Elastic 7-x cloud adaption (#255)

Former-commit-id: 6d9595327d
2025-10-23 04:51:57 +00:00 · 2019-10-01 11:28:04 +02:00
parent 303e0f6557
commit 086ba71c69
29 changed files with 266 additions and 128 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,18 +1,42 @@
 # Change Log
 All notable changes to this project will be documented in this file.

+## Wazuh Docker v3.9.5_7.2.1
+
+### Added
+
+- Update to Wazuh version 3.9.5_7.2.1
+
+
+## Wazuh Docker v3.9.4_7.2.0
+
+### Added
+
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
+
 ## Wazuh Docker v3.9.4_6.8.1

+
+## Wazuh Docker v3.9.3_7.2.0
+
+### Fixed
+- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
+
+## Wazuh Docker v3.9.2_7.1.1
+
+### Added
+
+- Update to Wazuh version 3.9.2_7.1.1
+
 ## Wazuh Docker v3.9.3_6.8.1

 ### Added

 - Update to Wazuh version 3.9.3_6.8.1
-
-### Added
-
 - Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))

+
 ## Wazuh Docker v3.9.2_6.8.0

 ### Added
@@ -31,6 +55,15 @@ All notable changes to this project will be documented in this file.

 - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))

+
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
+
 ## Wazuh Docker v3.9.0_6.7.2

 ### Changed
--- a/README.md
+++ b/README.md
@@ -8,7 +8,6 @@
 In this repository you will find the containers to run:

 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
-* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
 * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
 * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
 * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
@@ -33,11 +32,6 @@ In addition, a docker-compose file is provided to launch the containers mentione
 	│   │   └── kibana.yml
 	│   └── Dockerfile
 	├── LICENSE
-	├── logstash
-	│   ├── config
-	│   │   ├── 01-wazuh.conf
-	│   │   └── run.sh
-	│   └── Dockerfile
 	├── nginx
 	│   ├── config
 	│   │   └── entrypoint.sh
@@ -63,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione

 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.

 ## Credits and Thank you

@@ -76,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.

 ## License and copyright

-Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 ## Web references

--- a/4
+++ b/4
@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
-REVISION="3942"
+WAZUH-DOCKER_VERSION="3.9.5_7.2.1"
+REVISION="3950"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ version: '2'

 services:
  wazuh:
-    image: wazuh/wazuh:3.9.3_6.8.1
+    image: wazuh/wazuh:3.9.5_7.2.1
    hostname: wazuh-manager
    restart: always
    ports:
@@ -32,16 +32,12 @@ services:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
  elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
+    image: wazuh/wazuh-elasticsearch:3.9.5_7.2.1
    hostname: elasticsearch
    restart: always
    ports:
      - "9200:9200"
    environment:
-      - node.name=node-1
-      - cluster.name=wazuh
-      - network.host=0.0.0.0
-      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      - ELASTICSEARCH_PROTOCOL=https
      - ELASTICSEARCH_IP=elasticsearch
@@ -63,13 +59,20 @@ services:
      - SECURITY_OPENSSL_CONF=TEST_openssl.cnf
      - SECURITY_MONITORING_USER=service_monitoring
      - SECURITY_MONITORING_PASS=monitoring_pass
+      - ELASTIC_CLUSTER=true
+      - CLUSTER_NODE_MASTER=true
+      - CLUSTER_MASTER_NODE_NAME=elasticsearch
+      - CLUSTER_NODE_DATA=true
+      - CLUSTER_NODE_INGEST=true
+      - CLUSTER_MAX_NODES=3
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 2g
+
  kibana:
-    image: wazuh/wazuh-kibana:3.9.3_6.8.1
+    image: wazuh/wazuh-kibana:3.9.5_7.2.1
    hostname: kibana
    restart: always
    depends_on:
--- a/elasticsearch/Dockerfile
+++ b/elasticsearch/Dockerfile
@@ -1,8 +1,9 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.2.1
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
+ARG TEMPLATE_VERSION=v3.9.5

-ENV ALERTS_SHARDS="1" \
-    ALERTS_REPLICAS="0"
+ENV ELASTICSEARCH_URL="http://elasticsearch:9200"

 ENV API_USER="foo" \
    API_PASS="bar"
@@ -11,8 +12,10 @@ ENV XPACK_ML="true"

 ENV ENABLE_CONFIGURE_S3="false"

-ENV TEMPLATE_VERSION=v3.9.4
+ENV WAZUH_ALERTS_SHARDS="1" \
+    WAZUH_ALERTS_REPLICAS="0"

+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config

 # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
 # command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
@@ -29,19 +32,19 @@ ARG SECURITY_CA_TRUST_LOCATION=""

 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
 ENV ELASTIC_CLUSTER="false" \
    CLUSTER_NAME="wazuh" \
-    CLUSTER_NODE_MASTER="true" \
+    CLUSTER_NODE_MASTER="false" \
    CLUSTER_NODE_DATA="true" \
    CLUSTER_NODE_INGEST="true" \
-    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
    CLUSTER_MEMORY_LOCK="true" \
    CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
    CLUSTER_NUMBER_OF_MASTERS="2" \
    CLUSTER_MAX_NODES="1" \
-    CLUSTER_DELAYED_TIMEOUT="1m"
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
+    CLUSTER_DELAYED_TIMEOUT="1m" \
+    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
+    CLUSTER_DISCOVERY_SEED="elasticsearch"

 # CA cert for Transport SSL
 ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
@@ -49,7 +52,8 @@ ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
 ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
 ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 

-RUN yum install openssl -y
+RUN yum install openssl -y && \
+    yum install unzip -y

 RUN mkdir /entrypoint-scripts

@@ -61,7 +65,7 @@ COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./

 RUN chmod +x ./load_settings.sh

-RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
+RUN bin/elasticsearch-plugin install repository-s3 -b

 COPY config/configure_s3.sh ./config/configure_s3.sh
 RUN chmod 755 ./config/configure_s3.sh
@@ -70,7 +74,7 @@ COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoi
 RUN chmod +x /entrypoint-scripts/10-config_cluster.sh

 COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
+RUN chmod +x /entrypoint-scripts/20-config_cluster.sh

 COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
 RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
--- a/elasticsearch/config/10-config_cluster.sh
+++ b/elasticsearch/config/10-config_cluster.sh
@@ -1,36 +1,93 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
 original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
+ELASTIC_HOSTAME=`hostname`
+
+echo "CLUSTER: - Prepare Configuration"
+echo "CLUSTER: - Hostname"
+echo $ELASTIC_HOSTAME
+echo "CLUSTER: - Security main node"
+echo $SECURITY_MAIN_NODE
+echo "CLUSTER: - Discovery seed"
+echo $CLUSTER_DISCOVERY_SEED
+echo "CLUSTER: - Elastic cluster flag"
+echo $ELASTIC_CLUSTER
+echo "CLUSTER: - Node Master"
+echo $CLUSTER_NODE_MASTER
+echo "CLUSTER: - Node Data"
+echo $CLUSTER_NODE_DATA
+echo "CLUSTER: - Node Ingest"
+echo $CLUSTER_NODE_INGEST

 cp $elastic_config_file $original_file 

-# If Elasticsearch cluster is enable
-if [[ $ELASTIC_CLUSTER == "true" ]]
-then
-  
-  # Set the cluster.name and discovery.zen.minimun_master_nodes variables
-  sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
+remove_single_node_conf(){
+  if grep -Fq "discovery.type" $1; then
+    sed -i '/discovery.type\: /d' $1 
+  fi
+}

-  # Add the cluster configuration
-  echo "
-#cluster node
-node:
-  master: ${CLUSTER_NODE_MASTER}
-  data: ${CLUSTER_NODE_DATA}
-  ingest: ${CLUSTER_NODE_INGEST}
-  name: ${CLUSTER_NODE_NAME}
-  max_local_storage_nodes: ${CLUSTER_MAX_NODES}
+remove_cluster_config(){
+  sed -i '/# cluster node/,/# end cluster config/d' $1
+}

-bootstrap:
-  memory_lock: ${CLUSTER_MEMORY_LOCK}
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "CLUSTER: - Remove old configuration"

-discovery:
-  zen:
-    ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
-    minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
-  
-" >> $elastic_config_file
+if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+echo "CLUSTER: - Add the master configuration"
+
+cat > $elastic_config_file << EOF
+# cluster node
+cluster.name: $CLUSTER_NAME
+bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
+network.host: 0.0.0.0
+node.name: $ELASTIC_HOSTAME
+node.master: $CLUSTER_NODE_MASTER
+node.data: $CLUSTER_NODE_DATA
+node.ingest: $CLUSTER_NODE_INGEST
+node.max_local_storage_nodes: $CLUSTER_MAX_NODES
+cluster.initial_master_nodes: 
+  - $ELASTIC_HOSTAME
+# end cluster config" 
+EOF
+
+elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+echo "CLUSTER: - Add standard cluster configuration."
+
+cat > $elastic_config_file << EOF
+# cluster node
+cluster.name: $CLUSTER_NAME
+bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
+network.host: 0.0.0.0
+node.name: $ELASTIC_HOSTAME
+node.master: $CLUSTER_NODE_MASTER
+node.data: $CLUSTER_NODE_DATA
+node.ingest: $CLUSTER_NODE_INGEST
+node.max_local_storage_nodes: $CLUSTER_MAX_NODES
+discovery.seed_hosts: 
+  - $CLUSTER_DISCOVERY_SEED
+# end cluster config" 
+EOF
 fi
+# If the cluster is disabled, then set a single-node configuration
+else
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "discovery.type: single-node" >> $elastic_config_file
+  echo "CLUSTER: - Discovery type: single-node"
+fi
+
+echo "CLUSTER: - Configured"
--- a/elasticsearch/config/20-config_secure.sh
+++ b/elasticsearch/config/20-config_secure.sh
@@ -16,14 +16,21 @@ if [[ $SECURITY_ENABLED == "yes" ]]; then

  echo "Setting configuration options."

+  ELASTIC_HOSTNAME=`hostname`
+  POD_DNS="$ELASTIC_HOSTNAME.$NAMESPACE.pod.cluster.local"
+  SVC_DNS="elasticsearch.$NAMESPACE.svc.cluster.local"
+
  # Create instances.yml for elasticsearch .p12 certificate and key
  echo "
 instances:
 - name: \"elasticsearch\"
-  dns: 
-    - $SECURITY_CERTIFICATE_DNS
+  dns:
+    - \"$POD_DNS\"
+    - \"$SVC_DNS\"
 " > instances.yml

+  cp instances.yml /usr/share/elasticsearch
+
  # Change permissions and owner of ca
  chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
  chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
@@ -32,6 +39,7 @@ instances:
  # Genereate .p12 certificate and key
  SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
  /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
+  mv /usr/share/elasticsearch/certs.zip /usr/share/elasticsearch/config/certs.zip
  unzip certs.zip
  rm certs.zip 

@@ -108,4 +116,3 @@ xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/con
  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin

 fi
-
--- a/elasticsearch/config/configure_s3.sh
+++ b/elasticsearch/config/configure_s3.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 set -e

--- a/elasticsearch/config/entrypoint.sh
+++ b/elasticsearch/config/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
--- a/elasticsearch/config/load_settings.sh
+++ b/elasticsearch/config/load_settings.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 set -e

@@ -84,7 +84,7 @@ fi

 if [ ${SECURITY_ENABLED} != "no" ]; then
  auth="-uelastic:${ELASTIC_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
  auth=""
 else
  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
@@ -160,22 +160,24 @@ if [[ $SECURITY_ENABLED == "yes" ]]; then
  fi
 fi

-#Insert default templates
-
-sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
+# Modify wazuh-alerts template shards and replicas
+sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
+sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json

+# Insert default templates
 cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
 sleep 5

-
+# Prepare Wazuh API credentials
 API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
 API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
 API_PASSWORD=`echo -n $API_PASS_Q | base64`

 echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+if [ "x$CONFIG_CODE" != "x200" ]; then
+  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
  {
    "api_user": "'"$API_USER_Q"'",
    "api_password": "'"$API_PASSWORD"'",
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,9 +1,12 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.8.2
-ARG WAZUH_APP_VERSION=3.9.4_6.8.2
+FROM docker.elastic.co/kibana/kibana:7.2.1
+ARG ELASTIC_VERSION=7.2.1
+ARG WAZUH_VERSION=3.9.5
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
 USER root

-ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp

 # This CA is created for testing. Please set your own CA pem signed certificate. 
 # command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
@@ -15,9 +18,8 @@ ARG SECURITY_CA_PEM_LOCATION=""
 # CA for secure communication with Elastic
 ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config

-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana:kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
+RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
+RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip

 RUN yum install openssl -y

@@ -90,4 +92,11 @@ RUN ./welcome_wazuh.sh

 RUN /usr/local/bin/kibana-docker --optimize

+USER root
+
+RUN chmod 777 /usr/share/kibana/plugins/wazuh/config.yml
+RUN chmod 777 /usr/share/kibana/plugins/wazuh
+
+USER kibana
+
 ENTRYPOINT ./entrypoint.sh
--- a/kibana/config/10-wazuh_app_config.sh
+++ b/kibana/config/10-wazuh_app_config.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"

--- a/kibana/config/20-entrypoint.sh
+++ b/kibana/config/20-entrypoint.sh
@@ -106,11 +106,11 @@ server.ssl.supportedProtocols:
  
  pushd $CA_PATH

-  chown kibana: $CA_PATH/$SECURITY_CA_PEM
-  chmod 400 $CA_PATH/$SECURITY_CA_PEM
+  # chown kibana: $CA_PATH/$SECURITY_CA_PEM
+  # chmod 400 $CA_PATH/$SECURITY_CA_PEM
  SECURITY_KEY_PASS=`openssl rand -base64 32`
  openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
-  chown -R kibana: $CA_PATH/ssl
+  # chown -R kibana: $CA_PATH/ssl
  chmod -R 770 $CA_PATH/ssl
  chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem

--- a/kibana/config/entrypoint.sh
+++ b/kibana/config/entrypoint.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
  bash "$script"

-done
+done
--- a/kibana/config/kibana_settings.sh
+++ b/kibana/config/kibana_settings.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 WAZUH_MAJOR=3

@@ -19,9 +18,30 @@ WAZUH_MAJOR=3
 # Customize elasticsearch ip
 ##############################################################################
 if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
 fi

+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+##############################################################################
+# Set url and credentials
+##############################################################################
+
 if [ "$KIBANA_IP" != "" ]; then
  kibana_ip="$KIBANA_IP"
 else
@@ -51,7 +71,7 @@ fi


 if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u $KIBANA_USER:${KIBANA_PASS}"
+  auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
  kibana_secure_ip="https://$kibana_ip"
 else
  auth=""
@@ -59,7 +79,7 @@ else
 fi


-while [[ "$(curl $auth -k -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
+while [[ "$(curl $auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
  echo "Waiting for Kibana API. Sleeping 5 seconds"
  sleep 5
 done
@@ -79,17 +99,17 @@ EOF

 sleep 5
 # Add the wazuh alerts index as default.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}

 sleep 5
 # Configuring Kibana TimePicker.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
 '{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'

 sleep 5
 # Do not ask user to help providing usage statistics to Elastic
-curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'

 # Remove credentials file
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
--- a/kibana/config/welcome_wazuh.sh
+++ b/kibana/config/welcome_wazuh.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 if [[ $CHANGE_WELCOME == "true" ]]
 then
@@ -8,20 +9,19 @@ then
    kibana_path="/usr/share/kibana"
    # Set Wazuh app as the default landing page
    echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+    echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml

    # Redirect Kibana welcome screen to Discover
    echo "Redirect Kibana welcome screen to Discover"
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/legacy/ui/public/chrome/directives/header_global_nav/header_global_nav.js

    # Hide management undesired links
    echo "Hide management undesired links"
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/rollup/public/crud_app/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/license_management/public/management_section.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/cross_cluster_replication/public/register_routes.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/remote_clusters/public/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/upgrade_assistant/public/index.js
 fi

--- a/kibana/config/xpack_config.sh
+++ b/kibana/config/xpack_config.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 kibana_config_file="/usr/share/kibana/config/kibana.yml"
 if grep -Fq  "#xpack features" "$kibana_config_file";
@@ -9,7 +10,6 @@ then
    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
    [xpack.ml.enabled]=$XPACK_ML
    [xpack.canvas.enabled]=$XPACK_CANVAS
-    [xpack.logstash.enabled]=$XPACK_LOGS
    [xpack.infra.enabled]=$XPACK_INFRA
    [xpack.monitoring.enabled]=$XPACK_MONITORING
    [xpack.maps.enabled]=$XPACK_MAPS
@@ -30,7 +30,6 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
 xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
 xpack.ml.enabled: $XPACK_ML
 xpack.canvas.enabled: $XPACK_CANVAS
-xpack.logstash.enabled: $XPACK_LOGS
 xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
 xpack.maps.enabled: $XPACK_MAPS
--- a/logstash/Dockerfile
+++ b/logstash/Dockerfile
@@ -1,5 +1,7 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.8.2
+
+ARG LOGSTASH_VERSION=7.2.1
+FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}

 COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh

--- a/logstash/config/01-wazuh.conf
+++ b/logstash/config/01-wazuh.conf
@@ -4,12 +4,16 @@
 input {
    beats {
        port => 5000
-        codec => "json_lines"
 #       ssl => true
 #       ssl_certificate => "/etc/logstash/logstash.crt"
 #       ssl_key => "/etc/logstash/logstash.key"
    }
 }
+filter {
+    json {
+      source => "message"
+    }
+}
 filter {
    if [data][srcip] {
        mutate {
@@ -30,17 +34,16 @@ filter {
    }
    date {
        match => ["timestamp", "ISO8601"]
-        target => "@timestamp"
+        target => "timestamp"
    }
    mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
+        remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
    }
 }
 output {
    elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-        document_type => "wazuh"
        #user => service_logstash
        #password => service_logstash_internal_password
        #ssl => true
--- a/logstash/config/10-entrypoint.sh
+++ b/logstash/config/10-entrypoint.sh
@@ -133,12 +133,15 @@ sleep 2
 # Remove credentials file
 ##############################################################################

+>&2 echo "Removing unnecessary files."
+
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
  echo "Security credentials file not used. Nothing to do."
 else
  shred -zvu ${SECURITY_CREDENTIALS_FILE}
 fi

+>&2 echo "Unnecessary files removed."

 ##############################################################################
 # Map environment variables to entries in logstash.yml.
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM nginx:latest

 ENV DEBIAN_FRONTEND noninteractive
--- a/nginx/config/entrypoint.sh
+++ b/nginx/config/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 set -e

--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -1,13 +1,15 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest

 # Arguments
-ARG FILEBEAT_VERSION=6.8.2
-ARG WAZUH_VERSION=3.9.4-1
+ARG FILEBEAT_VERSION=7.2.1
+ARG WAZUH_VERSION=3.9.5-1

 # Environment variables
 ENV API_USER="foo" \
-    API_PASS="bar"
+   API_PASS="bar"
+
+ARG TEMPLATE_VERSION="v3.9.5"

 # Install packages
 RUN set -x && \
@@ -39,9 +41,9 @@ RUN set -x && \

 # Services
 RUN mkdir /etc/service/wazuh && \
-    mkdir /etc/service/wazuh-api && \
-    mkdir /etc/service/postfix && \
-    mkdir /etc/service/filebeat
+   mkdir /etc/service/wazuh-api && \
+   mkdir /etc/service/postfix && \
+   mkdir /etc/service/filebeat

 COPY config/wazuh.runit.service /etc/service/wazuh/run
 COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
@@ -49,9 +51,9 @@ COPY config/postfix.runit.service /etc/service/postfix/run
 COPY config/filebeat.runit.service /etc/service/filebeat/run

 RUN chmod +x /etc/service/wazuh-api/run && \
-    chmod +x /etc/service/wazuh/run && \
-    chmod +x /etc/service/postfix/run && \
-    chmod +x /etc/service/filebeat/run 
+   chmod +x /etc/service/wazuh/run && \
+   chmod +x /etc/service/postfix/run && \
+   chmod +x /etc/service/filebeat/run 

 # Copy configuration files from repository
 COPY config/filebeat.yml /etc/filebeat/
--- a/wazuh/config/entrypoint.sh
+++ b/wazuh/config/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
--- a/wazuh/config/filebeat.runit.service
+++ b/wazuh/config/filebeat.runit.service
@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service filebeat start
 tail -f /var/log/filebeat/filebeat
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat.yml
@@ -1,18 +1,13 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh - Filebeat configuration file
 filebeat:
- prospectors:
+ inputs:
  - type: log
    paths:
     - "/var/ossec/logs/alerts/alerts.json"
-    document_type: json
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-    tail_files: true

 output:
 logstash:
   # The Logstash hosts
-   hosts: ["logstash:5000"]
+         hosts: ["logstash:5000"]
 #   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]
+#     certificate_authorities: ["/etc/filebeat/logstash.crt"]
--- a/wazuh/config/postfix.runit.service
+++ b/wazuh/config/postfix.runit.service
@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service postfix start
 tail -f /var/log/mail.log
--- a/wazuh/config/wazuh-api.runit.service
+++ b/wazuh/config/wazuh-api.runit.service
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-api start
 tail -f /var/ossec/logs/api.log

--- a/wazuh/config/wazuh.runit.service
+++ b/wazuh/config/wazuh.runit.service
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-manager start
 tail -f /var/ossec/logs/ossec.log