Merge pull request #1417 from Security-Onion-Solutions/bugfix/local_zeeklogs

Bugfix/local zeeklogs
2025-12-06 17:22:49 +01:00 · 2020-09-29 08:58:02 -04:00
parent 60134829d5 f77305e22f
commit ebe00822f8
4 changed files with 54 additions and 102 deletions
--- a/pillar/zeeklogs.sls
+++ b/pillar/zeeklogs.sls
@@ -1,42 +0,0 @@
-zeeklogs:
-  enabled:
-    - conn
-    - dce_rpc
-    - dhcp
-    - dhcpv6
-    - dnp3
-    - dns
-    - dpd
-    - files
-    - ftp
-    - http
-    - intel
-    - irc
-    - kerberos
-    - modbus
-    - mqtt
-    - notice
-    - ntlm
-    - openvpn
-    - pe
-    - radius
-    - rfb
-    - rdp
-    - signatures
-    - sip
-    - smb_files
-    - smb_mapping
-    - smtp
-    - snmp
-    - software
-    - ssh
-    - ssl
-    - syslog
-    - telnet
-    - tunnel
-    - weird
-    - mysql
-    - socks
-    - x509
-    
-  disabled:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1119,8 +1119,6 @@ manager_pillar() {
 		"  kratoskey: $KRATOSKEY"\
 		"" >> "$pillar_file"

-	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$pillar_file" >> "$setup_log" 2>&1
  }

 manager_global() {
@@ -1326,8 +1324,6 @@ elasticsearch_pillar() {
 		"  lsheap: $NODE_LS_HEAP_SIZE"\
 		"" >> "$pillar_file"

-	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$pillar_file" >> "$setup_log" 2>&1
 }

 parse_install_username() {
@@ -1347,9 +1343,6 @@ patch_pillar() {
 		"    splay: 300"\
 		"" >> "$pillar_file"

-	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$pillar_file" >> "$setup_log" 2>&1
-
 }

 patch_schedule_os_new() {
@@ -1372,8 +1365,6 @@ patch_schedule_os_new() {
 		done
 	done

-	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$OSPATCHSCHEDULE" >> "$setup_log" 2>&1
 }

 print_salt_state_apply() {
@@ -1746,8 +1737,6 @@ sensor_pillar() {
 		echo "  hnsensor: $HNSENSOR" >> "$pillar_file"
 	fi

-	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$pillar_file" >> "$setup_log" 2>&1
 }

 set_default_log_size() {
@@ -2031,7 +2020,7 @@ es_heapsize() {
 zeek_logs_enabled() {
 	echo "Enabling Zeek Logs" >> "$setup_log" 2>&1

-	local zeeklogs_pillar=./pillar/zeeklogs.sls
+	local zeeklogs_pillar=$local_salt_dir/pillar/zeeklogs.sls

 	printf '%s\n'\
 		"zeeklogs:"\
@@ -2043,44 +2032,44 @@ zeek_logs_enabled() {
 		done
 	elif [ "$install_type" == "EVAL" ]  || [ "$install_type" == "IMPORT" ]; then
 		printf '%s\n'\
-                        "    - conn"\
-                        "    - dce_rpc"\
-                        "    - dhcp"\
-                        "    - dhcpv6"\
-                        "    - dnp3"\
-                        "    - dns"\
-                        "    - dpd"\
-                        "    - files"\
-                        "    - ftp"\
-                        "    - http"\
-                        "    - intel"\
-                        "    - irc"\
-                        "    - kerberos"\
-                        "    - modbus"\
-                        "    - mqtt"\
-                        "    - notice"\
-                        "    - ntlm"\
-                        "    - openvpn"\
-                        "    - pe"\
-                        "    - radius"\
-                        "    - rfb"\
-                        "    - rdp"\
-                        "    - signatures"\
-                        "    - sip"\
-                        "    - smb_files"\
-                        "    - smb_mapping"\
-                        "    - smtp"\
-                        "    - snmp"\
-                        "    - software"\
-                        "    - ssh"\
-                        "    - ssl"\
-                        "    - syslog"\
-                        "    - telnet"\
-                        "    - tunnel"\
-                        "    - weird"\
-                        "    - mysql"\
-                        "    - socks"\
-                        "    - x509" >> "$zeeklogs_pillar"
+			"    - conn"\
+			"    - dce_rpc"\
+			"    - dhcp"\
+			"    - dhcpv6"\
+			"    - dnp3"\
+			"    - dns"\
+			"    - dpd"\
+			"    - files"\
+			"    - ftp"\
+			"    - http"\
+			"    - intel"\
+			"    - irc"\
+			"    - kerberos"\
+			"    - modbus"\
+			"    - mqtt"\
+			"    - notice"\
+			"    - ntlm"\
+			"    - openvpn"\
+			"    - pe"\
+			"    - radius"\
+			"    - rfb"\
+			"    - rdp"\
+			"    - signatures"\
+			"    - sip"\
+			"    - smb_files"\
+			"    - smb_mapping"\
+			"    - smtp"\
+			"    - snmp"\
+			"    - software"\
+			"    - ssh"\
+			"    - ssl"\
+			"    - syslog"\
+			"    - telnet"\
+			"    - tunnel"\
+			"    - weird"\
+			"    - mysql"\
+			"    - socks"\
+			"    - x509" >> "$zeeklogs_pillar"
 	# Disable syslog log by default
 	else
 		printf '%s\n'\
@@ -2122,7 +2111,4 @@ zeek_logs_enabled() {
 			"    - socks"\
 			"    - x509" >> "$zeeklogs_pillar"
 	fi
-
-	printf '%s\n'  '----' >> "$setup_log" 2>&1
-	cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
 }
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -490,17 +490,17 @@ fi
 	set_progress_str 5 'Installing Salt and dependencies'
 	saltify 2>> $setup_log

-	set_progress_str 7 'Installing Docker and dependencies'
+	set_progress_str 6 'Installing Docker and dependencies'
 	docker_install >> $setup_log 2>&1
 	
-	set_progress_str 8 'Generating patch pillar'
+	set_progress_str 7 'Generating patch pillar'
 	patch_pillar >> $setup_log 2>&1

-	set_progress_str 9 'Initializing Salt minion'
+	set_progress_str 8 'Initializing Salt minion'
 	configure_minion "$minion_type" >> $setup_log 2>&1

 	if [[ $is_manager || $is_helix || $is_import ]]; then
-		set_progress_str 10 'Configuring Salt master'
+		set_progress_str 9 'Configuring Salt master'
 		{
 			create_local_directories;
 			addtotab_generate_templates;
@@ -509,17 +509,22 @@ fi
 			firewall_generate_templates;
 		} >> $setup_log 2>&1
 		
-		set_progress_str 11 'Updating sudoers file for soremote user'
+		set_progress_str 10 'Updating sudoers file for soremote user'
 		update_sudoers >> $setup_log 2>&1
 		
-		set_progress_str 12 'Generating manager global pillar'
+		set_progress_str 11 'Generating manager global pillar'
 		#minio_generate_keys
 		manager_global >> $setup_log 2>&1
 		
-		set_progress_str 13 'Generating manager pillar'
+		set_progress_str 12 'Generating manager pillar'
 		manager_pillar >> $setup_log 2>&1
 	fi

+	if [[ $is_sensor || $is_import ]]; then
+		set_progress_str 13 'Generating zeeklogs pillar'
+		zeek_logs_enabled >> $setup_log 2>&1
+	fi
+

 	set_progress_str 16 'Running first Salt checkin'
 	salt_firstcheckin >> $setup_log 2>&1
@@ -617,6 +622,7 @@ fi
 		salt-call state.apply -l info suricata >> $setup_log 2>&1

 		set_progress_str 67 "$(print_salt_state_apply 'zeek')"
+		zeek_logs_enabled >> $setup_log 2>&1
 		salt-call state.apply -l info zeek >> $setup_log 2>&1
 	fi

--- a/setup/so-variables
+++ b/setup/so-variables
@@ -54,8 +54,10 @@ export percentage_str='Getting started'
 export DEBIAN_FRONTEND=noninteractive

 export default_salt_dir=/opt/so/saltstack/default
+mkdir -p "$default_salt_dir"

 export local_salt_dir=/opt/so/saltstack/local
+mkdir -p "$local_salt_dir"

 SCRIPTDIR=$(cd "$(dirname "$0")" && pwd)
 export SCRIPTDIR