I’m working in an environment where there’s a common piece of software, a SIEM event forwarder, that we use to forward events from multiple other pieces of software. I already have a cookbook that installs the SIEM forwarder and does a basic config. Here’s where I’m running into problems.
Because it’s a SIEM forwarder, I may have it forwarding events for the log files of multiple pieces of software on the same machine.
So I have software A and software B, the logs from both of which I want to forward to the SIEM. I have cookbooks for both software A and software B. Should the recipes to configure the SIEM forwarder for each piece of software be located in the cookbook for the SIEM forwarder or in the cookbooks for each of the pieces of software?
IE:
SIEM forwarder cookbook {configure_SIEM_software_A, configure_SIEM, software_b}
Software A cookbook {}
Software B cookbook {}
SIEM forwarder cookbook {}
Software A cookbook {configure_SIEM_software_A}
Software B cookbook {configure_SIEM_software_B}
I would create the SIEM forwarder cookbook to accept all the necessary configurations through attributes. This was you can configure dynamically the SIEM forwarder and adjust it to the binding softwares. If the software A and B are also handled by cookbooks, then the software cookbooks could define the SIEM cookbook as a dependency and include the SIEM forwarder recipe in the runlist. This way the software cookbook would act as a wrapper cookbook for SIEM forwarder installations and would provide the necessary configs that the different softwares need
Thanks for your answer. I think the one complication to this is that there might be multiple pieces of software on the same machine, and so in the same run list, that want to leverage the SIEM forwarder, which means multiple cookbooks needed to pass attributes to the SIEM cookbook, but not at the same time.
In this case the SIEM forwarder has a single file where the log files to be monitored are specified. It seems that either we need a template of that configuration file for every machine type that we have, or we need to need to have the recipes modify the configuration file.
Having a template SIEM configuration file for each machine type we have seems clunky and means that if we want to install a piece of software for which we already have an existing cookbook we still need to modify the template in the SIEM cookbook.
Modifying the SIEM configuration file as part of the software cookbook seems to go against Chef best practices, and again runs into this question of how I do that. Are you suggesting I would have a recipe in the SIEM cookbook that I could pass attributes of the software that adds what I need to the SIEM config file? That SIEM recipe would live in the SIEM cookbook, and would just be called by a recipe in the software deployment recipes.
You are right, templates should be used to generate the necessary configurations and erb logic should enable dynamic content generation through attributes… for example: https://github.com/chef-cookbooks/sql_server/issues/94
Iterating through array or hashes can provide a good flexibility. The question now is how to provide the full “attribute net” for the SIEM cookbook… If you have software A and B on the same node, do you know ahead what will be the monitored logs? Maybe you could just simply manually create the necessary attributes via an environment json file and feed it to the SIEM cookbook.
Are you using chef-server <-> chef-client framework or using solo/zero?
I’m using chef-server <-> chef client through AWS opsworks.
I do know what software will be on the machines right now, but I’d like to keep as much flexibility as possible, in case that changes. I’d like to avoid having the manually change a template file as the number of logs I want to monitor on these machines expands or contracts. That’s why having the configuration recipe in the software cookbook is appealing. Adding the recipes from the new software’s cookbook would also automatically add the needed log file to the SIEM forwarder configuration file.
We’re quickly getting out of my realm of experience with Chef. Is there a way to pass something like an array between cookbooks in a run list without having to statically declare it something like json attributes?
You do not need to modify the template if you build up the file content based on the logic I have sent earlier. You can “pass” attributes between cookbooks, which means defining the node object through wrapper (software A or B cookbook) for the SEM cokkbook
Recipe part of wrapper cookbook: node.default['siem']['attribute'] = node['softwareA']['siem']
So setting the node object for siem cookbook before running the siem recipe
You could also bind the the node on the chef-server to an environment and set the environment default attributes for the siem cookbook. This would require manual setting, but only once and if a new software installations is needed just update the environment attributes and the dynamic template negine of the siem cookbook will handle the job.