From 3783b00e217fb8b2bdf38535ce74f0aca900b93a Mon Sep 17 00:00:00 2001 From: wlambert Date: Wed, 8 Feb 2017 01:34:31 +0000 Subject: [PATCH] Add ELSA Log Storage Calculator --- bin/securityonion-elsa-log-calc | 127 ++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100755 bin/securityonion-elsa-log-calc diff --git a/bin/securityonion-elsa-log-calc b/bin/securityonion-elsa-log-calc new file mode 100755 index 0000000..dbf3692 --- /dev/null +++ b/bin/securityonion-elsa-log-calc @@ -0,0 +1,127 @@ +#!/bin/bash + +# Define a banner to separate sections +banner="=========================================================================" + +# Check for root +[ "$(id -u)" -ne 0 ] && echo "This script must be run using sudo!" && exit 1 + +header() { + printf '%s\n' "$banner" "$*" "$banner" +} + + +# Set logging variables +INDEX=2.6 +ARCHIVE=.1 +PERCENTAGE=.33 +BYTES=300 +CONSTANT=86400 +EVENTS=1000 +DAYSTOKEEP=30 + +echo +echo +header "ELSA Log Storage Calculator" +read -p "This script will help you calculate how much storage should be required for your indexed and archived ELSA logs. + +Follow the prompt(s) below to begin! [Yn]" -e -i Y ANSWER +if [[ ! $ANSWER == "Y" ]];then + echo + echo "EXITING. User chose not to continue." + echo + exit 1 +fi +echo "------------------------------------------" + +# Get percentage for Index/Archive logsecho +read -p "# Please enter the percentage of indexed logs you wish to retain: " -e -i 66 INDEX_LOG_PERCENTAGE +echo +read -p "# Please enter the percentage of archived logs you wish to retain: " -e -i 33 ARCHIVE_LOG_PERCENTAGE +echo + +IND_PERCENTAGE=$(echo $INDEX_LOG_PERCENTAGE / 100 | bc -l) +ARC_PERCENTAGE=$(echo $ARCHIVE_LOG_PERCENTAGE / 100 | bc -l) +TOTAL_PERCENTAGE=$(($INDEX_LOG_PERCENAGE + $ARCHIVE_LOG_PERCENTAGE)) + +if [[ "$TOTAL_PERCENTAGE" -gt 100 ]];then + echo "ERROR: Total cannot be greater than 100 percent!" + exit 1 +fi + +# Get other values for log retention +read -p "# Please enter the number of bytes for each event: " -e -i $BYTES BYTES +echo +read -p "# Please enter the number of events per second: " -e -i $EVENTS EVENTS +echo +read -p "# Please enter the number of days for which you wish to retain events: " -e -i $DAYSTOKEEP DAYSTOKEEP +echo + +# Provide a summary of user input +header "Summary" +echo +echo "Indexed Percentage: "$INDEX_LOG_PERCENTAGE"%" +echo "Archived Percentage: "$ARCHIVE_LOG_PERCENTAGE"%" +echo "Number of bytes per event: "$BYTES +echo "Number of events per second: "$EVENTS +echo "Retention period: "$DAYSTOKEEP +echo + +# Calculate storage requirements +IND_RESULT=$(echo $IND_PERCENTAGE \* $INDEX \* $BYTES \* $EVENTS \* $DAYSTOKEEP \* $CONSTANT | bc -l) +ARC_RESULT=$(echo $ARC_PERCENTAGE \* $ARCHIVE \* $BYTES \* $EVENTS \* $DAYSTOKEEP \* $CONSTANT | bc -l) +TOTAL=$(echo $IND_RESULT + $ARC_RESULT | bc -l) + +# Create an associative array containing type and storage result +declare -A RESULTS=([Total]=$TOTAL [Archive]=$ARC_RESULT [Index]=$IND_RESULT) + +# Provide a recommendation +echo "---------------------------------------------------------------------------" +echo "---------------------------------------------------------------------------" +echo "------------------------ Calculation Complete! ----------------------------" +echo "---------------------------------------------------------------------------" +echo "---------------------------------------------------------------------------" +echo +echo "Based on your answers to the prompts, it is recommneded that you allocate +at least the following amount of storage for ELSA logs:" + echo + for i in "${!RESULTS[@]}" + do + echo + header $i "Logs" + echo + echo "Bytes" + echo "-----" + echo "${RESULTS[$i]}" / 1 | bc + echo + echo "Gigabytes" + echo "----------" + echo "scale=2; ${RESULTS[$i]}" /1000000000 / 1 | bc -l + echo + echo "Terabytes" + echo "----------" + echo "scale=2; ${RESULTS[$i]}" /1000000000000 | bc -l + echo +done +echo +# Information about current logging +header "Current Logging" +echo +ARC_LOGGING=$(grep '"percentage":' /etc/elsa_node.conf | awk '{print $2}') +echo "Archive: "${ARC_LOGGING%?}"%" +IND_LOGGING=$(((100 - ${ARC_LOGGING%?}))) +echo "Index: "$IND_LOGGING"%" +echo +echo "Available space" +echo "----------------" +echo +echo "/nsm/elsa/data/" +df -Ph /nsm/elsa/data/ | awk 'NR==2 {print $4}' +echo +echo "/var/lib/mysql/" +df -Ph /nsm/elsa/data/ | awk 'NR==2 {print $4}' +echo +df -h +echo +echo "*ELSA's logging settings can be modified in /etc/elsa_node.conf" +echo