logstash cleanup, prep for multiarch, move to ubuntu

log4pot tweaking
2025-07-02 01:27:27 -04:00 · 2022-01-23 14:49:07 +00:00
parent ae18cb592e
commit a507bc5f39
6 changed files with 33 additions and 105 deletions
--- a/docker/elk/logstash/dist/entrypoint.sh
+++ b/docker/elk/logstash/dist/entrypoint.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Let's ensure normal operation on exit or if interrupted ...
+function fuCLEANUP {
+  exit 0
+}
+trap fuCLEANUP EXIT
+
+# Check internet availability 
+function fuCHECKINET () {
+mySITES=$1
+error=0
+for i in $mySITES;
+  do
+    curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
+      if [ $? -ne 0 ];
+        then
+          let error+=1
+      fi;
+  done;
+  echo $error
+}
+
+# Check for connectivity and download latest translation maps
+myCHECK=$(fuCHECKINET "listbot.sicherheitstacho.eu")
+if [ "$myCHECK" == "0" ];
+  then
+    echo "Connection to Listbot looks good, now downloading latest translation maps."
+    cd /etc/listbot 
+    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/cve.yaml.bz2 && \
+    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \
+    bunzip2 -f *.bz2
+    cd /
+  else
+    echo "Cannot reach Listbot, starting Logstash without latest translation maps."
+fi
+
+# Distributed T-Pot installation needs a different pipeline config and autossh tunnel. 
+if [ "$MY_TPOT_TYPE" == "SENSOR" ];
+  then
+    echo
+    echo "Distributed T-Pot setup, sending T-Pot logs to $MY_HIVE_IP."
+    echo
+    echo "T-Pot type: $MY_TPOT_TYPE"
+    echo "Keyfile used: $MY_SENSOR_PRIVATEKEYFILE"
+    echo "Hive username: $MY_HIVE_USERNAME"
+    echo "Hive IP: $MY_HIVE_IP"
+    echo
+    cp /usr/share/logstash/config/pipelines_sensor.yml /usr/share/logstash/config/pipelines.yml
+    autossh -f -M 0 -4 -l $MY_HIVE_USERNAME -i $MY_SENSOR_PRIVATEKEYFILE -p 64295 -N -L64305:127.0.0.1:64305 $MY_HIVE_IP -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
+    exit 0
+fi
+
+# Index Management is happening through ILM, but we need to put T-Pot ILM setting on ES.
+myTPOTILM=$(curl -s -XGET "http://elasticsearch:9200/_ilm/policy/tpot" | grep "Lifecycle policy not found: tpot" -c)
+if [ "$myTPOTILM" == "1" ];
+  then
+    echo "T-Pot ILM template not found on ES, putting it on ES now."
+    curl -XPUT "http://elasticsearch:9200/_ilm/policy/tpot" -H 'Content-Type: application/json' -d'
+    {
+      "policy": {
+        "phases": {
+          "hot": {
+            "min_age": "0ms",
+            "actions": {}
+          },
+          "delete": {
+            "min_age": "30d",
+            "actions": {
+              "delete": {
+                "delete_searchable_snapshot": true
+              }
+            }
+          }
+        },
+        "_meta": {
+          "managed": true,
+          "description": "T-Pot ILM policy with a retention of 30 days"
+        }
+      }
+    }'
+  else
+    echo "T-Pot ILM already configured."
+fi
+echo