From d5bb223235c6ac48cd69691a0b36419ea20cfb70 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:10:52 -0400
Subject: [PATCH 1/7] Fix system syslog delete file configuration

---
 .../files/action/logs-system-syslog-default-delete.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
index b46a5fc73..36e079408 100644
--- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
@@ -3,19 +3,19 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
+{%- set DELETE_DAYS = CURATORMERGED['logs-system.syslog-default'].delete %}
 actions:
   1:
     action: delete_indices
     description: >-
-      Delete import indices when older than {{ DELETE_DAYS }} days.
+      Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
     options:
       ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern
       kind: regex
-      value: '^(.ds-logs-import-so.*)$'
+      value: '^(.ds-logs-system.syslog-default.*)$'
     - filtertype: age
       source: name
       direction: older
From c2701f1835372a75ed5ccb3fbca41561679fba3f Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:24:12 -0400
Subject: [PATCH 2/7] Fix system syslog default key value

---
 .../curator/files/action/logs-system-syslog-default-delete.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
index 36e079408..1a7d217e9 100644
--- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
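Review bot: The new `value:` line leaves the dots in the regex unescaped, so `.` matches any character and the pattern can select backing indices beyond the `.ds-logs-system.syslog-default` data stream; because this action is `delete_indices`, an over-broad match means data loss rather than a cosmetic mismatch. Use `value: '^\.ds-logs-system\.syslog-default.*$'` so only the literal prefix matches (single quotes keep the backslashes intact for Curator's regex). The age filter that follows the pattern filter continues past the end of the hunk, so its name-based timestring settings are not visible here.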
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = CURATORMERGED['logs-system.syslog-default'].delete %}
+{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
 actions:
   1:
     action: delete_indices
From 8ade7b85fc450efbd9cb28ee5264b7ccd76213e7 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:24:40 -0400
Subject: [PATCH 3/7] Fix system syslog default key value

---
 salt/curator/files/action/logs-system-syslog-default-close.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml
index a9a697a66..3c9482b40 100644
--- a/salt/curator/files/action/logs-system-syslog-default-close.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = CURATORMERGED['logs-system.syslog-default'].close %}
+{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
 actions:
   1:
     action: close
From 785f100132bf6fc21010da55fad47450b1d8b666 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:25:33 -0400
Subject: [PATCH 4/7] Fix system auth default key value

---
 salt/curator/files/action/logs-system-auth-default-close.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml
index 7c04a0ca9..af9843b35 100644
--- a/salt/curator/files/action/logs-system-auth-default-close.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-close.yaml
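Review bot: Only the Jinja key line of the syslog close action changes in this hunk, and the action's `description:` sits outside it; the sibling close file removed later in this series still reads `Close import indices older than {{cur_close_days}} days.`, so this file likely carries the same copy-paste wording left over from the import action. If so, change it to `Close Elastic Agent system syslog indices older than {{cur_close_days}} days.` to match the delete action's description updated in the first patch. The `actions:` mapping continues past the end of the hunk, so the filters for this close action are not visible here.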
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = CURATORMERGED['logs-system.auth-default'].close %}
+{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
 actions:
   1:
     action: close
From bab40de58d7becd7e71059cc01fa5933ac36bf32 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:26:05 -0400
Subject: [PATCH 5/7] Fix system auth default key value

---
 salt/curator/files/action/logs-system-auth-default-delete.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/curator/files/action/logs-system-auth-default-delete.yaml b/salt/curator/files/action/logs-system-auth-default-delete.yaml
index d14d560f3..9a1cc6a9a 100644
--- a/salt/curator/files/action/logs-system-auth-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = CURATORMERGED['logs-system.auth-default'].delete %}
+{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
 actions:
   1:
     action: delete_indices
From f4112b30c0402bdca6a5711a48bff4c88f4e1473 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:27:06 -0400
Subject: [PATCH 6/7] Fix index reference for system auth default

---
 salt/curator/files/action/logs-system-auth-syslog-close.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/curator/files/action/logs-system-auth-syslog-close.yaml b/salt/curator/files/action/logs-system-auth-syslog-close.yaml
index 52ddb5eb5..f71ffacb5 100644
--- a/salt/curator/files/action/logs-system-auth-syslog-close.yaml
+++ b/salt/curator/files/action/logs-system-auth-syslog-close.yaml
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %}
+{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
 actions:
   1:
     action: close
@@ -17,7 +17,7 @@ actions:
     filters:
     - filtertype: pattern
       kind: regex
-      value: '^(.ds-logs-import-so.*)$'
+      value: '^(.ds-logs-system.auth-default.*)$'
     - filtertype: age
       source: name
       direction: older
From 486de12ca5eaee9ecbb9c43dbdab7f73db18a476 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Mar 2023 17:27:52 -0400
Subject: [PATCH 7/7] Delete logs-system-auth-syslog-close.yaml

---
 .../action/logs-system-auth-syslog-close.yaml | 27 -------------------
 1 file changed, 27 deletions(-)
 delete mode 100644 salt/curator/files/action/logs-system-auth-syslog-close.yaml

diff --git a/salt/curator/files/action/logs-system-auth-syslog-close.yaml b/salt/curator/files/action/logs-system-auth-syslog-close.yaml
deleted file mode 100644
index f71ffacb5..000000000
--- a/salt/curator/files/action/logs-system-auth-syslog-close.yaml
+++ /dev/null
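Review bot: The regex added in the second hunk, `'^(.ds-logs-system.auth-default.*)$'`, leaves both dots unescaped so they match any character, and the very next patch in the series deletes this file outright, so this edit never survives; squashing patches 6 and 7 would keep the history honest. Whichever file now owns the close action for this data stream (presumably `logs-system-auth-default-close.yaml`, touched in patch 4, but its filters are outside that hunk) should carry the anchored, escaped form `value: '^\.ds-logs-system\.auth-default.*$'` so a close action cannot pick up unrelated indices. The age filter after the pattern filter continues past the end of this hunk.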
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close import indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      continue_if_exception: False
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-system.auth-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-    exclude: