Execute custom curator jobs

[gebhard73]

This is a short description how to run custom curator jobs. I haven't been able to figure out an "official" way but this seems to work fine as of now. Please comment if there are better ways to do this.

The SO documentation can be found here: https://docs.securityonion.net/en/2.3/curator.html (but is somewhat "brief" ... ;-) )
Update 2021-06-27: The documentation has been enhanced based on the information below, thanks @TheN00bBuilder .

1. Create an action file in /opt/so/saltstack/local/salt/curator/files/action/:
   This action file defines the parameters of the delete job. For examples see /opt/so/saltstack/default/salt/curator/files/action/. The file should be owned by curator:socore.

2. Create a script file in /opt/so/saltstack/local/salt/curator/files/bin/:
   This script file will execute curator with the action file. For excamples see /opt/so/saltstack/default/salt/curator/files/bin/.

3. Create saltstack file:
   The default curator saltstack file must be altered. Copy /opt/so/saltstack/default/salt/curator/init.sls to /opt/so/saltstack/local/salt/curator and add the following parts:

• file.managed section for the script, e.g.

curdel-test:
  file.managed:
    - name: /usr/sbin/so-curator-delete-test
    - source: salt://curator/files/bin/so-curator-delete-test
    - user: 934
    - group: 939
    - mode: 755

• cron definition:

so-curatordelete-test-cron:
 cron.present:
   - name: /usr/sbin/so-curator-delete-test > /opt/so/log/curator/cron-delete-test.log 2>&1
   - user: root
   - minute: '45'
   - hour: '8'
   - daymonth: '*'
   - month: '*'
   - dayweek: '2-5'

4. Restart curator:
   sudo so-curator-restart

5. Check cronjobs:
   sudo crontab -l
   The new job should be listed. Check the bin file's location, too.

Note: please make sure that you copy modifications / additions introduced by SO updates for /opt/so/saltstack/default/salt/curator/init.sls into your customized /opt/so/saltstack/local/salt/curator/init.sls. See also #4441.

[TheN00bBuilder]

Great work! I'll go ahead and try it myself. After that, would you mind if I typed it up prettily and submitted a pull request to the docs to get this added? It'd help a lot of people, myself included. If you planned on doing that, perfectly fine, just thought I'd help if I can!

[TheN00bBuilder]

Just tried it, worked great! Two things of note however, First, I'd note is that copying the current init.sls from /opt/so/saltstack/local/salt/curator/ somewhere safe as a backup and modifying it as you go may be a smarter move than copying over the changes from that file into a default / fresh init.sls file in case of any missed modifications. The worst that can happen is a failed curator start, in which you can copy the backup back in and start again. Secondly, just a really nit-picky thing (but makes it a lot faster!) for step 3, all jobs are going to have nearly the same settings (minus cronjob times and names) so you can just "yank" and "paste" the groups of lines in vi instead of typing them out, leaving less room for error.

[TheN00bBuilder]

And also, thank you for typing this up! Saved me so much headache.

[gebhard73]

Thanks for your comments.

Personally I would not alter anything below local at all because this would be overwritten by an update and is "owned" by SO - so the original distribution is never touched. I'd always work on a copy in local and do a diff after the update from my local to the new global to see if I would have to add or modify anything in my local (see #4441). This way around I know that after an update my stuff is still included and normally I won't break production. So for me it's the safer way - but it depends on your set up and environment... - and it is more ore less a philosophical question ;-) (see also #3175 for the same idea for other configuration work)

Ideal would be a solution to include a local sls into a global one automagically, if present. I haven't found anything similar yet ...

Feel free to create a pull request for the docs - It's hard for me to free me some time to do it myself. Thanks!

[TheN00bBuilder]

Ah, well understood. I'm still a little new to SO but I can see where that is an issue now. I'll go ahead and get this added to a pull request and Doug or whoever else can then confirm if it's exactly what they had in mind for adding custom jobs. I'll also leave credit to you in the docs!

[gebhard73]

Many thanks for taking care of the docs - no credit needed ;-) Glad s/o noticed this thread and pushed me documenting the stuff ...

[facyber]

Just small notes from my side:

1. Not sure if that is important or not, but in my case my files are owned by socore:socore just like in default folder, by default.
2. Not sure what kind of deployment type you have, but in case of Manager + Heavy Node(s), instead of sudo so-curator-restart I have to apply salt with salt-call state.apply curator on Heavy Node, as Manager node does not contain curator.

Hope this helps to others. :)

[gebhard73]

Thanks for the hints - valuable information :-)

[Git-Me-Some-Hub]

@gebhard73 - Would you be able to provide any help for someone trying to follow your instruction additions for SO-Curator section, and having issues when I copy the warm action file template over into a new file. It says I have an extra argument.
Discussion: #4896

This is my first one, and I do not have a self created working action file to base anything off of.

It would be much appreciated if you could.

[gebhard73]

It seems you have a typo in the script / bin file. The last line must be something like this:
docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/delete.yml > /dev/null 2>&1
It looks like you have a $ in there ... and not > /dev/null 2>&1

And why have you defined two cron jobs?

[Git-Me-Some-Hub]

Thanks, I must have copied it from nano and did not have the space... really stupid mistake.

After letting stuff replicate, and restarting the curator service I do show that the so-beats-warm, and the cron job are no longer creating log entries.... Which I suppose is a good thing. I guess I am going to have to wait to see if it will start moving any files to the warm state.
Thanks!

[Git-Me-Some-Hub]

I should also include that I went ahead and removed the second cron job that was in error (messed up init entry) via the root cron file: /var/spool/cron/root. Hoping this gives me a good start to next do some snapshots for proper backups.

[TheN00bBuilder]

Glad you got it working! If you want to confirm that the job is showing up, run crontab -l and see if your new curator job has a cron job. That's the sign of a successful addition! :D

[Git-Me-Some-Hub]

I do actually see it there, just not sure how I confirm these moves/allocations are actually happening.