From e075d07f5c2e35b60b7f2f4af463a6301c74a8fe Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 29 Dec 2023 11:38:42 -0500
Subject: [PATCH] show last highstate date/time on grid metrics screen; expose maxUploadSize and staleMetricsMs settings on config screen
---
salt/soc/defaults.yaml | 3 +++
salt/soc/soc_soc.yaml | 7 +++++++
salt/telegraf/defaults.yaml | 12 ++++++++++++
salt/telegraf/enabled.sls | 1 +
salt/telegraf/scripts/lasthighstate.sh | 18 ++++++++++++++++++
5 files changed, 41 insertions(+)
create mode 100644 salt/telegraf/scripts/lasthighstate.sh
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index a73c8884d..c1b9470c8 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1640,6 +1640,9 @@ soc:
 query: '* | groupby destination.port rule.name event.severity_label'
 - name: Ungroup
 query: '*'
+ grid:
+ maxUploadSize: 26214400
+ staleMetricsMs: 120000
 cases:
 advanced: false
 aggregationActionsEnabled: false
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 291f564ed..0dd39620b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -184,6 +184,13 @@ soc:
 alerts: *appSettings
 cases: *appSettings
 dashboards: *appSettings
+ grid:
+ maxUploadSize:
+ description: The maximum number of bytes for an uploaded PCAP import file.
+ global: True
+ staleMetricsMs:
+ description: The age in milliseconds of node metrics when they are considered stale. Stale metrics have a faded appearance on the Grid screen.
+ global: True
 case:
 analyzerNodeId:
 description: The node ID on which analyzers will be executed.
diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml
index fa9d9b2b9..ab4b73183 100644
--- a/salt/telegraf/defaults.yaml
+++ b/salt/telegraf/defaults.yaml
@@ -13,6 +13,7 @@ telegraf:
 eval:
 - checkfiles.sh
 - influxdbsize.sh
+ - lasthighstate.sh
 - oldpcap.sh
 - os.sh
 - raid.sh
@@ -25,6 +26,7 @@ telegraf:
 - checkfiles.sh
 - eps.sh
 - influxdbsize.sh
+ - lasthighstate.sh
 - oldpcap.sh
 - os.sh
 - raid.sh
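Review bot: The `maxUploadSize` description in the soc_soc.yaml hunk does not say where the limit is enforced; if the SOC server checks this bound on the PCAP import endpoint, the description should say so, because a limit applied only in the browser can be bypassed by a direct request. Something like `description: The maximum number of bytes the server will accept for an uploaded PCAP import file.` would make the contract explicit, with the wording confirmed against the server-side behaviour, which is not visible in this commit. The `staleMetricsMs` description already states its unit and effect and needs no change.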
@@ -36,6 +38,7 @@ telegraf:
 - zeekloss.sh
 manager:
 - influxdbsize.sh
+ - lasthighstate.sh
 - os.sh
 - raid.sh
 - redis.sh
@@ -43,16 +46,19 @@ telegraf:
 managersearch:
 - eps.sh
 - influxdbsize.sh
+ - lasthighstate.sh
 - os.sh
 - raid.sh
 - redis.sh
 - sostatus.sh
 import:
 - influxdbsize.sh
+ - lasthighstate.sh
 - os.sh
 - sostatus.sh
 sensor:
 - checkfiles.sh
+ - lasthighstate.sh
 - oldpcap.sh
 - os.sh
 - raid.sh
@@ -64,6 +70,7 @@ telegraf:
 heavynode:
 - checkfiles.sh
 - eps.sh
+ - lasthighstate.sh
 - oldpcap.sh
 - os.sh
 - raid.sh
@@ -74,22 +81,27 @@ telegraf:
 - zeekcaptureloss.sh
 - zeekloss.sh
 idh:
+ - lasthighstate.sh
 - os.sh
 - sostatus.sh
 searchnode:
 - eps.sh
+ - lasthighstate.sh
 - os.sh
 - raid.sh
 - sostatus.sh
 receiver:
 - eps.sh
+ - lasthighstate.sh
 - os.sh
 - raid.sh
 - redis.sh
 - sostatus.sh
 fleet:
+ - lasthighstate.sh
 - os.sh
 - sostatus.sh
 desktop:
+ - lasthighstate.sh
 - os.sh
 - sostatus.sh
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls
index d55e536d6..b1fa0c247 100644
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -55,6 +55,7 @@ so-telegraf:
 - /opt/so/log/suricata:/var/log/suricata:ro
 - /opt/so/log/raid:/var/log/raid:ro
 - /opt/so/log/sostatus:/var/log/sostatus:ro
+ - /opt/so/log/salt:/var/log/salt:ro
 {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
 - {{ BIND }}
diff --git a/salt/telegraf/scripts/lasthighstate.sh b/salt/telegraf/scripts/lasthighstate.sh
new file mode 100644
index 000000000..85f259bb8
--- /dev/null
+++ b/salt/telegraf/scripts/lasthighstate.sh
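Review bot: The new bind mount in the enabled.sls hunk gives the so-telegraf container read access to the whole `/opt/so/log/salt` tree, while the new lasthighstate.sh only reads the mtime of `/var/log/salt/lasthighstate`; the other salt logs under that directory may hold more than the container needs, so this is wider than least privilege requires. A single-file bind mount would go stale if the marker is recreated rather than touched in place, so if narrowing is wanted, a dedicated subdirectory holding only the marker file is the safer shape. If the directory-wide mount is intentional, a comment next to the line such as `# read-only: lasthighstate.sh reads the mtime of /var/log/salt/lasthighstate` would record why it is there.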
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# if this script isn't already running
+if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
+
+ LAST_HIGHSTATE_END=$([ -e "/var/log/salt/lasthighstate" ] && date -r /var/log/salt/lasthighstate +%s || echo 0)
+ NOW=$(date +%s)
+ HIGHSTATE_AGE_SECONDS=$((NOW-LAST_HIGHSTATE_END))
+ echo "salt highstate_age_seconds=$HIGHSTATE_AGE_SECONDS"
+
+fi
+
+exit 0
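Review bot: `LAST_HIGHSTATE_END` falls back to `0` both when the marker file is absent and when `date -r` fails, so `highstate_age_seconds` then reports the current epoch time (on the order of 1.7e9 seconds) rather than a distinct "never ran" value; any consumer thresholding on this field will simply see a very stale highstate, which may be intended but deserves a comment such as `# no marker file (or date -r failed): age is measured from the epoch, so the Grid shows the highstate as never having completed`. The `-e` test also accepts a directory at that path, so `[ -f "/var/log/salt/lasthighstate" ]` is the stricter check for a marker file. Minor: `$(basename $0)` is unquoted; `$(basename "$0")` avoids word splitting should the script ever be invoked via an unusual path.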