add pcap to import node, test not starting zeek docker by default

2025-12-07 17:52:46 +01:00 · 2020-08-14 13:59:23 -04:00
parent fbbec71165
commit ff84640aad
5 changed files with 12 additions and 1 deletions
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -399,6 +399,7 @@ base:
    - firewall
    - idstools
    - suricata.manager
+    - pcap
    - elasticsearch
    - kibana
    - filebeat
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,3 +1,5 @@
+{% from "zeek/map.jinja" import START with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
@@ -167,6 +169,7 @@ localzeeksync:
 so-zeek:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
+    - start: {{ START }}
    - privileged: True
    - binds:
      - /nsm/zeek/logs:/nsm/zeek/logs:rw
--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
@@ -0,0 +1,6 @@
+# don't start the docker container if it is an import node
+{% if grains.id.split('_')|last == 'import' %}
+  {% set START = False %}
+{% else %}
+  {% set START = True %}
+{% endif %}
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -804,6 +804,7 @@ docker_seed_registry() {
 			"so-filebeat:$VERSION" \
 			"so-suricata:$VERSION" \
 			"so-soc:$VERSION" \
+			"so-steno:$VERSION" \
 			"so-elasticsearch:$VERSION" \
 			"so-kibana:$VERSION" \
 			"so-kratos:$VERSION" \
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -577,7 +577,7 @@ fi
 		salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
 	fi

-	if [[ $is_sensor ]]; then
+	if [[ $is_sensor || $is_import ]]; then
 		set_progress_str 65 "$(print_salt_state_apply 'pcap')"
 		salt-call state.apply -l info pcap >> $setup_log 2>&1
 	fi