From ece3c367b59ee451c50263e577c4c45190628d02 Mon Sep 17 00:00:00 2001
From: Jonathan Race
Date: Wed, 29 Nov 2023 09:20:37 -0500
Subject: [PATCH 01/14] Update import-evtx-logs.json version updates to match 2.4 release pipelines
---
 .../integrations/grid-nodes_general/import-evtx-logs.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
index 4887a1a01..baa8683ae 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -20,8 +20,8 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.34.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.24.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.34.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.34.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.24.0\n- add_fields:\n target: data_stream\n 
fields:\n dataset: import", - "tags": [ + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.43.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.38.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.43.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.43.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.38.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", 
+ "tags": [
 "import"
 ]
 }
From a6d20bdc71d9ec4949ce4b21d9c75b8b2be64b5d Mon Sep 17 00:00:00 2001
From: weslambert
Date: Wed, 29 Nov 2023 17:01:29 -0500
Subject: [PATCH 02/14] Update HOTFIX
---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index ac1f7a840..39e4800ae 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-20231121
+20231204
From 2368e8b7934a0bf4adb21939b886f41550853aba Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 29 Nov 2023 22:06:11 +0000
Subject: [PATCH 03/14] Fix action file names
---
 salt/curator/tools/sbin/so-curator-close | 8 ++++----
 salt/curator/tools/sbin/so-curator-cluster-close | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/salt/curator/tools/sbin/so-curator-close b/salt/curator/tools/sbin/so-curator-close
index af66a03df..f64863cc7 100644
--- a/salt/curator/tools/sbin/so-curator-close
+++ b/salt/curator/tools/sbin/so-curator-close
@@ -26,7 +26,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-so-close.yml > /dev/null 2>&1;
diff --git a/salt/curator/tools/sbin/so-curator-cluster-close b/salt/curator/tools/sbin/so-curator-cluster-close
index 4359dcfc1..b9896ea2a 100755
--- a/salt/curator/tools/sbin/so-curator-cluster-close
+++ b/salt/curator/tools/sbin/so-curator-cluster-close
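Review bot: Every command in this hunk still ends in `> /dev/null 2>&1;`, which is exactly why the wrong action-file names fixed here could go unnoticed — Curator's error about a missing action file was discarded, the close job silently did nothing, and nothing in the script's output or exit status reflected it. Dropping the redirection and surfacing failures, e.g. `docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-so-close.yml || echo "so-curator-close: logs-strelka-so-close failed" >&2`, would let the next broken path show up in the job log instead of as an unexplained disk-full event on a sensor. Separately, the `index` line shows this script at mode 100644 while so-curator-cluster-close is 100755; unless the Salt state that deploys it sets the mode, this copy is not executable as committed. The rest of the script lies outside the hunk.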
@@ -24,7 +24,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-so-close.yml > /dev/null 2>&1;
From a605c5c62c3c25c5ba3702082a8606d9e000c24a Mon Sep 17 00:00:00 2001
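Review bot: This hunk is a line-for-line repeat of the list in so-curator-close, and the fact that both scripts needed the same four renames shows the duplicated list has already drifted once; a second hand-maintained copy of the action-file names is a second place for the next rename to be missed. Driving the calls from one explicit list with the exit status checked removes the duplication and the silent `> /dev/null 2>&1` failure together; the names stay explicit rather than globbed because /etc/curator/action is a container path and a host-side glob would only work if it is also mounted on the host. The start of the action list, and the rest of the script, are outside the hunk.
```shell
for name in logs-strelka-so-close logs-suricata-so-close logs-syslog-so-close logs-zeek-so-close; do
  docker exec so-curator curator --config /etc/curator/config/curator.yml "/etc/curator/action/${name}.yml" \
    || echo "so-curator-cluster-close: ${name} failed" >&2
done
```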
From: Wes Date: Wed, 29 Nov 2023 22:13:20 +0000 Subject: [PATCH 04/14] Ensure indices managed by ILM can be managed by Curator --- salt/curator/files/action/delete.yml | 1 + salt/curator/files/action/logs-import-so-close.yml | 1 + salt/curator/files/action/logs-import-so-delete.yml | 1 + salt/curator/files/action/logs-strelka-so-close.yml | 1 + salt/curator/files/action/logs-strelka-so-delete.yml | 1 + salt/curator/files/action/logs-suricata-so-close.yml | 1 + salt/curator/files/action/logs-suricata-so-delete.yml | 1 + salt/curator/files/action/logs-syslog-so-close.yml | 1 + salt/curator/files/action/logs-syslog-so-delete.yml | 1 + salt/curator/files/action/logs-zeek-so-close.yml | 1 + salt/curator/files/action/logs-zeek-so-delete.yml | 1 + salt/curator/files/action/so-beats-close.yml | 1 + salt/curator/files/action/so-beats-delete.yml | 1 + salt/curator/files/action/so-elasticsearch-close.yml | 1 + salt/curator/files/action/so-elasticsearch-delete.yml | 1 + salt/curator/files/action/so-firewall-close.yml | 1 + salt/curator/files/action/so-firewall-delete.yml | 1 + salt/curator/files/action/so-ids-close.yml | 1 + salt/curator/files/action/so-ids-delete.yml | 1 + salt/curator/files/action/so-import-close.yml | 1 + salt/curator/files/action/so-import-delete.yml | 1 + salt/curator/files/action/so-kibana-close.yml | 1 + salt/curator/files/action/so-kibana-delete.yml | 1 + salt/curator/files/action/so-kratos-close.yml | 1 + salt/curator/files/action/so-kratos-delete.yml | 1 + salt/curator/files/action/so-logstash-close.yml | 1 + salt/curator/files/action/so-logstash-delete.yml | 1 + salt/curator/files/action/so-netflow-close.yml | 1 + salt/curator/files/action/so-netflow-delete.yml | 1 + salt/curator/files/action/so-osquery-close.yml | 1 + salt/curator/files/action/so-osquery-delete.yml | 1 + salt/curator/files/action/so-ossec-close.yml | 1 + salt/curator/files/action/so-ossec-delete.yml | 1 + salt/curator/files/action/so-redis-close.yml | 1 + 
salt/curator/files/action/so-redis-delete.yml | 1 + salt/curator/files/action/so-strelka-close.yml | 1 + salt/curator/files/action/so-strelka-delete.yml | 1 + salt/curator/files/action/so-syslog-close.yml | 1 + salt/curator/files/action/so-syslog-delete.yml | 1 + salt/curator/files/action/so-zeek-close.yml | 1 + salt/curator/files/action/so-zeek-delete.yml | 1 + 41 files changed, 41 insertions(+) diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index c81a9e548..253c6fd67 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -15,6 +15,7 @@ actions: description: >- Delete indices when {{log_size_limit}}(GB) is exceeded. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml index e2d28fd06..7ed2b1e35 100644 --- a/salt/curator/files/action/logs-import-so-close.yml +++ b/salt/curator/files/action/logs-import-so-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close import indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml index b46a5fc73..06e24acc0 100644 --- a/salt/curator/files/action/logs-import-so-delete.yml +++ b/salt/curator/files/action/logs-import-so-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete import indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml index c4b57995d..09385b968 100644 --- a/salt/curator/files/action/logs-strelka-so-close.yml +++ b/salt/curator/files/action/logs-strelka-so-close.yml 
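Review bot: `allow_ilm_indices: True` on the size-based delete action in delete.yml (the hunk ending at `filters:`) switches off Curator's refusal to touch ILM-managed indices, so Curator and the ILM policy now both act on the same backing indices and the effective retention becomes whichever fires first — for a security log store that is an evidence-retention and silent-data-loss concern, and the filters that decide which indices are in scope sit outside the hunk. Patch 05/14 in this series removes all 41 of these lines again, so the net change is nil, but if the flag is reintroduced it should be limited to the action files whose index patterns are genuinely ILM-managed, with the reason recorded inline, e.g. `# Override Curator's ILM guard so the disk-pressure purge can reclaim space before ILM's delete phase; keep in step with the ILM policy ages`. The same flag on the *-close.yml actions deserves its own check: as far as I recall ILM cannot progress a closed index, so closing an ILM-managed index may stall its policy — confirm against the Elasticsearch version in use before enabling it there.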
@@ -10,6 +10,7 @@ actions: description: >- Close Strelka indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-strelka-so-delete.yml b/salt/curator/files/action/logs-strelka-so-delete.yml index d01bdcc83..a0f70c937 100644 --- a/salt/curator/files/action/logs-strelka-so-delete.yml +++ b/salt/curator/files/action/logs-strelka-so-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete Strelka indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml index c99a85285..596fc8283 100644 --- a/salt/curator/files/action/logs-suricata-so-close.yml +++ b/salt/curator/files/action/logs-suricata-so-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close Suricata indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-suricata-so-delete.yml b/salt/curator/files/action/logs-suricata-so-delete.yml index 765ba1293..df1d0251b 100644 --- a/salt/curator/files/action/logs-suricata-so-delete.yml +++ b/salt/curator/files/action/logs-suricata-so-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete Suricata indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml index 3ccf7834b..2a2ec6fbf 100644 --- a/salt/curator/files/action/logs-syslog-so-close.yml +++ b/salt/curator/files/action/logs-syslog-so-close.yml 
@@ -10,6 +10,7 @@ actions: description: >- Close syslog indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml index 274d06711..beaf2f23c 100644 --- a/salt/curator/files/action/logs-syslog-so-delete.yml +++ b/salt/curator/files/action/logs-syslog-so-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete syslog indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml index 020c89cbc..e1c2c5db2 100644 --- a/salt/curator/files/action/logs-zeek-so-close.yml +++ b/salt/curator/files/action/logs-zeek-so-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close Zeek indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-zeek-so-delete.yml b/salt/curator/files/action/logs-zeek-so-delete.yml index 5acfc50a7..6c442bb8d 100644 --- a/salt/curator/files/action/logs-zeek-so-delete.yml +++ b/salt/curator/files/action/logs-zeek-so-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete Zeek indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml index 88c7ce91a..3b085382e 100644 --- a/salt/curator/files/action/so-beats-close.yml +++ b/salt/curator/files/action/so-beats-close.yml 
@@ -10,6 +10,7 @@ actions: description: >- Close Beats indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-beats-delete.yml b/salt/curator/files/action/so-beats-delete.yml index c4e1f8b4e..efdbe068e 100644 --- a/salt/curator/files/action/so-beats-delete.yml +++ b/salt/curator/files/action/so-beats-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete beats indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml index e4d8824bd..ffb30116e 100644 --- a/salt/curator/files/action/so-elasticsearch-close.yml +++ b/salt/curator/files/action/so-elasticsearch-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close elasticsearch indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-elasticsearch-delete.yml b/salt/curator/files/action/so-elasticsearch-delete.yml index 3c6bf4aac..8f5ba03bd 100644 --- a/salt/curator/files/action/so-elasticsearch-delete.yml +++ b/salt/curator/files/action/so-elasticsearch-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete elasticsearch indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml index 18d30737d..3b798d427 100644 --- a/salt/curator/files/action/so-firewall-close.yml +++ b/salt/curator/files/action/so-firewall-close.yml 
@@ -11,6 +11,7 @@ actions: description: >- Close Firewall indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-firewall-delete.yml b/salt/curator/files/action/so-firewall-delete.yml index 5143e2fe9..bedc73a81 100644 --- a/salt/curator/files/action/so-firewall-delete.yml +++ b/salt/curator/files/action/so-firewall-delete.yml @@ -11,6 +11,7 @@ actions: description: >- Delete firewall indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml index 359e0a4cc..30869af55 100644 --- a/salt/curator/files/action/so-ids-close.yml +++ b/salt/curator/files/action/so-ids-close.yml @@ -11,6 +11,7 @@ actions: description: >- Close IDS indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-ids-delete.yml b/salt/curator/files/action/so-ids-delete.yml index 6cf120fef..32032ec9c 100644 --- a/salt/curator/files/action/so-ids-delete.yml +++ b/salt/curator/files/action/so-ids-delete.yml @@ -11,6 +11,7 @@ actions: description: >- Delete IDS indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml index 7a60b9343..9fc386e5b 100644 --- a/salt/curator/files/action/so-import-close.yml +++ b/salt/curator/files/action/so-import-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close Import indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True 
diff --git a/salt/curator/files/action/so-import-delete.yml b/salt/curator/files/action/so-import-delete.yml index 36e213b26..3051a449d 100644 --- a/salt/curator/files/action/so-import-delete.yml +++ b/salt/curator/files/action/so-import-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete import indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml index 7c29ed294..77e0da5f8 100644 --- a/salt/curator/files/action/so-kibana-close.yml +++ b/salt/curator/files/action/so-kibana-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close kibana indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-kibana-delete.yml b/salt/curator/files/action/so-kibana-delete.yml index 971a178fe..b687eec7d 100644 --- a/salt/curator/files/action/so-kibana-delete.yml +++ b/salt/curator/files/action/so-kibana-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete kibana indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml index d5fc3385c..6ae76efcd 100644 --- a/salt/curator/files/action/so-kratos-close.yml +++ b/salt/curator/files/action/so-kratos-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close kratos indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml index d7cb2c4ad..361c485e0 100644 --- a/salt/curator/files/action/so-kratos-delete.yml 
+++ b/salt/curator/files/action/so-kratos-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete kratos indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml index 34402d95c..b59a4a6c6 100644 --- a/salt/curator/files/action/so-logstash-close.yml +++ b/salt/curator/files/action/so-logstash-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close logstash indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-logstash-delete.yml b/salt/curator/files/action/so-logstash-delete.yml index 1ca1a6f6c..55f202342 100644 --- a/salt/curator/files/action/so-logstash-delete.yml +++ b/salt/curator/files/action/so-logstash-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete logstash indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml index 359d6f1f1..4371d9fb0 100644 --- a/salt/curator/files/action/so-netflow-close.yml +++ b/salt/curator/files/action/so-netflow-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close netflow indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-netflow-delete.yml b/salt/curator/files/action/so-netflow-delete.yml index 63adaa393..910df2c48 100644 --- a/salt/curator/files/action/so-netflow-delete.yml +++ b/salt/curator/files/action/so-netflow-delete.yml 
@@ -10,6 +10,7 @@ actions: description: >- Delete netflow indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml index 59b6a92b2..d3cc6860d 100644 --- a/salt/curator/files/action/so-osquery-close.yml +++ b/salt/curator/files/action/so-osquery-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close osquery indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml index b6263b0e8..42a862ca8 100644 --- a/salt/curator/files/action/so-osquery-delete.yml +++ b/salt/curator/files/action/so-osquery-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete import indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml index ac0691ad8..c2a59bf6c 100644 --- a/salt/curator/files/action/so-ossec-close.yml +++ b/salt/curator/files/action/so-ossec-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close ossec indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-ossec-delete.yml b/salt/curator/files/action/so-ossec-delete.yml index e24fe3819..7f2f5dac9 100644 --- a/salt/curator/files/action/so-ossec-delete.yml +++ b/salt/curator/files/action/so-ossec-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete ossec indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: 
diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml index f7c5ef4c6..e1aad460d 100644 --- a/salt/curator/files/action/so-redis-close.yml +++ b/salt/curator/files/action/so-redis-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close redis indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-redis-delete.yml b/salt/curator/files/action/so-redis-delete.yml index 1c7f95ded..b4197f9e1 100644 --- a/salt/curator/files/action/so-redis-delete.yml +++ b/salt/curator/files/action/so-redis-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete redis indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index 9d908d6d2..eaca46b46 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close Strelka indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-strelka-delete.yml b/salt/curator/files/action/so-strelka-delete.yml index 90cf88e46..f4470a2da 100644 --- a/salt/curator/files/action/so-strelka-delete.yml +++ b/salt/curator/files/action/so-strelka-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete Strelka indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index e5a58e437..27d1774d2 100644 --- a/salt/curator/files/action/so-syslog-close.yml 
+++ b/salt/curator/files/action/so-syslog-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close syslog indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-syslog-delete.yml b/salt/curator/files/action/so-syslog-delete.yml index c11d2ef5a..3bfcd8d87 100644 --- a/salt/curator/files/action/so-syslog-delete.yml +++ b/salt/curator/files/action/so-syslog-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete syslog indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index 1e9ea59e4..f5d332b12 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml @@ -10,6 +10,7 @@ actions: description: >- Close Zeek indices older than {{cur_close_days}} days. options: + allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-zeek-delete.yml b/salt/curator/files/action/so-zeek-delete.yml index 1f8522696..65cb0b10a 100644 --- a/salt/curator/files/action/so-zeek-delete.yml +++ b/salt/curator/files/action/so-zeek-delete.yml @@ -10,6 +10,7 @@ actions: description: >- Delete Zeek indices when older than {{ DELETE_DAYS }} days. options: + allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: From 6fa4a69753594999765771397dc474d72e305eb1 Mon Sep 17 00:00:00 2001 
From: Wes Date: Fri, 1 Dec 2023 16:10:07 +0000 Subject: [PATCH 05/14] Remove action changes --- salt/curator/files/action/delete.yml | 1 - salt/curator/files/action/logs-import-so-close.yml | 1 - salt/curator/files/action/logs-import-so-delete.yml | 1 - salt/curator/files/action/logs-strelka-so-close.yml | 1 - salt/curator/files/action/logs-strelka-so-delete.yml | 1 - salt/curator/files/action/logs-suricata-so-close.yml | 1 - salt/curator/files/action/logs-suricata-so-delete.yml | 1 - salt/curator/files/action/logs-syslog-so-close.yml | 1 - salt/curator/files/action/logs-syslog-so-delete.yml | 1 - salt/curator/files/action/logs-zeek-so-close.yml | 1 - salt/curator/files/action/logs-zeek-so-delete.yml | 1 - salt/curator/files/action/so-beats-close.yml | 1 - salt/curator/files/action/so-beats-delete.yml | 1 - salt/curator/files/action/so-elasticsearch-close.yml | 1 - salt/curator/files/action/so-elasticsearch-delete.yml | 1 - salt/curator/files/action/so-firewall-close.yml | 1 - salt/curator/files/action/so-firewall-delete.yml | 1 - salt/curator/files/action/so-ids-close.yml | 1 - salt/curator/files/action/so-ids-delete.yml | 1 - salt/curator/files/action/so-import-close.yml | 1 - salt/curator/files/action/so-import-delete.yml | 1 - salt/curator/files/action/so-kibana-close.yml | 1 - salt/curator/files/action/so-kibana-delete.yml | 1 - salt/curator/files/action/so-kratos-close.yml | 1 - salt/curator/files/action/so-kratos-delete.yml | 1 - salt/curator/files/action/so-logstash-close.yml | 1 - salt/curator/files/action/so-logstash-delete.yml | 1 - salt/curator/files/action/so-netflow-close.yml | 1 - salt/curator/files/action/so-netflow-delete.yml | 1 - salt/curator/files/action/so-osquery-close.yml | 1 - salt/curator/files/action/so-osquery-delete.yml | 1 - salt/curator/files/action/so-ossec-close.yml | 1 - salt/curator/files/action/so-ossec-delete.yml | 1 - salt/curator/files/action/so-redis-close.yml | 1 - salt/curator/files/action/so-redis-delete.yml | 1 - 
salt/curator/files/action/so-strelka-close.yml | 1 - salt/curator/files/action/so-strelka-delete.yml | 1 - salt/curator/files/action/so-syslog-close.yml | 1 - salt/curator/files/action/so-syslog-delete.yml | 1 - salt/curator/files/action/so-zeek-close.yml | 1 - salt/curator/files/action/so-zeek-delete.yml | 1 - 41 files changed, 41 deletions(-) diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index 253c6fd67..c81a9e548 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -15,7 +15,6 @@ actions: description: >- Delete indices when {{log_size_limit}}(GB) is exceeded. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml index 7ed2b1e35..e2d28fd06 100644 --- a/salt/curator/files/action/logs-import-so-close.yml +++ b/salt/curator/files/action/logs-import-so-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close import indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml index 06e24acc0..b46a5fc73 100644 --- a/salt/curator/files/action/logs-import-so-delete.yml +++ b/salt/curator/files/action/logs-import-so-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete import indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml index 09385b968..c4b57995d 100644 --- a/salt/curator/files/action/logs-strelka-so-close.yml +++ b/salt/curator/files/action/logs-strelka-so-close.yml 
@@ -10,7 +10,6 @@ actions: description: >- Close Strelka indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-strelka-so-delete.yml b/salt/curator/files/action/logs-strelka-so-delete.yml index a0f70c937..d01bdcc83 100644 --- a/salt/curator/files/action/logs-strelka-so-delete.yml +++ b/salt/curator/files/action/logs-strelka-so-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete Strelka indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml index 596fc8283..c99a85285 100644 --- a/salt/curator/files/action/logs-suricata-so-close.yml +++ b/salt/curator/files/action/logs-suricata-so-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close Suricata indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-suricata-so-delete.yml b/salt/curator/files/action/logs-suricata-so-delete.yml index df1d0251b..765ba1293 100644 --- a/salt/curator/files/action/logs-suricata-so-delete.yml +++ b/salt/curator/files/action/logs-suricata-so-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete Suricata indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml index 2a2ec6fbf..3ccf7834b 100644 --- a/salt/curator/files/action/logs-syslog-so-close.yml +++ b/salt/curator/files/action/logs-syslog-so-close.yml 
@@ -10,7 +10,6 @@ actions: description: >- Close syslog indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml index beaf2f23c..274d06711 100644 --- a/salt/curator/files/action/logs-syslog-so-delete.yml +++ b/salt/curator/files/action/logs-syslog-so-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete syslog indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml index e1c2c5db2..020c89cbc 100644 --- a/salt/curator/files/action/logs-zeek-so-close.yml +++ b/salt/curator/files/action/logs-zeek-so-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close Zeek indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/logs-zeek-so-delete.yml b/salt/curator/files/action/logs-zeek-so-delete.yml index 6c442bb8d..5acfc50a7 100644 --- a/salt/curator/files/action/logs-zeek-so-delete.yml +++ b/salt/curator/files/action/logs-zeek-so-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete Zeek indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml index 3b085382e..88c7ce91a 100644 --- a/salt/curator/files/action/so-beats-close.yml +++ b/salt/curator/files/action/so-beats-close.yml 
@@ -10,7 +10,6 @@ actions: description: >- Close Beats indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-beats-delete.yml b/salt/curator/files/action/so-beats-delete.yml index efdbe068e..c4e1f8b4e 100644 --- a/salt/curator/files/action/so-beats-delete.yml +++ b/salt/curator/files/action/so-beats-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete beats indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml index ffb30116e..e4d8824bd 100644 --- a/salt/curator/files/action/so-elasticsearch-close.yml +++ b/salt/curator/files/action/so-elasticsearch-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close elasticsearch indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-elasticsearch-delete.yml b/salt/curator/files/action/so-elasticsearch-delete.yml index 8f5ba03bd..3c6bf4aac 100644 --- a/salt/curator/files/action/so-elasticsearch-delete.yml +++ b/salt/curator/files/action/so-elasticsearch-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete elasticsearch indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml index 3b798d427..18d30737d 100644 --- a/salt/curator/files/action/so-firewall-close.yml +++ b/salt/curator/files/action/so-firewall-close.yml 
@@ -11,7 +11,6 @@ actions: description: >- Close Firewall indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-firewall-delete.yml b/salt/curator/files/action/so-firewall-delete.yml index bedc73a81..5143e2fe9 100644 --- a/salt/curator/files/action/so-firewall-delete.yml +++ b/salt/curator/files/action/so-firewall-delete.yml @@ -11,7 +11,6 @@ actions: description: >- Delete firewall indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml index 30869af55..359e0a4cc 100644 --- a/salt/curator/files/action/so-ids-close.yml +++ b/salt/curator/files/action/so-ids-close.yml @@ -11,7 +11,6 @@ actions: description: >- Close IDS indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-ids-delete.yml b/salt/curator/files/action/so-ids-delete.yml index 32032ec9c..6cf120fef 100644 --- a/salt/curator/files/action/so-ids-delete.yml +++ b/salt/curator/files/action/so-ids-delete.yml @@ -11,7 +11,6 @@ actions: description: >- Delete IDS indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml index 9fc386e5b..7a60b9343 100644 --- a/salt/curator/files/action/so-import-close.yml +++ b/salt/curator/files/action/so-import-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close Import indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True 
diff --git a/salt/curator/files/action/so-import-delete.yml b/salt/curator/files/action/so-import-delete.yml index 3051a449d..36e213b26 100644 --- a/salt/curator/files/action/so-import-delete.yml +++ b/salt/curator/files/action/so-import-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete import indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml index 77e0da5f8..7c29ed294 100644 --- a/salt/curator/files/action/so-kibana-close.yml +++ b/salt/curator/files/action/so-kibana-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close kibana indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-kibana-delete.yml b/salt/curator/files/action/so-kibana-delete.yml index b687eec7d..971a178fe 100644 --- a/salt/curator/files/action/so-kibana-delete.yml +++ b/salt/curator/files/action/so-kibana-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete kibana indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml index 6ae76efcd..d5fc3385c 100644 --- a/salt/curator/files/action/so-kratos-close.yml +++ b/salt/curator/files/action/so-kratos-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close kratos indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml index 361c485e0..d7cb2c4ad 100644 --- a/salt/curator/files/action/so-kratos-delete.yml 
+++ b/salt/curator/files/action/so-kratos-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete kratos indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml index b59a4a6c6..34402d95c 100644 --- a/salt/curator/files/action/so-logstash-close.yml +++ b/salt/curator/files/action/so-logstash-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close logstash indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-logstash-delete.yml b/salt/curator/files/action/so-logstash-delete.yml index 55f202342..1ca1a6f6c 100644 --- a/salt/curator/files/action/so-logstash-delete.yml +++ b/salt/curator/files/action/so-logstash-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete logstash indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml index 4371d9fb0..359d6f1f1 100644 --- a/salt/curator/files/action/so-netflow-close.yml +++ b/salt/curator/files/action/so-netflow-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close netflow indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-netflow-delete.yml b/salt/curator/files/action/so-netflow-delete.yml index 910df2c48..63adaa393 100644 --- a/salt/curator/files/action/so-netflow-delete.yml +++ b/salt/curator/files/action/so-netflow-delete.yml 
@@ -10,7 +10,6 @@ actions: description: >- Delete netflow indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml index d3cc6860d..59b6a92b2 100644 --- a/salt/curator/files/action/so-osquery-close.yml +++ b/salt/curator/files/action/so-osquery-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close osquery indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml index 42a862ca8..b6263b0e8 100644 --- a/salt/curator/files/action/so-osquery-delete.yml +++ b/salt/curator/files/action/so-osquery-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete import indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml index c2a59bf6c..ac0691ad8 100644 --- a/salt/curator/files/action/so-ossec-close.yml +++ b/salt/curator/files/action/so-ossec-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close ossec indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-ossec-delete.yml b/salt/curator/files/action/so-ossec-delete.yml index 7f2f5dac9..e24fe3819 100644 --- a/salt/curator/files/action/so-ossec-delete.yml +++ b/salt/curator/files/action/so-ossec-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete ossec indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: 
diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml index e1aad460d..f7c5ef4c6 100644 --- a/salt/curator/files/action/so-redis-close.yml +++ b/salt/curator/files/action/so-redis-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close redis indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-redis-delete.yml b/salt/curator/files/action/so-redis-delete.yml index b4197f9e1..1c7f95ded 100644 --- a/salt/curator/files/action/so-redis-delete.yml +++ b/salt/curator/files/action/so-redis-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete redis indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index eaca46b46..9d908d6d2 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close Strelka indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-strelka-delete.yml b/salt/curator/files/action/so-strelka-delete.yml index f4470a2da..90cf88e46 100644 --- a/salt/curator/files/action/so-strelka-delete.yml +++ b/salt/curator/files/action/so-strelka-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete Strelka indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index 27d1774d2..e5a58e437 100644 --- a/salt/curator/files/action/so-syslog-close.yml 
+++ b/salt/curator/files/action/so-syslog-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close syslog indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-syslog-delete.yml b/salt/curator/files/action/so-syslog-delete.yml index 3bfcd8d87..c11d2ef5a 100644 --- a/salt/curator/files/action/so-syslog-delete.yml +++ b/salt/curator/files/action/so-syslog-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete syslog indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index f5d332b12..1e9ea59e4 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml @@ -10,7 +10,6 @@ actions: description: >- Close Zeek indices older than {{cur_close_days}} days. options: - allow_ilm_indices: True delete_aliases: False timeout_override: ignore_empty_list: True diff --git a/salt/curator/files/action/so-zeek-delete.yml b/salt/curator/files/action/so-zeek-delete.yml index 65cb0b10a..1f8522696 100644 --- a/salt/curator/files/action/so-zeek-delete.yml +++ b/salt/curator/files/action/so-zeek-delete.yml @@ -10,7 +10,6 @@ actions: description: >- Delete Zeek indices when older than {{ DELETE_DAYS }} days. options: - allow_ilm_indices: True ignore_empty_list: True disable_action: False filters: From e36044e16471b4ab345bb5ce5e01f73fdc537507 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 1 Dec 2023 16:10:56 +0000 Subject: [PATCH 06/14] Remove close changes --- salt/curator/tools/sbin/so-curator-close | 8 ++++---- salt/curator/tools/sbin/so-curator-cluster-close | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/salt/curator/tools/sbin/so-curator-close b/salt/curator/tools/sbin/so-curator-close
index f64863cc7..af66a03df 100644
--- a/salt/curator/tools/sbin/so-curator-close
+++ b/salt/curator/tools/sbin/so-curator-close
@@ -26,7 +26,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
diff --git a/salt/curator/tools/sbin/so-curator-cluster-close b/salt/curator/tools/sbin/so-curator-cluster-close
index b9896ea2a..4359dcfc1 100755
--- a/salt/curator/tools/sbin/so-curator-cluster-close
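Review bot: The four new action-file names (`logs-strelka-close.yml`, `logs-suricata-close.yml`, `logs-syslog-close.yml`, `logs-zeek-close.yml`) do not appear anywhere else in this series, while the preceding commit still ships the `logs-*-so-close.yml` variants, so it is worth confirming that the renamed files really exist under /etc/curator/action inside the so-curator container. Because each invocation ends in `> /dev/null 2>&1;`, a missing action file fails silently and those indices are simply never closed, which tends to surface only as disk pressure much later. Consider letting the failure show, e.g. `… /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1 || echo "curator: logs-zeek-close failed" >&2;`, and likewise for the other three lines. The same applies to the so-curator-cluster-close hunk that follows.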
+++ b/salt/curator/tools/sbin/so-curator-cluster-close
@@ -24,7 +24,7 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-so-close.yml > /dev/null 2>&1;
-docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
From 265cde529690e960e09cc282e195b6e1d96648ce Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 1 Dec 2023 15:31:15 -0500
Subject: [PATCH 07/14] move wait_for_salt_minion for hotfix
---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 5b445dae4..9d26757d8 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -768,6 +768,7 @@ apply_hotfix() {
 mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
 mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
 systemctl_func "start" "salt-minion"
+ (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
 fi
 else
 echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
@@ -875,7 +876,6 @@ main() {
 echo "Hotfix applied"
 update_version
 enable_highstate
- (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
 highstate
 else
 echo ""
From 38868af08ac6df3d6bee79dc5e314bea4394b6a5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 4 Dec 2023 10:11:38 -0500
Subject: [PATCH 08/14] avoid exiting salt when ca state applied in post for 2.4.30
---
 salt/manager/tools/sbin/soup | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 9d26757d8..8a50c92c5 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -450,7 +450,10 @@ post_to_2.4.20() {
 post_to_2.4.30() {
 echo "Regenerating Elastic Agent Installers"
 /sbin/so-elastic-agent-gen-installers
+ # there is an occasional error with this state: pki_public_ca_crt: TypeError: list indices must be integers or slices, not str
+ set +e
 salt-call state.apply ca queue=True
+ set -e
 stop_salt_minion
 mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
 mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
From 55a8b1064d16502ea2d36bae1f07969fb9b28833 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 4 Dec 2023 13:36:04 -0500
Subject: [PATCH 09/14] Update soup
---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
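Review bot: The moved line runs `fail` inside a `( … )` subshell that is piped into `tee`, so when wait_for_salt_minion times out `fail` terminates only the subshell; the pipeline's status is tee's, and unless `set -o pipefail` is in effect (not visible in this hunk) apply_hotfix carries on as if the minion were ready. That was already true at the old call site in main(), but the new position sits directly before the rest of the hotfix path, which presumably depends on the minion being up. Checking the producer's status explicitly avoids depending on pipefail: `wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' 2>&1 | tee -a "$SOUP_LOG"` followed by `[[ ${PIPESTATUS[0]} -eq 0 ]] || fail "Salt minion was not running or ready."`. apply_hotfix begins and ends outside the hunk.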
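Review bot: The `set +e` / `set -e` pair around `salt-call state.apply ca queue=True` masks every failure of the ca state, not only the pki_public_ca_crt TypeError the comment names, and the lines that follow stop the minion and move the manager's TLS certificate and key aside whether or not the state actually succeeded. Tolerating the failure explicitly keeps errexit untouched and leaves a trace in the log: `salt-call state.apply ca queue=True || echo "WARNING: ca state returned $?; continuing" | tee -a "$SOUP_LOG"`. Re-enabling errexit unconditionally also assumes it was on before this point, which the hunk does not show. post_to_2.4.30 continues past the end of the hunk.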
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 8a50c92c5..28a239b85 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -597,7 +597,7 @@ unmount_update() {
 update_airgap_rules() {
 # Copy the rules over to update them for airgap.
- rsync -av $UPDATE_DIR/agrules/* /nsm/repo/rules/
+ rsync -av $UPDATE_DIR/agrules/* /nsm/rules/
 }
 update_airgap_repo() {
From 0b6ba6d2f2c2a321b476d9741da009292ddbeb13 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 4 Dec 2023 13:51:12 -0500
Subject: [PATCH 10/14] Update soup
---
 salt/manager/tools/sbin/soup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 28a239b85..36a839fe5 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -597,7 +597,9 @@ unmount_update() {
 update_airgap_rules() {
 # Copy the rules over to update them for airgap.
- rsync -av $UPDATE_DIR/agrules/* /nsm/rules/
+ rsync -av $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
+ rsync -av $UPDATE_DIR/agrules/yara/* /nsm/rules/yara/
+ rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
 }
 update_airgap_repo() {
From 90d9e5b927c1eb7e4ca0125aa5d41065c60dff89 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 5 Dec 2023 10:24:31 -0500
Subject: [PATCH 11/14] Update soup
---
 salt/manager/tools/sbin/soup | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 36a839fe5..795106cee 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -758,6 +758,9 @@ apply_hotfix() {
 elastic_fleet_integration_remove endpoints-initial elastic-defend-endpoints
 /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
 elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then
+ if [[ $is_airgap -eq 0 ]]; then
+ update_airgap_rules
+ fi
 if [[ -f /etc/pki/managerssl.key.old ]]; then
 echo "Skipping Certificate Generation"
 else
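Review bot: The three `rsync -av $UPDATE_DIR/agrules/<dir>/*` lines leave `$UPDATE_DIR` unquoted and depend on the glob matching; when a source directory is absent or empty the literal `*` is handed to rsync, which exits non-zero and, with errexit on, aborts soup part-way through the update (the guard a later commit in this series adds covers only the sigma directory). Quoting the variable and testing each source directory before copying, e.g. `[ -d "$UPDATE_DIR/agrules/yara" ] && rsync -av "$UPDATE_DIR/agrules/yara/"* /nsm/rules/yara/`, avoids that. Separately, `-a` preserves the owner, group and mode recorded on the update media, so files under /nsm/rules/ end up with whatever ownership the bundle was built with; if that is not intended, `--no-owner --no-group` keeps the rest of `-a`.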
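Review bot: `[[ $is_airgap -eq 0 ]]` treats an unset or empty `is_airgap` as 0, because `[[ … -eq … ]]` evaluates its operands arithmetically, so if the variable is not populated before this branch of apply_hotfix runs (its assignment is outside the hunk) the airgap rule sync executes on every 2.4.30 install and then fails where `$UPDATE_DIR/agrules` does not exist. Comparing as a string makes the unset case a no-op and the intent explicit: `if [[ "$is_airgap" == "0" ]]; then`. A short comment stating that 0 means airgap would also help, since the sense is easy to misread. apply_hotfix starts and ends outside the hunk.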
From fdd4173632b971258f695041f3a1e954dab5695b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 5 Dec 2023 11:20:56 -0500
Subject: [PATCH 12/14] Update soup
---
 salt/manager/tools/sbin/soup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 795106cee..6b1bd5aa3 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -599,7 +599,9 @@ update_airgap_rules() {
 # Copy the rules over to update them for airgap.
 rsync -av $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
 rsync -av $UPDATE_DIR/agrules/yara/* /nsm/rules/yara/
- rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
+ if [ -d $UPDATE_DIR/agrules/sigma ]; then
+ rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
+ fi
 }
 update_airgap_repo() {
From 9446b750c0891bf278e57107955f8b9ba2acd5bd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 5 Dec 2023 11:25:25 -0500
Subject: [PATCH 13/14] Update soup
---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 6b1bd5aa3..3c5adb7e5 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -599,7 +599,7 @@ update_airgap_rules() {
 # Copy the rules over to update them for airgap.
 rsync -av $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
 rsync -av $UPDATE_DIR/agrules/yara/* /nsm/rules/yara/
- if [ -d $UPDATE_DIR/agrules/sigma ]; then
+ if [ -d /nsm/repo/rules/sigma ]; then
 rsync -av $UPDATE_DIR/agrules/sigma/* /nsm/repo/rules/sigma/
 fi
 }
From 386e9214fc8c3e926cdcf65bfaa7b59f61e8e2de Mon Sep 17 00:00:00 2001
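Review bot: The guard in the PATCH 13 hunk now tests the destination `/nsm/repo/rules/sigma` instead of the source, so when the update bundle carries no `agrules/sigma` directory the glob `$UPDATE_DIR/agrules/sigma/*` stays unexpanded and rsync exits non-zero — under errexit that aborts soup, which looks like the very case the source check from the previous commit was meant to avoid. Checking both sides and quoting the variable covers the two failure modes: `if [ -d "$UPDATE_DIR/agrules/sigma" ] && [ -d /nsm/repo/rules/sigma ]; then`. The suricata and yara lines above have the same unquoted `$UPDATE_DIR`.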
From: Mike Reeves Date: Wed, 6 Dec 2023 08:34:46 -0500 Subject: [PATCH 14/14] 2.4.30 hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++----------- sigs/securityonion-2.4.30-20231204.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.30-20231204.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 202e00de1..8de9ed364 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.4.30-20231121 ISO image released on 2023/11/21 +### 2.4.30-20231204 ISO image released on 2023/12/06 ### Download and Verify -2.4.30-20231121 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso +2.4.30-20231204 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231204.iso -MD5: 09DB0A6B3A75435C855E777272FC03F8 -SHA1: A68868E67A3F86B77E01F54067950757EFD3BA72 -SHA256: B3880C0302D9CDED7C974585B14355544FC9C3279F952EC79FC2BA9AEC7CB749 +MD5: 596A164241D0C62AEBBE23D7883F505E +SHA1: 139FE16DC3B13B1F1A748EE57BC2C5FEBADAEB07 +SHA256: D5730F9952F5AC6DF06D4E02A9EF5C43B16AC85D8072C6D60AEFF03281122C71 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231204.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231204.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231204.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.30-20231121.iso.sig securityonion-2.4.30-20231121.iso +gpg --verify securityonion-2.4.30-20231204.iso.sig securityonion-2.4.30-20231204.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 21 Nov 2023 01:21:38 PM EST using RSA key ID FE507013 +gpg: Signature made Tue 05 Dec 2023 11:46:42 AM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.30-20231204.iso.sig b/sigs/securityonion-2.4.30-20231204.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..104472a7b08758bd62e1b6e40c3f586c9ff6887a GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%dPg@&F165PT3| zxBgIY6F_ed{x*zW;Ih8E@HBow#}L`63>`yfQ#}9!-nH$5@myTY^G$$_-k&@oO^nW1 z9o4g154AIdoM3Ji`ij1=)~q>yS#?PgqSpYjM>JH{@y(2$W*Y%Ls;gC&=z(6N_#Pg$1gN>i*9n@DLw! zMp>DbQJXGl^i?<)66K4SFM%V`l{e2CZKHyC+j{B0t!|{$Tyqvh2{Yl;!MZj`X~N0+ z`Of%NFhuy1!aVFR*^nL!VUK+qR0X8l%6e)N_ss9c?#q8|^tY2fW3WHI*6^Yh1);TBXI2`9X-nd^wk(yTa-h1@sUwB71W{nisZtnY0!RZYP z_`#driC9B>oWo*My`NvJN4i!fbr2g_FRNKhrI_CC^Gmjqpf6TKQ`Huql>cWYAipXa ER=-*aEC2ui literal 0 HcmV?d00001