diff --git a/pillar/logrotate/init.sls b/pillar/logrotate/init.sls
deleted file mode 100644
index f8a54f442..000000000
--- a/pillar/logrotate/init.sls
+++ /dev/null
@@ -1,13 +0,0 @@
-logrotate:
- conf: |
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
- group_conf: |
- su root socore
\ No newline at end of file
diff --git a/salt/common/cron/common-rotate b/salt/common/cron/common-rotate
deleted file mode 100644
index 63b8e2b5d..000000000
--- a/salt/common/cron/common-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/cron/sensor-rotate b/salt/common/cron/sensor-rotate
deleted file mode 100644
index 94cebf75d..000000000
--- a/salt/common/cron/sensor-rotate
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
deleted file mode 100644
index 1d04c4bb3..000000000
--- a/salt/common/files/log-rotate.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-{%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
-{%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
-
-
-/opt/so/log/aptcacher-ng/*.log
-/opt/so/log/idstools/*.log
-/opt/so/log/nginx/*.log
-/opt/so/log/soc/*.log
-/opt/so/log/kratos/*.log
-/opt/so/log/kibana/*.log
-/opt/so/log/influxdb/*.log
-/opt/so/log/elastalert/*.log
-/opt/so/log/soctopus/*.log
-/opt/so/log/curator/*.log
-/opt/so/log/fleet/*.log
-/opt/so/log/suricata/*.log
-/opt/so/log/mysql/*.log
-/opt/so/log/telegraf/*.log
-/opt/so/log/redis/*.log
-/opt/so/log/sensoroni/*.log
-/opt/so/log/stenographer/*.log
-/opt/so/log/salt/so-salt-minion-check
-/opt/so/log/salt/minion
-/opt/so/log/salt/master
-/opt/so/log/logscan/*.log
-/nsm/idh/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
-}
-
-# Playbook's log directory needs additional configuration
-# because Playbook requires a more permissive directory
-/opt/so/log/playbook/*.log
-{
- {{ logrotate_conf | indent(width=4) }}
- {{ group_conf | indent(width=4) }}
-}
diff --git a/salt/common/files/sensor-rotate.conf b/salt/common/files/sensor-rotate.conf
deleted file mode 100644
index cefd3944e..000000000
--- a/salt/common/files/sensor-rotate.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-/opt/so/log/sensor_clean.log
-{
- daily
- rotate 2
- missingok
- nocompress
- create
- sharedscripts
-}
-
-/nsm/strelka/log/strelka.log
-{
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
-}
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 4fe150f02..72233f23b 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -151,56 +151,8 @@ so-sensor-clean:
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
-
-sensorrotatescript:
- file.managed:
- - name: /usr/local/bin/sensor-rotate
- - source: salt://common/cron/sensor-rotate
- - mode: 755
-
-sensorrotateconf:
- file.managed:
- - name: /opt/so/conf/sensor-rotate.conf
- - source: salt://common/files/sensor-rotate.conf
- - mode: 644
-
-sensor-rotate:
- cron.present:
- - name: /usr/local/bin/sensor-rotate
- - identifier: sensor-rotate
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
 {% endif %}
-commonlogrotatescript:
- file.managed:
- - name: /usr/local/bin/common-rotate
- - source: salt://common/cron/common-rotate
- - mode: 755
-
-commonlogrotateconf:
- file.managed:
- - name: /opt/so/conf/log-rotate.conf
- - source: salt://common/files/log-rotate.conf
- - template: jinja
- - mode: 644
-
-common-rotate:
- cron.present:
- - name: /usr/local/bin/common-rotate
- - identifier: common-rotate
- - user: root
- - minute: '1'
- - hour: '0'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
 # Create the status directory
 sostatusdir:
 file.directory:
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
index b1486e35c..faf2cab90 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -6,6 +6,12 @@
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% if GLOBALS.os == 'Ubuntu' %}
+INTCA=/etc/ssl/certs/intca.crt
+{% else %}
+INTCA=/etc/pki/tls/certs/intca.crt
+{% endif %}
+
 . /usr/sbin/so-elastic-fleet-common
 printf "\n### Create ES Token ###\n"
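Review bot: Removing the `sensor-rotate` cron and the `sensorrotatescript`/`sensorrotateconf` states stops Salt from managing them, but nothing in this commit removes the cron entry, `/usr/local/bin/sensor-rotate` or `/opt/so/conf/sensor-rotate.conf` from hosts provisioned before the change, so on those hosts the old job presumably keeps firing at `1 0 * * *` alongside the new `common-rotate`, which now also covers `/nsm/strelka/log/strelka.log` and `/opt/so/log/sensor_clean.log`. Two forced logrotate runs on the same files in the same minute can rotate them twice or collide on the `dateext` names, and the stale `/opt/so/conf/log-rotate.conf` is likewise left behind unread. Add `cron.absent`/`file.absent` states for the retired artifacts, for example in the new `salt/logrotate/init.sls`. The `{% if %}` closed by the context line `{% endif %}` starts outside the hunk.
```yaml
# … unchanged: so-sensor-clean cron …
sensor-rotate:
  cron.absent:
    - name: /usr/local/bin/sensor-rotate
    - identifier: sensor-rotate
    - user: root

sensorrotateconf:
  file.absent:
    - name: /opt/so/conf/sensor-rotate.conf

sensorrotatescript:
  file.absent:
    - name: /usr/local/bin/sensor-rotate

legacycommonlogrotateconf:
  file.absent:
    - name: /opt/so/conf/log-rotate.conf
```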
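Review bot: `INTCA` is picked from `GLOBALS.os`, but the script never checks that the chosen file exists before the two `openssl x509 -in $INTCA` calls in the following hunks, so on a distribution where neither path is right `ESCACRT` and `LOGSTASHCA` come back empty and the Fleet outputs are registered with an empty `certificate_authorities` entry, which presumably only surfaces later as TLS failures on the agents. Add a guard after the `{% endif %}`: `[ -r "$INTCA" ] || { echo "Internal CA not found at $INTCA" >&2; exit 1; }`, and quote the expansions as `"$INTCA"` at both call sites.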
@@ -13,7 +19,7 @@ ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5
 ### Create Outputs & Fleet URLs ###
 printf "\nAdd Manager Elasticsearch Output...\n"
-ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)
+ESCACRT=$(openssl x509 -in $INTCA)
 JSON_STRING=$( jq -n \
 --arg ESCACRT "$ESCACRT" \
 '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
@@ -24,7 +30,7 @@ printf "\nCreate Logstash Output if node is not an Import or Eval install\n"
 {% if grains.role not in ['so-import', 'so-eval'] %}
 LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
 LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key)
-LOGSTASHCA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)
+LOGSTASHCA=$(openssl x509 -in $INTCA)
 JSON_STRING=$( jq -n \
 --arg LOGSTASHCRT "$LOGSTASHCRT" \
 --arg LOGSTASHKEY "$LOGSTASHKEY" \
diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml
new file mode 100644
index 000000000..68095fcbd
--- /dev/null
+++ b/salt/logrotate/defaults.yaml
@@ -0,0 +1,230 @@
+logrotate:
+ config:
+ /opt/so/log/idstools/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/nginx/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soc/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kratos/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/kibana/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/influxdb/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/elastalert/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/soctopus/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/curator/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/fleet/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/suricata/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/mysql/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/telegraf/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/redis/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensoroni/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/stenographer/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/so-salt-minion-check:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/minion:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/salt/master:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /nsm/idh/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/playbook/*_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ - su root socore
+ /nsm/strelka/log/strelka_x_log:
+ - daily
+ - rotate 14
+ - missingok
+ - copytruncate
+ - compress
+ - create
+ - extension .log
+ - dateext
+ - dateyesterday
+ /opt/so/log/sensor_clean_x_log:
+ - daily
+ - rotate 2
+ - missingok
+ - nocompress
+ - create
+ - sharedscripts
diff --git a/salt/logrotate/etc/rotate.conf.jinja b/salt/logrotate/etc/rotate.conf.jinja
new file mode 100644
index 000000000..2822019e9
--- /dev/null
+++ b/salt/logrotate/etc/rotate.conf.jinja
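Review bot: Two paths from the deleted salt/common/files/log-rotate.conf, `/opt/so/log/aptcacher-ng/*.log` and `/opt/so/log/logscan/*.log`, have no entry under `logrotate.config`, so unless those services were retired elsewhere their logs stop being rotated and grow until the disk fills. The `_x_` convention is also undocumented in the file; a leading comment such as `# Keys are log paths; "_x_" stands in for "." and is mapped back by etc/rotate.conf.jinja` (presumably because dotted keys would be split by the pillar/SOC config layer, worth confirming) would save the next maintainer a search. The why-comment the old config carried for Playbook was dropped in the move; restore it above `/opt/so/log/playbook/*_x_log:` as `# Playbook's log directory is more permissive than logrotate accepts by default, hence the su directive`. Note also that `create` has no effect when `copytruncate` is set, so every entry carrying both could drop `create`.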
@@ -0,0 +1,8 @@
+{%- for file, opts in CONFIG.items() %}
+{{ file | replace("_x_", ".")}}
+{
+{%- for opt in opts %}
+ {{ opt }}
+{%- endfor %}
+}
+{%- endfor %}
diff --git a/salt/logrotate/init.sls b/salt/logrotate/init.sls
new file mode 100644
index 000000000..1b096f9db
--- /dev/null
+++ b/salt/logrotate/init.sls
@@ -0,0 +1,31 @@
+{% from 'logrotate/map.jinja' import LOGROTATEMERGED %}
+
+logrotateconfdir:
+ file.directory:
+ - name: /opt/so/conf/logrotate
+
+commonlogrotatescript:
+ file.managed:
+ - name: /usr/local/bin/common-rotate
+ - source: salt://logrotate/tools/sbin/common-rotate
+ - mode: 755
+
+commonlogrotateconf:
+ file.managed:
+ - name: /opt/so/conf/logrotate/common-rotate.conf
+ - source: salt://logrotate/etc/rotate.conf.jinja
+ - template: jinja
+ - mode: 644
+ - defaults:
+ CONFIG: {{ LOGROTATEMERGED.config }}
+
+common-rotate:
+ cron.present:
+ - name: /usr/local/bin/common-rotate
+ - identifier: common-rotate
+ - user: root
+ - minute: '1'
+ - hour: '0'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
diff --git a/salt/logrotate/map.jinja b/salt/logrotate/map.jinja
new file mode 100644
index 000000000..24fcbd78f
--- /dev/null
+++ b/salt/logrotate/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'logrotate/defaults.yaml' as LOGROTATEDEFAULTS %}
+{% set LOGROTATEMERGED = salt['pillar.get']('logrotate', LOGROTATEDEFAULTS.logrotate, merge=True) %}
diff --git a/salt/logrotate/soc_logrotate.yaml b/salt/logrotate/soc_logrotate.yaml
new file mode 100644
index 000000000..5b9fd720f
--- /dev/null
+++ b/salt/logrotate/soc_logrotate.yaml
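Review bot: The template carries no comment describing the input it expects, even though `CONFIG` arrives from the state's `defaults` and the `replace("_x_", ".")` on the key is the only place the naming convention is decoded. A leading `{# ... #}` block should state that `CONFIG` maps a log path (with `_x_` standing in for `.`) to a list of raw logrotate directives that are emitted one per line inside the braces, and that the replacement applies to every occurrence, so a literal `_x_` cannot appear in a path.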
@@ -0,0 +1,163 @@
+logrotate:
+ config:
+ "/opt/so/log/idstools/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/idstools/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/nginx/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/nginx/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/soc/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/soc/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/kratos/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/kratos/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/kibana/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/kibana/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/influxdb/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/influxdb/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/elastalert/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/elastalert/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/soctopus/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/soctopus/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/curator/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/curator/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/fleet/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/fleet/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/suricata/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/suricata/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/mysql/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/mysql/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/telegraf/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/telegraf/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/redis/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/redis/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/sensoroni/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/sensoroni/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/stenographer/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/stenographer/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/so-salt-minion-check":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/so-salt-minion-check
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/minion":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/minion
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/salt/master":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/salt/master
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/nsm/idh/*_x_log":
+ description: List of logrotate options for this file.
+ title: /nsm/idh/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/playbook/*_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/playbook/*.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/nsm/strelka/log/strelka_x_log":
+ description: List of logrotate options for this file.
+ title: /nsm/strelka/log/strelka.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
+ "/opt/so/log/sensor_clean_x_log":
+ description: List of logrotate options for this file.
+ title: /opt/so/log/sensor_clean.log
+ advanced: True
+ multiline: True
+ global: True
+ forcedType: "[]string"
diff --git a/salt/logrotate/tools/sbin/common-rotate b/salt/logrotate/tools/sbin/common-rotate
new file mode 100644
index 000000000..14c3536da
--- /dev/null
+++ b/salt/logrotate/tools/sbin/common-rotate
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf > /dev/null 2>&1
diff --git a/salt/top.sls b/salt/top.sls
index e53791673..e53895324 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -14,6 +14,7 @@ base:
 - repo.client
 - ntp
 - schedule
+ - logrotate
 'not G@saltversion:{{saltversion}}':
 - match: compound
diff --git a/setup/so-functions b/setup/so-functions
index 9fae0c97a..3611025a9 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1352,8 +1352,9 @@ kibana_pillar() {
 }
 logrotate_pillar() {
- touch $adv_logrotate_pillar_file
- touch $logrotate_pillar_file
+ logCmd "mkdir -p $local_salt_dir/pillar/logrotate"
+ logCmd "touch $adv_logrotate_pillar_file"
+ logCmd "touch $logrotate_pillar_file"
 }
 patch_pillar() {
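Review bot: `> /dev/null 2>&1` in the new common-rotate script discards everything logrotate reports, so a parse error in `/opt/so/conf/logrotate/common-rotate.conf`, a refused insecure log directory or a failed `su` goes unnoticed while logs quietly stop rotating. The same silencing existed in the deleted salt/common/cron/common-rotate, but now that the config is assembled from pillar-overridable option lists the chance of a bad directive reaching it is higher. Keeping a record is a one-line change, for example `/usr/sbin/logrotate -f /opt/so/conf/logrotate/common-rotate.conf 2>&1 | logger -t common-rotate`.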
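Review bot: `mkdir -p $local_salt_dir/pillar/logrotate` in `logrotate_pillar` hard-codes the directory that `$adv_logrotate_pillar_file` and `$logrotate_pillar_file` presumably already point into (both variables are defined outside the hunk), so the two can drift apart without anything noticing. Deriving it from the file variable keeps them in step: `logCmd "mkdir -p $(dirname "$logrotate_pillar_file")"`. The expansions inside the three `logCmd` strings are also unquoted, so if `logCmd` evaluates its argument a path containing whitespace would be split.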