From e9af46a8cbddba5e17d292d2776067c3523f2b51 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 30 Sep 2025 14:28:42 -0500 Subject: [PATCH 1/4] less strict exits for fleet configuration --- .../tools/sbin/so-elastic-fleet-common | 2 +- ...ic-fleet-integration-policy-elastic-defend | 10 ++++++-- .../so-elastic-fleet-integration-policy-load | 25 ++++++++++++------- .../so-elastic-fleet-integration-upgrade | 10 ++++++-- 4 files changed, 33 insertions(+), 14 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common index 4ca5030aa..1a597b1db 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common @@ -27,7 +27,7 @@ fleet_api() { local QUERYPATH=$1 shift - curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --fail 2>/dev/null + curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --retry-delay 10 --fail 2>/dev/null } elastic_fleet_integration_check() { diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend index 9769f2f79..d036f0d94 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend @@ -8,6 +8,7 @@ . /usr/sbin/so-elastic-fleet-common +ERROR=false # Manage Elastic Defend Integration for Initial Endpoints Policy for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json do @@ -17,13 +18,18 @@ do printf "\n\nIntegration $NAME exists - Upgrading integration policy\n" if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then echo -e "\nFailed to upgrade integration policy for ${INTEGRATION##*/}" - exit 1 + ERROR=true + continue fi else printf "\n\nIntegration does not exist - Creating integration\n" if ! elastic_fleet_integration_create "@$INTEGRATION"; then echo -e "\nFailed to create integration for ${INTEGRATION##*/}" - exit 1 + ERROR=true + continue fi fi done +if [[ "$ERROR" == "true" ]]; then + exit 1 +fi \ No newline at end of file diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load index 8427b47bc..ca260891f 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load @@ -17,7 +17,6 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then # Third, configure Elastic Defend Integration seperately /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend - # Initial Endpoints for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json do @@ -27,13 +26,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then printf "\n\nIntegration $NAME exists - Updating integration\n" if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then echo -e "\nFailed to update integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi else printf "\n\nIntegration does not exist - Creating integration\n" if ! elastic_fleet_integration_create "@$INTEGRATION"; then echo -e "\nFailed to create integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi fi done @@ -47,13 +48,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then printf "\n\nIntegration $NAME exists - Updating integration\n" if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then echo -e "\nFailed to update integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi else printf "\n\nIntegration does not exist - Creating integration\n" if ! elastic_fleet_integration_create "@$INTEGRATION"; then echo -e "\nFailed to create integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi fi done @@ -70,14 +73,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then printf "\n\nIntegration $NAME exists - Updating integration\n" if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then echo -e "\nFailed to update integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi else printf "\n\nIntegration does not exist - Creating integration\n" if [ "$NAME" != "elasticsearch-logs" ]; then if ! elastic_fleet_integration_create "@$INTEGRATION"; then echo -e "\nFailed to create integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi fi fi @@ -97,14 +102,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then printf "\n\nIntegration $NAME exists - Updating integration\n" if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then echo -e "\nFailed to update integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi else printf "\n\nIntegration does not exist - Creating integration\n" if [ "$NAME" != "elasticsearch-logs" ]; then if ! elastic_fleet_integration_create "@$INTEGRATION"; then echo -e "\nFailed to create integration for ${INTEGRATION##*/}" - exit 1 + RETURN_CODE=1 + continue fi fi fi diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade index f1154af1e..1a1448c53 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade @@ -24,6 +24,7 @@ fi default_packages=({% for pkg in SUPPORTED_PACKAGES %}"{{ pkg }}"{% if not loop.last %} {% endif %}{% endfor %}) +ERROR=false for AGENT_POLICY in $agent_policies; do if ! integrations=$(elastic_fleet_integration_policy_names "$AGENT_POLICY"); then # this script upgrades default integration packages, exit 1 and let salt handle retrying @@ -73,11 +74,13 @@ for AGENT_POLICY in $agent_policies; do echo "No errors detected. Proceeding with upgrade..." if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then echo "Error: Upgrade failed for $PACKAGE_NAME with integration ID '$INTEGRATION_ID'." - exit 1 + ERROR=true + continue fi else echo "Errors detected during dry run for $PACKAGE_NAME policy upgrade..." - exit 1 + ERROR=true + continue fi fi {%- if not AUTO_UPGRADE_INTEGRATIONS %} @@ -86,4 +89,7 @@ for AGENT_POLICY in $agent_policies; do fi done done +if [[ "$ERROR" == "true" ]]; then + exit 1 +fi echo From 5a2e70490969e0c6b3a487b75f4cc3b753140203 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 30 Sep 2025 15:33:20 -0600 Subject: [PATCH 2/4] New field for assistant health check The health check has a smaller, configurable timeout. --- salt/soc/defaults.yaml | 1 + salt/soc/soc_soc.yaml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6caeddbe3..d93b405b1 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1493,6 +1493,7 @@ soc: folder: securityonion-normalized assistant: apiUrl: https://onionai.securityonion.net + healthTimeoutSeconds: 3 salt: queueDir: /opt/sensoroni/queue timeoutMs: 45000 diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 4af20d444..aaa01b5c6 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -585,6 +585,10 @@ soc: description: The URL of the AI gateway. advanced: True global: True + healthTimeoutSeconds: + description: Timeout in seconds for the Onion AI health check. + global: True + advanced: True client: assistant: enabled: From 066e227325eafbfaf6faf75e2dd6ebe3cce1d2fb Mon Sep 17 00:00:00 2001 From: Matthew Wright Date: Wed, 1 Oct 2025 11:01:10 -0400 Subject: [PATCH 3/4] made lowBalanceColorAlert global --- salt/soc/soc_soc.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index aaa01b5c6..3fa914227 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -619,6 +619,7 @@ soc: advanced: True lowBalanceColorAlert: description: Onion AI credit amount at which balance turns red. + global: True advanced: True apiTimeoutMs: description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI. From 030e4961d7afa8bc091718d1ad985133009191ed Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 1 Oct 2025 12:13:56 -0400 Subject: [PATCH 4/4] updates for wiretap lib --- salt/common/tools/sbin_jinja/so-import-pcap | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap index e8c2b84c8..b630df015 100755 --- a/salt/common/tools/sbin_jinja/so-import-pcap +++ b/salt/common/tools/sbin_jinja/so-import-pcap @@ -173,7 +173,7 @@ for PCAP in $INPUT_FILES; do status "- assigning unique identifier to import: $HASH" pcap_data=$(pcapinfo "${PCAP}") - if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then + if ! echo "$pcap_data" | grep -q "Earliest packet time:" || echo "$pcap_data" |egrep -q "Latest packet time: 1970-01-01|Latest packet time: n/a"; then status "- this PCAP file is invalid; skipping" INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1)) else @@ -205,8 +205,8 @@ for PCAP in $INPUT_FILES; do HASHES="${HASHES} ${HASH}" fi - START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') - END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') + START=$(pcapinfo "${PCAP}" -a |grep "Earliest packet time:" | awk '{print $4}') + END=$(pcapinfo "${PCAP}" -e |grep "Latest packet time:" | awk '{print $4}') status "- found PCAP data spanning dates $START through $END" # compare $START to $START_OLDEST