#!/bin/bash
# Wazuh Copyright (C) 2023 Wazuh Inc. (License GPLv2)
# Wazuh - Indexer set rollover policy and templates
# Policy settings: rollover conditions and the ISM template they attach to.
MIN_SHARD_SIZE=25
MIN_INDEX_AGE=7d
MIN_DOC_COUNT=200000000
ISM_INDEX_PATTERNS='["wazuh-alerts-*", "wazuh-archives-*", "-wazuh-alerts-4.x-sample*"]'
ISM_PRIORITY=50
POLICY_NAME=rollover_policy

# Indexer connection defaults.
# NOTE(security): "admin" is a widely known default credential. It only works
# against an indexer whose admin password was never changed; pass the real
# one with -p/--indexer-password.
INDEXER_PASSWORD=admin
INDEXER_HOSTNAME=localhost
# Built once, from the value INDEXER_HOSTNAME holds at this point.
INDEXER_URL="https://${INDEXER_HOSTNAME}:9200"

# curl settings shortcuts
# One string holding two words: the -u option and its "admin:<password>"
# value. The password reaches curl as a command-line argument, so it can be
# visible to other local users through the process list while curl runs.
C_AUTH="-u admin:${INDEXER_PASSWORD}"
#########################################################################
# Renders the rollover_policy ISM policy document and writes it to stdout.
# Every value is interpolated verbatim (no JSON escaping), so each one must
# already be valid at the place it is inserted.
# Globals (read):
#   MIN_SHARD_SIZE      The minimum shard size in GB ("gb" is appended).
#   MIN_INDEX_AGE       The minimum index age.
#   MIN_DOC_COUNT       The minimum document count.
#   ISM_INDEX_PATTERNS  The index patterns, inserted unquoted as a JSON array.
#   ISM_PRIORITY        The policy priority.
# Arguments:
#   None.
# Outputs:
#   The rollover policy as a JSON string.
#########################################################################
generate_rollover_policy() {
  local shard_size="${MIN_SHARD_SIZE}gb"
  local index_age="${MIN_INDEX_AGE}"
  local doc_count="${MIN_DOC_COUNT}"
  local patterns="${ISM_INDEX_PATTERNS}"
  local priority="${ISM_PRIORITY}"

  cat <<EOF
{
"policy": {
"description": "Wazuh rollover and alias policy",
"default_state": "active",
"states": [
{
"name": "active",
"actions": [
{
"rollover": {
"min_primary_shard_size": "${shard_size}",
"min_index_age": "${index_age}",
"min_doc_count": "${doc_count}"
}
}
]
}
],
"ism_template": {
"index_patterns": ${patterns},
"priority": "${priority}"
}
}
}
EOF
}
#########################################################################
# Renders an index template with order 3 that sets the rollover alias.
# The alias is interpolated verbatim (no JSON escaping).
# Arguments:
#   1. The alias name, a string. Also used as the "<alias>-*" index pattern.
# Outputs:
#   The index template as a JSON string.
#########################################################################
generate_rollover_template() {
  local alias_name=$1

  cat <<EOF
{
"order": 3,
"index_patterns": ["${alias_name}-*"],
"settings": {
"index.plugins.index_state_management.rollover_alias": "${alias_name}"
}
}
EOF
}
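#########################################################################
# Loads the index templates for the rollover policy to the indexer.
# One "<alias>-rollover" template is PUT for every entry of the global
# "aliases" array.
# Globals (read):
#   aliases, INDEXER_URL, INDEXER_PASSWORD
# Arguments:
#   None.
# Returns:
#   0 when every upload succeeded, 1 when at least one failed.
#########################################################################
load_templates() {
  local name
  local failed=0

  # Note: the wazuh-template.json could also be loaded here.
  for name in "${aliases[@]}"; do
    echo "TEMPLATES AND POLICIES - Uploading ${name} template"
    # The credentials are passed as one quoted word so that a password
    # containing whitespace or glob characters reaches curl intact.
    # --fail makes HTTP error statuses (for example a rejected password)
    # show up in curl's exit status instead of being discarded.
    # NOTE(security): -k disables TLS certificate verification, so the admin
    # credentials are sent without authenticating the indexer; prefer
    # --cacert <CA file> where the indexer's CA is available.
    if ! generate_rollover_template "${name}" |
      curl -s -k --fail -u "admin:${INDEXER_PASSWORD}" \
        -X PUT "${INDEXER_URL}/_template/${name}-rollover" -o /dev/null \
        -H 'Content-Type: application/json' -d @-; then
      echo "TEMPLATES AND POLICIES - Error uploading ${name} template" >&2
      failed=1
    fi
  done

  return "${failed}"
}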
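#########################################################################
# Uploads the rollover policy.
# The policy "${POLICY_NAME}" is looked up first:
#   - 404: the policy does not exist and is created.
#   - 200: the policy already exists and is left as it is (an existing
#          policy is not compared with, or updated to, the current
#          rollover conditions).
#   - anything else: an error is reported and nothing is uploaded.
# Globals (read):
#   INDEXER_URL, INDEXER_PASSWORD, POLICY_NAME
# Arguments:
#   None.
# Returns:
#   1 when the upload request fails, otherwise the status of the last
#   command run.
#########################################################################
upload_rollover_policy() {
  local policy_url="${INDEXER_URL}/_plugins/_ism/policies/${POLICY_NAME}"
  local status

  # The credentials are passed as one quoted word so that a password
  # containing whitespace or glob characters reaches curl intact.
  # NOTE(security): -k disables TLS certificate verification, so the admin
  # credentials are sent without authenticating the indexer; prefer
  # --cacert <CA file> where the indexer's CA is available.
  status=$(
    curl -s -k -u "admin:${INDEXER_PASSWORD}" \
      -X GET "${policy_url}" \
      -o /dev/null \
      -w "%{http_code}"
  )

  case "${status}" in
    404)
      # Not found: the policy has not been loaded yet.
      echo "TEMPLATES AND POLICIES - Uploading ${POLICY_NAME} ISM policy"
      # --fail turns an HTTP error status into a non-zero exit status, so a
      # rejected upload is reported instead of being discarded.
      if ! curl -s -k --fail -u "admin:${INDEXER_PASSWORD}" -o /dev/null \
        -X PUT "${policy_url}" \
        -H 'Content-Type: application/json' -d "$(generate_rollover_policy)"; then
        echo "TEMPLATES AND POLICIES - Error uploading ${POLICY_NAME} policy" >&2
        return 1
      fi
      ;;
    200)
      echo "TEMPLATES AND POLICIES - ${POLICY_NAME} policy already exists"
      ;;
    *)
      echo "TEMPLATES AND POLICIES - Error uploading ${POLICY_NAME} policy"
      ;;
  esac
}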
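#########################################################################
# Prints the index (second column of _cat/aliases) of every row that
# matches the given alias and also contains "true".
# Both filters are case-insensitive and look at the whole row; the alias is
# used as a grep pattern, so rows that merely contain it also match.
# NOTE(review): "true" is presumably the is_write_index column - confirm.
# Globals (read):
#   INDEXER_URL, INDEXER_PASSWORD
# Arguments:
#   1. The alias to look for. String.
# Outputs:
#   The matching index names, one per line; nothing when no row matches.
#########################################################################
check_for_write_index() {
  # The credentials are passed as one quoted word so that a password
  # containing whitespace or glob characters reaches curl intact.
  # NOTE(security): -k disables TLS certificate verification, so the admin
  # credentials are sent without authenticating the indexer; prefer
  # --cacert <CA file> where the indexer's CA is available.
  curl -s -k -u "admin:${INDEXER_PASSWORD}" "${INDEXER_URL}/_cat/aliases" |
    grep -i -- "${1}" |
    grep -i true |
    awk '{print $2}'
}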
#########################################################################
# Renders the settings for the aliased write index: the given alias with
# "is_write_index" set to true. The alias is interpolated verbatim (no JSON
# escaping).
# Arguments:
#   1. The alias. String.
# Outputs:
#   The index settings as a JSON string.
#########################################################################
generate_write_index_alias() {
  local alias_name=$1

  cat <<EOF
{
"aliases": {
"${alias_name}": {
"is_write_index": true
}
}
}
EOF
}
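#########################################################################
# Creates the initial aliased write index.
# The request path is the URL-encoded form of <ALIAS-4.x-{now/d}-000001>.
# Globals (read):
#   INDEXER_URL, INDEXER_PASSWORD
# Arguments:
#   1. The alias. String.
# Returns:
#   curl's exit status; non-zero also when the indexer answers with an
#   HTTP error status.
#########################################################################
create_write_index() {
  local rc=0

  # The credentials are passed as one quoted word so that a password
  # containing whitespace or glob characters reaches curl intact.
  # --fail turns an HTTP error status into a non-zero exit status, so a
  # rejected request is reported instead of being discarded.
  # NOTE(security): -k disables TLS certificate verification, so the admin
  # credentials are sent without authenticating the indexer; prefer
  # --cacert <CA file> where the indexer's CA is available.
  curl -s -k --fail -u "admin:${INDEXER_PASSWORD}" -o /dev/null \
    -X PUT "${INDEXER_URL}/%3C${1}-4.x-%7Bnow%2Fd%7D-000001%3E?pretty" \
    -H 'Content-Type: application/json' \
    -d "$(generate_write_index_alias "${1}")" || rc=$?

  if ((rc != 0)); then
    echo "TEMPLATES AND POLICIES - Error creating write index for ${1}" >&2
  fi
  return "${rc}"
}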
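#########################################################################
# Creates the write indices for the aliases given as parameters.
# An alias that already has a write index is skipped.
# Globals (read):
#   aliases - used only when no arguments are given.
# Arguments:
#   The aliases to initialize, one per argument.
#########################################################################
create_indices() {
  # Honour the documented arguments; fall back to the global list so that a
  # call without arguments keeps working.
  local -a targets=("$@")
  local target
  local write_index

  if ((${#targets[@]} == 0)); then
    targets=("${aliases[@]}")
  fi

  echo "TEMPLATES AND POLICIES - Creating write indices"
  for target in "${targets[@]}"; do
    # Check if there are any write indices for the current alias
    write_index=$(check_for_write_index "${target}")
    # Create the write index if it does not exist
    if [[ -z "${write_index}" ]]; then
      create_write_index "${target}"
    fi
  done
}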
#########################################################################
# Shows usage help on stdout and terminates the script.
# Always exits with status 1, also when called for -h/--help.
# NOTE(security): a password given with -p/--indexer-password is part of the
# command line, so it can end up in shell history and the process list.
#########################################################################
show_help() {
  # Quoted delimiter: the text is printed literally, without expansion.
  cat <<'EOF'

NAME
 indexer-ism-init.sh - Manages the Index State Management plugin for Wazuh indexer index rollovers policies.

SYNOPSIS
 indexer-ism-init.sh [OPTIONS]

DESCRIPTION
 -a, --min-index-age <index-age>
 Set the minimum index age. By default 7d.

 -d, --min-doc-count <doc-count>
 Set the minimum document count. By default 200000000.

 -h, --help
 Shows help.

 -i, --indexer-hostname <hostname>
 Specifies the Wazuh indexer hostname or IP.

 -p, --indexer-password <password>
 Specifies the Wazuh indexer admin user password.

 -s, --min-shard-size <shard-size>
 Set the minimum shard size in GB. By default 25.

EOF
  exit 1
}
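#########################################################################
# Main function.
# Parses the command-line options into the policy and connection globals,
# then loads the templates, uploads the rollover policy and creates the
# initial write indices.
# Globals (written):
#   aliases, MIN_INDEX_AGE, MIN_DOC_COUNT, MIN_SHARD_SIZE,
#   INDEXER_HOSTNAME, INDEXER_URL, INDEXER_PASSWORD, C_AUTH
# Arguments:
#   The script's command-line options (see show_help).
#########################################################################
main() {
  # The list should contain every alias which indices implement the
  # rollover policy
  aliases=("wazuh-alerts" "wazuh-archives")

  while [ -n "${1}" ]; do
    case "${1}" in
      "-a" | "--min-index-age")
        if [ -z "${2}" ]; then
          echo "Error on arguments. Probably missing <index-age> after -a|--min-index-age"
          show_help
        else
          MIN_INDEX_AGE="${2}"
          shift 2
        fi
        ;;
      "-d" | "--min-doc-count")
        if [ -z "${2}" ]; then
          echo "Error on arguments. Probably missing <doc-count> after -d|--min-doc-count"
          show_help
        else
          MIN_DOC_COUNT="${2}"
          shift 2
        fi
        ;;
      "-h" | "--help")
        show_help
        ;;
      "-i" | "--indexer-hostname")
        if [ -z "${2}" ]; then
          echo "Error on arguments. Probably missing <hostname> after -i|--indexer-hostname"
          show_help
        else
          INDEXER_HOSTNAME="${2}"
          # INDEXER_URL was built from the default hostname when the script
          # was loaded; rebuild it, otherwise every request still goes to
          # the default host and -i has no effect.
          INDEXER_URL="https://${INDEXER_HOSTNAME}:9200"
          shift 2
        fi
        ;;
      "-p" | "--indexer-password")
        if [ -z "${2}" ]; then
          echo "Error on arguments. Probably missing <password> after -p|--indexer-password"
          show_help
        else
          # NOTE(security): the password arrives as a command-line argument,
          # so it can end up in shell history and the process list.
          INDEXER_PASSWORD="${2}"
          # Keep the curl shortcut in step with the new password.
          C_AUTH="-u admin:${INDEXER_PASSWORD}"
          shift 2
        fi
        ;;
      "-s" | "--min-shard-size")
        if [ -z "${2}" ]; then
          echo "Error on arguments. Probably missing <shard-size> after -s|--min-shard-size"
          show_help
        else
          MIN_SHARD_SIZE="${2}"
          shift 2
        fi
        ;;
      *)
        echo "Unknow option: ${1}"
        show_help
        ;;
    esac
  done

  # Load the Wazuh Indexer templates
  load_templates
  # Upload the rollover policy
  upload_rollover_policy
  # Create the initial write indices
  create_indices "${aliases[@]}"
}

main "$@"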