show last highstate date/time on grid metrics screen; expose maxUploadSize and staleMetricsMs settings on config screen

salt/soc/defaults.yaml

@@ -1640,6 +1640,9 @@ soc:
               query: '* | groupby destination.port rule.name event.severity_label'
             - name: Ungroup
               query: '*'
+        grid:
+          maxUploadSize: 26214400
+          staleMetricsMs: 120000
         cases:
           advanced: false
           aggregationActionsEnabled: false

salt/soc/soc_soc.yaml

@@ -184,6 +184,13 @@ soc:
         alerts: *appSettings
         cases: *appSettings
         dashboards: *appSettings
+        grid:
+          maxUploadSize:
+            description: The maximum number of bytes for an uploaded PCAP import file.
+            global: True
+          staleMetricsMs:
+            description: The age in milliseconds of node metrics when they are considered stale. Stale metrics have a faded appearance on the Grid screen.
+            global: True
         case:
           analyzerNodeId:
             description: The node ID on which analyzers will be executed.

salt/telegraf/defaults.yaml

@@ -13,6 +13,7 @@ telegraf:
     eval:
       - checkfiles.sh
       - influxdbsize.sh
+      - lasthighstate.sh
       - oldpcap.sh
       - os.sh
       - raid.sh
@@ -25,6 +26,7 @@ telegraf:
       - checkfiles.sh
       - eps.sh
       - influxdbsize.sh
+      - lasthighstate.sh
       - oldpcap.sh
       - os.sh
       - raid.sh
@@ -36,6 +38,7 @@ telegraf:
       - zeekloss.sh
     manager:
       - influxdbsize.sh
+      - lasthighstate.sh
       - os.sh
       - raid.sh
       - redis.sh
@@ -43,16 +46,19 @@ telegraf:
     managersearch:
       - eps.sh
       - influxdbsize.sh
+      - lasthighstate.sh
       - os.sh
       - raid.sh
       - redis.sh
       - sostatus.sh
     import:
       - influxdbsize.sh
+      - lasthighstate.sh
       - os.sh
       - sostatus.sh
     sensor:
       - checkfiles.sh
+      - lasthighstate.sh
       - oldpcap.sh
       - os.sh
       - raid.sh
@@ -64,6 +70,7 @@ telegraf:
     heavynode:
       - checkfiles.sh
       - eps.sh
+      - lasthighstate.sh
       - oldpcap.sh
       - os.sh
       - raid.sh
@@ -74,22 +81,27 @@ telegraf:
       - zeekcaptureloss.sh
       - zeekloss.sh
     idh:
+      - lasthighstate.sh
       - os.sh
       - sostatus.sh
     searchnode:
       - eps.sh
+      - lasthighstate.sh
       - os.sh
       - raid.sh
       - sostatus.sh
     receiver:
       - eps.sh
+      - lasthighstate.sh
       - os.sh
       - raid.sh
       - redis.sh
       - sostatus.sh
     fleet:
+      - lasthighstate.sh
       - os.sh
       - sostatus.sh
     desktop:
+      - lasthighstate.sh
       - os.sh
       - sostatus.sh

salt/telegraf/enabled.sls

@@ -55,6 +55,7 @@ so-telegraf:
       - /opt/so/log/suricata:/var/log/suricata:ro
       - /opt/so/log/raid:/var/log/raid:ro
       - /opt/so/log/sostatus:/var/log/sostatus:ro
+      - /opt/so/log/salt:/var/log/salt:ro
       {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
       - {{ BIND }}

salt/telegraf/scripts/lasthighstate.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# if this script isn't already running
+if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
+
+    LAST_HIGHSTATE_END=$([ -e "/var/log/salt/lasthighstate" ] && date -r /var/log/salt/lasthighstate +%s || echo 0)
+    NOW=$(date +%s)
+    HIGHSTATE_AGE_SECONDS=$((NOW-LAST_HIGHSTATE_END))
+    echo "salt highstate_age_seconds=$HIGHSTATE_AGE_SECONDS"
+
+fi
+
+exit 0