexsize.sh b/salt/telegraf/scripts/esindexsize.sh
new file mode 100644
index 000000000..dbb50f83e
--- /dev/null
+++ b/salt/telegraf/scripts/esindexsize.sh
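Review bot: The new `[[ inputs.exec ]]` block in the -323 hunk sets no `timeout`, so telegraf kills the command at the exec plugin's default (5s) — and esindexsize.sh issues three curl calls plus one `jq` per backing index of every data stream, which on a cluster with many indices can exceed that, yielding a "command timed out" error every hour and no metric; add `timeout = "60s"` (sized for the largest deployment) next to `interval = "1h"`. Style: the header is written `[[ inputs.exec ]]` while every other table in the file uses the `[[inputs.net]]` form, so drop the inner spaces. The comment above the block is hard to parse; suggest `# exec scripts inherit the agent interval (TELEGRAFMERGED.config.interval); the ES index-size script only needs to run hourly`. The -192 hunk's switch from `grains['role']` to `GLOBALS.is_manager` assumes GLOBALS is in this template's render context — presumably it is, given `{{ NODEIP }}` already renders here, but that is not visible in the hunk.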
@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+if curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/" -w "%{http_code}" -o /dev/null | grep -q '200'; then
+
+ DATASTREAM_INFO=$(curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/_data_stream?format=json")
+ INDICES=$(curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/_cat/indices?h=index,store.size&bytes=b&s=index:asc&format=json")
+ INDICES_WITH_SIZE=()
+
+ while IFS= read -r DS; do
+ datastream_indices=()
+ datastream=$(echo "$DS" | jq -r '.name')
+ # influx doesn't like key starting with '.'
+ if [[ $datastream != .* ]]; then
+ while IFS= read -r DS_IDX; do
+ datastream_indices+=("$DS_IDX")
+ done < <(echo "$DS" | jq -r '.indices[].index_name')
+ datastream_size=0
+
+ for idx in ${datastream_indices[@]}; do
+ current_index=$(echo "$INDICES" | jq -r --arg index "$idx" '.[] | select(.index == $index)["store.size"]')
+ datastream_size=$(($datastream_size + $current_index))
+ done
+ INDICES_WITH_SIZE+=("${datastream}=${datastream_size}i")
+ # echo "$datastream size is $(echo "$datastream_size" | numfmt --to iec)"
+ fi
+ done < <(echo "$DATASTREAM_INFO" | jq -c '.data_streams[]')
+
+ measurement="elasticsearch_index_size "
+ total=${#INDICES_WITH_SIZE[@]}
+ for idxws in "${!INDICES_WITH_SIZE[@]}"; do
+ if [[ $idxws -lt $(($total - 1)) ]]; then
+ measurement+="${INDICES_WITH_SIZE[$idxws]},"
+ else
+ measurement+="${INDICES_WITH_SIZE[$idxws]}"
+ fi
+ done
+
+ echo "$measurement"
+
+fi
\ No newline at end of file
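Review bot: In the per-index loop, `datastream_size=$(($datastream_size + $current_index))` aborts the script with an "operand expected" arithmetic error whenever `jq` yields nothing for an index — for example a backing index deleted between the `_data_stream` and `_cat/indices` calls, or one whose `store.size` is absent — so a single missing index loses the whole hourly measurement; `${current_index:-0}` (and quoting `"${datastream_indices[@]}"`, which is otherwise word-split) avoids that. The same loop runs one `jq` over the full `$INDICES` document for every backing index of every data stream, a cost that grows as streams × indices and competes with the exec plugin's timeout; a single pass that builds an index→size map, sketched below, removes the repeated parsing. Two smaller points: when no data stream qualifies the script prints `elasticsearch_index_size ` with no fields, which is invalid line protocol and surfaces as a telegraf parse error rather than simply no sample, so guard the final `echo` with `if (( total > 0 ))`; and when the reachability check fails the script exits 0 with empty output, so a missing or unreadable `/etc/telegraf/elasticsearch.config` never shows in telegraf's log — an `else` branch writing a message to stderr followed by `exit 1` would make that visible.
```shell
  INDICES=$(curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/_cat/indices?h=index,store.size&bytes=b&s=index:asc&format=json")
  # One jq pass: backing index name -> store.size in bytes; a null size becomes "" and is read as 0 below
  declare -A INDEX_SIZE
  while IFS=$'\t' read -r idx size; do
    INDEX_SIZE["$idx"]=$size
  done < <(echo "$INDICES" | jq -r '.[] | [.index, .["store.size"]] | @tsv')
  # … unchanged: data-stream loop up to datastream_size=0 …
      for idx in "${datastream_indices[@]}"; do
        datastream_size=$(( datastream_size + ${INDEX_SIZE[$idx]:-0} ))
      done
  # … unchanged: INDICES_WITH_SIZE append, end of loop, measurement join …
  # A measurement with no fields is not valid line protocol; emit nothing instead
  if (( total > 0 )); then
    echo "$measurement"
  fi
```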