From 63820c23aab9905e166bbbc801af32c119ceadf1 Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 9 Sep 2019 15:53:43 -0400 Subject: [PATCH] securityonion-sostat: update Elastic verbiage for when components are not running Security-Onion-Solutions/security-onion#1633 --- bin/sostat | 18 ++-- debian/changelog | 12 +++ ...ecurity-Onion-Solutionssecurity-onion#1633 | 98 +++++++++++++++++++ debian/patches/series | 2 + .../sostat:-support-elastic-auth-#1562 | 67 +++++++++++++ 5 files changed, 188 insertions(+), 9 deletions(-) create mode 100644 debian/patches/securityonion-sostat:-update-Elastic-verbiage-for-when-components-are-not-running-Security-Onion-Solutionssecurity-onion#1633 create mode 100644 debian/patches/sostat:-support-elastic-auth-#1562 diff --git a/bin/sostat b/bin/sostat index 4f8a524..339986e 100755 --- a/bin/sostat +++ b/bin/sostat @@ -517,7 +517,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then else echo CLUST_NAME=$(grep cluster.name /etc/elasticsearch/elasticsearch.yml | awk '{print $2}'|sed -e 's/^"//' -e 's/"$//') - echo && echo -e "Elasticsearch is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-elasticsearch'\n\n\nIf that does not work, try checking /var/log/elasticsearch/"$CLUST_NAME".log for clues." + echo && echo -e "Elasticsearch is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-elasticsearch-start'\n\n\nIf that does not work, try checking /var/log/elasticsearch/"$CLUST_NAME".log for clues." fi if [ "$LOGSTASH_ENABLED" = "yes" ]; then 
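Review bot: The replaced line in hunk -517, and the parallel lines in hunks -565, -590, -602, -614, -634 and -657, are seven copies of the same sentence that differ only in component name, start command and log path, so the `docker start so-X` → `so-X-start` wording change has to be made seven times here and again verbatim in the new `debian/patches/…#1633` file; a small helper defined once near the top of `bin/sostat` (above these hunks) would keep the text and the command naming in one place. The Elasticsearch call site would then read `print_not_running "Elasticsearch" "so-elasticsearch-start" "/var/log/elasticsearch/${CLUST_NAME}.log"`, which also removes the `/"$CLUST_NAME".log` quote-close/reopen inside the message string. The enclosing `if [ "$ELASTICSEARCH_ENABLED" = "yes" ]` block starts and ends outside the hunk.
```shell
# Prints the standard "<component> is not running" hint. Arguments:
#   $1 - component name, $2 - per-component start command, $3 - log file to check.
# Data goes through %s, never into the printf format.
print_not_running() {
  echo
  printf "%s is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo %s'\n\n\nIf that does not work, try checking %s for clues.\n" "$1" "$2" "$3"
}
# … unchanged: Elasticsearch status block up to the inner else …
    print_not_running "Elasticsearch" "so-elasticsearch-start" "/var/log/elasticsearch/${CLUST_NAME}.log"
```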
@@ -565,7 +565,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then echo "To obtain queue stats, try running sostat again in a few minutes." fi else - echo && echo -e "Logstash is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-logstash'\n\n\nIf that does not work, try checking /var/log/logstash/logstash.log for clues." + echo && echo -e "Logstash is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-logstash-start'\n\n\nIf that does not work, try checking /var/log/logstash/logstash.log for clues." fi fi @@ -590,7 +590,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then echo docker stats --no-stream so-kibana else - echo && echo -e "Kibana is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-kibana'\n\n\nIf that does not work, try checking /var/log/kibana/kibana.log for clues." + echo && echo -e "Kibana is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-kibana-start'\n\n\nIf that does not work, try checking /var/log/kibana/kibana.log for clues." fi fi @@ -602,7 +602,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then echo docker stats --no-stream so-elastalert else - echo && echo -e "ElastAlert is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-elastalert'\n\n\nIf that does not work, try checking /var/log/elastalert/elastalert_stderr.log for clues." + echo && echo -e "ElastAlert is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-elastalert-start'\n\n\nIf that does not work, try checking /var/log/elastalert/elastalert_stderr.log for clues." fi fi 
@@ -614,7 +614,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then echo docker stats --no-stream so-curator else - echo && echo -e "Curator is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-curator'\n\n\nIf that does not work, try checking /var/log/curator/curator.log for clues." + echo && echo -e "Curator is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-curator-start'\n\n\nIf that does not work, try checking /var/log/curator/curator.log for clues." fi fi @@ -634,10 +634,10 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then echo "Freq Server is working." else echo - echo "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-freqserver'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." + echo "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-freqserver-start'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." fi else - echo && echo -e "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-freqserver'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." + echo && echo -e "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-freqserver-start'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." fi fi 
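Review bot: The rewritten `echo "Freq_server is not running.\n\n…"` line inside the inner `else` of hunk -634 still has no `-e`, while its sibling three lines below uses `echo && echo -e`; if sostat runs under bash, as the `echo -e` usage elsewhere suggests, the `\n` sequences in that message print literally as backslash-n. Hunk -657 has the same asymmetry for the `Domain_stats` message. Since the commit already touches both lines, change them to `echo -e "Freq_server is not running.\n\n…"` and `echo -e "Domain_stats is not running.\n\n…"` (or the `echo && echo -e` form of their siblings) so all seven messages render the same way. Both enclosing `if` blocks start and end outside the hunk.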
@@ -657,10 +657,10 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then echo "Domain_stats is working." else echo - echo "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-domainstats'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." + echo "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-domainstats-start'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." fi else - echo && echo -e "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-domainstats'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." + echo && echo -e "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-domainstats-start'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." fi fi if [ "$ES_RUNNING" ]; then diff --git a/debian/changelog b/debian/changelog index a47126f..04ca928 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +securityonion-sostat (20120722-0ubuntu0securityonion130) xenial; urgency=medium + + * securityonion-sostat: update Elastic verbiage for when components are not running Security-Onion-Solutions/security-onion#1633 + + -- Doug Burks Mon, 09 Sep 2019 15:52:53 -0400 + +securityonion-sostat (20120722-0ubuntu0securityonion129) xenial; urgency=medium + + * sostat: support elastic auth #1562 + + -- Doug Burks Fri, 12 Jul 2019 15:16:18 -0400 + securityonion-sostat (20120722-0ubuntu0securityonion128) xenial; urgency=medium * fix spacing 
diff --git a/debian/patches/securityonion-sostat:-update-Elastic-verbiage-for-when-components-are-not-running-Security-Onion-Solutionssecurity-onion#1633 b/debian/patches/securityonion-sostat:-update-Elastic-verbiage-for-when-components-are-not-running-Security-Onion-Solutionssecurity-onion#1633
new file mode 100644
index 0000000..e3bbfd5
--- /dev/null
+++ b/debian/patches/securityonion-sostat:-update-Elastic-verbiage-for-when-components-are-not-running-Security-Onion-Solutionssecurity-onion#1633
@@ -0,0 +1,98 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-sostat (20120722-0ubuntu0securityonion130) xenial; urgency=medium + . + * securityonion-sostat: update Elastic verbiage for when components are not running Security-Onion-Solutions/security-onion#1633 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-sostat-20120722.orig/bin/sostat ++++ securityonion-sostat-20120722/bin/sostat +@@ -517,7 +517,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + else + echo + CLUST_NAME=$(grep cluster.name /etc/elasticsearch/elasticsearch.yml | awk '{print $2}'|sed -e 's/^"//' -e 's/"$//') +- echo && echo -e "Elasticsearch is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-elasticsearch'\n\n\nIf that does not work, try checking /var/log/elasticsearch/"$CLUST_NAME".log for clues." ++ echo && echo -e "Elasticsearch is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-elasticsearch-start'\n\n\nIf that does not work, try checking /var/log/elasticsearch/"$CLUST_NAME".log for clues." + fi + + if [ "$LOGSTASH_ENABLED" = "yes" ]; then +@@ -565,7 +565,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + echo "To obtain queue stats, try running sostat again in a few minutes." 
+ fi + else +- echo && echo -e "Logstash is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-logstash'\n\n\nIf that does not work, try checking /var/log/logstash/logstash.log for clues." ++ echo && echo -e "Logstash is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-logstash-start'\n\n\nIf that does not work, try checking /var/log/logstash/logstash.log for clues." + fi + fi + +@@ -590,7 +590,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + echo + docker stats --no-stream so-kibana + else +- echo && echo -e "Kibana is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-kibana'\n\n\nIf that does not work, try checking /var/log/kibana/kibana.log for clues." ++ echo && echo -e "Kibana is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-kibana-start'\n\n\nIf that does not work, try checking /var/log/kibana/kibana.log for clues." + fi + fi + +@@ -602,7 +602,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + echo + docker stats --no-stream so-elastalert + else +- echo && echo -e "ElastAlert is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-elastalert'\n\n\nIf that does not work, try checking /var/log/elastalert/elastalert_stderr.log for clues." ++ echo && echo -e "ElastAlert is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-elastalert-start'\n\n\nIf that does not work, try checking /var/log/elastalert/elastalert_stderr.log for clues." + fi + fi + +@@ -614,7 +614,7 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + echo + docker stats --no-stream so-curator + else +- echo && echo -e "Curator is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-curator'\n\n\nIf that does not work, try checking /var/log/curator/curator.log for clues." 
++ echo && echo -e "Curator is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-curator-start'\n\n\nIf that does not work, try checking /var/log/curator/curator.log for clues." + fi + fi + +@@ -634,10 +634,10 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + echo "Freq Server is working." + else + echo +- echo "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-freqserver'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." ++ echo "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-freqserver-start'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." + fi + else +- echo && echo -e "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-freqserver'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." ++ echo && echo -e "Freq_server is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-freqserver-start'\n\n\nIf that does not work, try checking /var/log/freq_server/freq_server.log for clues." + fi + fi + +@@ -657,10 +657,10 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + echo "Domain_stats is working." + else + echo +- echo "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-domainstats'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." ++ echo "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-domainstats-start'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." 
+ fi + else +- echo && echo -e "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo docker start so-domainstats'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." ++ echo && echo -e "Domain_stats is not running.\n\nTry starting it with:\n\n'sudo so-elastic-start'\n OR\n'sudo so-domainstats-start'\n\n\nIf that does not work, try checking /var/log/domain_stats/domain_stats.log for clues." + fi + fi + if [ "$ES_RUNNING" ]; then diff --git a/debian/patches/series b/debian/patches/series index be6d6e6..63976dc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -121,3 +121,5 @@ securityonion-sostat:-awk-division-error-when-Bro-doesn't-report-stats-correctly re-apply-debconffrontend-noninteractive issues-1536-and-1544 fix-spacing +sostat:-support-elastic-auth-#1562 +securityonion-sostat:-update-Elastic-verbiage-for-when-components-are-not-running-Security-Onion-Solutionssecurity-onion#1633 diff --git a/debian/patches/sostat:-support-elastic-auth-#1562 b/debian/patches/sostat:-support-elastic-auth-#1562 new file mode 100644 index 0000000..4d8549f --- /dev/null +++ b/debian/patches/sostat:-support-elastic-auth-#1562 
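Review bot: The DEP-3 header of the new patch file still carries the unedited template text (`TODO: Put a short summary on the line above and replace this paragraph …`) and the empty `Origin:`, `Bug:`, `Bug-Debian:`, `Bug-Ubuntu:`, `Forwarded:`, `Reviewed-By:` and `Last-Update:` fields; the new `debian/patches/sostat:-support-elastic-auth-#1562` file in the next hunk has the same untouched template. A one-line summary after `Description:` taken from the changelog entry already on this page (`update Elastic verbiage for when components are not running`), the issue reference `Security-Onion-Solutions/security-onion#1633` in the `Bug:` field, a `Last-Update:` matching the changelog date, and removal of the unused template fields and the explanatory paragraph would make the header describe the patch instead of the template.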
@@ -0,0 +1,67 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-sostat (20120722-0ubuntu0securityonion129) xenial; urgency=medium + . + * sostat: support elastic auth #1562 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-sostat-20120722.orig/bin/sostat ++++ securityonion-sostat-20120722/bin/sostat +@@ -471,16 +471,18 @@ fi + + if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then + +- TOT_NODES=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq ._nodes.total) +- #SUCCESS_NODES=curl "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq ._nodes.successful` +- FAIL_NODES=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq ._nodes.failed) +- CLUST_NAME=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .cluster_name) +- TOT_INDICES=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.count) +- TOT_SHARDS=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.shards.total) +- CLUST_STATUS=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .status) +- FREE_MEM=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .nodes.os.mem.free_percent) +- TOT_DOCS=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | 
jq .indices.docs.count) +- TOT_SIZE=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.store.size_in_bytes) ++ source /usr/sbin/so-elastic-common ++ ++ TOT_NODES=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq ._nodes.total) ++ #SUCCESS_NODES=curl $ELASTICSEARCH_AUTH "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq ._nodes.successful` ++ FAIL_NODES=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq ._nodes.failed) ++ CLUST_NAME=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .cluster_name) ++ TOT_INDICES=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.count) ++ TOT_SHARDS=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.shards.total) ++ CLUST_STATUS=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .status) ++ FREE_MEM=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .nodes.os.mem.free_percent) ++ TOT_DOCS=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.docs.count) ++ TOT_SIZE=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty" | jq .indices.store.size_in_bytes) + ES_RUNNING=$(docker ps | grep so-elasticsearch) + LS_RUNNING=$(docker ps | grep so-logstash) + KIB_RUNNING=$(docker ps | grep so-kibana) +@@ -488,8 +490,8 @@ if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; + CURAT_RUNNING=$(docker ps | grep so-curator) + FREQ_RUNNING=$(docker ps | grep so-freqserver) + DOMAINSTATS_RUNNING=$(docker ps | grep so-domainstats) +- EVENT_COUNT=$(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats" | jq ._all.total.docs.count) +- AVG_EVENT_SIZE=$(echo $(($(curl 
-s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats" | jq ._all.total.store.size_in_bytes) / $(curl -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats" | jq ._all.total.docs.count))) ++ EVENT_COUNT=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats" | jq ._all.total.docs.count) ++ AVG_EVENT_SIZE=$(echo $(($(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats" | jq ._all.total.store.size_in_bytes) / $(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats" | jq ._all.total.docs.count))) + ) + +
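Review bot: Each of the twelve new `curl $ELASTICSEARCH_AUTH …` lines passes whatever `/usr/sbin/so-elastic-common` placed in `ELASTICSEARCH_AUTH` on curl's command line; the sourced file is not on the page, but if that value is a `-u user:password` pair the credential is readable in process listings by any local user and is captured by any `set -x` trace, whereas a root-only curl config or netrc file (`curl -K <file>` / `--netrc-file <file>`) keeps it off argv. The same `_cluster/stats?pretty` body is also fetched ten times and `*/_stats` three times, each an authenticated round trip whose fields can come from different moments; fetching each once and running `jq` on the saved body cuts the request count and yields a consistent snapshot, as sketched below. `AVG_EVENT_SIZE` still divides by `._all.total.docs.count`, which is `0` on an empty cluster and `null` when Elasticsearch returns an error body, so the arithmetic expansion fails instead of producing a value. The `source` line has no failure check, so a missing helper file silently leaves `ELASTICSEARCH_AUTH` empty. The enclosing `if [ "$ELASTICSEARCH_ENABLED" = "yes" ]` block continues outside the hunk.
```shell
  source /usr/sbin/so-elastic-common

  # One authenticated request per endpoint; every field below is read from the
  # same response body. NOTE(review): if ELASTICSEARCH_AUTH holds '-u user:pass',
  # prefer a root-only curl config/netrc file so the secret is not visible in ps.
  CLUSTER_STATS=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/_cluster/stats?pretty")
  TOT_NODES=$(printf '%s' "$CLUSTER_STATS" | jq ._nodes.total)
  FAIL_NODES=$(printf '%s' "$CLUSTER_STATS" | jq ._nodes.failed)
  CLUST_NAME=$(printf '%s' "$CLUSTER_STATS" | jq .cluster_name)
  TOT_INDICES=$(printf '%s' "$CLUSTER_STATS" | jq .indices.count)
  TOT_SHARDS=$(printf '%s' "$CLUSTER_STATS" | jq .indices.shards.total)
  CLUST_STATUS=$(printf '%s' "$CLUSTER_STATS" | jq .status)
  FREE_MEM=$(printf '%s' "$CLUSTER_STATS" | jq .nodes.os.mem.free_percent)
  TOT_DOCS=$(printf '%s' "$CLUSTER_STATS" | jq .indices.docs.count)
  TOT_SIZE=$(printf '%s' "$CLUSTER_STATS" | jq .indices.store.size_in_bytes)
  # … unchanged: *_RUNNING docker ps checks …
  INDEX_STATS=$(curl $ELASTICSEARCH_AUTH -s "$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT/*/_stats")
  EVENT_COUNT=$(printf '%s' "$INDEX_STATS" | jq ._all.total.docs.count)
  # Guard the division: docs.count is 0 on an empty cluster and null on an error body.
  if [ "${EVENT_COUNT:-0}" -gt 0 ] 2>/dev/null; then
    AVG_EVENT_SIZE=$(( $(printf '%s' "$INDEX_STATS" | jq ._all.total.store.size_in_bytes) / EVENT_COUNT ))
  else
    AVG_EVENT_SIZE=0
  fi
```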