diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap
index e8c2b84c8..b630df015 100755
--- a/salt/common/tools/sbin_jinja/so-import-pcap
+++ b/salt/common/tools/sbin_jinja/so-import-pcap
@@ -173,7 +173,7 @@ for PCAP in $INPUT_FILES; do
     status "- assigning unique identifier to import: $HASH"
     pcap_data=$(pcapinfo "${PCAP}")
-    if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then
+    if ! echo "$pcap_data" | grep -q "Earliest packet time:" || echo "$pcap_data" |egrep -q "Latest packet time: 1970-01-01|Latest packet time: n/a"; then
         status "- this PCAP file is invalid; skipping"
         INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
     else
@@ -205,8 +205,8 @@ for PCAP in $INPUT_FILES; do
         HASHES="${HASHES} ${HASH}"
     fi
-    START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
-    END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
+    START=$(pcapinfo "${PCAP}" -a |grep "Earliest packet time:" | awk '{print $4}')
+    END=$(pcapinfo "${PCAP}" -e |grep "Latest packet time:" | awk '{print $4}')
     status "- found PCAP data spanning dates $START through $END"
     # compare $START to $START_OLDEST
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
index 4ca5030aa..1a597b1db 100644
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -27,7 +27,7 @@ fleet_api() {
     local QUERYPATH=$1
     shift
-    curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --fail 2>/dev/null
+    curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --retry-delay 10 --fail 2>/dev/null
 }
 elastic_fleet_integration_check() {
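Review bot: The validity check in this hunk now accepts only the `Earliest packet time:`/`Latest packet time:` wording, and the START/END extraction in the hunk at @@ -205 does the same, so on a host where the capinfos-like tool behind `pcapinfo` (defined outside this diff) still prints `First packet time:`, every PCAP would be reported as invalid and skipped instead of failing loudly. Matching both spellings costs nothing: `if ! echo "$pcap_data" | grep -qE "(First|Earliest) packet time:" || echo "$pcap_data" | grep -qE "(Last|Latest) packet time: (1970-01-01|n/a)"; then` here, and `grep -E "(First|Earliest) packet time:"` / `grep -E "(Last|Latest) packet time:"` in the START/END lines, where `$4` is the date under either wording. This also retires `egrep`, which current grep releases flag as obsolescent. The `for PCAP in $INPUT_FILES` loop starts and ends outside both hunks.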
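Review bot: `--retry-delay 10` only matters when curl decides to retry at all, and `--retry` treats only timeouts and a few HTTP status codes (408, 429, 500/502/503/504) as transient; a refused connection while Kibana on localhost:5601 is still starting is not retried unless `--retry-connrefused` is also passed, so the callers that now `continue` past a failed fleet_api call may still give up on the first attempt. Since those callers only print a generic "Failed to ..." message and curl's own error is discarded by `2>/dev/null`, consider `curl -sS ... --retry 3 --retry-delay 10 --retry-connrefused --fail` (dropping the stderr redirect) so the reason for a failure is at least visible in the log. Three retries at 10 s also means a single call can block for 30 s or more, which multiplies across the integration loops that call this function.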
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend index 9769f2f79..d036f0d94 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend @@ -8,6 +8,7 @@ . /usr/sbin/so-elastic-fleet-common +ERROR=false # Manage Elastic Defend Integration for Initial Endpoints Policy for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json do @@ -17,13 +18,18 @@ do printf "\n\nIntegration $NAME exists - Upgrading integration policy\n" if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then echo -e "\nFailed to upgrade integration policy for ${INTEGRATION##*/}" - exit 1 + ERROR=true + continue fi else printf "\n\nIntegration does not exist - Creating integration\n" if ! elastic_fleet_integration_create "@$INTEGRATION"; then echo -e "\nFailed to create integration for ${INTEGRATION##*/}" - exit 1 + ERROR=true + continue fi fi done +if [[ "$ERROR" == "true" ]]; then + exit 1 +fi \ No newline at end of file diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 8427b47bc..ca260891f 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -17,7 +17,6 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then # Third, configure Elastic Defend Integration seperately /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend - # Initial Endpoints for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json do 
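Review bot: The context line `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend` in the @@ -17 hunk of so-elastic-fleet-integration-policy-load still invokes that script without checking its exit status, so the `exit 1` that so-elastic-fleet-integration-policy-elastic-defend now emits after a failed create/upgrade (its @@ -17 hunk above) never reaches RETURN_CODE in the caller; unless the caller runs under `set -e`, which the diff does not show, a Defend integration failure is printed and then forgotten. Suggest `/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend || RETURN_CODE=1` so both scripts feed the same failure signal. The enclosing `if [ ! -f /opt/so/state/eaintegrations.txt ]` block begins before that hunk and the `for INTEGRATION` loop it opens continues past it.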
@@ -27,13 +26,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
       printf "\n\nIntegration $NAME exists - Updating integration\n"
       if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
         echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
+        continue
       fi
     else
       printf "\n\nIntegration does not exist - Creating integration\n"
       if ! elastic_fleet_integration_create "@$INTEGRATION"; then
         echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
+        continue
       fi
     fi
   done
@@ -47,13 +48,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
       printf "\n\nIntegration $NAME exists - Updating integration\n"
       if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
         echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
+        continue
       fi
     else
       printf "\n\nIntegration does not exist - Creating integration\n"
       if ! elastic_fleet_integration_create "@$INTEGRATION"; then
         echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
+        continue
       fi
     fi
   done
@@ -70,14 +73,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
       printf "\n\nIntegration $NAME exists - Updating integration\n"
       if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
         echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
+        continue
       fi
     else
       printf "\n\nIntegration does not exist - Creating integration\n"
       if [ "$NAME" != "elasticsearch-logs" ]; then
         if ! elastic_fleet_integration_create "@$INTEGRATION"; then
           echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-          exit 1
+          RETURN_CODE=1
+          continue
         fi
       fi
     fi
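Review bot: RETURN_CODE is assigned on every failure path in this hunk and in the hunks at @@ -47, @@ -70 and @@ -97, but no hunk in this diff initializes it or exits with it; unless the file already contains `RETURN_CODE=0` before the loops and something like `exit "$RETURN_CODE"` after them (neither is visible here), replacing `exit 1` with `RETURN_CODE=1; continue` turns a hard failure into a zero exit status, and if the script writes the `/opt/so/state/eaintegrations.txt` marker that gates this whole block, it would presumably do so as if every integration loaded. Please confirm both lines exist or add them. Each `for INTEGRATION` loop and the enclosing if-block start before their hunk.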
@@ -97,14 +102,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
       printf "\n\nIntegration $NAME exists - Updating integration\n"
       if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
         echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
+        continue
       fi
     else
       printf "\n\nIntegration does not exist - Creating integration\n"
       if [ "$NAME" != "elasticsearch-logs" ]; then
         if ! elastic_fleet_integration_create "@$INTEGRATION"; then
           echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-          exit 1
+          RETURN_CODE=1
+          continue
         fi
       fi
     fi
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade
index f1154af1e..1a1448c53 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade
@@ -24,6 +24,7 @@ fi
 default_packages=({% for pkg in SUPPORTED_PACKAGES %}"{{ pkg }}"{% if not loop.last %} {% endif %}{% endfor %})
+ERROR=false
 for AGENT_POLICY in $agent_policies; do
   if ! integrations=$(elastic_fleet_integration_policy_names "$AGENT_POLICY"); then
     # this script upgrades default integration packages, exit 1 and let salt handle retrying
@@ -73,11 +74,13 @@ for AGENT_POLICY in $agent_policies; do
         echo "No errors detected. Proceeding with upgrade..."
         if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
           echo "Error: Upgrade failed for $PACKAGE_NAME with integration ID '$INTEGRATION_ID'."
-          exit 1
+          ERROR=true
+          continue
         fi
       else
         echo "Errors detected during dry run for $PACKAGE_NAME policy upgrade..."
-        exit 1
+        ERROR=true
+        continue
       fi
     fi
 {%- if not AUTO_UPGRADE_INTEGRATIONS %}
@@ -86,4 +89,7 @@ for AGENT_POLICY in $agent_policies; do
     fi
   done
 done
+if [[ "$ERROR" == "true" ]]; then
+  exit 1
+fi
 echo
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6caeddbe3..d93b405b1 100644
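Review bot: The failure-flag convention differs within this one diff: so-elastic-fleet-integration-upgrade (hunk @@ -73) and so-elastic-fleet-integration-policy-elastic-defend use `ERROR=true` with a string compare in `[[ "$ERROR" == "true" ]]`, while so-elastic-fleet-integration-policy-load uses `RETURN_CODE=1`; settling on one form (for example `RETURN_CODE=1` and `exit "$RETURN_CODE"`) keeps the three sibling scripts readable side by side. The `if ! integrations=$(...)` branch at the top of the outer loop (context in the @@ -24 hunk) presumably still exits immediately per its comment, which is a reasonable distinction from the per-integration `continue`, but worth a one-line comment now that the rest of the loop tolerates errors. The elastic-defend script also now ends without a trailing newline (`\ No newline at end of file`). The nested loops open in the @@ -24 hunk and close in the @@ -86 hunk.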
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1493,6 +1493,7 @@ soc:
           folder: securityonion-normalized
         assistant:
           apiUrl: https://onionai.securityonion.net
+          healthTimeoutSeconds: 3
         salt:
           queueDir: /opt/sensoroni/queue
           timeoutMs: 45000
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 4af20d444..3fa914227 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -585,6 +585,10 @@ soc:
           description: The URL of the AI gateway.
           advanced: True
           global: True
+        healthTimeoutSeconds:
+          description: Timeout in seconds for the Onion AI health check.
+          global: True
+          advanced: True
       client:
         assistant:
           enabled:
@@ -615,6 +619,7 @@ soc:
           advanced: True
         lowBalanceColorAlert:
           description: Onion AI credit amount at which balance turns red.
+          global: True
           advanced: True
         apiTimeoutMs:
           description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.