From 621e5c1cf819d797b77168dff12174a0fa8cc7e2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Apr 2021 19:18:10 -0400
Subject: [PATCH 1/6] Enable Filebeat Stats
---
 salt/filebeat/etc/filebeat.yml | 5 +++--
 salt/filebeat/init.sls | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index c680d61c1..f6d3c5334 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -493,12 +493,13 @@ setup.template.enabled: false
 # append ?pretty to the URL.
 
 # Defines if the HTTP endpoint is enabled.
-#http.enabled: false
+http.enabled: true
 
 # The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
-#http.host: localhost
+http.host: localhost
 
 # Port on which the HTTP endpoint will bind. Default is 5066.
+http.port: 5066
 
 queue.mem.events: {{ FBMEMEVENTS }}
 queue.mem.flush.min_events: {{ FBMEMFLUSHMINEVENTS }}
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 339d307ee..4d7f81819 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -74,6 +74,7 @@ so-filebeat:
 - port_bindings:
 - 0.0.0.0:514:514/udp
 - 0.0.0.0:514:514/tcp
+ - 0.0.0.0:5066/tcp
 - watch:
 - file: /opt/so/conf/filebeat/etc/filebeat.yml
 
From 7153f58a03cba46e5f45b334449e4944663e9350 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Apr 2021 20:17:26 -0400
Subject: [PATCH 2/6] Add Firewall for Beats port
---
 salt/filebeat/init.sls | 2 +-
 salt/firewall/portgroups.yaml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 4d7f81819..64cdc47fc 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -74,7 +74,7 @@ so-filebeat:
 - port_bindings:
 - 0.0.0.0:514:514/udp
 - 0.0.0.0:514:514/tcp
- - 0.0.0.0:5066/tcp
+ - 0.0.0.0:5066:5066/tcp
 - watch:
 - file: /opt/so/conf/filebeat/etc/filebeat.yml
 
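Review bot: The `http.host: localhost` set here is not reachable through the `0.0.0.0:5066` port binding that this same commit adds to init.sls, because Docker forwards a published port to the container's network interface and a listener bound only to the container's loopback does not answer there; patches 3 and 4 of this series move the bind address for that reason. The port number is also now fixed in three places — this `http.port: 5066` line, the init.sls port binding and the curl target in the telegraf script added in patch 6 — while the neighbouring queue settings are templated (`{{ FBMEMEVENTS }}`). Either template the port the same way or record the coupling above the setting, e.g. `# Must match the 5066 port binding in salt/filebeat/init.sls and the curl target in salt/telegraf/scripts/beatseps.sh.`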
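Review bot: `- 0.0.0.0:5066:5066/tcp` publishes the Filebeat HTTP stats endpoint on every host interface, and that endpoint carries no authentication; the only consumer on this page is beatseps.sh, which queries `localhost:5066`. Publishing on loopback instead, `- 127.0.0.1:5066:5066/tcp`, keeps the counters reachable from the host without turning them into a network-visible service, and the `beats_5066` port group added in the same commit would then not need to be opened to remote hosts. That assumes the so-telegraf container reaches the endpoint through the host's loopback (host networking or similar); if it goes over a bridge network, confirm the address it actually uses before narrowing the binding.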
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index 55a09c6bf..1386267f5 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -18,6 +18,9 @@ firewall:
 beats_5644:
 tcp:
 - 5644
+ beats_5066:
+ tcp:
+ - 5066
 cortex:
 tcp:
 - 9001
From db7dcd76cdd969ce00ec3a6077a20407b0fdf8d2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Apr 2021 20:21:32 -0400
Subject: [PATCH 3/6] Add hostname to the listener
---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index f6d3c5334..ecb16ac06 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -496,7 +496,7 @@ setup.template.enabled: false
 http.enabled: true
 
 # The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
-http.host: localhost
+http.host: {{ HOSTNAME }}
 
 # Port on which the HTTP endpoint will bind. Default is 5066.
 http.port: 5066
From aa66b6226fbe121c655a138346de6bce04119ef0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Apr 2021 20:22:51 -0400
Subject: [PATCH 4/6] Add hostname to the listener
---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index ecb16ac06..0f7c9c778 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -496,7 +496,7 @@ setup.template.enabled: false
 http.enabled: true
 
 # The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
-http.host: {{ HOSTNAME }}
+http.host: 0.0.0.0
 
 # Port on which the HTTP endpoint will bind. Default is 5066.
 http.port: 5066
From 904d34977f5508c5debf3b2ab6e306714a799e2c Mon Sep 17 00:00:00 2001
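Review bot: `http.host: 0.0.0.0` contradicts the context line directly above it ("It is recommended to use only localhost") without recording why, and together with the `0.0.0.0:5066:5066/tcp` binding in init.sls and the new `beats_5066` port group it makes the unauthenticated stats endpoint reachable from the network rather than only from the host. Binding to all interfaces inside the container is what the Docker port publish requires, so the restriction belongs at the publish address and in the firewall rather than here, and the comment should say so, e.g. `# Bound to all container interfaces so the port published in init.sls can reach it; limit exposure through that binding's address and the beats_5066 port group.` Where the `beats_5066` group is actually assigned is not on this page, so whether it opens 5066 to remote hosts should be checked there.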
From: Mike Reeves
Date: Tue, 13 Apr 2021 20:48:53 -0400
Subject: [PATCH 5/6] Add telegraf scripts to track eps and failures for beats
---
 salt/telegraf/etc/telegraf.conf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index 1b172485b..03113a3f4 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -679,7 +679,8 @@
 "/scripts/redis.sh",
 "/scripts/influxdbsize.sh",
 "/scripts/eps.sh",
- "/scripts/raid.sh"
+ "/scripts/raid.sh",
+ "/beatseps.sh"
 ]
 data_format = "influx"
 ## Timeout for each command to complete.
@@ -695,7 +696,8 @@
 "/scripts/zeekcaptureloss.sh",
 {% endif %}
 "/scripts/oldpcap.sh",
- "/scripts/raid.sh"
+ "/scripts/raid.sh",
+ "/beatseps.sh"
 ]
 data_format = "influx"
 timeout = "15s"
@@ -711,7 +713,8 @@
 {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/eps.sh",
- "/scripts/raid.sh"
+ "/scripts/raid.sh",
+ "/beatseps.sh"
 ]
 data_format = "influx"
 timeout = "15s"
@@ -729,7 +732,8 @@
 {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/eps.sh",
- "/scripts/raid.sh"
+ "/scripts/raid.sh",
+ "/beatseps.sh"
 ]
 data_format = "influx"
 timeout = "15s"
@@ -746,7 +750,8 @@
 {% endif %}
 "/scripts/oldpcap.sh",
 "/scripts/influxdbsize.sh",
- "/scripts/raid.sh"
+ "/scripts/raid.sh",
+ "/beatseps.sh"
 ]
 data_format = "influx"
 timeout = "15s"
From 6fc7ed1a25b437bde17774bbdf309ab4bc3068b4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Apr 2021 20:51:27 -0400
Subject: [PATCH 6/6] Add telegraf scripts to track eps and failures for beats
---
 salt/telegraf/scripts/beatseps.sh | 51 +++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 salt/telegraf/scripts/beatseps.sh
diff --git a/salt/telegraf/scripts/beatseps.sh b/salt/telegraf/scripts/beatseps.sh
new file mode 100644
index 000000000..faba0fabc
--- /dev/null
+++ b/salt/telegraf/scripts/beatseps.sh
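Review bot: The new entry `"/beatseps.sh"` points at the container root while every sibling in the same list lives under `/scripts/` and the script itself is created at salt/telegraf/scripts/beatseps.sh in the next patch, so unless it is separately mounted at `/` the exec input will fail on a missing file and the fbstats series will simply never appear; the same path is added in the hunks at -695, -711, -729 and -746. Change it to `"/scripts/beatseps.sh"` in all five places. The script is also appended to each of the five command lists regardless of which node role they are rendered for; on a node with no local Filebeat stats endpoint it exits without output, which is harmless, but a short comment next to the entry saying that is intended would save the next reader a search.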
@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=beatseps
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+PREVCOUNTFILE='/tmp/beatseps.txt'
+EVENTCOUNTCURRENT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.acked')"
+FAILEDEVENTCOUNT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.failed')"
+
+if [ ! -z "$EVENTCOUNTCURRENT" ]; then
+
+ if [ -f "$PREVCOUNTFILE" ]; then
+ EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
+ else
+ echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+ exit 0
+ fi
+
+ echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+ # the division by 30 is because the agent interval is 30 seconds
+ EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
+ if [ "$EVENTS" -lt 0 ]; then
+ EVENTS=0
+ fi
+
+ echo "fbstats eps=${EVENTS%%.*},failed=$FAILEDEVENTCOUNT"
+
+fi
+
+exit 0
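Review bot: The two `curl ... | jq` lines fetch `/stats` twice, so acked and failed come from different snapshots, and only the first result is guarded: when the endpoint is down the second yields `failed=` with no value, which is not valid influx line protocol and should be rejected by Telegraf as a parse error, and when the field is absent jq prints `null`, which `$(( ))` then treats as an unset variable worth 0 and the eps value is silently wrong. Neither request has a timeout, so a stalled endpoint keeps this pid in the lock file until Telegraf's 15s exec timeout kills the script. Fetch once, derive both fields from that body, bound the request, and only emit a line when both values are plain integers, as below; the `[ ... -a ... ]` on the lock line behaves correctly but reads better as two `[[ ]]` tests.
```shell
PREVCOUNTFILE='/tmp/beatseps.txt'
# one request, so acked and failed come from the same snapshot; bounded so a stalled endpoint cannot hold the lock
STATS="$(curl -s --max-time 5 localhost:5066/stats)"
EVENTCOUNTCURRENT="$(printf '%s' "$STATS" | jq '.libbeat.output.events.acked')"
FAILEDEVENTCOUNT="$(printf '%s' "$STATS" | jq '.libbeat.output.events.failed')"

# jq prints "null" for a missing field and nothing for an empty body; only plain integers may reach the arithmetic and the output line
if [[ "$EVENTCOUNTCURRENT" =~ ^[0-9]+$ && "$FAILEDEVENTCOUNT" =~ ^[0-9]+$ ]]; then
# … unchanged: previous-count file handling, eps computation, fbstats echo, closing fi and exit 0 …
```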