From 994eabae1b4fabc35208d152682225e5ea8e6609 Mon Sep 17 00:00:00 2001
From: Wes
Date: Fri, 10 Feb 2023 18:57:19 +0000
Subject: [PATCH 1/2] Manage policy loading in Elasticsearch state

---
 salt/elasticsearch/init.sls | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 43e8d9f72..b9caa2e89 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -53,9 +53,19 @@ es_sync_scripts:
 - source: salt://elasticsearch/tools/sbin
 - exclude_pat:
 - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
+ - so-elasticsearch-ilm-policy-load
 - defaults:
 GLOBALS: {{ GLOBALS }}
 
+so-elasticsearch-ilm-policy-load-script:
+ file.managed:
+ - name: /usr/sbin/so-elasticsearch-ilm-policy-load
+ - source: salt://elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
+ - user: 930
+ - group: 939
+ - mode: 754
+ - template: jinja
+
 so-elasticsearch-pipelines-script:
 file.managed:
 - name: /usr/sbin/so-elasticsearch-pipelines
@@ -362,6 +372,16 @@ so-es-cluster-settings:
 - docker_container: so-elasticsearch
 - file: es_sync_scripts
 
+so-elasticsearch-ilm-policy-load:
+ cmd.run:
+ - name: /usr/sbin/so-elasticsearch-ilm-policy-load
+ - cwd: /opt/so
+ - require:
+ - docker_container: so-elasticsearch
+ - file: so-elasticsearch-ilm-policy-load-script
+ - onchanges:
+ - file: so-elasticsearch-ilm-policy-load-script
+
 so-elasticsearch-templates:
 cmd.run:
 - name: /usr/sbin/so-elasticsearch-templates-load

From 1255c6031746df6a444ff59df319b3982152514c Mon Sep 17 00:00:00 2001
From: Wes
Date: Fri, 10 Feb 2023 18:59:45 +0000
Subject: [PATCH 2/2] Move policy load script into Elasticsearch state script directory

---
 .../sbin/so-elasticsearch-ilm-policy-load | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
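Review bot: The new `- so-elasticsearch-ilm-policy-load` entry under `exclude_pat` carries no comment, while its sibling `so-elasticsearch-pipelines` explains why it is excluded, so a reader has to find the separate `so-elasticsearch-ilm-policy-load-script` state to work out the reason; suggest `- so-elasticsearch-ilm-policy-load # managed by so-elasticsearch-ilm-policy-load-script so its cmd.run state can watch it for changes`. On the new `file.managed` state, `- mode: 754` leaves the rendered script world-readable and world-executable; the content it embeds (policy JSON and the node IP rendered from pillar) is not secret, but the sibling `so-elasticsearch-pipelines-script` is the obvious reference for `user`/`group`/`mode` and its values fall outside this hunk, so confirm they match or tighten to `750` since only the state's own `cmd.run` needs to execute it. The `es_sync_scripts` state starts before the hunk.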
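Review bot: In the new `so-elasticsearch-ilm-policy-load` state the `- require: - file: so-elasticsearch-ilm-policy-load-script` entry duplicates the `onchanges` on the same file; `onchanges` is itself a requisite that orders the state after the file, so the `require` list can be reduced to the `docker_container` entry. Separately, `so-elasticsearch-templates` directly below does not depend on the new state, so if the templates loaded by `so-elasticsearch-templates-load` reference the `<index>-logs` ILM policies by name, the policy-before-template order is only incidental; a `- require: - cmd: so-elasticsearch-ilm-policy-load` on that state would make it explicit (its body continues outside the hunk). Note also that with `onchanges` the PUT is not repeated on later highstate runs while the rendered script is unchanged, so a policy removed from the cluster stays missing until the file content changes; if that trade-off is intended, a one-line comment on the state saying so would save the next reader the same analysis.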
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
new file mode 100755
index 000000000..dda521736
--- /dev/null
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
@@ -0,0 +1,21 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
+{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+{%- for index, settings in ES_INDEX_SETTINGS.items() %}
+ {%- if settings.policy is defined %}
+echo
+echo "Setting up {{ index }}-logs policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }'
+echo
+ {%- endif %}
+{%- endfor %}
+echo
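Review bot: The first line `#/bin/bash` is missing the `!`, so it is an ordinary comment rather than a shebang; the `cmd.run` state in init.sls executes the file by path, and without a valid interpreter line the kernel refuses it and the invoking shell falls back to running it as its own script, which need not be bash and may not cope with whatever `/usr/sbin/so-common` relies on. Change it to `#!/bin/bash`. Second, a failed policy load is invisible to Salt: `curl` runs with `-s` and without `--fail`, so an HTTP error from the `_ilm/policy` PUT still exits 0, and the script's last command is a bare `echo`, so even a transport-level curl failure is masked and `cmd.run` reports success whenever the script runs. Adding `-f` (or `--fail-with-body` to keep the error response) together with `set -e`, or recording a failure flag per iteration and exiting non-zero after the loop, would let the state fail and surface the cluster's response. Finally, `-k` disables server-certificate verification for the request to `https://{{ NODEIP }}:9200`; if `/opt/so/conf/elasticsearch/curl.config` already supplies the CA this flag silently overrides it, so confirm it is deliberate rather than inherited.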