1+ #! /bin/bash
2+ # Wazuh Copyright (C) 2023 Wazuh Inc. (License GPLv2)
3+ # Wazuh - Indexer set rollover policy and templates
4+
5+ # Policy settings
6+ MIN_SHARD_SIZE=${MIN_SHARD_SIZE:- 25}
7+ MIN_INDEX_AGE=${MIN_INDEX_AGE:- " 7d"
8+ MIN_DOC_COUNT=${MIN_DOC_COUNT:- 200000000}
9+ ISM_INDEX_PATTERNS=${ISM_INDEX_PATTERNS:- ' ["wazuh-alerts-*", "wazuh-archives-*", "-wazuh-alerts-4.x-sample*"]'
10+ ISM_PRIORITY=${ISM_PRIORITY:- 50}
11+
12+ POLICY_NAME=" rollover_policy"
13+
14+ INDEXER_URL=" https://localhost:9200"
15+
16+ # curl settings shortcuts
17+ C_AUTH=" -u admin:admin"
18+
19+ # ########################################################################
20+ # Creates the rollover_policy ISM policy.
21+ # Globals:
22+ # MIN_SHARD_SIZE: The minimum shard size in GB.
23+ # MIN_INDEX_AGE: The minimum index age.
24+ # MIN_DOC_COUNT: The minimum document count.
25+ # ISM_INDEX_PATTERNS: The index patterns to apply the policy.
26+ # ISM_PRIORITY: The policy priority.
27+ # Arguments:
28+ # None.
29+ # Returns:
30+ # The rollover policy as a JSON string
31+ # ########################################################################
32+ function generate_rollover_policy() {
33+ cat << EOF
34+ {
35+ "policy": {
36+ "description": "Wazuh rollover and alias policy",
37+ "default_state": "active",
38+ "states": [
39+ {
40+ "name": "active",
41+ "actions": [
42+ {
43+ "rollover": {
44+ "min_primary_shard_size": "${MIN_SHARD_SIZE} gb",
45+ "min_index_age": "${MIN_INDEX_AGE} ",
46+ "min_doc_count": "${MIN_DOC_COUNT} "
47+ }
48+ }
49+ ]
50+ }
51+ ],
52+ "ism_template": {
53+ "index_patterns": $ISM_INDEX_PATTERNS ,
54+ "priority": "${ISM_PRIORITY} "
55+ }
56+ }
57+ }
58+ EOF
59+ }
60+
61+
62+ # ########################################################################
63+ # Creates an index template with order 3 to set the rollover alias.
64+ # Arguments:
65+ # - The alias name, a string. Also used as index pattern.
66+ # Returns:
67+ # The index template as a JSON string.
68+ # ########################################################################
69+ function generate_rollover_template() {
70+ cat << EOF
71+ {
72+ "order": 3,
73+ "index_patterns": ["$1 -*"],
74+ "settings": {
75+ "index.plugins.index_state_management.rollover_alias": "$1 "
76+ }
77+ }
78+ EOF
79+ }
80+
81+
82+ # ########################################################################
83+ # Loads the index templates for the rollover policy to the indexer.
84+ # ########################################################################
85+ function load_templates() {
86+ # Note: the wazuh-template.json could also be loaded here.
87+ for alias in " ${aliases[@]} " ; do
88+ echo " TEMPLATES AND POLICIES - Uploading ${alias} template"
89+ generate_rollover_template " ${alias} " | curl -s -k ${C_AUTH} \
90+ -X PUT " $INDEXER_URL /_template/${alias} -rollover"
91+ -H ' Content-Type: application/json'
92+ done
93+ }
94+
95+
96+ # ########################################################################
97+ # Uploads the rollover policy.
98+ # If the policy does not exist, the policy "${POLICY_NAME}" is created.
99+ # If the policy exists, but the rollover conditions are different, the
100+ # policy is updated.
101+ # Arguments:
102+ # None.
103+ # ########################################################################
104+ function upload_rollover_policy() {
105+ policy_exists=$(
106+ curl -s -k ${C_AUTH} \
107+ -X GET " $INDEXER_URL /_plugins/_ism/policies/${POLICY_NAME} "
108+ -o /dev/null \
109+ -w " %{http_code}"
110+ )
111+
112+ # Check if the ${POLICY_NAME} ISM policy was loaded (404 error if not found)
113+ if [[ $policy_exists == " 404" ; then
114+ echo " TEMPLATES AND POLICIES - Uploading ${POLICY_NAME} ISM policy"
115+ generate_rollover_policy | curl -s -k ${C_AUTH} -o /dev/null \
116+ -X PUT " $INDEXER_URL /_plugins/_ism/policies/${POLICY_NAME} "
117+ -H ' Content-Type: application/json'
118+ else
119+ if [[ $policy_exists == " 200" ; then
120+ echo " TEMPLATES AND POLICIES - ${POLICY_NAME} policy already exists"
121+ else
122+ echo " TEMPLATES AND POLICIES - Error uploading ${POLICY_NAME} policy"
123+ fi
124+ fi
125+ }
126+
127+
128+ # ########################################################################
129+ # Check if an alias exists in the indexer.
130+ # Arguments:
131+ # 1. The alias to look for. String.
132+ # ########################################################################
133+ function check_for_write_index() {
134+ curl -s -k ${C_AUTH} " $INDEXER_URL /_cat/aliases" | \
135+ grep -i " ${1} " | \
136+ grep -i true | \
137+ awk ' {print $2}'
138+ }
139+
140+
141+ # ########################################################################
142+ # Creates the settings for the aliased write index.
143+ # Arguments:
144+ # 1. The alias. String.
145+ # ########################################################################
146+ function generate_write_index_alias() {
147+ cat << EOF
148+ {
149+ "aliases": {
150+ "$1 ": {
151+ "is_write_index": true
152+ }
153+ }
154+ }
155+ EOF
156+ }
157+
158+
159+ # ########################################################################
160+ # Creates the initial aliased write index.
161+ # Arguments:
162+ # 1. The alias. String.
163+ # ########################################################################
164+ function create_write_index() {
165+ curl -s -k ${C_AUTH} -o /dev/null \
166+ -X PUT " $INDEXER_URL /%3C${1} -4.x-%7Bnow%2Fd%7D-000001%3E?pretty"
167+ -H ' Content-Type: application/json' " $( generate_write_index_alias " ${1} " ) "
168+ }
169+
170+
171+ # ########################################################################
172+ # Creates the write indices for the aliases given as parameter.
173+ # Arguments:
174+ # 1. List of aliases to initialize.
175+ # ########################################################################
176+ function create_indices() {
177+ echo " TEMPLATES AND POLICIES - Creating write indices"
178+ for alias in " ${aliases[@]} " ; do
179+ # Check if there are any write indices for the current alias
180+ write_index_exists=$( check_for_write_index " ${alias} " )
181+
182+ # Create the write index if it does not exist
183+ if [[ -z $write_index_exists ]]; then
184+ create_write_index " ${alias} "
185+ fi
186+ done
187+ }
188+
189+
190+ # ########################################################################
191+ # Main function.
192+ # ########################################################################
193+ function main() {
194+ # The list should contain every alias which indices implement the
195+ # rollover policy
196+ aliases=(" wazuh-alerts" " wazuh-archives"
197+
198+ # Load the Wazuh Indexer templates
199+ load_templates
200+
201+ # Upload the rollover policy
202+ upload_rollover_policy
203+
204+ # Create the initial write indices
205+ create_indices " ${aliases[@]} "
206+ }
207+
208+ main " $@ "
0 commit comments