Merge pull request #2393 from Security-Onion-Solutions/fix/strelka_filestream

Fix/strelka filestream

salt/strelka/files/filestream/filestream.yaml

@@ -16,7 +16,7 @@ throughput:
   delay: 0s
 files:
   patterns:
-    - '/nsm/strelka/*'
+    - '/nsm/strelka/unprocessed/*'
   delete: false
   gatekeeper: true
 response:

salt/strelka/init.sls

@@ -72,13 +72,20 @@ strelkalogdir:
     - group: 939
     - makedirs: True
 
-strelkastagedir:
+strelkaprocessed:
    file.directory:
     - name: /nsm/strelka/processed
     - user: 939
     - group: 939
     - makedirs: True
 
+strelkaunprocessed:
+   file.directory:
+    - name: /nsm/strelka/unprocessed
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 strelka_coordinator:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }}
@@ -164,10 +171,17 @@ append_so-strelka-filestream_so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-strelka-filestream
 
+strelka_zeek_extracted_sync_old:
+  cron.absent:
+    - user: root
+    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
+    - minute: '*'
+
 strelka_zeek_extracted_sync:
   cron.present:
     - user: root
-    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1'
+    - identifier: zeek-extracted-strelka-sync
+    - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
     - minute: '*'
 
 {% else %}