In [1]:
# Load libraries necessary for demo
from elasticsearch import Elasticsearch
from elasticsearch import helpers
from elasticsearch_dsl import Search
import es # This is part of this GitHub Repo
import retention # This is part of this GitHub Repo
import rollover # This is part of this GitHub Repo
import pandas as pd
import toml
import os
import json

In [2]:
# Connect to Elasticsearch
es_connection = Elasticsearch('http://localhost:9200')

In [3]:
# Cleanup previous demo data - optional
# Will throw errors if index does not exist - not a big deal
es_connection.indices.delete(index="demo-nessus*")
es_connection.indices.delete(index="demo-suricata*")

{'acknowledged': True}

In [4]:
# This creates a rollover instance with an index aliases to demo-nessus
es_connection.indices.create(index="demo-nessus-000001", body='{"aliases": { "demo-nessus": { "is_write_index": true }}}')
# Load Nessus sample data - Uses bulk insertion
nessus_data = es.load_json_file('demo/logs/nessus.json')
es.bulk_insert_data_to_es(es_connection, nessus_data, "demo-nessus")

True

In [5]:
# This creates a rollover instance with an index aliases to demo-suricata
# This can take a minute or two to run
es_connection.indices.create(index="demo-suricata-000001", body='{"aliases": { "demo-suricata": { "is_write_index": true }}}')
# Load Suricata sample data - Uses bulk insertion
suricata_data = es.load_json_file('demo/logs/suricata.json')
es.bulk_insert_data_to_es(es_connection, suricata_data, "demo-suricata")

True

In [None]:
# Set our demo search context - will search suricata and nessus data
search_context = Search(using=es_connection, index='demo-*', doc_type='doc')

In [None]:
# Test query data from Suricata
s = search_context.query('query_string', query='src_ip:172.16.0.2 AND dest_port:80')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
df

In [None]:
def query_es(index, query):
    search_context = Search(using=es_connection, index=index, doc_type=query)
    s = search_context.query('query_string', query=query)
    response = s.execute()
    if response.success():
        df = pd.DataFrame((d.to_dict() for d in s.scan()))
        return df

In [None]:
# Test the new function
query_es("demo-nessus","Category:Services")

In [None]:
# In case you don't want a DataFrame, this function returns a standard list
def query_es_return_list(index, query):
    search_context = Search(using=es_connection, index=index, doc_type=query)
    s = search_context.query('query_string', query=query)
    response = s.execute()
    if response.success():
        return response['hits']['hits']

In [None]:
# Test the new function - results may be easier for standard Python automation
query_es_return_list("demo-nessus","Category:Services")

In [None]:
# Get all indices in Elasticsearch Cluster
es_connection.cat.indices(format="json")

In [None]:
# Get all indices in Elasticsearch Cluster but with specific fields and format bytes to raw number
# Also set full field names instead of short and sort by creation.date
es_connection.cat.indices(format="json", h=("health","status","index","uuid","shardsPrimary","shardsReplica","docsCount","docsDeleted","storeSize","creation.date.string","creation.date","memory.total", "pri.store.size"), s="creation.date", bytes="b")

In [6]:
# Find out what the newest document creation date is of a given index
date = es.get_newest_document_date_in_index("", "demo-suricata", es_connection)
date.isoformat()

'2021-01-08T00:22:46.255000'

In [7]:
# Forcemerge an index - Will timeout on normal-to-large indices
# When this times out it continues to run in the background
es_connection.indices.forcemerge(index='demo-suricata', max_num_segments=1)

{'_shards': {'total': 2, 'successful': 1, 'failed': 0}}

In [8]:
# Check cluster health
es_connection.cluster.health()

{'cluster_name': 'demo',
 'status': 'yellow',
 'timed_out': False,
 'number_of_nodes': 1,
 'number_of_data_nodes': 1,
 'active_primary_shards': 3,
 'active_shards': 3,
 'relocating_shards': 0,
 'initializing_shards': 0,
 'unassigned_shards': 2,
 'delayed_unassigned_shards': 0,
 'number_of_pending_tasks': 0,
 'number_of_in_flight_fetch': 0,
 'task_max_waiting_in_queue_millis': 0,
 'active_shards_percent_as_number': 60.0}

In [9]:
# Load sample settings.toml and override a few settings for demo use
settings = toml.load("settings.toml.example")
settings['settings']['client_json_folder'] = os.getcwd()
settings['retention']['enabled'] = True
settings['rollover']['enabled'] = True
print(settings)

{'settings': {'client_json_folder': '/opt/elastic-ilm', 'debug': False, 'limit_to_client': '', 'password_authentication': False, 'ssl_enabled': False, 'ssl_certificate': 'disabled', 'check_hostname': False}, 'notification': {'smtp': 'disabled', 'ms-teams': 'disabled', 'jira': 'disabled'}, 'smtp': {'from_email': 'from@domain.com', 'username': 'user@domain.com', 'password': '', 'smtp_host': 'smtp.office365.com', 'smtp_port': 587}, 'ms-teams': {'webhook': ''}, 'retention': {'enabled': True, 'minutes_between_run': 60, 'health_check_level': 'yellow', 'ms-teams': True, 'jira': False}, 'rollover': {'enabled': True, 'minutes_between_run': 10, 'health_check_level': 'yellow', 'ms-teams': True, 'jira': False}, 'accounting': {'enabled': False, 'minutes_between_run': 240, 'output_folder': '', 'output_to_es': True, 'send_copy_to_client_name': '', 'health_check_level': 'green', 'retry_attempts': 10, 'retry_wait_in_seconds': 1200, 'fallback_health_check_level': 'yellow', 'ssd_cost': 0.03, 'sata_cost':

In [10]:
# Load sample client.json.example and override a few settings for demo use
with open('client.json.example') as f:
    client_config = json.load(f)
client_config['es_host'] = "localhost"
client_config['policy']['retention']['demo'] = 45
print(client_config)

{'ca_file': '/home/jhenderson/elastic/ca.crt', 'es_host': 'localhost', 'es_port': 9200, 'ssl_enabled': False, 'ssl_certificate': 'required', 'check_hostname': False, 'password_authentication': False, 'es_user': 'elastic', 'es_password': 'password', 'policy': {'allocation': {'global': 30, '.monitoring': 7}, 'rollover': {'global': {'size': 'auto', 'days': 30}}, 'retention': {'global': 90, '.monitoring': 7, 'demo': 45}}}


In [11]:
# Let's validate the retention policy is applying correcly against an index starting with demo
retention_policies = es.get_retention_policy(client_config)
index_policy = es.check_index_retention_policy("demo-suricata-000001", retention_policies)
# This should print demo if it grabbed the retention policy starting with demo
print(index_policy)

demo


In [12]:
# Let's simulate having a policy apply for demo* but a more specific one winning for demo-suricata
client_config['policy']['retention']['demo-suricata'] = 40
index_policy = es.check_index_retention_policy("demo-suricata-000001", retention_policies)
# This should print demo-suricata if it grabbed the retention policy starting with demo-suricata
print(index_policy)

demo-suricata


In [13]:
# Same concept applies for rollover policies
rollover_policies = rollover.get_rollover_policy(client_config)
index_policy = es.check_index_rollover_policy("demo-suricata-000001", rollover_policies)
# This should print global because no rollover policy was created for demo
print(index_policy)

global


In [14]:
# Set rollover policy for demo and then test again
client_config['policy']['rollover']['demo'] = {}
client_config['policy']['rollover']['demo']['size'] = "auto"
client_config['policy']['rollover']['demo']['days'] = 30
index_policy = es.check_index_rollover_policy("demo-suricata-000001", rollover_policies)
# This should print demo because there now is a policy applying against indices starting with demo
print(index_policy)

demo


In [15]:
# Policy is used to validate if something should be deleted, rolled over, etc.
# Let's test a force rollover
es.rollover_index_with_connection(client_config, "demo-nessus-000001", 'demo-nessus', es_connection)

{'acknowledged': True}

In [20]:
# Check to see if demo-nessus index was rolled over - if it did it should now be demo-nessus-000002
es_connection.cat.aliases('demo-nessus', format="json", h=("index","is_write_index"))

[{'index': 'demo-nessus-000002', 'is_write_index': 'true'},
 {'index': 'demo-nessus-000001', 'is_write_index': 'false'}]

In [4]:
# THIS SECTION ONLY WORKS IF YOU COPY settings.toml.example TO settings.toml
# AND client.json.example to client.json and make them able to connect to your demo cluster
#rollover.apply_rollover_policies("")
retention.apply_retention_policies("yellow", "")

TypeError: apply_retention_policies() missing 1 required positional argument: 'manual_client'