#!/bin/bash # # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} . /usr/sbin/so-common require_manager # Inform user we are about to remove Elastic Fleet data echo echo "This script will remove the current Elastic Fleet install & all of its data and rerun Elastic Fleet setup." echo echo "If you would like to proceed, type AGREE and hit ENTER." echo # Read user input read INPUT if [ "${INPUT^^}" != 'AGREE' ]; then exit 0; fi status "Uninstalling all Elastic Agents on all Grid Nodes..." salt \* cmd.run "elastic-agent uninstall -f" queue=True status "Stopping Fleet Container..." so-elastic-fleet-stop --force status "Deleting Fleet Data from Pillars..." sed -i -z "s/elasticfleet:.*grid_enrollment_heavy.*'//" /opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls sed -i "/fleet_grid_enrollment_token_general.*/d" /opt/so/saltstack/local/pillar/global/soc_global.sls sed -i "/fleet_grid_enrollment_token_heavy.*/d" /opt/so/saltstack/local/pillar/global/soc_global.sls status "Deleting Elastic Fleet data..." # Check to make sure that Elasticsearch is up & ready RETURN_CODE=0 wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? if [[ "$RETURN_CODE" != "0" ]]; then status "Elasticsearch not accessible, exiting script..." exit 1 fi ALIASES=".fleet-servers .fleet-policies-leader .fleet-agents .fleet-artifacts .fleet-enrollment-api-keys .kibana_ingest" for ALIAS in ${ALIASES} do # Get all concrete indices from alias INDXS=$(curl -K /opt/so/conf/kibana/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/_resolve/index/${ALIAS}" | jq -r '.aliases[].indices[]') # Delete all resolved indices for INDX in ${INDXS} do status "Deleting $INDX" curl -K /opt/so/conf/kibana/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${INDX}" -XDELETE done done status "Restarting Kibana..." so-kibana-restart --force status "Checking to make sure that Kibana API is up & ready..." RETURN_CODE=0 wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? if [[ "$RETURN_CODE" != "0" ]]; then status "Kibana API not accessible, exiting script..." exit 1 fi status "Starting Elastic Fleet Setup..." so-elastic-fleet-setup status "Re-installing Elastic Agent on all Grid Nodes..." salt \* state.apply elasticfleet.install_agent_grid queue=True status "Elastic Fleet Reset complete...."