From 965ced94c443a1a3a029b19deaf952c576bb0cd4 Mon Sep 17 00:00:00 2001 
From: Wes Date: Thu, 7 Dec 2023 13:48:08 +0000 Subject: [PATCH 1/9] Remove close files --- .../logs-elastic_agent-default-close.yaml | 27 ------------------ ...-elastic_agent-filebeat-default-close.yaml | 27 ------------------ ...stic_agent-fleet_server-default-close.yaml | 27 ------------------ ...lastic_agent-metricbeat-default-close.yaml | 27 ------------------ ...astic_agent-osquerybeat-default-close.yaml | 27 ------------------ .../files/action/logs-import-so-close.yml | 27 ------------------ .../files/action/logs-strelka-so-close.yml | 27 ------------------ .../files/action/logs-suricata-so-close.yml | 27 ------------------ .../files/action/logs-syslog-so-close.yml | 27 ------------------ ...logs-system-application-default-close.yaml | 27 ------------------ .../logs-system-auth-default-close.yaml | 27 ------------------ .../logs-system-security-default-close.yaml | 27 ------------------ .../logs-system-syslog-default-close.yaml | 27 ------------------ .../logs-system-system-default-close.yaml | 27 ------------------ ...logs-windows-powershell-default-close.yaml | 27 ------------------ ...dows-sysmon_operational-default-close.yaml | 27 ------------------ .../files/action/logs-zeek-so-close.yml | 27 ------------------ salt/curator/files/action/so-beats-close.yml | 27 ------------------ .../files/action/so-elasticsearch-close.yml | 27 ------------------ .../files/action/so-firewall-close.yml | 28 ------------------- salt/curator/files/action/so-ids-close.yml | 28 ------------------- salt/curator/files/action/so-import-close.yml | 27 ------------------ salt/curator/files/action/so-kibana-close.yml | 27 ------------------ salt/curator/files/action/so-kratos-close.yml | 27 ------------------ .../files/action/so-logstash-close.yml | 27 ------------------ .../curator/files/action/so-netflow-close.yml | 27 ------------------ .../curator/files/action/so-osquery-close.yml | 27 ------------------ salt/curator/files/action/so-ossec-close.yml | 27 ------------------ 
salt/curator/files/action/so-redis-close.yml | 27 ------------------ .../curator/files/action/so-strelka-close.yml | 27 ------------------ salt/curator/files/action/so-syslog-close.yml | 27 ------------------ salt/curator/files/action/so-zeek-close.yml | 27 ------------------ 32 files changed, 866 deletions(-) delete mode 100644 salt/curator/files/action/logs-elastic_agent-default-close.yaml delete mode 100644 salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml delete mode 100644 salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml delete mode 100644 salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml delete mode 100644 salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml delete mode 100644 salt/curator/files/action/logs-import-so-close.yml delete mode 100644 salt/curator/files/action/logs-strelka-so-close.yml delete mode 100644 salt/curator/files/action/logs-suricata-so-close.yml delete mode 100644 salt/curator/files/action/logs-syslog-so-close.yml delete mode 100644 salt/curator/files/action/logs-system-application-default-close.yaml delete mode 100644 salt/curator/files/action/logs-system-auth-default-close.yaml delete mode 100644 salt/curator/files/action/logs-system-security-default-close.yaml delete mode 100644 salt/curator/files/action/logs-system-syslog-default-close.yaml delete mode 100644 salt/curator/files/action/logs-system-system-default-close.yaml delete mode 100644 salt/curator/files/action/logs-windows-powershell-default-close.yaml delete mode 100644 salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml delete mode 100644 salt/curator/files/action/logs-zeek-so-close.yml delete mode 100644 salt/curator/files/action/so-beats-close.yml delete mode 100644 salt/curator/files/action/so-elasticsearch-close.yml delete mode 100644 salt/curator/files/action/so-firewall-close.yml delete mode 100644 salt/curator/files/action/so-ids-close.yml delete 
mode 100644 salt/curator/files/action/so-import-close.yml delete mode 100644 salt/curator/files/action/so-kibana-close.yml delete mode 100644 salt/curator/files/action/so-kratos-close.yml delete mode 100644 salt/curator/files/action/so-logstash-close.yml delete mode 100644 salt/curator/files/action/so-netflow-close.yml delete mode 100644 salt/curator/files/action/so-osquery-close.yml delete mode 100644 salt/curator/files/action/so-ossec-close.yml delete mode 100644 salt/curator/files/action/so-redis-close.yml delete mode 100644 salt/curator/files/action/so-strelka-close.yml delete mode 100644 salt/curator/files/action/so-syslog-close.yml delete mode 100644 salt/curator/files/action/so-zeek-close.yml diff --git a/salt/curator/files/action/logs-elastic_agent-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-default-close.yaml deleted file mode 100644 index 03c1ea81d8..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-default-close.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent default indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml deleted file mode 100644 index 2d7e897cf7..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent Filebeat indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.filebeat-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml deleted file mode 100644 index 0fd1d61299..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml deleted file mode 100644 index cedf64eeb4..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml deleted file mode 100644 index e25b7f2b87..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml deleted file mode 100644 index e2d28fd065..0000000000 --- a/salt/curator/files/action/logs-import-so-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %} -actions: - 1: - action: close - description: >- - Close import indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-import-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml deleted file mode 100644 index c4b57995db..0000000000 --- a/salt/curator/files/action/logs-strelka-so-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %} -actions: - 1: - action: close - description: >- - Close Strelka indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-strelka-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml deleted file mode 100644 index c99a85285c..0000000000 --- a/salt/curator/files/action/logs-suricata-so-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %} -actions: - 1: - action: close - description: >- - Close Suricata indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-suricata-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml deleted file mode 100644 index 3ccf7834ba..0000000000 --- a/salt/curator/files/action/logs-syslog-so-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %} -actions: - 1: - action: close - description: >- - Close syslog indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-syslog-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/logs-system-application-default-close.yaml b/salt/curator/files/action/logs-system-application-default-close.yaml deleted file mode 100644 index 4a04ebbb7c..0000000000 --- a/salt/curator/files/action/logs-system-application-default-close.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent system application indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.application-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml deleted file mode 100644 index 287997e877..0000000000 --- a/salt/curator/files/action/logs-system-auth-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent system auth indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.auth-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-system-security-default-close.yaml b/salt/curator/files/action/logs-system-security-default-close.yaml deleted file mode 100644 index 2506ca3579..0000000000 --- a/salt/curator/files/action/logs-system-security-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent system security indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.security-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml deleted file mode 100644 index 8da3afd45b..0000000000 --- a/salt/curator/files/action/logs-system-syslog-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent system syslog indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.syslog-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-system-system-default-close.yaml b/salt/curator/files/action/logs-system-system-default-close.yaml deleted file mode 100644 index 401125e08b..0000000000 --- a/salt/curator/files/action/logs-system-system-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent system system indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.system-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-windows-powershell-default-close.yaml b/salt/curator/files/action/logs-windows-powershell-default-close.yaml deleted file mode 100644 index 8f878f4c9a..0000000000 --- a/salt/curator/files/action/logs-windows-powershell-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-windows.powershell-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml deleted file mode 100644 index 8cd9c99f30..0000000000 --- a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %} -actions: - 1: - action: close - description: >- - Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-windows.sysmon_operational-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml deleted file mode 100644 index 020c89cbcf..0000000000 --- a/salt/curator/files/action/logs-zeek-so-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %} -actions: - 1: - action: close - description: >- - Close Zeek indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-zeek-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml deleted file mode 100644 index 88c7ce91a5..0000000000 --- a/salt/curator/files/action/so-beats-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-beats'].close %} -actions: - 1: - action: close - description: >- - Close Beats indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-beats.*|so-beats.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml deleted file mode 100644 index e4d8824bd6..0000000000 --- a/salt/curator/files/action/so-elasticsearch-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-elasticsearch'].close %} -actions: - 1: - action: close - description: >- - Close elasticsearch indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml deleted file mode 100644 index 18d30737d6..0000000000 --- a/salt/curator/files/action/so-firewall-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-firewall'].close %} -actions: - 1: - action: close - description: >- - Close Firewall indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-firewall.*|so-firewall.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml deleted file mode 100644 index 359e0a4cce..0000000000 --- a/salt/curator/files/action/so-ids-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-ids'].close %} -actions: - 1: - action: close - description: >- - Close IDS indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-ids.*|so-ids.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml deleted file mode 100644 index 7a60b93435..0000000000 --- a/salt/curator/files/action/so-import-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-import'].close %} -actions: - 1: - action: close - description: >- - Close Import indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-import.*|so-import.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml deleted file mode 100644 index 7c29ed2946..0000000000 --- a/salt/curator/files/action/so-kibana-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-kibana'].close %} -actions: - 1: - action: close - description: >- - Close kibana indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-kibana.*|so-kibana.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml deleted file mode 100644 index d5fc3385c7..0000000000 --- a/salt/curator/files/action/so-kratos-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-kratos'].close %} -actions: - 1: - action: close - description: >- - Close kratos indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-kratos.*|so-kratos.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml deleted file mode 100644 index 34402d95ca..0000000000 --- a/salt/curator/files/action/so-logstash-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-logstash'].close %} -actions: - 1: - action: close - description: >- - Close logstash indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-logstash.*|so-logstash.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml deleted file mode 100644 index 359d6f1f12..0000000000 --- a/salt/curator/files/action/so-netflow-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-netflow'].close %} -actions: - 1: - action: close - description: >- - Close netflow indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-netflow.*|so-netflow.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml deleted file mode 100644 index 59b6a92b21..0000000000 --- a/salt/curator/files/action/so-osquery-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-osquery'].close %} -actions: - 1: - action: close - description: >- - Close osquery indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-osquery.*|so-osquery.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml deleted file mode 100644 index ac0691ad80..0000000000 --- a/salt/curator/files/action/so-ossec-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-ossec'].close %} -actions: - 1: - action: close - description: >- - Close ossec indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-ossec.*|so-ossec.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml deleted file mode 100644 index f7c5ef4c68..0000000000 --- a/salt/curator/files/action/so-redis-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-redis'].close %} -actions: - 1: - action: close - description: >- - Close redis indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-redis.*|so-redis.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml deleted file mode 100644 index 9d908d6d23..0000000000 --- a/salt/curator/files/action/so-strelka-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-strelka'].close %} -actions: - 1: - action: close - description: >- - Close Strelka indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-strelka.*|so-strelka.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml deleted file mode 100644 index e5a58e437d..0000000000 --- a/salt/curator/files/action/so-syslog-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-syslog'].close %} -actions: - 1: - action: close - description: >- - Close syslog indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-syslog.*|so-syslog.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml deleted file mode 100644 index 1e9ea59e4d..0000000000 --- a/salt/curator/files/action/so-zeek-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-zeek'].close %} -actions: - 1: - action: close - description: >- - Close Zeek indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-zeek.*|so-zeek.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: From 1ac3a2d2f1436d4dfb7c27d9902ed7edc55f6919 Mon Sep 17 00:00:00 2001 
From: Wes
Date: Thu, 7 Dec 2023 13:51:24 +0000
Subject: [PATCH 2/9] Remove delete files and allow deletion of indices managed by ILM
---
 salt/curator/files/action/delete.yml | 1 +
 .../logs-elastic_agent-default-delete.yaml | 27 -------------------
 ...elastic_agent-filebeat-default-delete.yaml | 27 -------------------
 ...tic_agent-fleet_server-default-delete.yaml | 27 -------------------
 ...astic_agent-metricbeat-default-delete.yaml | 27 -------------------
 ...stic_agent-osquerybeat-default-delete.yaml | 27 -------------------
 ...logs-elastic_agent-osquerybeat-delete.yaml | 27 -------------------
 .../files/action/logs-import-so-delete.yml | 27 -------------------
 .../files/action/logs-strelka-so-delete.yml | 27 -------------------
 .../files/action/logs-suricata-so-delete.yml | 27 -------------------
 .../files/action/logs-syslog-so-delete.yml | 27 -------------------
 ...ogs-system-application-default-delete.yaml | 27 -------------------
 .../logs-system-auth-default-delete.yaml | 27 -------------------
 .../logs-system-security-default-delete.yaml | 27 -------------------
 .../logs-system-syslog-default-delete.yaml | 27 -------------------
 .../logs-system-system-default-delete.yaml | 27 -------------------
 ...ogs-windows-powershell-default-delete.yaml | 27 -------------------
 ...ows-sysmon_operational-default-delete.yaml | 27 -------------------
 .../files/action/logs-zeek-so-delete.yml | 27 -------------------
 19 files changed, 1 insertion(+), 486 deletions(-)
 delete mode 100644 salt/curator/files/action/logs-elastic_agent-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-import-so-delete.yml
 delete mode 100644 salt/curator/files/action/logs-strelka-so-delete.yml
 delete mode 100644 salt/curator/files/action/logs-suricata-so-delete.yml
 delete mode 100644 salt/curator/files/action/logs-syslog-so-delete.yml
 delete mode 100644 salt/curator/files/action/logs-system-application-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-system-auth-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-system-security-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-system-syslog-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-system-system-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-windows-powershell-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
 delete mode 100644 salt/curator/files/action/logs-zeek-so-delete.yml
diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml
index c81a9e548c..253c6fd674 100644
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -15,6 +15,7 @@ actions:
 description: >-
 Delete indices when {{log_size_limit}}(GB) is exceeded.
 options:
+ allow_ilm_indices: True
 ignore_empty_list: True
 disable_action: False
 filters:
diff --git a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
deleted file mode 100644
index dee51c7587..0000000000
--- a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
+++ /dev/null
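Review bot: `allow_ilm_indices: True` in delete.yml switches off Curator's default safeguard that skips ILM-managed indices, so the disk-size-driven `delete_indices` action can now remove data-stream backing indices that ILM is also rotating — a wider blast radius for a destructive action on log and evidence data, and the hunk carries no rationale for it. The `filters:` block that selects the victims continues outside the hunk, so I cannot confirm it excludes each data stream's current write index; Elasticsearch refuses to delete a write index, which should surface as a Curator error rather than silent data loss, but that is worth verifying with a `--dry-run` of the rendered action on a populated node before rollout. Since this same commit removes the per-index age-based delete actions, this size-based action appears to become the only Curator retention control for those indices, which deserves stating in the file. Suggest a why-comment directly above the new option, e.g. `# Intentional: ILM-managed data-stream backing indices are in scope for the disk-pressure delete; Curator skips them by default.`, and consider extending the description to say that ILM-managed indices are included.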
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml deleted file mode 100644 index dfa51f2601..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.filebeat-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml deleted file mode 100644 index 6fa775ba85..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete import indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml deleted file mode 100644 index c69e1130a3..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml deleted file mode 100644 index bce3b7e63c..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml deleted file mode 100644 index b46a5fc737..0000000000 --- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete import indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-import-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - 
diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml deleted file mode 100644 index b46a5fc737..0000000000 --- a/salt/curator/files/action/logs-import-so-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete import indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-import-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-strelka-so-delete.yml b/salt/curator/files/action/logs-strelka-so-delete.yml deleted file mode 100644 index d01bdcc837..0000000000 --- a/salt/curator/files/action/logs-strelka-so-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Strelka indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-strelka-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-suricata-so-delete.yml b/salt/curator/files/action/logs-suricata-so-delete.yml deleted file mode 100644 index 765ba12930..0000000000 --- a/salt/curator/files/action/logs-suricata-so-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Suricata indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-suricata-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - 
diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml deleted file mode 100644 index 274d06711c..0000000000 --- a/salt/curator/files/action/logs-syslog-so-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete syslog indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-syslog-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-system-application-default-delete.yaml b/salt/curator/files/action/logs-system-application-default-delete.yaml deleted file mode 100644 index b15c06fcbd..0000000000 --- a/salt/curator/files/action/logs-system-application-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.application-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-system-auth-default-delete.yaml b/salt/curator/files/action/logs-system-auth-default-delete.yaml deleted file mode 100644 index 9a1cc6a9a6..0000000000 --- a/salt/curator/files/action/logs-system-auth-default-delete.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.auth-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - 
diff --git a/salt/curator/files/action/logs-system-security-default-delete.yaml b/salt/curator/files/action/logs-system-security-default-delete.yaml deleted file mode 100644 index 0bac45aeba..0000000000 --- a/salt/curator/files/action/logs-system-security-default-delete.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.security-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml deleted file mode 100644 index 1a7d217e9b..0000000000 --- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.syslog-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-system-system-default-delete.yaml b/salt/curator/files/action/logs-system-system-default-delete.yaml deleted file mode 100644 index 4701d0492f..0000000000 --- a/salt/curator/files/action/logs-system-system-default-delete.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.system-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - 
diff --git a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml deleted file mode 100644 index 447f8102bd..0000000000 --- a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-windows.powershell-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml deleted file mode 100644 index a1413bc1ce..0000000000 --- a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-windows.sysmon_operational-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - diff --git a/salt/curator/files/action/logs-zeek-so-delete.yml b/salt/curator/files/action/logs-zeek-so-delete.yml deleted file mode 100644 index 5acfc50a74..0000000000 --- a/salt/curator/files/action/logs-zeek-so-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Zeek indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-zeek-so.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - From f38758a9c78f17a3ea01352619abb755ddeb210d Mon Sep 17 00:00:00 2001 
From: Wes Date: Thu, 7 Dec 2023 13:52:25 +0000 Subject: [PATCH 3/9] Remove close scripts --- salt/curator/tools/sbin/so-curator-close | 32 ------------------- .../tools/sbin/so-curator-cluster-close | 30 ----------------- 2 files changed, 62 deletions(-) delete mode 100644 salt/curator/tools/sbin/so-curator-close delete mode 100755 salt/curator/tools/sbin/so-curator-cluster-close diff --git a/salt/curator/tools/sbin/so-curator-close b/salt/curator/tools/sbin/so-curator-close deleted file mode 100644 index af66a03df5..0000000000 --- a/salt/curator/tools/sbin/so-curator-close +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -APP=close -lf=/tmp/$APP-pidLockFile -# create empty lock file if none exists -cat /dev/null >> $lf -read lastPID < $lf -# if lastPID is not null and a process with that pid exists , exit -[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit -echo $$ > $lf - -/usr/sbin/so-curator-closed-delete > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kibana-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; -docker exec so-curator curator 
--config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1; diff --git a/salt/curator/tools/sbin/so-curator-cluster-close b/salt/curator/tools/sbin/so-curator-cluster-close deleted file mode 100755 index 4359dcfc10..0000000000 --- a/salt/curator/tools/sbin/so-curator-cluster-close +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -APP=close -lf=/tmp/$APP-pidLockFile -# create empty lock file if none exists -cat /dev/null >> $lf -read lastPID < $lf -# if lastPID is not null and a process with that pid exists , exit -[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit -echo $$ > $lf - -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml 
/etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1; From f52da4a93368742ccac6d45f34f87bb2d0b3e5d7 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Dec 2023 13:58:39 +0000 Subject: [PATCH 4/9] Remove close settings and cron --- salt/curator/defaults.yaml | 51 --------------------------------- salt/curator/enabled.sls | 9 +----- salt/curator/soc_curator.yaml | 53 +---------------------------------- 3 files changed, 2 insertions(+), 111 deletions(-) diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index eb518264f7..0109197fc7 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml 
@@ -2,57 +2,6 @@ curator: enabled: False elasticsearch: index_settings: - logs-import-so: - close: 73000 - delete: 73001 - logs-strelka-so: - close: 30 - delete: 365 - logs-suricata-so: - close: 30 - delete: 365 - logs-syslog-so: - close: 30 - delete: 365 - logs-zeek-so: - close: 30 - delete: 365 - logs-elastic_agent-metricbeat-default: - close: 30 - delete: 365 - logs-elastic_agent-osquerybeat-default: - close: 30 - delete: 365 - logs-elastic_agent-fleet_server-default: - close: 30 - delete: 365 - logs-elastic_agent-filebeat-default: - close: 30 - delete: 365 - logs-elastic_agent-default: - close: 30 - delete: 365 - logs-system-auth-default: - close: 30 - delete: 365 - logs-system-application-default: - close: 30 - delete: 365 - logs-system-security-default: - close: 30 - delete: 365 - logs-system-system-default: - close: 30 - delete: 365 - logs-system-syslog-default: - close: 30 - delete: 365 - logs-windows-powershell-default: - close: 30 - delete: 365 - logs-windows-sysmon_operational-default: - close: 30 - delete: 365 so-beats: close: 30 delete: 365 diff --git a/salt/curator/enabled.sls b/salt/curator/enabled.sls index b2574569f4..916aa920d5 100644 --- a/salt/curator/enabled.sls +++ b/salt/curator/enabled.sls @@ -58,15 +58,8 @@ delete_so-curator_so-status.disabled: - regex: ^so-curator$ so-curator-cluster-close: - cron.present: - - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 + cron.absent: - identifier: so-curator-cluster-close - - user: root - - minute: '2' - - hour: '*/1' - - daymonth: '*' - - month: '*' - - dayweek: '*' so-curator-cluster-delete: cron.present: diff --git a/salt/curator/soc_curator.yaml b/salt/curator/soc_curator.yaml index 5e5b1fcc6b..a2b9ad32ef 100644 --- a/salt/curator/soc_curator.yaml +++ b/salt/curator/soc_curator.yaml 
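Review bot: In the enabled.sls hunk the `so-curator-cluster-close` state now exists only to purge a cron entry for a script this series deletes, and nothing in the file says so; a reader of enabled.sls a few releases from now will not know whether the stub can be dropped. I would add above the state `# Legacy cleanup: removes the hourly close cron from pre-2.4.40 installs; safe to drop once all grids are past 2.4.40.` The switch to `cron.absent` keyed on `identifier` is the right choice since Salt matches on the identifier comment rather than the old `name`, so the removed `name`/`user` lines are not needed for the removal to work. Note that the old cron's log target `/opt/so/log/curator/cron-close.log` and the lock file `/tmp/close-pidLockFile` used by the deleted script are not cleaned up anywhere in this series; presumably harmless, but worth a line in the same comment or in the soup step. The `so-curator-cluster-delete` state that follows continues past the end of the hunk.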
@@ -4,7 +4,7 @@ curator: helpLink: curator.html elasticsearch: index_settings: - logs-import-so: + so-beats: close: &close description: Age, in days, when Curator closes the index. helpLink: curator.html @@ -13,57 +13,6 @@ curator: description: Age, in days, when Curator deletes the index. helpLink: curator.html forcedType: int - logs-strelka-so: - close: *close - delete: *delete - logs-suricata-so: - close: *close - delete: *delete - logs-syslog-so: - close: *close - delete: *delete - logs-zeek-so: - close: *close - delete: *delete - logs-elastic_agent-metricbeat-default: - close: *close - delete: *delete - logs-elastic_agent-osquerybeat-default: - close: *close - delete: *delete - logs-elastic_agent-fleet_server-default: - close: *close - delete: *delete - logs-elastic_agent-filebeat-default: - close: *close - delete: *delete - logs-elastic_agent-default: - close: *close - delete: *delete - logs-system-auth-default: - close: *close - delete: *delete - logs-system-application-default: - close: *close - delete: *delete - logs-system-security-default: - close: *close - delete: *delete - logs-system-system-default: - close: *close - delete: *delete - logs-system-syslog-default: - close: *close - delete: *delete - logs-windows-powershell-default: - close: *close - delete: *delete - logs-windows-sysmon_operational-default: - close: *close - delete: *delete - so-beats: - close: *close - delete: *delete so-elasticsearch: close: *close delete: *delete From e49fc0dd27731fc3f75a71e1f29846ae535c7b55 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Dec 2023 14:03:09 +0000 Subject: [PATCH 5/9] Remove more settings --- salt/curator/defaults.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 0109197fc7..b2be8d5edf 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml 
@@ -3,47 +3,32 @@ curator: elasticsearch: index_settings: so-beats: - close: 30 delete: 365 so-elasticsearch: - close: 30 delete: 365 so-firewall: - close: 30 delete: 365 so-ids: - close: 30 delete: 365 so-import: - close: 73000 delete: 73001 so-kratos: - close: 30 delete: 365 so-kibana: - close: 30 delete: 365 so-logstash: - close: 30 delete: 365 so-netflow: - close: 30 delete: 365 so-osquery: - close: 30 delete: 365 so-ossec: - close: 30 delete: 365 so-redis: - close: 30 delete: 365 so-strelka: - close: 30 delete: 365 so-syslog: - close: 30 delete: 365 so-zeek: - close: 30 delete: 365 From bdf4b2c68dc508e4e76bcb709e245a78a449cbb2 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Dec 2023 14:03:45 +0000 Subject: [PATCH 6/9] Remove settings --- salt/curator/soc_curator.yaml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/salt/curator/soc_curator.yaml b/salt/curator/soc_curator.yaml index a2b9ad32ef..acfba7f85d 100644 --- a/salt/curator/soc_curator.yaml +++ b/salt/curator/soc_curator.yaml @@ -5,53 +5,35 @@ curator: elasticsearch: index_settings: so-beats: - close: &close - description: Age, in days, when Curator closes the index. - helpLink: curator.html - forcedType: int delete: &delete description: Age, in days, when Curator deletes the index. helpLink: curator.html forcedType: int so-elasticsearch: - close: *close delete: *delete so-firewall: - close: *close delete: *delete so-ids: - close: *close delete: *delete so-import: - close: *close delete: *delete so-kratos: - close: *close delete: *delete so-kibana: - close: *close delete: *delete so-logstash: - close: *close delete: *delete so-netflow: - close: *close delete: *delete so-osquery: - close: *close delete: *delete so-ossec: - close: *close delete: *delete so-redis: - close: *close delete: *delete so-strelka: - close: *close delete: *delete so-syslog: - close: *close delete: *delete so-zeek: - close: *close delete: *delete 
From e0801282eb5e4972fed76ee5d2bab32ca2fb4f8c Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Dec 2023 14:07:26 +0000 Subject: [PATCH 7/9] Remove files --- salt/manager/tools/sbin/soup | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 3c5adb7e5f..61abbee622 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -463,6 +463,11 @@ post_to_2.4.30() { POSTVERSION=2.4.30 } +post_to_2.4.40() { + echo "Removing Curator close files" + rm -f /opt/so/conf/curator/files/action/*-close.y*ml +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." From 0ebc8c7beb71506fe8deeb4fa2730137688816e2 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Dec 2023 15:17:51 +0000 Subject: [PATCH 8/9] Change path --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 61abbee622..64db412523 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -465,7 +465,7 @@ post_to_2.4.30() { post_to_2.4.40() { echo "Removing Curator close files" - rm -f /opt/so/conf/curator/files/action/*-close.y*ml + rm -f /opt/so/conf/curator/action/*-close.y*ml } repo_sync() { From 849e9e14adfaad67cd0e7feb761a87c21b4881d0 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 7 Dec 2023 16:49:44 +0000 Subject: [PATCH 9/9] Change soup to remove delete actions and run post_to_2.4.40 --- salt/manager/tools/sbin/soup | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 64db412523..35c9347729 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
@@ -416,7 +416,8 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5
 [[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10
 [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20
- [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
+ [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
+ [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40
 true
 }
 
@@ -464,8 +465,9 @@ post_to_2.4.30() {
 }
 
 post_to_2.4.40() {
- echo "Removing Curator close files"
+ echo "Removing Curator close and delete files"
 rm -f /opt/so/conf/curator/action/*-close.y*ml
+ rm -f /opt/so/conf/curator/action/logs*-delete.y*ml
 }
 
 repo_sync() {
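Review bot: `post_to_2.4.40` never advances `POSTVERSION`, unlike the `post_to_2.4.30` body visible just above it, which ends with `POSTVERSION=2.4.30`; the gate chain in `postupgrade_changes` relies on each step setting the version so the next `[[ "$POSTVERSION" == X ]]` test fires, so a later `post_to_2.4.50` gated on `2.4.40` would presumably be skipped on a multi-version upgrade. I would add `POSTVERSION=2.4.40` as the last line of the function, after the second `rm -f`. The two `rm -f` globs run only on the manager's `/opt/so/conf/curator/action`; if the same action files are distributed to other nodes by Salt, their removal has to come from the Salt state rather than this step, which is not visible in this series. Also worth a one-line comment above the `rm` lines saying that the `logs-*-delete` actions were removed because retention for those data streams is no longer handled by Curator, since nothing in the diff records the reason.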