Merge pull request #15436 from Security-Onion-Solutions/reyesj2-patch-13

run fleet ssl state in fleet.config to ensure all required certs are created before so-elastic-fleet-setup runs
Merge pull request #15435 from Security-Onion-Solutions/reyesj2/patch-ea-grid-upgrade
2026-01-29 03:13:30 +01:00 · 2026-01-28 15:36:50 -06:00 · 2026-01-28 15:23:38 -06:00 · 2026-01-28 14:22:19 -06:00 · 2026-01-28 11:01:57 -06:00 · 2026-01-28 08:11:02 -06:00
6 changed files with 10 additions and 3 deletions
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -163,6 +163,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating component template"  # false positive (elasticsearch index or template names contain 'error') 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading component template"  # false positive (elasticsearch index or template names contain 'error')
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading composable template" # false positive (elasticsearch composable template names contain 'error')
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error while parsing document for index \[.ds-logs-kratos-so-.*object mapping for \[file\]" # false positive (mapping error occuring BEFORE kratos index has rolled over in 2.4.210)
 fi
 if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
@@ -226,6 +227,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal"           # docker container getting recycled
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tcp 127.0.0.1:6791: bind: address already in use" # so-elastic-fleet agent restarting. Seen starting w/ 8.18.8 https://github.com/elastic/kibana/issues/201459
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|TransformTask\] \[logs-(tychon|aws_billing|microsoft_defender_endpoint).*user so_kibana lacks the required permissions \[logs-\1" # Known issue with 3 integrations using kibana_system role vs creating unique api creds with proper permissions.
 fi
 RESULT=0
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -11,6 +11,7 @@
 include:
  - elasticfleet.artifact_registry
  - elasticfleet.ssl
 # Add EA Group
 elasticfleetgroup:
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -15,7 +15,6 @@
 include:
  - ca
  - logstash.ssl
  - elasticfleet.ssl
  - elasticfleet.config
  - elasticfleet.sostatus
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json
@@ -15,7 +15,7 @@
          "enabled": true,
          "vars": {
            "paths": [
-              "/opt/so/log/redis/redis.log"
+              "/opt/so/log/redis/redis-server.log"
            ],
            "tags": [
              "redis-log"
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -14,7 +14,7 @@ if ! is_manager_node; then
 fi
 # Get current list of Grid Node Agents that need to be upgraded
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%20:%20%22{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%22%20and%20policy_id%20:%20%22so-grid-nodes_general%22&showInactive=false&getStatusSummary=true" --retry 3 --retry-delay 30 --fail 2>/dev/null)
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%3A%20{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%20AND%20policy_id%3A%20so-grid-nodes_%2A&showInactive=false&getStatusSummary=true" --retry 3 --retry-delay 30 --fail 2>/dev/null)
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
--- a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
+++ b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
@@ -34,6 +34,11 @@ if [[ "$RETURN_CODE" != "0" ]]; then
  exit 1
 fi
 if [[ ! -f /etc/pki/elasticfleet-kafka.crt || ! -f /etc/pki/elasticfleet-kafka.key ]]; then
  echo -e "\nKafka certificates not found, can't setup Elastic Fleet output policy for Kafka...\n"
  exit 1
 fi
 KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt)
 KAFKAKEY=$(openssl rsa -in  /etc/pki/elasticfleet-kafka.key)
 KAFKACA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
Author	SHA1	Message	Date
Jorge Reyes	1d57c02608	Merge pull request #15436 from Security-Onion-Solutions/reyesj2-patch-13	2026-01-28 15:36:50 -06:00
reyesj2	ebeeb91297	run fleet ssl state in fleet.config to ensure all required certs are created before so-elastic-fleet-setup runs	2026-01-28 15:23:38 -06:00
Jorge Reyes	6282beb6bd	Merge pull request #15435 from Security-Onion-Solutions/reyesj2/patch-ea-grid-upgrade include all so-grid-nodes_* policies in automatic EA upgrades	2026-01-28 14:22:19 -06:00
reyesj2	1c06bddb09	include all so-grid-nodes_* policies in automatic EA upgrades	2026-01-28 11:01:57 -06:00
Jorge Reyes	36f8c490c8	Merge pull request #15418 from Security-Onion-Solutions/reyesj2-patch-11 update heavynode's elastic-agent standalone policy	2026-01-28 08:11:02 -06:00
Jorge Reyes	94c1a641d8	Merge pull request #15424 from Security-Onion-Solutions/reyesj2-patch-5 update redis log file path	2026-01-28 08:10:47 -06:00
reyesj2	4ad6136d98	update redis log file path	2026-01-27 14:23:22 -06:00
Jorge Reyes	006c17bdca	Merge pull request #15420 from Security-Onion-Solutions/reyesj2-patch-12 exclude known error	2026-01-27 13:41:23 -06:00
reyesj2	6b1939b827	exclude known issues with 3 integrations	2026-01-27 12:59:17 -06:00
Jorge Reyes	b0d87b49c6	Merge pull request #15414 from Security-Onion-Solutions/reyesj2/patch-falsepos	2026-01-23 17:20:56 -06:00
reyesj2	55b3fa389e	no dates	2026-01-23 16:33:22 -06:00
reyesj2	b3ae716929	ignore kratos file mapping error	2026-01-23 16:31:30 -06:00