

Merge pull request #10983 from Security-Onion-Solutions/fix/tgrafzeekcloss

Fix/tgrafzeekcloss
m0duspwnens authored Aug 8, 2023
2 parents dad5414 + 673b45a commit bcd1ccd
Showing 7 changed files with 135 additions and 119 deletions.
15 changes: 7 additions & 8 deletions salt/telegraf/config.sls
Expand Up @@ -32,17 +32,16 @@ tgrafetsdir:
- name: /opt/so/conf/telegraf/scripts
- makedirs: True
tgrafsyncscripts:
file.recurse:
- name: /opt/so/conf/telegraf/scripts
{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
tgraf_sync_script_{{script}}:
file.managed:
- name: /opt/so/conf/telegraf/scripts/{{script}}
- user: root
- group: 939
- file_mode: 770
- mode: 770
- template: jinja
- source: salt://telegraf/scripts
{% if GLOBALS.md_engine == 'SURICATA' %}
- exclude_pat: zeekcaptureloss.sh
{% endif %}
- source: salt://telegraf/scripts/{{script}}
{% endfor %}
telegraf_sbin:
file.recurse:
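Review bot: The new per-script states expand `{{script}}` unchecked into both the managed path (`- name: /opt/so/conf/telegraf/scripts/{{script}}`) and the fileserver source (`- source: salt://telegraf/scripts/{{script}}`), and the list comes from pillar, which soc_telegraf.yaml now exposes as an editable per-role setting, so a mistyped value containing `/` or `..` ends up managing a file outside the scripts directory or pulling an unrelated file from the fileserver instead of failing cleanly. The same names are expanded again in enabled.sls (`- file: tgraf_sync_script_{{script}}`) and quoted into the TOML commands array in telegraf.conf, so one guard is better placed in map.jinja for all three consumers; in this loop it would read `{% if not script | regex_match('^[A-Za-z0-9_-]+[.]sh$') %}{{ raise('telegraf script name ' ~ script ~ ' is not a bare *.sh file name') }}{% endif %}` right after the `{% for %}`. Two smaller points: `- mode: 770` is unquoted (Salt's own docs recommend `- mode: '770'` so a later leading zero is not read as octal), and scripts previously copied by the removed `file.recurse` state are no longer tracked, so a script dropped from a role's list stays on disk unmanaged — worth a comment on the state if that is intended.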
79 changes: 79 additions & 0 deletions salt/telegraf/defaults.yaml
Expand Up @@ -9,3 +9,82 @@ telegraf:
flush_jitter: '0s'
debug: 'false'
quiet: 'false'
scripts:
eval:
- beatseps.sh
- checkfiles.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
standalone:
- beatseps.sh
- checkfiles.sh
- eps.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
manager:
- beatseps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
managersearch:
- beatseps.sh
- eps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
import:
- sostatus.sh
sensor:
- beatseps.sh
- checkfiles.sh
- oldpcap.sh
- raid.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
heavynode:
- beatseps.sh
- checkfiles.sh
- eps.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
idh:
- sostatus.sh
searchnode:
- beatseps.sh
- eps.sh
- raid.sh
- sostatus.sh
receiver:
- beatseps.sh
- eps.sh
- raid.sh
- redis.sh
- sostatus.sh
fleet:
- sostatus.sh
desktop: []
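Review bot: The new `scripts` block carries none of the contract that map.jinja, config.sls, enabled.sls and telegraf.conf now rely on: every value of `GLOBALS.role` must have a key here (the consumers index with `TELEGRAFMERGED.scripts[role]`, so a missing role fails the render rather than defaulting to nothing), a pillar override appears to replace a role's whole list rather than append to it (pillar.get with merge=True merges mappings, not lists, as far as I can tell), and the two zeek scripts are dropped at render time on non-ZEEK nodes. I'd add above `scripts:` a comment along the lines of `# inputs.exec scripts per node role; every role needs a key (use [] for none).` / `# A pillar override replaces the whole list for that role.` / `# zeekloss.sh and zeekcaptureloss.sh are removed in map.jinja when the metadata engine is not ZEEK.` so the next person editing a role list knows the consequences.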
5 changes: 4 additions & 1 deletion salt/telegraf/enabled.sls
Expand Up @@ -7,6 +7,7 @@
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include:
Expand Down Expand Up @@ -67,8 +68,10 @@ so-telegraf:
{% endif %}
- watch:
- file: tgrafconf
- file: tgrafsyncscripts
- file: node_config
{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
- file: tgraf_sync_script_{{script}}
{% endfor %}
- require:
- file: tgrafconf
- file: node_config
114 changes: 10 additions & 104 deletions salt/telegraf/etc/telegraf.conf
Expand Up @@ -193,7 +193,7 @@
username = "{{ ES_USER }}"
password = "{{ ES_PASS }}"
insecure_skip_verify = true
{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode'] %}
{%- elif grains['role'] in ['so-searchnode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
cluster_stats = false
Expand Down Expand Up @@ -244,129 +244,35 @@
{%- endif %}

# # Read metrics from one or more commands that can output to stdout
{%- if 'sostatus.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
{%- do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %}
[[inputs.exec]]
commands = [
"/scripts/sostatus.sh"
]
data_format = "influx"
timeout = "15s"
interval = "60s"
{%- endif %}

# ## Commands array
{% if grains['role'] in ['so-manager'] %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-managersearch'] %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %}
{%- if TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | length > 0 %}
[[inputs.exec]]
commands = [
"/scripts/eps.sh",
"/scripts/raid.sh",
{% if grains.role == 'so-receiver' %}
"/scripts/redis.sh",
{% endif %}
"/scripts/beatseps.sh"
{%- for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
"/scripts/{{script}}"{% if not loop.last %},{% endif %}
{%- endfor %}
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] == 'so-sensor' %}
[[inputs.exec]]
commands = [
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-heavynode' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-standalone' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-eval' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% endif %}
{%- endif %}

{%- if salt['pillar.get']('healthcheck:enabled', False) %}
[[inputs.file]]
files = ["/host/nsm/zeek/logs/zeek_restart.log"]
data_format = "influx"
{%- endif %}

[[inputs.file]]
files = ["/etc/telegraf/node_config.json"]
name_override = "node_config"
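Review bot: `{%- do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %}` edits the imported list in place, and the generic `[[inputs.exec]]` block further down (`| length > 0` and the `for` loop) only renders correctly because that mutation already happened; if map.jinja's `pillar.get(..., merge=True)` hands back the merged mapping itself rather than a copy — which I believe it does — any other consumer of TELEGRAFMERGED in the same render would also see sostatus.sh missing. A local copy makes the ordering explicit and leaves the shared data alone: `{%- set EXEC_SCRIPTS = TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | reject('equalto', 'sostatus.sh') | list %}`, with the `if` and the `for` below iterating `EXEC_SCRIPTS` instead. Separately, `"/scripts/{{script}}"` is a TOML string built from an admin-edited name, so a value containing `"` or `\` produces a config telegraf refuses to load; validating the names once in map.jinja (see the config.sls note) covers this consumer too.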
12 changes: 11 additions & 1 deletion salt/telegraf/map.jinja
Expand Up @@ -2,6 +2,16 @@
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}


{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %}
{% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %}

{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-sensor', 'so-heavynode'] %}
{% from 'zeek/config.map.jinja' import ZEEKMERGED %}
{# if the md engine isn't zeek or zeek is disabled, dont run the zeek scripts for telegraf #}
{% if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
{% endif %}
{% endif %}
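Review bot: `list.remove()` raises ValueError when the item is absent, so the two `{% do TELEGRAFMERGED.scripts[...].remove(...) %}` lines abort rendering for every telegraf state as soon as an operator takes either zeek script out of a role's list in the SOC config (which soc_telegraf.yaml in this commit makes editable), or if this block ever runs twice against the same merged mapping. Guard each removal, e.g. `{% if 'zeekloss.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}{% endif %}`, or rebuild the list with `| reject('equalto', 'zeekloss.sh') | reject('equalto', 'zeekcaptureloss.sh') | list` and assign it back, which also avoids mutating the defaults mapping that pillar.get returned. With a membership check in place the hard-coded role list on the outer `if` becomes redundant, since the check already scopes the removal to roles that carry the scripts.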
10 changes: 6 additions & 4 deletions salt/telegraf/scripts/zeekcaptureloss.sh
Expand Up @@ -5,16 +5,18 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.




# This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp

# if this script isn't already running
{%- from 'zeek/config.map.jinja' import ZEEKMERGED %}
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then

if [ -d "/host/nsm/zeek/spool/logger" ]; then
WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
{%- if ZEEKMERGED.config.node.pins %}
WORKERS={{ ZEEKMERGED.config.node.pins | length }}
{%- else %}
WORKERS={{ ZEEKMERGED.config.node.lb_procs }}
{%- endif %}
ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then
WORKERS=1
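Review bot: `WORKERS={{ ZEEKMERGED.config.node.lb_procs }}` is expanded unquoted into the shell, so an unset or empty `lb_procs` renders as `WORKERS=` or `WORKERS=None`, and whatever the rest of the script (outside this hunk) computes from it then fails at run time inside the telegraf exec input instead of at state-apply time. I'd reject that case in the template, e.g. `{%- if not ZEEKMERGED.config.node.pins and not ZEEKMERGED.config.node.lb_procs %}{{ raise('zeek node config needs pins or lb_procs for zeekcaptureloss.sh') }}{%- endif %}` before the existing `if`, or fall back to `WORKERS=1` as the zeeksa branch below already does. Whether `pins` can be absent from ZEEKMERGED (and how Salt's undefined handling treats the attribute access) is not visible here, so a `| default([], true)` on that test may be needed as well.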
19 changes: 18 additions & 1 deletion salt/telegraf/soc_telegraf.yaml
Expand Up @@ -42,4 +42,21 @@ telegraf:
global: True
advanced: True
helpLink: telegraf.html

scripts:
eval: &telegrafscripts
description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
forcedType: "[]string"
multiline: True
advanced: True
helpLink: telegraf.html
standalone: *telegrafscripts
manager: *telegrafscripts
managersearch: *telegrafscripts
import: *telegrafscripts
sensor: *telegrafscripts
heavynode: *telegrafscripts
idh: *telegrafscripts
searchnode: *telegrafscripts
receiver: *telegrafscripts
fleet: *telegrafscripts
desktop: *telegrafscripts

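Review bot: The shared description tells the operator the script must exist in salt/telegraf/scripts but not the constraints the consumers now impose: the value is a bare file name that gets joined onto /opt/so/conf/telegraf/scripts/ and /scripts/ and quoted into telegraf.conf (so no path separators or quotes), and zeekloss.sh / zeekcaptureloss.sh are dropped automatically when the metadata engine is not ZEEK. I'd extend the anchored entry to `description: List of inputs.exec scripts (bare file names, e.g. raid.sh) to run for this node type. The script must be present in salt/telegraf/scripts. zeekloss.sh and zeekcaptureloss.sh are skipped automatically when the metadata engine is not ZEEK.` Note also that `input.exec` in the current text should read `inputs.exec`, which is the plugin name used in telegraf.conf.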