Merge pull request #14580 from Security-Onion-Solutions/reyesj2/feat-254

collect es index sizes
This commit is contained in:
Jorge Reyes
2025-05-06 08:39:16 -05:00
committed by GitHub
5 changed files with 78 additions and 2 deletions


@@ -45,6 +45,24 @@ tgraf_sync_script_{{script}}:
GLOBALS: {{ GLOBALS }} GLOBALS: {{ GLOBALS }}
{% endfor %} {% endfor %}
{% if GLOBALS.role in ['so-standalone', 'so-manager', 'so-managersearch', 'so-heavynode', 'so-eval', 'so-import'] %}
tgraf_sync_script_esindexsize.sh:
file.managed:
- name: /opt/so/conf/telegraf/scripts/esindexsize.sh
- user: root
- group: 939
- mode: 770
- source: salt://telegraf/scripts/esindexsize.sh
{# Copy conf/elasticsearch/curl.config for telegraf to use with esindexsize.sh #}
tgraf_sync_escurl_conf:
file.managed:
- name: /opt/so/conf/telegraf/etc/escurl.config
- user: 939
- group: 939
- mode: 400
- source: salt://elasticsearch/curl.config
{% endif %}
telegraf_sbin: telegraf_sbin:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin
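Review bot: `- mode: 770` on `/opt/so/conf/telegraf/scripts/esindexsize.sh` leaves a script that telegraf later executes writable by every member of gid 939, which is broader than execution needs; `- mode: 750` keeps it root-owned and group-executable without being group-writable (assuming 939 is the group the so-telegraf container runs as, as the `user: 939` on the config state suggests). The `escurl.config` state copies what is presumably the curl `-K` file carrying the Elasticsearch credentials; `0400` with `939:939` is appropriate, but Salt's `file.managed` prints the managed file's contents in the state diff by default, so add `- show_changes: False` to `tgraf_sync_escurl_conf` to keep the credential out of highstate output and logs. The enclosing `{% if GLOBALS.role in [...] %}` role list should be kept identical to whatever condition gates the container bind mount of this file, or the mount source will be missing on some roles.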


@@ -56,6 +56,9 @@ so-telegraf:
- /opt/so/log/sostatus:/var/log/sostatus:ro - /opt/so/log/sostatus:/var/log/sostatus:ro
- /opt/so/log/salt:/var/log/salt:ro - /opt/so/log/salt:/var/log/salt:ro
- /opt/so/log/agents:/var/log/agents:ro - /opt/so/log/agents:/var/log/agents:ro
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
{% endif %}
{% if DOCKER.containers['so-telegraf'].custom_bind_mounts %} {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
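Review bot: The new bind mount is gated on `{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}`, while the state in this same PR that writes its source `/opt/so/conf/telegraf/etc/escurl.config` is gated on an explicit role list; on any role where the two predicates disagree the source path will not exist, Docker creates an empty directory there, and the container starts with `/etc/telegraf/elasticsearch.config` as a directory so every `curl -K` in the script fails at runtime. Use a single predicate in both places — reuse the role list here, or switch the state to the same `GLOBALS.is_manager or GLOBALS.role == 'so-heavynode'` expression — so the two cannot drift apart. Mounting it `:ro` is the right choice for a file that presumably carries credentials.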


@@ -192,7 +192,7 @@
# #
# # Read stats from one or more Elasticsearch servers or clusters # # Read stats from one or more Elasticsearch servers or clusters
{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-import'] %} {%- if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
[[inputs.elasticsearch]] [[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"] servers = ["https://{{ NODEIP }}:9200"]
cluster_stats = true cluster_stats = true
@@ -323,3 +323,13 @@
# # Read metrics about network interface usage # # Read metrics about network interface usage
[[inputs.net]] [[inputs.net]]
# Scripts run every 30s||TELEGRAFMERGED.config.interval - ES index script doesn't need to run as frequently
{%- if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
[[ inputs.exec ]]
commands = [
"/scripts/esindexsize.sh"
]
data_format = "influx"
interval = "1h"
{%- endif %}
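Review bot: The new `[[ inputs.exec ]]` block sets `interval = "1h"` but leaves the plugin's per-command `timeout` at its default (5s, if I recall telegraf's exec plugin correctly); `/scripts/esindexsize.sh` makes three sequential HTTPS calls and then forks `jq` once per backing index, so on a cluster with many indices it can be killed before it prints the measurement and the metric silently never arrives. Add `timeout = "60s"` next to `interval` so a slow run is tolerated rather than dropped. Stylistically, the other plugin headers in this file are written without inner spaces (`[[inputs.net]]`, `[[inputs.elasticsearch]]`); write `[[inputs.exec]]` to match.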


@@ -24,7 +24,7 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
EVENTS=$(cat $LOGFILE | grep -wF events | awk '{print $2}' | tr -d ',') EVENTS=$(cat $LOGFILE | grep -wF events | awk '{print $2}' | tr -d ',')
TOTAL=$(cat $LOGFILE | grep -wF total | awk '{print $2}' | tr -d ',') TOTAL=$(cat $LOGFILE | grep -wF total | awk '{print $2}' | tr -d ',')
ALL=$(cat $LOGFILE | grep -wF all | awk '{print $2}' | tr -d ',') ALL=$(cat $LOGFILE | grep -wF all | awk '{print $2}' | tr -d ',')
ACTIVE=$(cat $LOGFILE | grep -wF active | awk '{print $2}') ACTIVE=$(cat $LOGFILE | grep -wF active | awk '{print $2}' | tr -d ',')
echo "agentstatus online=$ONLINE,error=$ERROR,inactive=$INACTIVE,offline=$OFFLINE,updating=$UPDATING,unenrolled=$UNENROLLED,other=$OTHER,events=$EVENTS,total=$TOTAL,all=$ALL,active=$ACTIVE" echo "agentstatus online=$ONLINE,error=$ERROR,inactive=$INACTIVE,offline=$OFFLINE,updating=$UPDATING,unenrolled=$UNENROLLED,other=$OTHER,events=$EVENTS,total=$TOTAL,all=$ALL,active=$ACTIVE"
fi fi
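Review bot: The rewritten `ACTIVE=` line carries over the `cat $LOGFILE | grep …` form and the unquoted `$LOGFILE` of its neighbours; since this line is being touched anyway it could read `ACTIVE=$(grep -wF active -- "$LOGFILE" | awk '{print $2}' | tr -d ',')`. The enclosing `if` block begins outside the hunk.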


@@ -0,0 +1,45 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
if curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/" -w "%{http_code}" -o /dev/null | grep -q '200'; then
DATASTREAM_INFO=$(curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/_data_stream?format=json")
INDICES=$(curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/_cat/indices?h=index,store.size&bytes=b&s=index:asc&format=json")
INDICES_WITH_SIZE=()
while IFS= read -r DS; do
datastream_indices=()
datastream=$(echo "$DS" | jq -r '.name')
# influx doesn't like key starting with '.'
if [[ $datastream != .* ]]; then
while IFS= read -r DS_IDX; do
datastream_indices+=("$DS_IDX")
done < <(echo "$DS" | jq -r '.indices[].index_name')
datastream_size=0
for idx in ${datastream_indices[@]}; do
current_index=$(echo "$INDICES" | jq -r --arg index "$idx" '.[] | select(.index == $index)["store.size"]')
datastream_size=$(($datastream_size + $current_index))
done
INDICES_WITH_SIZE+=("${datastream}=${datastream_size}i")
# echo "$datastream size is $(echo "$datastream_size" | numfmt --to iec)"
fi
done < <(echo "$DATASTREAM_INFO" | jq -c '.data_streams[]')
measurement="elasticsearch_index_size "
total=${#INDICES_WITH_SIZE[@]}
for idxws in "${!INDICES_WITH_SIZE[@]}"; do
if [[ $idxws -lt $(($total - 1)) ]]; then
measurement+="${INDICES_WITH_SIZE[$idxws]},"
else
measurement+="${INDICES_WITH_SIZE[$idxws]}"
fi
done
echo "$measurement"
fi
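Review bot: `current_index=$(echo "$INDICES" | jq -r --arg index "$idx" '.[] | select(.index == $index)["store.size"]')` is empty whenever a backing index reported by `_data_stream` is absent from the earlier `_cat/indices` snapshot (rollover or ILM delete between the two calls) and is the string `null` for an index with no store size, and the following `datastream_size=$(($datastream_size + $current_index))` then aborts with an arithmetic syntax error, so nothing is emitted for that run. The loop also forks one `jq` per backing index, which on a cluster with many indices is slow enough to risk telegraf's exec timeout. A single `jq` pass that joins the two documents and defaults a missing size to 0 fixes both; the fence below replaces everything from `INDICES_WITH_SIZE=()` through `echo "$measurement"`, and also skips the output line when there are no fields, since line protocol with an empty field set is rejected by telegraf. Separately, `-k` on every curl call disables certificate verification even for this localhost connection; if `/etc/telegraf/elasticsearch.config` already carries a `cacert` entry (the elasticsearch curl.config it is copied from may well do), drop `-k` and let curl verify.
```shell
  INDICES=$(curl -K /etc/telegraf/elasticsearch.config -s -k -L "https://localhost:9200/_cat/indices?h=index,store.size&bytes=b&s=index:asc&format=json")
  # Join both documents in one jq pass. Both are fed on stdin and slurped so a
  # large _cat/indices response cannot hit the per-argument size limit.
  # A backing index missing from the _cat snapshot (rolled over or deleted
  # between the two calls) or with a null store.size counts as 0 bytes.
  fields=$(printf '%s\n%s\n' "$DATASTREAM_INFO" "$INDICES" | jq -rs '
    .[0] as $ds | .[1] as $idx
    | ($idx | map({key: .index, value: ((.["store.size"] | tonumber?) // 0)}) | from_entries) as $size
    | [ $ds.data_streams[]
        | select(.name | startswith(".") | not)   # influx rejects field keys starting with "."
        | "\(.name)=\([.indices[].index_name | $size[.] // 0] | add // 0)i" ]
    | join(",")')
  # Line protocol needs at least one field; emit nothing on an empty cluster.
  if [[ -n "$fields" ]]; then
    echo "elasticsearch_index_size $fields"
  fi
```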