From 2ee75f647978e38f8180aca3ea811221bf1fda2e Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 4 Jan 2018 16:05:08 +0000
Subject: [PATCH] if ElastAlert disabled, don't configure template
---
 usr/sbin/so-elastic-configure-elastalert | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/usr/sbin/so-elastic-configure-elastalert b/usr/sbin/so-elastic-configure-elastalert
index c4bf37f..d4194e8 100755
--- a/usr/sbin/so-elastic-configure-elastalert
+++ b/usr/sbin/so-elastic-configure-elastalert
@@ -4,15 +4,14 @@ . /etc/nsm/securityonion.conf
-header "Configuring ElastAlert"
+if [ ${ELASTALERT_ENABLED} = "yes" ]; then
-# Not sure that we should delete the existing elastalert index,
-# but we'll leave this here until ElastAlert supports ES6 as that will change things anyway
-#if ! curl -s -XGET http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/${ELASTALERT_INDEX} | grep -q "no such index"; then
-# curl -s -XDELETE http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/${ELASTALERT_INDEX}
-# echo
-#fi
-echo
-echo "Applying ElastAlert template..."
-curl -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/elastalert -H'Content-Type: application/json' -d'{"template" : "elastalert_status", "settings": { "number_of_shards" : 1, "number_of_replicas" : 0 }, "mappings" : { "search": {"properties": {"hits": {"type": "integer"}, "version": {"type": "integer"}, "match_body.source_ip": {"type": "ip"}, "match_body.destination_ip": {"type": "ip"}}}}}'
-echo
+ header "Configuring ElastAlert"
+
+ if ! curl -s -XGET http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/${ELASTALERT_INDEX} | grep -q "no such index"; then
+ curl -s -XDELETE http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/${ELASTALERT_INDEX}
+ fi
+ curl -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/elastalert -H'Content-Type: application/json' -d'{"template" : "elastalert_status", "settings": { "number_of_shards" : 1, "number_of_replicas" : 0 }, "mappings" : { "search": {"properties": {"hits": {"type": "integer"}, "version": {"type": "integer"}, "match_body.source_ip": {"type": "ip"}, "match_body.destination_ip": {"type": "ip"}}}}}' > /dev/null && echo && echo "Template configured for ElastAlert." && echo "Done!"
+else
+ echo "ElastAlert disabled, so not configuring..."
+fi
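Review bot: The new `if [ ${ELASTALERT_ENABLED} = "yes" ]; then` leaves the variable unquoted, so when ELASTALERT_ENABLED is unset or empty (it is presumably read from the sourced /etc/nsm/securityonion.conf) the test collapses to `[ = "yes" ]`, which bash rejects with "unary operator expected" and the else branch is reached only as a side effect of that error; write `if [ "${ELASTALERT_ENABLED}" = "yes" ]; then`. The hunk also un-comments the `curl -s -XDELETE` of ${ELASTALERT_INDEX}, so every run of this configure script now drops the existing index whenever it is present, while the commit title only mentions skipping the template when ElastAlert is disabled — that destructive step deserves a sentence in the commit message and a comment such as `# Intentionally drops any existing ElastAlert index before re-applying the template` replacing the old "Not sure that we should delete" note. Finally, `curl -s` exits 0 on an HTTP 4xx/5xx reply, so the `&& echo "Template configured for ElastAlert." && echo "Done!"` chain reports success even when Elasticsearch rejects the PUT; `curl -sf -XPUT …` makes the exit status follow the response so the chain stops on failure.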