## Instructions for a master-managed masterless deploy
##
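## These instructions assume that you are using gitfs to deploy your main salt
## files, as they will be deploying files to /srv/salt and /srv/pillar on the
## minions, including the minion on the master. The states below set
## `clean: True`, so files in the managed directories (all of /srv/pillar and
## the listed subdirectories of /srv/salt) that are not in the source are removed.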
##
## Note that pulsar must still be configured with master-side pillar data,
## as pulsar requires connection to a master with a running minion daemon.
##
## Once you have configured your folder structure as shown below, deployment
## to your minions should be as easy as running `salt '*' state.sls hubble`.
## We recommend you add this state to your state topfile so it will be deployed
## to all minions whenever your highstate is applied.
##
## Here is the recommended folder structure:
##
## salt://hubble/
## salt://hubble/init.sls
## salt://hubble/hubblestack_cron
## salt://hubble/pillar/top.sls
## salt://hubble/pillar/hubble.sls
##
## Here are the files:
##
## salt://hubble/init.sls
# Mirror the pulsar data tree from the fileserver into the minion's local
# file root so it is available to `salt-call --local`.
hubblestack_pulsar_data:
  file.recurse:
    - name: /srv/salt/hubblestack_pulsar
    - source: salt://hubblestack_pulsar
    # Anything under the target that is not in the source is deleted.
    - clean: true
    - user: root
    - group: root
    # Owner-only access; quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Mirror the nova profiles from the fileserver into the minion's local
# file root.
hubblestack_nova_profiles:
  file.recurse:
    - name: /srv/salt/hubblestack_nova_profiles
    - source: salt://hubblestack_nova_profiles
    # Local profiles that are absent from the source are removed, so a profile
    # edited or added by hand on the minion does not survive the next run.
    - clean: true
    - user: root
    - group: root
    # Owner-only access; quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Mirror the nova modules from the fileserver into the minion's local
# file root.
hubblestack_nova_modules:
  file.recurse:
    - name: /srv/salt/hubblestack_nova
    - source: salt://hubblestack_nova
    # Files under the target that are not in the source are deleted.
    - clean: true
    - user: root
    - group: root
    # Owner-only access, so the modules cannot be read or replaced by other
    # local users; quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Mirror the nebula data tree from the fileserver into the minion's local
# file root.
hubblestack_nebula_data:
  file.recurse:
    - name: /srv/salt/hubblestack_nebula
    - source: salt://hubblestack_nebula
    # Files under the target that are not in the source are deleted.
    - clean: true
    - user: root
    - group: root
    # Owner-only access; quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Copy salt://hubble/pillar (top.sls and hubble.sls) to the minion's local
# pillar root. hubble.sls carries the Splunk token, so this tree is a secret
# on every minion it lands on.
hubblestack_pillar_data:
  file.recurse:
    - name: /srv/pillar
    - source: salt://hubble/pillar
    # The target is the whole of /srv/pillar: any pillar file already there
    # that is not in the source is deleted, including on the master's minion.
    - clean: true
    - user: root
    - group: root
    # Owner-only access keeps the token unreadable to other local users;
    # quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Copy the custom execution modules into the minion's local file root; they
# are picked up by saltutil.sync_all.
hubblestack_modules:
  file.recurse:
    - name: /srv/salt/_modules
    - source: salt://_modules
    # Any module in the target that is not in the source is deleted.
    - clean: true
    - user: root
    - group: root
    # This is code the minion loads, so keep it writable by root only;
    # quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Copy the custom beacons into the minion's local file root; they are picked
# up by saltutil.sync_all.
hubblestack_beacons:
  file.recurse:
    - name: /srv/salt/_beacons
    - source: salt://_beacons
    # Any beacon in the target that is not in the source is deleted.
    - clean: true
    - user: root
    - group: root
    # This is code the minion loads, so keep it writable by root only;
    # quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Copy the custom returners into the minion's local file root; they are
# picked up by saltutil.sync_all.
hubblestack_returners:
  file.recurse:
    - name: /srv/salt/_returners
    - source: salt://_returners
    # Any returner in the target that is not in the source is deleted.
    - clean: true
    - user: root
    - group: root
    # Returners read the Splunk token from pillar and ship data off-host, so
    # keep them writable by root only; quoted so YAML keeps the modes as strings.
    - dir_mode: '700'
    - file_mode: '600'
# Run saltutil.sync_all, but only when one of the listed file states reported
# a change (onchanges), so an unchanged deploy does not trigger a sync.
hubblestack_sync_all:
  module.run:
    - name: saltutil.sync_all
    - onchanges:
        # Pillar plus the three custom-code directories.
        - file: hubblestack_pillar_data
        - file: hubblestack_modules
        - file: hubblestack_beacons
        - file: hubblestack_returners
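# Install the cron schedule that drives the masterless runs. The `require`
# list delays installation until every data, pillar and module tree is in place.
hubblestack_cron:
  file.managed:
    - name: /etc/cron.d/hubblestack_cron
    - source: salt://hubble/hubblestack_cron
    # Explicit root ownership, matching the other states in this file; cron
    # implementations commonly ignore /etc/cron.d files not owned by root.
    - user: root
    - group: root
    # Quoted: an unquoted mode with a leading zero can be read by YAML as an
    # octal integer, which Salt's documentation warns against.
    - mode: '0600'
    - require:
        - file: hubblestack_pillar_data
        - file: hubblestack_nova_modules
        - file: hubblestack_nova_profiles
        - file: hubblestack_pulsar_data
        - file: hubblestack_nebula_data
        - file: hubblestack_modules
        - file: hubblestack_beacons
        - file: hubblestack_returners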
## salt://hubble/hubblestack_cron
# This file managed by salt. Do not modify!
#
# Schedule for the masterless HubbleStack runs. Every job runs as root and
# uses `salt-call --local`, which works from the minion's local files instead
# of contacting a master.
#
# MAILTO is empty, so cron sends no mail for job output or failures; a job
# that stops reporting has to be noticed from the missing data on the
# receiving side.
MAILTO=""
# bash is required because the jobs use $RANDOM.
SHELL=/bin/bash
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin
# `sleep $(expr $RANDOM \% N)` delays each job by a random 0..N-1 seconds so
# that minions do not all report at the same moment. The `%` is escaped
# because cron otherwise treats it as a newline.
#
# nebula query groups, returned through splunk_nebula_return.
*/15 * * * * root sleep $(expr $RANDOM \% 600); /usr/bin/salt-call --local nebula.queries fifteen_min --return splunk_nebula_return
@hourly root sleep $(expr $RANDOM \% 1800); /usr/bin/salt-call --local nebula.queries hour --return splunk_nebula_return
@daily root sleep $(expr $RANDOM \% 3600); /usr/bin/salt-call --local nebula.queries day --return splunk_nebula_return
# Refresh the cached copy of the pulsar configuration file.
@daily root sleep $(expr $RANDOM \% 3600); /usr/bin/salt-call --local cp.cache_file salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml
# hubble.top run, returned through splunk_nova_return.
@daily root sleep $(expr $RANDOM \% 3600); /usr/bin/salt-call --local hubble.top verbose=True show_profile=True --return splunk_nova_return
# Re-sync custom modules once a day; this job has no random delay.
@daily root /usr/bin/salt-call --local saltutil.sync_all
## salt://hubble/pillar/top.sls
# Pillar topfile: every minion ("*") in the base environment gets the
# `hubble` pillar.
base:
  "*":
    - hubble
## salt://hubble/pillar/hubble.sls
##
## This file must be modified with your API credentials and index
# Splunk returner settings for the three HubbleStack components. Replace
# '<splunk_token>' and '<index>' with your own values before deploying.
#
# The hubblestack_pillar_data state copies this file to /srv/pillar on every
# minion (root-owned, mode 600), so the token is stored in clear text on each
# host. Treat the filled-in file as a secret: keep real tokens out of shared
# or public repositories, and prefer a token that can only write to the
# indexes named here.
hubblestack:
  # nova results, sent with sourcetype hubble_audit.
  nova:
    returner:
      splunk:
        token: '<splunk_token>'
        indexer: splunk-hec.loc.adobe.net
        sourcetype: hubble_audit
        index: '<index>'
  # nebula results, sent with sourcetype hubble_osquery.
  nebula:
    returner:
      splunk:
        token: '<splunk_token>'
        indexer: splunk-hec.loc.adobe.net
        sourcetype: hubble_osquery
        index: '<index>'
  # pulsar results, sent with sourcetype hubble_fim.
  pulsar:
    returner:
      splunk:
        token: '<splunk_token>'
        indexer: splunk-hec.loc.adobe.net
        sourcetype: hubble_fim
        index: '<index>'