mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
watch elastalert config and restart docker if chagnes
This commit is contained in:
m0duspwnens
@@ -1,110 +0,0 @@
|
|||||||
{% set esip = salt['pillar.get']('manager:mainip', '') %}
|
|
||||||
{% set esport = salt['pillar.get']('manager:es_port', '') %}
|
|
||||||
# This is the folder that contains the rule yaml files
|
|
||||||
# Any .yaml file will be loaded as a rule
|
|
||||||
rules_folder: /opt/elastalert/rules/
|
|
||||||
|
|
||||||
# Sets whether or not ElastAlert should recursively descend
|
|
||||||
# the rules directory - true or false
|
|
||||||
scan_subdirectories: true
|
|
||||||
|
|
||||||
# Do not disable a rule when an uncaught exception is thrown -
|
|
||||||
# This setting should be tweaked once the following issue has been fixed
|
|
||||||
# https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/98
|
|
||||||
disable_rules_on_error: false
|
|
||||||
|
|
||||||
# How often ElastAlert will query Elasticsearch
|
|
||||||
# The unit can be anything from weeks to seconds
|
|
||||||
run_every:
|
|
||||||
minutes: 3
|
|
||||||
|
|
||||||
# ElastAlert will buffer results from the most recent
|
|
||||||
# period of time, in case some log sources are not in real time
|
|
||||||
buffer_time:
|
|
||||||
minutes: 10
|
|
||||||
|
|
||||||
# The maximum time between queries for ElastAlert to start at the most recently
|
|
||||||
# run query. When ElastAlert starts, for each rule, it will search elastalert_metadata
|
|
||||||
# for the most recently run query and start from that time, unless it is older than
|
|
||||||
# old_query_limit, in which case it will start from the present time. The default is one week.
|
|
||||||
old_query_limit:
|
|
||||||
minutes: 5
|
|
||||||
|
|
||||||
# The Elasticsearch hostname for metadata writeback
|
|
||||||
# Note that every rule can have its own Elasticsearch host
|
|
||||||
es_host: {{ esip }}
|
|
||||||
|
|
||||||
# The Elasticsearch port
|
|
||||||
es_port: {{ esport }}
|
|
||||||
|
|
||||||
# Sets timeout for connecting to and reading from es_host
|
|
||||||
es_conn_timeout: 55
|
|
||||||
|
|
||||||
# The maximum number of documents that will be downloaded from Elasticsearch in
|
|
||||||
# a single query. The default is 10,000, and if you expect to get near this number,
|
|
||||||
# consider using use_count_query for the rule. If this limit is reached, ElastAlert
|
|
||||||
# will scroll through pages the size of max_query_size until processing all results.
|
|
||||||
max_query_size: 5000
|
|
||||||
|
|
||||||
# The AWS region to use. Set this when using AWS-managed elasticsearch
|
|
||||||
#aws_region: us-east-1
|
|
||||||
|
|
||||||
# The AWS profile to use. Use this if you are using an aws-cli profile.
|
|
||||||
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
|
|
||||||
# for details
|
|
||||||
#profile: test
|
|
||||||
|
|
||||||
# Optional URL prefix for Elasticsearch
|
|
||||||
#es_url_prefix: elasticsearch
|
|
||||||
|
|
||||||
# Connect with TLS to Elasticsearch
|
|
||||||
#use_ssl: True
|
|
||||||
|
|
||||||
# Verify TLS certificates
|
|
||||||
#verify_certs: True
|
|
||||||
|
|
||||||
# GET request with body is the default option for Elasticsearch.
|
|
||||||
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
|
|
||||||
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
|
|
||||||
# for details
|
|
||||||
#es_send_get_body_as: GET
|
|
||||||
|
|
||||||
# Option basic-auth username and password for Elasticsearch
|
|
||||||
#es_username: someusername
|
|
||||||
#es_password: somepassword
|
|
||||||
|
|
||||||
# The index on es_host which is used for metadata storage
|
|
||||||
# This can be a unmapped index, but it is recommended that you run
|
|
||||||
# elastalert-create-index to set a mapping
|
|
||||||
writeback_index: elastalert_status
|
|
||||||
|
|
||||||
# If an alert fails for some reason, ElastAlert will retry
|
|
||||||
# sending the alert until this time period has elapsed
|
|
||||||
alert_time_limit:
|
|
||||||
days: 2
|
|
||||||
|
|
||||||
index_settings:
|
|
||||||
shards: 1
|
|
||||||
replicas: 0
|
|
||||||
|
|
||||||
logging:
|
|
||||||
version: 1
|
|
||||||
incremental: false
|
|
||||||
disable_existing_loggers: false
|
|
||||||
formatters:
|
|
||||||
logline:
|
|
||||||
format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
|
|
||||||
|
|
||||||
handlers:
|
|
||||||
file:
|
|
||||||
class : logging.FileHandler
|
|
||||||
formatter: logline
|
|
||||||
level: INFO
|
|
||||||
filename: /var/log/elastalert/elastalert.log
|
|
||||||
|
|
||||||
loggers:
|
|
||||||
'':
|
|
||||||
level: INFO
|
|
||||||
handlers:
|
|
||||||
- file
|
|
||||||
propagate: false
|
|
||||||
@@ -1,3 +1 @@
|
|||||||
%YAML 1.1
|
|
||||||
---
|
|
||||||
{{ elastalert_config | yaml(False) }}
|
{{ elastalert_config | yaml(False) }}
|
||||||
@@ -123,6 +123,8 @@ so-elastalert:
|
|||||||
- {{MANAGER_URL}}:{{MANAGER_IP}}
|
- {{MANAGER_URL}}:{{MANAGER_IP}}
|
||||||
- require:
|
- require:
|
||||||
- module: wait_for_elasticsearch
|
- module: wait_for_elasticsearch
|
||||||
|
- watch:
|
||||||
|
- file: elastaconf
|
||||||
|
|
||||||
append_so-elastalert_so-status.conf:
|
append_so-elastalert_so-status.conf:
|
||||||
file.append:
|
file.append:
|
||||||
|
|||||||
Reference in New Issue
Block a user