From 95ba327eb3e9eab2b031cf80c49658cedb0b5b79 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 10 Jul 2025 11:08:46 -0500
Subject: [PATCH 1/5] cribl metrics template rename
---
salt/elasticfleet/integration-defaults.map.jinja | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 182dc95a3..500a9e63c 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -15,6 +15,7 @@
 'awsfirehose.logs': 'awsfirehose',
 'awsfirehose.metrics': 'aws.cloudwatch',
 'cribl.logs': 'cribl',
+ 'cribl.metrics': 'cribl',
 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login',
 'azure_application_insights.app_insights': 'azure.app_insights',
 'azure_application_insights.app_state': 'azure.app_state',
From a4e8e7ea535251d9aeb826a5fd97c9ef18fe977e Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 10 Jul 2025 13:12:26 -0500
Subject: [PATCH 2/5] update syslog-tcp-514 policy
---
.../integrations/grid-nodes_general/syslog-tcp-514.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json
index 4088f5a87..f284ede06 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-tcp-514.json
@@ -11,7 +11,7 @@
 "tcp-tcp": {
 "enabled": true,
 "streams": {
- "tcp.generic": {
+ "tcp.tcp": {
 "enabled": true,
 "vars": {
 "listen_address": "0.0.0.0",
@@ -23,7 +23,8 @@
 "syslog"
 ],
 "syslog_options": "field: message\n#format: auto\n#timezone: Local",
- "ssl": ""
+ "ssl": "",
+ "custom": ""
 }
 }
 }
From 8a57b79b779f60fa04b22cdd8226bbd1f1eb07c7 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 10 Jul 2025 15:52:59 -0500
Subject: [PATCH 3/5] make package installs go in groups of 25 or less
---
...so-elastic-fleet-optional-integrations-load | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load
index 8a2c388b1..886bbf75c 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load
@@ -148,8 +148,22 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then
 done <<< "$(jq -c '.packages[]' "$INSTALLED_PACKAGE_LIST")"
 if [ "$PENDING_UPDATE" = true ]; then
- # Run bulk install of packages
- elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT
+ # Run chunked install of packages
+ echo "" > $BULK_INSTALL_OUTPUT
+ pkg_group=1
+ pkg_filename="${BULK_INSTALL_PACKAGE_LIST%.json}"
+
+ jq -c '.packages | _nwise(25)' $BULK_INSTALL_PACKAGE_LIST | while read -r line; do
+ echo "$line" | jq '{ "packages": . }' > "${pkg_filename}_${pkg_group}.json"
+ pkg_group=$((pkg_group + 1))
+ done
+
+ for file in "${pkg_filename}_"*.json; do
+ [ -e "$file" ] || continue
+ elastic_fleet_bulk_package_install $file >> $BULK_INSTALL_OUTPUT
+ done
+ # cleanup any temp files for chunked package install
+ rm -f ${pkg_filename}_*.json $BULK_INSTALL_PACKAGE_LIST
 else
 echo "Elastic integrations don't appear to need installation/updating..."
 fi
From 10e3b32fedd1bdb3cf87b82b329692aa2021c4d3 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 11 Jul 2025 11:29:16 -0400
Subject: [PATCH 4/5] fix typo
---
salt/soc/soc_soc.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 58560e89e..00342b4b8 100644
--- a/salt/soc/soc_soc.yaml
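Review bot: The chunk loop `for file in "${pkg_filename}_"*.json` will also pick up `_N.json` files left behind by an earlier run that died before the final `rm -f`, so stale chunks from a previous package list would be submitted to the bulk install again; clearing them before the split, `rm -f "${pkg_filename}_"*.json` placed just before the `jq -c '.packages | _nwise(25)'` line, closes that gap. In the same loop `$file`, `$BULK_INSTALL_OUTPUT` and `$BULK_INSTALL_PACKAGE_LIST` are expanded unquoted while the rest of the new code quotes its paths; `elastic_fleet_bulk_package_install "$file" >> "$BULK_INSTALL_OUTPUT"` keeps the style consistent and avoids word splitting if the temp directory ever contains spaces. `_nwise` is an underscore-prefixed jq builtin rather than a documented one, so a one-line comment stating the minimum jq version the script relies on would help the next maintainer. The new `rm -f` also removes `$BULK_INSTALL_PACKAGE_LIST` itself, which the replaced single-call line did not; if anything later in the script reads that file this is a behaviour change worth confirming. The enclosing `if [[ -f $STATE_FILE_SUCCESS ]]` block begins outside the hunk.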
+++ b/salt/soc/soc_soc.yaml
@@ -589,6 +589,10 @@ soc:
 global: True
 advanced: True
 forcedType: "[]{}"
+ exportNodeId:
+ description: The node ID on which export jobs will be executed.
+ global: True
+ advanced: True
 hunt: &appSettings
 groupItemsPerPage:
 description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
@@ -712,7 +716,7 @@ soc:
 global: True
 status:
 labels:
- description: List of available case statuses. Some statuses have specifial characteristics and related functionality built into SOC.
+ description: List of available case statuses. Note that some default statuses have special characteristics and related functionality built into SOC.
 global: True
 customEnabled:
 description: Set to true to allow users add their own case statuses directly in the SOC UI.
From 9b125fbe531dbbf76bffb68883da934cf4ef2508 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 11 Jul 2025 11:30:01 -0400
Subject: [PATCH 5/5] fix typo
---
salt/soc/soc_soc.yaml | 4 ----
1 file changed, 4 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 00342b4b8..da3549039 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -589,10 +589,6 @@ soc:
 global: True
 advanced: True
 forcedType: "[]{}"
- exportNodeId:
- description: The node ID on which export jobs will be executed.
- global: True
- advanced: True
 hunt: &appSettings
 groupItemsPerPage:
 description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.