Remove preconfigured zeeklog + create it during setup

2025-12-08 02:02:50 +01:00 · 2020-09-28 15:12:36 -04:00
parent 66b7678df8
commit f782299281
4 changed files with 42 additions and 95 deletions
--- a/pillar/zeeklogs.sls
+++ b/pillar/zeeklogs.sls
@@ -1,42 +0,0 @@
 zeeklogs:
  enabled:
    - conn
    - dce_rpc
    - dhcp
    - dhcpv6
    - dnp3
    - dns
    - dpd
    - files
    - ftp
    - http
    - intel
    - irc
    - kerberos
    - modbus
    - mqtt
    - notice
    - ntlm
    - openvpn
    - pe
    - radius
    - rfb
    - rdp
    - signatures
    - sip
    - smb_files
    - smb_mapping
    - smtp
    - snmp
    - software
    - ssh
    - ssl
    - syslog
    - telnet
    - tunnel
    - weird
    - mysql
    - socks
    - x509
  disabled:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1111,8 +1111,6 @@ manager_pillar() {
 		"  kratoskey: $KRATOSKEY"\
 		"" >> "$pillar_file"
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
 	cat "$pillar_file" >> "$setup_log" 2>&1
  }
 manager_global() {
@@ -1318,8 +1316,6 @@ elasticsearch_pillar() {
 		"  lsheap: $NODE_LS_HEAP_SIZE"\
 		"" >> "$pillar_file"
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
 	cat "$pillar_file" >> "$setup_log" 2>&1
 }
 parse_install_username() {
@@ -1339,9 +1335,6 @@ patch_pillar() {
 		"    splay: 300"\
 		"" >> "$pillar_file"
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
 	cat "$pillar_file" >> "$setup_log" 2>&1
 }
 patch_schedule_os_new() {
@@ -1364,8 +1357,6 @@ patch_schedule_os_new() {
 		done
 	done
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
 	cat "$OSPATCHSCHEDULE" >> "$setup_log" 2>&1
 }
 print_salt_state_apply() {
@@ -1738,8 +1729,6 @@ sensor_pillar() {
 		echo "  hnsensor: $HNSENSOR" >> "$pillar_file"
 	fi
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
 	cat "$pillar_file" >> "$setup_log" 2>&1
 }
 set_default_log_size() {
@@ -2023,7 +2012,7 @@ es_heapsize() {
 zeek_logs_enabled() {
 	echo "Enabling Zeek Logs" >> "$setup_log" 2>&1
-	local zeeklogs_pillar=./pillar/zeeklogs.sls
+	local zeeklogs_pillar=$local_salt_dir/pillar/zeeklogs.sls
 	printf '%s\n'\
 		"zeeklogs:"\
@@ -2035,44 +2024,44 @@ zeek_logs_enabled() {
 		done
 	elif [ "$install_type" == "EVAL" ]  || [ "$install_type" == "IMPORT" ]; then
 		printf '%s\n'\
-                        "    - conn"\
+			"    - conn"\
-                        "    - dce_rpc"\
+			"    - dce_rpc"\
-                        "    - dhcp"\
+			"    - dhcp"\
-                        "    - dhcpv6"\
+			"    - dhcpv6"\
-                        "    - dnp3"\
+			"    - dnp3"\
-                        "    - dns"\
+			"    - dns"\
-                        "    - dpd"\
+			"    - dpd"\
-                        "    - files"\
+			"    - files"\
-                        "    - ftp"\
+			"    - ftp"\
-                        "    - http"\
+			"    - http"\
-                        "    - intel"\
+			"    - intel"\
-                        "    - irc"\
+			"    - irc"\
-                        "    - kerberos"\
+			"    - kerberos"\
-                        "    - modbus"\
+			"    - modbus"\
-                        "    - mqtt"\
+			"    - mqtt"\
-                        "    - notice"\
+			"    - notice"\
-                        "    - ntlm"\
+			"    - ntlm"\
-                        "    - openvpn"\
+			"    - openvpn"\
-                        "    - pe"\
+			"    - pe"\
-                        "    - radius"\
+			"    - radius"\
-                        "    - rfb"\
+			"    - rfb"\
-                        "    - rdp"\
+			"    - rdp"\
-                        "    - signatures"\
+			"    - signatures"\
-                        "    - sip"\
+			"    - sip"\
-                        "    - smb_files"\
+			"    - smb_files"\
-                        "    - smb_mapping"\
+			"    - smb_mapping"\
-                        "    - smtp"\
+			"    - smtp"\
-                        "    - snmp"\
+			"    - snmp"\
-                        "    - software"\
+			"    - software"\
-                        "    - ssh"\
+			"    - ssh"\
-                        "    - ssl"\
+			"    - ssl"\
-                        "    - syslog"\
+			"    - syslog"\
-                        "    - telnet"\
+			"    - telnet"\
-                        "    - tunnel"\
+			"    - tunnel"\
-                        "    - weird"\
+			"    - weird"\
-                        "    - mysql"\
+			"    - mysql"\
-                        "    - socks"\
+			"    - socks"\
-                        "    - x509" >> "$zeeklogs_pillar"
+			"    - x509" >> "$zeeklogs_pillar"
 	# Disable syslog log by default
 	else
 		printf '%s\n'\
@@ -2114,7 +2103,4 @@ zeek_logs_enabled() {
 			"    - socks"\
 			"    - x509" >> "$zeeklogs_pillar"
 	fi
 	printf '%s\n'  '----' >> "$setup_log" 2>&1
 	cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
 }
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -617,6 +617,7 @@ fi
 		salt-call state.apply -l info suricata >> $setup_log 2>&1
 		set_progress_str 67 "$(print_salt_state_apply 'zeek')"
 		zeek_logs_enabled >> $setup_log 2>&1
 		salt-call state.apply -l info zeek >> $setup_log 2>&1
 	fi
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -54,8 +54,10 @@ export percentage_str='Getting started'
 export DEBIAN_FRONTEND=noninteractive
 export default_salt_dir=/opt/so/saltstack/default
 mkdir -p "$default_salt_dir"
 export local_salt_dir=/opt/so/saltstack/local
 mkdir -p "$local_salt_dir"
 SCRIPTDIR=$(cd "$(dirname "$0")" && pwd)
 export SCRIPTDIR