From bf76c1b58c940e3fd7e9841f9ae20a1a76c2cc90 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 18 Dec 2020 10:52:14 -0500
Subject: [PATCH 1/5] Create unprocessed dir and move Zeek extracted files there

---
 salt/strelka/init.sls | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 8748cbe50..bdca1213b 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -72,13 +72,20 @@ strelkalogdir:
     - group: 939
     - makedirs: True
 
-strelkastagedir:
+strelkaprocessed:
   file.directory:
     - name: /nsm/strelka/processed
     - user: 939
     - group: 939
     - makedirs: True
 
+strelkaunprocessed:
+  file.directory:
+    - name: /nsm/strelka/unprocessed
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 strelka_coordinator:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -167,7 +174,7 @@ append_so-strelka-filestream_so-status.conf:
 strelka_zeek_extracted_sync:
   cron.present:
     - user: root
-    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
+    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
     - minute: '*'
 
 {% else %}
@@ -176,4 +183,4 @@ strelka_state_not_allowed:
   test.fail_without_changes:
     - name: strelka_state_not_allowed
 
-{% endif %}
\ No newline at end of file
+{% endif %}

From 9493aad1a57e54d81ab9ac50bfe308616e7b303f Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 18 Dec 2020 10:53:17 -0500
Subject: [PATCH 2/5] Read from dedicated unprocessed dir

---
 salt/strelka/files/filestream/filestream.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml
index 0661cabfa..aa5d51ad1 100644
--- a/salt/strelka/files/filestream/filestream.yaml
+++ b/salt/strelka/files/filestream/filestream.yaml
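Review bot: The new `strelkaunprocessed` directory pins `user`/`group` to 939 but, like the `processed` directory just above it, sets no `mode`, so its permissions are whatever Salt's default yields rather than something the state guarantees. This directory will hold files carved off the wire by Zeek, i.e. untrusted and potentially malicious content, so the permissions deserve to be explicit; `    - mode: '750'` under `makedirs` would limit reads to the owning uid/gid, provided nothing outside that group needs to read it (the filestream container presumably runs as 939, which the state does not show), and the same line belongs on `strelkaprocessed` for consistency. A short comment would also document the hand-off: `# Zeek-extracted files are moved here by the strelka_zeek_extracted_sync cron and picked up by so-strelka-filestream`.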
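Review bot: The `mv /nsm/zeek/extracted/complete/*` in the new cron line still relies on shell glob expansion, so an empty `complete/` directory makes `mv` fail on the literal `*` every minute (hidden by the `2>&1` redirect), and a burst of extractions large enough to exceed ARG_MAX moves nothing at all until the backlog is cleared by hand. Replacing the glob with `find /nsm/zeek/extracted/complete/ -mindepth 1 -maxdepth 1 -exec mv -t /nsm/strelka/unprocessed/ {} + > /dev/null 2>&1` handles both cases and makes the `[ -d ... ]` guard redundant. Discarding all output also means a full `/nsm` or a permission error on `unprocessed/` goes unnoticed; consider keeping stderr so cron mails or logs it. The `{% else %}` context line belongs to a Jinja block that begins outside the hunk.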
@@ -16,7 +16,7 @@ throughput:
   delay: 0s
 files:
   patterns:
-    - '/nsm/strelka/*'
+    - '/nsm/strelka/unprocessed/*'
   delete: false
   gatekeeper: true
 response:

From 1a463bccaf546369c9d2b275a6844e1b031a5fbd Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 18 Dec 2020 11:25:14 -0500
Subject: [PATCH 3/5] Add cron.absent to remove old cron job if present

---
 salt/strelka/init.sls | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index bdca1213b..64bf089ff 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -170,7 +170,13 @@ append_so-strelka-filestream_so-status.conf:
   file.append:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-strelka-filestream
-
+
+strelka_zeek_extracted_sync_old:
+  cron.absent:
+    - user: root
+    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
+    - minute: '*'
+
 strelka_zeek_extracted_sync:
   cron.present:
     - user: root

From 7453626b06fb0ea82a6be329ddd72521187acbdb Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 18 Dec 2020 15:39:52 -0500
Subject: [PATCH 4/5] Add identifier

---
 salt/strelka/init.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 64bf089ff..0a92dbbb6 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -180,6 +180,7 @@ strelka_zeek_extracted_sync_old:
 strelka_zeek_extracted_sync:
   cron.present:
     - user: root
+    - identifier: STRELKACRON
     - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
     - minute: '*'
 

From 2fee2ca1433a322094fb457f0fdcb1743526c9b5 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 18 Dec 2020 15:40:54 -0500
Subject: [PATCH 5/5] Change identifier name to be more descriptive

---
 salt/strelka/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
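Review bot: Narrowing the pattern to `'/nsm/strelka/unprocessed/*'` is right, but with `delete: false` nothing in this hunk shows what removes a file from `unprocessed/` once it has been scanned; if filestream leaves it in place the directory grows without bound and every scan re-enqueues the same files (the `gatekeeper` cache, if it works as its name suggests, would suppress rescans but not the disk growth). Confirm that filestream hands finished files off to `/nsm/strelka/processed`, or add a retention job for `unprocessed/`, and document the producer with a comment above `patterns:`: `# Zeek-extracted files are dropped here by the strelka_zeek_extracted_sync cron (salt/strelka/init.sls)`. The `response:` mapping that closes the hunk continues outside it.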
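Review bot: The new `cron.absent` can only remove the old job if Salt matches the crontab line it wrote earlier, and Salt's cron states track lines by `identifier`, which to my knowledge defaults to the state id when none is given; if the old entry carries the `strelka_zeek_extracted_sync` identifier, a name-only `cron.absent` may not match it, and patch 1's name change would have been applied in place anyway, so verify on an upgraded node with `crontab -l -u root` that exactly one entry remains. `minute` is not an argument `cron.absent` documents (it matches on `name`/`identifier`), so `- minute: '*'` looks copied from the `present` state and can be dropped. A comment marking this as migration cleanup would let the next maintainer retire it: `# Migration: removes the earlier cron line that moved extracted files straight into /nsm/strelka; safe to delete once all nodes have upgraded`. The `strelka_zeek_extracted_sync` state continues outside the hunk.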
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 0a92dbbb6..339b5d434 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -180,7 +180,7 @@ strelka_zeek_extracted_sync_old:
 strelka_zeek_extracted_sync:
   cron.present:
     - user: root
-    - identifier: STRELKACRON
+    - identifier: zeek-extracted-strelka-sync
     - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
     - minute: '*'
 
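Review bot: Changing `identifier` (here `STRELKACRON` to `zeek-extracted-strelka-sync`, and in the previous patch from whatever Salt used when none was set) changes the key Salt uses to find this line in root's crontab, so on a node that already applied an earlier revision Salt may add a second every-minute job rather than rewrite the existing one, unless it adopts a line whose command matches. The series carries a `cron.absent` for the original command but none for the superseded identifiers, so run a highstate on an upgraded node, check `crontab -l -u root`, and add `cron.absent` states with `identifier` set for any duplicates that appear. The new name itself is fine; a comment would stop this recurring: `# identifier is what Salt matches on; change it only together with a cron.absent for the old one`.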