Merge pull request #4723 from Security-Onion-Solutions/dev

HEAVYNODE_REDIS hotfix
Merge pull request #4729 from Security-Onion-Solutions/fix/heavyfix
2025-12-06 09:12:45 +01:00 · 2021-07-08 11:42:22 -04:00 · 2021-07-07 14:49:38 -04:00 · 2021-07-07 14:48:07 -04:00 · 2021-07-07 14:47:16 -04:00 · 2021-07-07 14:44:44 -04:00
5 changed files with 50 additions and 28 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-ECSFIX
+ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -36,6 +36,14 @@
 {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
 {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
 {% if grains.role in ['so-heavynode'] %}
  {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %}
  {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %}
 {% else %}
  {% set EXTRAHOSTHOSTNAME = MANAGER %}
  {% set EXTRAHOSTIP = MANAGERIP %}
 {% endif %}
 include:
  - elasticsearch
@@ -145,7 +153,7 @@ so-logstash:
    - name: so-logstash
    - user: logstash
    - extra_hosts:
-      - {{ MANAGER }}:{{ MANAGERIP }}
+      - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
    - port_bindings:
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,10 +1,13 @@
-{%- set MANAGER = salt['grains.get']('master') %}
+{%- if grains.role in ['so-heavynode'] %}
-{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+  {%- set HOST = salt['grains.get']('host') %}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- else %}
-
+  {%- set HOST = salt['grains.get']('master') %}
 {%- endif %}
  {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
 input {
 	redis {
-		host => '{{ MANAGER }}'
+		host => '{{ HOST }}'
 		port => 9696
 		ssl => true
 		data_type => 'list'
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -1,8 +1,12 @@
-{%- set MANAGER = salt['grains.get']('master') %}
+{%- if grains.role in ['so-heavynode'] %}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+  {%- set HOST = salt['grains.get']('host') %}
 {%- else %}
  {%- set HOST = salt['grains.get']('master') %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
 output {
 	redis {
-		host => '{{ MANAGER }}'
+		host => '{{ HOST }}'
 		port => 6379
 		data_type => 'list'
 		key => 'logstash:unparsed'
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -9,6 +9,11 @@
 {% set MAININT = salt['pillar.get']('host:mainint') %}
 {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
 {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}
 {% if grains.role in ['so-heavynode'] %}
  {% set COMMONNAME = salt['grains.get']('host') %}
 {% else %}
  {% set COMMONNAME = manager %}
 {% endif %}
 {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %}
    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
@@ -83,10 +88,12 @@ removeesp12dir:
    - days_remaining: 0
    - days_valid: 820
    - backup: True
 {% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 {% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -103,7 +110,7 @@ influxkeyperms:
 # Create a cert for Redis encryption
 /etc/pki/redis.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -123,14 +130,16 @@ influxkeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/redis.key
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
 {% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 {% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -147,7 +156,7 @@ rediskeyperms:
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
 /etc/pki/filebeat.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -168,18 +177,16 @@ rediskeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /etc/pki/filebeat.key
-{% if grains.role == 'so-heavynode' %}
+    - CN: {{ COMMONNAME }}
    - CN: {{grains.host}}
 {% else %}
    - CN: {{manager}}
 {% endif %}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
 {% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 {% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -315,7 +322,7 @@ miniokeyperms:
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -335,14 +342,16 @@ miniokeyperms:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
    - public_key: /etc/pki/elasticsearch.key
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
 {% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 {% endif %}
    - timeout: 30
    - retry:
        attempts: 5
@@ -462,7 +471,7 @@ fbcertdir:
 /opt/so/conf/filebeat/etc/pki/filebeat.key:
  x509.private_key_managed:
-    - CN: {{ manager }}
+    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
@@ -483,18 +492,16 @@ fbcertdir:
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-{% if grains.role == 'so-heavynode' %}
+    - CN: {{ COMMONNAME }}
    - CN: {{grains.id}}
 {% else %}
    - CN: {{manager}}
 {% endif %}
    - days_remaining: 0
    - days_valid: 820
    - backup: True
 {% if grains.role not in ['so-heavynode'] %}
    - unless:
      # https://github.com/saltstack/salt/issues/52167
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 {% endif %}
    - timeout: 30
    - retry:
        attempts: 5
Author	SHA1	Message	Date
Jason Ertel	a43bdd9aad	Merge pull request #4723 from Security-Onion-Solutions/dev HEAVYNODE_REDIS hotfix	2021-07-08 11:42:22 -04:00
Josh Patterson	70d7513f84	Merge pull request #4729 from Security-Onion-Solutions/fix/heavyfix Fix/heavyfix	2021-07-07 14:49:38 -04:00
Josh Patterson	12b7fd3ab4	whitespace	2021-07-07 14:48:07 -04:00
Josh Patterson	c32b5b5429	whitespace	2021-07-07 14:47:16 -04:00
Josh Patterson	ea2a748dba	whitespace	2021-07-07 14:44:44 -04:00
Josh Patterson	c1d7d8c55a	add new line	2021-07-07 14:43:20 -04:00
Josh Patterson	a3c58d8445	remove heavy soup	2021-07-07 14:42:38 -04:00
Josh Patterson	cfc5c2aef6	do ; instead of &&	2021-07-07 14:32:57 -04:00
Josh Patterson	313260a0c5	add heavy action in soup for ssl redis, es, ls, fb	2021-07-07 14:22:45 -04:00
Josh Patterson	ee548aaf83	Merge pull request #4728 from Security-Onion-Solutions/fix/heavyfix remove soup control of heavy	2021-07-07 14:01:32 -04:00
m0duspwnens	5eab57e500	remove soup control of heavy	2021-07-07 13:58:52 -04:00
Josh Patterson	6f48fdad42	Merge pull request #4727 from Security-Onion-Solutions/fix/heavyfix Fix/heavyfix	2021-07-07 12:15:50 -04:00
m0duspwnens	98fb5109d7	tell heavys to update ssl and restart containers for HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES hotfix	2021-07-07 12:05:38 -04:00
m0duspwnens	9c2ead16cc	common name changes, allow cert to be managed regardless of expire date for heavy node	2021-07-07 10:22:37 -04:00
Jason Ertel	c4293c6119	Merge pull request #4724 from Security-Onion-Solutions/kilo Merge master into dev via kilo	2021-07-07 07:21:21 -04:00
Jason Ertel	13c392d758	Merge branch 'master' into kilo	2021-07-07 06:40:30 -04:00
Josh Patterson	9e94e605ee	Merge pull request #4715 from Security-Onion-Solutions/fix/heavyfix add to HOTFIX file	2021-07-06 16:01:11 -04:00
m0duspwnens	f8dc647b1f	add to HOTFIX file	2021-07-06 15:59:35 -04:00
Josh Patterson	fc727d6909	Merge pull request #4711 from Security-Onion-Solutions/fix/heavyfix Fix/heavyfix	2021-07-06 15:56:02 -04:00
m0duspwnens	c1d61dc624	add to HOTFIX file	2021-07-06 15:54:15 -04:00
m0duspwnens	0627ca2fc2	use heavynode hostname for certs if heavynode. changes to logstash pipeline for redis if heavynode	2021-07-06 15:32:39 -04:00
weslambert	ce0b064972	Add conditional for heavynode for redis and elasticsearch	2021-07-06 14:21:29 -04:00
weslambert	2f3f04e4ca	Change from nodename to host	2021-07-06 14:18:39 -04:00
weslambert	2e91f27336	Add conditional for heavynode	2021-07-06 14:17:49 -04:00
weslambert	10b1829830	Add conditional for heavynode	2021-07-06 14:16:34 -04:00
weslambert	4946f32d88	Add extra_hosts entry for local instance when running as heavy node	2021-07-06 14:14:58 -04:00
`@@ -1 +1 @@`
	`ECSFIX`	`ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES`