paulmataruso/wazuh-docker-mirror
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-11-04 05:53:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #603 from wazuh/change-directories

Browse Source 
Change directories structure
This commit is contained in:
Alberto Rodríguez
2022-04-01 11:10:55 +02:00
committed by GitHub
parent 73901f9753 2f4b127787
commit 0ff309d1fc
62 changed files with 1192 additions and 268 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
.goss.yaml → .github/.goss.yaml vendored
View File

2
.github/workflows/push.yml vendored
View File

@@ -28,4 +28,4 @@ jobs:
run: dgoss run wazuh/wazuh-manager:4.3.0 run: dgoss run wazuh/wazuh-manager:4.3.0
env: env:
GOSS_SLEEP: 30 GOSS_SLEEP: 30
GOSS_FILE: .goss.yaml GOSS_FILE: .github/.goss.yaml

159
README.md
View File

@@ -39,7 +39,7 @@ API_USERNAME="wazuh" # Wazuh API username
API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements
# (8+ length, uppercase, lowercase, specials chars) # (8+ length, uppercase, lowercase, specials chars)
INDEXER_URL=https://wazuh.indexer:9200 # Wazuh indexer URL INDEXER_URL=https://wazuh.indexer:9200 # Wazuh indexer URL
INDEXER_USERNAME=admin # Wazuh indexer Username INDEXER_USERNAME=admin # Wazuh indexer Username
INDEXER_PASSWORD=admin # Wazuh indexer Password INDEXER_PASSWORD=admin # Wazuh indexer Password
FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none) FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none)
@@ -87,73 +87,102 @@ ADMIN_PRIVILEGES=true # App privileges
## Directory structure ## Directory structure
├── build-wazuh-images.yml ├── build-docker-images
│   ├── docker-compose.yml
│   ├── wazuh-dashboard
│   │   ├── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ├── entrypoint.sh
│   │   │   ├── opensearch_dashboards.yml
│   │   │   ├── wazuh_app_config.sh
│   │   │   └── wazuh.yml
│   │   └── Dockerfile
│   ├── wazuh-indexer
│   │   ├── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ├── entrypoint.sh
│   │   │   ├── internal_users.yml
│   │   │   ├── opensearch.yml
│   │   │   ├── roles_mapping.yml
│   │   │   ├── roles.yml
│   │   │   └── securityadmin.sh
│   │   └── Dockerfile
│   └── wazuh-manager
│   ├── config
│   │   ├── create_user.py
│   │   ├── etc
│   │   │   ├── cont-init.d
│   │   │   │   ├── 0-wazuh-init
│   │   │   │   ├── 1-config-filebeat
│   │   │   │   └── 2-manager
│   │   │   └── services.d
│   │   │   ├── filebeat
│   │   │   │   ├── finish
│   │   │   │   └── run
│   │   │   └── ossec-logs
│   │   │   └── run
│   │   ├── filebeat.yml
│   │   ├── permanent_data.env
│   │   ├── permanent_data.sh
│   │   └── wazuh.repo
│   └── Dockerfile
├── CHANGELOG.md ├── CHANGELOG.md
├── docker-compose.yml ├── indexer-certs-creator
├── generate-indexer-certs.yml │   ├── config
├── indexer_certs_creator │   │   └── entrypoint.sh
├── config    └── Dockerfile
│ │ └── entrypoint.sh
│ └── Dockerfile
├── LICENSE ├── LICENSE
├── production_cluster ├── multi-node
├── nginx    ├── config
├── nginx.conf    │   ├── nginx
│ └── ssl    │   │   └── nginx.conf
│ └── generate-self-signed-cert.sh    │   ├── wazuh_cluster
├── wazuh_cluster    │   │   ├── wazuh_manager.conf
│ ├── wazuh_manager.conf    │   │   └── wazuh_worker.conf
│ └── wazuh_worker.conf    │   ├── wazuh_dashboard
├── wazuh_dashboard    │   │   ├── opensearch_dashboards.yml
│ ├── opensearch_dashboards.yml    │   │   └── wazuh.yml
│ └── wazuh.yml    │   ├── wazuh_indexer
├── wazuh-indexer    │   │   ├── internal_users.yml
│ ├── internal_users.yml    │   │   ├── wazuh1.indexer.yml
├── wazuh1.indexer.yml    │   │   ├── wazuh2.indexer.yml
│ ├── wazuh2.indexer.yml    │   │   └── wazuh3.indexer.yml
└── wazuh3.indexer.yml    │   └── wazuh_indexer_ssl_certs
│ └── wazuh_indexer_ssl_certs    │   └── certs.yml
└── certs.yml    ├── docker-compose.yml
├── production-cluster.yml │   ├── generate-indexer-certs.yml
│   ├── Migration-to-Wazuh-4.3.md
│   └── volume-migrator.sh
├── README.md ├── README.md
├── VERSION ├── single-node
├── wazuh-dashboard │   ├── config
├── config    │   ├── wazuh_cluster
│ ├── entrypoint.sh    │   │   └── wazuh_manager.conf
│ ├── opensearch_dashboards.yml    │   ├── wazuh_dashboard
│ ├── wazuh_app_config.sh    │   │   ├── opensearch_dashboards.yml
└── wazuh.yml    │   │   └── wazuh.yml
└── Dockerfile    │   ├── wazuh_indexer
├── wazuh-indexer │   │   │   ├── internal_users.yml
├── config    │   │   └── wazuh.indexer.yml
│ ├── config.sh    │   └── wazuh_indexer_ssl_certs
├── config.yml    │   ├── admin-key.pem
├── entrypoint.sh    │   ├── admin.pem
├── internal_users.yml    │   ├── certs.yml
├── opensearch.yml    │   ├── root-ca.key
├── roles_mapping.yml    │   ├── root-ca.pem
├── roles.yml    │   ├── wazuh.dashboard-key.pem
── securityadmin.sh    │   ── wazuh.dashboard.pem
└── Dockerfile    │   ├── wazuh.indexer-key.pem
└── wazuh-manager │   │   ├── wazuh.indexer.pem
├── config │   │   ├── wazuh.manager-key.pem
── create_user.py │   │   ── wazuh.manager.pem
├── etc    ├── docker-compose.yml
│ ├── cont-init.d    ├── generate-indexer-certs.yml
│ │ ├── 0-wazuh-init    └── README.md
│ │ │ ├── 1-config-filebeat └── VERSION
│ │ │ └── 2-manager
│ │ └── services.d
│ │ ├── filebeat
│ │ │ ├── finish
│ │ │ └── run
│ │ └── ossec-logs
│ │ └── run
│ ├── filebeat.yml
│ ├── permanent_data.env
│ ├── permanent_data.sh
│ └── wazuh.repo
└── Dockerfile
## Branches ## Branches

16
build-docker-images/README.md Normal file
View File

@@ -0,0 +1,16 @@
# Wazuh Docker Image Builder
By executing this stack, the Docker images of Wazuh manager, indexer and dashboard are created.
This process can be used in case of any problem accessing the Docker images that are hosted on Docker Hub.
To execute this process, the following command must be executed:
```
$ docker-compose up -d --build
```
Once the image creation process is finished, a Wazuh test stack will also be executed, which must be terminated with the following command:
```
$ docker-compose down
```

0
build-wazuh-images.yml → build-docker-images/docker-compose.yml
View File

0
wazuh-dashboard/Dockerfile → build-docker-images/wazuh-dashboard/Dockerfile
View File

0
wazuh-dashboard/config/config.sh → build-docker-images/wazuh-dashboard/config/config.sh
View File

0
wazuh-dashboard/config/config.yml → build-docker-images/wazuh-dashboard/config/config.yml
View File

0
wazuh-dashboard/config/entrypoint.sh → build-docker-images/wazuh-dashboard/config/entrypoint.sh
View File

0
wazuh-dashboard/config/opensearch_dashboards.yml → build-docker-images/wazuh-dashboard/config/opensearch_dashboards.yml
View File

0
wazuh-dashboard/config/wazuh.yml → build-docker-images/wazuh-dashboard/config/wazuh.yml
View File

0
wazuh-dashboard/config/wazuh_app_config.sh → build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh
View File

0
wazuh-indexer/Dockerfile → build-docker-images/wazuh-indexer/Dockerfile
View File

0
wazuh-indexer/config/config.sh → build-docker-images/wazuh-indexer/config/config.sh
View File

0
wazuh-indexer/config/config.yml → build-docker-images/wazuh-indexer/config/config.yml
View File

0
wazuh-indexer/config/entrypoint.sh → build-docker-images/wazuh-indexer/config/entrypoint.sh
View File

0
wazuh-indexer/config/internal_users.yml → build-docker-images/wazuh-indexer/config/internal_users.yml
View File

0
wazuh-indexer/config/opensearch.yml → build-docker-images/wazuh-indexer/config/opensearch.yml
View File

0
wazuh-indexer/config/roles.yml → build-docker-images/wazuh-indexer/config/roles.yml
View File

0
wazuh-indexer/config/roles_mapping.yml → build-docker-images/wazuh-indexer/config/roles_mapping.yml
View File

0
wazuh-indexer/config/securityadmin.sh → build-docker-images/wazuh-indexer/config/securityadmin.sh
View File

0
wazuh-manager/Dockerfile → build-docker-images/wazuh-manager/Dockerfile
View File

0
wazuh-manager/config/create_user.py → build-docker-images/wazuh-manager/config/create_user.py
View File

0
wazuh-manager/config/etc/cont-init.d/0-wazuh-init → build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init
View File

0
wazuh-manager/config/etc/cont-init.d/1-config-filebeat → build-docker-images/wazuh-manager/config/etc/cont-init.d/1-config-filebeat
View File

0
wazuh-manager/config/etc/cont-init.d/2-manager → build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager
View File

0
wazuh-manager/config/etc/services.d/filebeat/finish → build-docker-images/wazuh-manager/config/etc/services.d/filebeat/finish
View File

0
wazuh-manager/config/etc/services.d/filebeat/run → build-docker-images/wazuh-manager/config/etc/services.d/filebeat/run
View File

0
wazuh-manager/config/etc/services.d/ossec-logs/run → build-docker-images/wazuh-manager/config/etc/services.d/ossec-logs/run
View File

0
wazuh-manager/config/filebeat.yml → build-docker-images/wazuh-manager/config/filebeat.yml
View File

0
wazuh-manager/config/permanent_data.env → build-docker-images/wazuh-manager/config/permanent_data.env
View File

0
wazuh-manager/config/permanent_data.sh → build-docker-images/wazuh-manager/config/permanent_data.sh
View File

0
wazuh-manager/config/wazuh.repo → build-docker-images/wazuh-manager/config/wazuh.repo
View File

75
docker-compose.yml
View File

@@ -1,75 +0,0 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
image: wazuh/wazuh-manager:4.3.0
hostname: wazuh.manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=none
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
wazuh.indexer:
image: wazuh/wazuh-indexer:4.3.0
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.3.0
hostname: wazuh.dashboard
restart: always
ports:
- 443:443
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- WAZUH_API_URL=https://wazuh.manager
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:

0
indexer_certs_creator/Dockerfile → indexer-certs-creator/Dockerfile
View File

9
indexer-certs-creator/README.md Normal file
View File

@@ -0,0 +1,9 @@
# Certificate creation image build
The dockerfile hosted in this directory is used to build the image used to boot Wazuh's single node and multi node stacks.
To create the image, the following command must be executed:
```
$ docker build -t wazuh/wazuh-certs-generator:0.0.1 .
```

0
indexer_certs_creator/config/entrypoint.sh → indexer-certs-creator/config/entrypoint.sh
View File

190
Migration-to-Wazuh-4.3.md → multi-node/Migration-to-Wazuh-4.3.md
View File

@@ -1,328 +1,360 @@
# Opendistro data migration to Wazuh indexer on docker. # Opendistro data migration to Wazuh indexer on docker.
This procedure explains how to migrate Opendistro data from Opendistro to Wazuh indexer in docker production deployments. This procedure explains how to migrate Opendistro data from Opendistro to Wazuh indexer in docker production deployments.
The example is migrating from v4.2.5 to v4.3.0. The example is migrating from v4.2 to v4.3.
## Procedure ## Procedure
Assuming that you have a v4.2.5 production deployment, perform the following steps. Assuming that you have a v4.2 production deployment, perform the following steps.
**1. Stop 4.2.5 environment** **1. Stop 4.2 environment**
`docker-compose -f production-cluster.yml stop` `docker-compose -f production-cluster.yml stop`
**2. List Elastic volumesStop 4.2.5 environment** **2. List Elastic volumesStop 4.2 environment**
`docker volume ls --filter name='wazuh-docker_elastic-data'` `docker volume ls --filter name='wazuh-docker_elastic-data'`
**3. Inspect Elastic volume** **3. Inspect Elastic volume**
`docker volume inspect wazuh-docker_elastic-data-1` `docker volume inspect wazuh-docker_elastic-data-1`
**4. Run the volume create command:** create new Indexer and Wazuh Manager volumes using the `com.docker.compose.version` label value from the previous command. **4. down the 4.2 environment.**
`docker-compose -f production-cluster.yml down`
**5. Run the volume create command:** create new Indexer and Wazuh Manager volumes using the `com.docker.compose.version` label value from the previous command.
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \ --label com.docker.compose.volume=wazuh-indexer-data-1 \
wazuh-docker_wazuh-indexer-data-1 multi-node_wazuh-indexer-data-1
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \ --label com.docker.compose.volume=wazuh-indexer-data-2 \
wazuh-docker_wazuh-indexer-data-2 multi-node_wazuh-indexer-data-2
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \ --label com.docker.compose.volume=wazuh-indexer-data-3 \
wazuh-docker_wazuh-indexer-data-3 multi-node_wazuh-indexer-data-3
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_api_configuration \ --label com.docker.compose.volume=master_wazuh_api_configuration \
wazuh-docker_master_wazuh_api_configuration multi-node_master_wazuh_api_configuration
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_etc \ --label com.docker.compose.volume=master_wazuh_etc \
wazuh-master_docker_wazuh_etc multi-node_docker_wazuh_etc
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-logs \ --label com.docker.compose.volume=master-wazuh-logs \
wazuh-docker_master-wazuh-logs multi-node_master-wazuh-logs
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-queue \ --label com.docker.compose.volume=master-wazuh-queue \
wazuh-docker_master-wazuh-queue multi-node_master-wazuh-queue
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \ --label com.docker.compose.volume=master-wazuh-var-multigroups \
wazuh-docker_master-wazuh-var-multigroups multi-node_master-wazuh-var-multigroups
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-integrations \ --label com.docker.compose.volume=master-wazuh-integrations \
wazuh-docker_master-wazuh-integrations multi-node_master-wazuh-integrations
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-active-response \ --label com.docker.compose.volume=master-wazuh-active-response \
wazuh-docker_master-wazuh-active-response multi-node_master-wazuh-active-response
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-agentless \ --label com.docker.compose.volume=master-wazuh-agentless \
wazuh-docker_master-wazuh-agentless multi-node_master-wazuh-agentless
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-wodles \ --label com.docker.compose.volume=master-wazuh-wodles \
wazuh-docker_master-wazuh-wodles multi-node_master-wazuh-wodles
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-etc \ --label com.docker.compose.volume=master-filebeat-etc \
wazuh-docker_master-filebeat-etc multi-node_master-filebeat-etc
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-var \ --label com.docker.compose.volume=master-filebeat-var \
wazuh-docker_master-filebeat-var multi-node_master-filebeat-var
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \ --label com.docker.compose.volume=worker_wazuh_api_configuration \
wazuh-docker_worker_wazuh_api_configuration multi-node_worker_wazuh_api_configuration
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_etc \ --label com.docker.compose.volume=worker_wazuh_etc \
wazuh-worker_docker_wazuh_etc multi-node_worker-wazuh-etc
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-logs \ --label com.docker.compose.volume=worker-wazuh-logs \
wazuh-docker_worker-wazuh-logs multi-node_worker-wazuh-logs
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-queue \ --label com.docker.compose.volume=worker-wazuh-queue \
wazuh-docker_worker-wazuh-queue multi-node_worker-wazuh-queue
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \ --label com.docker.compose.volume=worker-wazuh-var-multigroups \
wazuh-docker_worker-wazuh-var-multigroups multi-node_worker-wazuh-var-multigroups
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-integrations \ --label com.docker.compose.volume=worker-wazuh-integrations \
wazuh-docker_worker-wazuh-integrations multi-node_worker-wazuh-integrations
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-active-response \ --label com.docker.compose.volume=worker-wazuh-active-response \
wazuh-docker_worker-wazuh-active-response multi-node_worker-wazuh-active-response
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-agentless \ --label com.docker.compose.volume=worker-wazuh-agentless \
wazuh-docker_worker-wazuh-agentless multi-node_worker-wazuh-agentless
``` ```
``` ```
docker volume create \ docker volume create \
--label com.docker.compose.project=wazuh-docker \ --label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \ --label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-wodles \ --label com.docker.compose.volume=worker-wazuh-wodles \
wazuh-docker_worker-wazuh-wodles multi-node_worker-wazuh-wodles
``` ```
**5. Copy the volume content from Elastic to Wazuh indexer volumes and old Wazuh Manager content to new volumes.** ```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-etc \
multi-node_worker-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-var \
multi-node_worker-filebeat-var
```
**6. Copy the volume content from Elastic to Wazuh indexer volumes and old Wazuh Manager content to new volumes.**
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \ -v wazuh-docker_elastic-data-1:/from \
-v wazuh-docker_wazuh-indexer-data-1:/to \ -v multi-node_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \ -v wazuh-docker_elastic-data-2:/from \
-v wazuh-docker_wazuh-indexer-data-2:/to \ -v multi-node_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \ -v wazuh-docker_elastic-data-3:/from \
-v wazuh-docker_wazuh-indexer-data-3:/to \ -v multi-node_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \ -v wazuh-docker_ossec-api-configuration:/from \
-v wazuh-docker_master-wazuh-api-configuration:/to \ -v multi-node_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \ -v wazuh-docker_ossec-etc:/from \
-v wazuh-docker_master-wazuh-etc:/to \ -v multi-node_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \ -v wazuh-docker_ossec-logs:/from \
-v wazuh-docker_master-wazuh-logs:/to \ -v multi-node_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \ -v wazuh-docker_ossec-queue:/from \
-v wazuh-docker_master-wazuh-queue:/to \ -v multi-node_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \ -v wazuh-docker_ossec-var-multigroups:/from \
-v wazuh-docker_master-wazuh-var-multigroups:/to \ -v multi-node_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \ -v wazuh-docker_ossec-integrations:/from \
-v wazuh-docker_master-wazuh-integrations:/to \ -v multi-node_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \ -v wazuh-docker_ossec-active-response:/from \
-v wazuh-docker_master-wazuh-active-response:/to \ -v multi-node_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \ -v wazuh-docker_ossec-agentless:/from \
-v wazuh-docker_master-wazuh-agentless:/to \ -v multi-node_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \ -v wazuh-docker_ossec-wodles:/from \
-v wazuh-docker_master-wazuh-wodles:/to \ -v multi-node_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \ -v wazuh-docker_filebeat-etc:/from \
-v wazuh-docker_master-filebeat-etc:/to \ -v multi-node_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \ -v wazuh-docker_filebeat-var:/from \
-v wazuh-docker_master-filebeat-var:/to \ -v multi-node_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \ -v wazuh-docker_worker-ossec-api-configuration:/from \
-v wazuh-docker_worker-wazuh-api-configuration:/to \ -v multi-node_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \ -v wazuh-docker_worker-ossec-etc:/from \
-v wazuh-docker_worker-wazuh-etc:/to \ -v multi-node_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \ -v wazuh-docker_worker-ossec-logs:/from \
-v wazuh-docker_worker-wazuh-logs:/to \ -v multi-node_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \ -v wazuh-docker_worker-ossec-queue:/from \
-v wazuh-docker_worker-wazuh-queue:/to \ -v multi-node_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \ -v wazuh-docker_worker-ossec-var-multigroups:/from \
-v wazuh-docker_worker-wazuh-var-multigroups:/to \ -v multi-node_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \ -v wazuh-docker_worker-ossec-integrations:/from \
-v wazuh-docker_worker-wazuh-integrations:/to \ -v multi-node_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \ -v wazuh-docker_worker-ossec-active-response:/from \
-v wazuh-docker_worker-wazuh-active-response:/to \ -v multi-node_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \ -v wazuh-docker_worker-ossec-agentless:/from \
-v wazuh-docker_worker-wazuh-agentless:/to \ -v multi-node_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
``` ```
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \ -v wazuh-docker_worker-ossec-wodles:/from \
-v wazuh-docker_worker-wazuh-wodles:/to \ -v multi-node_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
``` ```
**6. Delete the 4.2.5 environment.** ```
`docker-compose -f production-cluster.yml down` docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v multi-node_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v multi-node_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
**Steps 5 and 6 can be done with the volume-migrator.sh script, specifying Docker Version and project name as parameters.**
Ex: $ multi-node/volume-migrator.sh 1.25.0 multi-node
**7. Start the 4.3 environment.** **7. Start the 4.3 environment.**
``` ```
git checkout 4.3 git checkout 4.3
cd multi-node
docker-compose -f generate-indexer-certs.yml run --rm generator docker-compose -f generate-indexer-certs.yml run --rm generator
docker-compose -f production-cluster.yml up -d docker-compose up -d
``` ```
**8. Check the access to Wazuh dashboard**: go to the Wazuh Dashboard WebUI and check if everything is working. **8. Check the access to Wazuh dashboard**: go to the Wazuh Dashboard WebUI and check if everything is working.

31
multi-node/README.md Normal file
View File

@@ -0,0 +1,31 @@
# Deploy Wazuh Docker in multi node configuration
This deployment generates a Docker Compose stack with 2 Wazuh Manager container, 3 Wazuh Indexer container and 1 Wazuh Dashboard container.
For the next deployment, the following steps must be performed:
1) Increase max_map_count on your host (Linux)
```
$ sysctl -w vm.max_map_count=262144
```
This command must be run with root permissions
2) Run the certificate creation script:
```
$ docker-compose -f generate-indexer-certs.yml run --rm generator
```
3) Start the stack with docker-compose:
In Foregroud:
```
$ docker-compose up
```
In Background:
```
$ docker-compose up -d
```
The stack takes about 1 minute to get up for the first time, since Wazuh Indexer must be started for the first time and the Indexes and Index Patterns must be generated.

0
production_cluster/nginx/nginx.conf → multi-node/config/nginx/nginx.conf
View File

2
production_cluster/wazuh_cluster/wazuh_manager.conf → multi-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -332,7 +332,7 @@
<port>1516</port> <port>1516</port>
<bind_addr>0.0.0.0</bind_addr> <bind_addr>0.0.0.0</bind_addr>
<nodes> <nodes>
<node>wazuh-master</node> <node>wazuh.master</node>
</nodes> </nodes>
<hidden>no</hidden> <hidden>no</hidden>
<disabled>no</disabled> <disabled>no</disabled>

2
production_cluster/wazuh_cluster/wazuh_worker.conf → multi-node/config/wazuh_cluster/wazuh_worker.conf
View File

@@ -332,7 +332,7 @@
<port>1516</port> <port>1516</port>
<bind_addr>0.0.0.0</bind_addr> <bind_addr>0.0.0.0</bind_addr>
<nodes> <nodes>
<node>wazuh-master</node> <node>wazuh.master</node>
</nodes> </nodes>
<hidden>no</hidden> <hidden>no</hidden>
<disabled>no</disabled> <disabled>no</disabled>

0
production_cluster/wazuh_dashboard/opensearch_dashboards.yml → multi-node/config/wazuh_dashboard/opensearch_dashboards.yml
View File

0
production_cluster/wazuh_dashboard/wazuh.yml → multi-node/config/wazuh_dashboard/wazuh.yml
View File

0
production_cluster/wazuh-indexer/internal_users.yml → multi-node/config/wazuh_indexer/internal_users.yml
View File

0
production_cluster/wazuh-indexer/wazuh1.indexer.yml → multi-node/config/wazuh_indexer/wazuh1.indexer.yml
View File

0
production_cluster/wazuh-indexer/wazuh2.indexer.yml → multi-node/config/wazuh_indexer/wazuh2.indexer.yml
View File

0
production_cluster/wazuh-indexer/wazuh3.indexer.yml → multi-node/config/wazuh_indexer/wazuh3.indexer.yml
View File

0
production_cluster/wazuh_indexer_ssl_certs/certs.yml → multi-node/config/wazuh_indexer_ssl_certs/certs.yml
View File

63
production-cluster.yml → multi-node/docker-compose.yml
View File

@@ -32,10 +32,10 @@ services:
- master-wazuh-wodles:/var/ossec/wodles - master-wazuh-wodles:/var/ossec/wodles
- master-filebeat-etc:/etc/filebeat - master-filebeat-etc:/etc/filebeat
- master-filebeat-var:/var/lib/filebeat - master-filebeat-var:/var/lib/filebeat
- ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
- ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.worker: wazuh.worker:
image: wazuh/wazuh-manager:4.3.0 image: wazuh/wazuh-manager:4.3.0
@@ -61,10 +61,10 @@ services:
- worker-wazuh-wodles:/var/ossec/wodles - worker-wazuh-wodles:/var/ossec/wodles
- worker-filebeat-etc:/etc/filebeat - worker-filebeat-etc:/etc/filebeat
- worker-filebeat-var:/var/lib/filebeat - worker-filebeat-var:/var/lib/filebeat
- ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
- ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
wazuh1.indexer: wazuh1.indexer:
image: wazuh/wazuh-indexer:4.3.0 image: wazuh/wazuh-indexer:4.3.0
@@ -84,13 +84,13 @@ services:
hard: 65536 hard: 65536
volumes: volumes:
- wazuh-indexer-data-1:/var/lib/wazuh-indexer - wazuh-indexer-data-1:/var/lib/wazuh-indexer
- ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.key
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.pem - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.pem
- ./production_cluster/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/admin.pem - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/admin.pem
- ./production_cluster/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/admin-key.pem - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/admin-key.pem
- ./production_cluster/wazuh-indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh2.indexer: wazuh2.indexer:
image: wazuh/wazuh-indexer:4.3.0 image: wazuh/wazuh-indexer:4.3.0
@@ -108,11 +108,11 @@ services:
hard: 65536 hard: 65536
volumes: volumes:
- wazuh-indexer-data-2:/var/lib/wazuh-indexer - wazuh-indexer-data-2:/var/lib/wazuh-indexer
- ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.key
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.pem - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.pem
- ./production_cluster/wazuh-indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh3.indexer: wazuh3.indexer:
image: wazuh/wazuh-indexer:4.3.0 image: wazuh/wazuh-indexer:4.3.0
@@ -130,11 +130,11 @@ services:
hard: 65536 hard: 65536
volumes: volumes:
- wazuh-indexer-data-3:/var/lib/wazuh-indexer - wazuh-indexer-data-3:/var/lib/wazuh-indexer
- ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.key - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.key
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.pem - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.pem
- ./production_cluster/wazuh-indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh.dashboard: wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.3.0 image: wazuh/wazuh-dashboard:4.3.0
@@ -148,11 +148,11 @@ services:
- API_USERNAME=acme-user - API_USERNAME=acme-user
- API_PASSWORD=MyS3cr37P450r.*- - API_PASSWORD=MyS3cr37P450r.*-
volumes: volumes:
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./production_cluster/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./production_cluster/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./production_cluster/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
depends_on: depends_on:
- wazuh1.indexer - wazuh1.indexer
links: links:
@@ -174,8 +174,7 @@ services:
- wazuh.worker:wazuh.worker - wazuh.worker:wazuh.worker
- wazuh.dashboard:wazuh.dashboard - wazuh.dashboard:wazuh.dashboard
volumes: volumes:
- ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
volumes: volumes:
master-wazuh-api-configuration: master-wazuh-api-configuration:

4
generate-indexer-certs.yml → multi-node/generate-indexer-certs.yml
View File

@@ -6,5 +6,5 @@ services:
image: wazuh/wazuh-certs-generator:0.0.1 image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator hostname: wazuh-certs-generator
volumes: volumes:
- ./production_cluster/wazuh_indexer_ssl_certs/certs.yml:/config.yml - ./config/wazuh_indexer_ssl_certs/certs.yml:/config.yml
- ./production_cluster/wazuh_indexer_ssl_certs/:/certificates/ - ./config/wazuh_indexer_ssl_certs/:/certificates/

279
multi-node/volume-migrator.sh Executable file
View File

@@ -0,0 +1,279 @@
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
$2_wazuh-indexer-data-1
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
$2_wazuh-indexer-data-2
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
$2_wazuh-indexer-data-3
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
$2_master_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_etc \
$2_docker_wazuh_etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-logs \
$2_master-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-queue \
$2_master-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
$2_master-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-integrations \
$2_master-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-active-response \
$2_master-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-agentless \
$2_master-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-wodles \
$2_master-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-etc \
$2_master-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-var \
$2_master-filebeat-var
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
$2_worker_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_etc \
$2_worker-wazuh-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-logs \
$2_worker-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-queue \
$2_worker-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
$2_worker-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-integrations \
$2_worker-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-active-response \
$2_worker-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-agentless \
$2_worker-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-wodles \
$2_worker-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-etc \
$2_worker-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-var \
$2_worker-filebeat-var
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v $2_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v $2_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v $2_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v $2_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v $2_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v $2_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v $2_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v $2_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v $2_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v $2_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v $2_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v $2_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v $2_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v $2_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v $2_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v $2_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v $2_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v $2_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v $2_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v $2_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v $2_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v $2_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v $2_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v $2_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"

12
production_cluster/nginx/ssl/generate-self-signed-cert.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd $DIR
if [ -s key.pem ]
then
echo "Certificate already exists"
exit
else
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
fi

33
single-node/README.md Normal file
View File

@@ -0,0 +1,33 @@
# Deploy Wazuh Docker in single node configuration
This deployment generates a Docker Compose stack with 1 Wazuh Manager container, 1 Wazuh Indexer container and 1 Wazuh Dashboard container.
In case of upgrading from 4.2, the deployment hosted in the multi-node directory should be reviewed
For the next deployment, the following steps must be performed:
1) Increase max_map_count on your host (Linux)
```
$ sysctl -w vm.max_map_count=262144
```
This command must be run with root permissions
2) Run the certificate creation script:
```
$ docker-compose -f generate-indexer-certs.yml run --rm generator
```
3) Start the stack with docker-compose:
In Foregroud:
```
$ docker-compose up
```
In Background:
```
$ docker-compose up -d
```
The stack takes about 1 minute to get up for the first time, since Wazuh Indexer must be started for the first time and the Indexes and Index Patterns must be generated.

353
single-node/config/wazuh_cluster/wazuh_manager.conf Normal file
View File

@@ -0,0 +1,353 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.0.0.106</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>node01</node_name>
<node_type>master</node_type>
<key></key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>NODE_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

12
single-node/config/wazuh_dashboard/opensearch_dashboards.yml Normal file
View File

@@ -0,0 +1,12 @@
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh?security_tenant=global

7
single-node/config/wazuh_dashboard/wazuh.yml Normal file
View File

@@ -0,0 +1,7 @@
hosts:
- 1513629884013:
url: "https://wazuh.manager"
port: 55000
username: acme-user
password: MyS3cr37P450r.*-
run_as: false

56
single-node/config/wazuh_indexer/internal_users.yml Normal file
View File

@@ -0,0 +1,56 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

27
single-node/config/wazuh_indexer/wazuh.indexer.yml Normal file
View File

@@ -0,0 +1,27 @@
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

16
single-node/config/wazuh_indexer_ssl_certs/certs.yml Normal file
View File

@@ -0,0 +1,16 @@
nodes:
# Wazuh indexer server nodes
indexer:
name: wazuh.indexer
ip: wazuh.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
name: wazuh.manager
ip: wazuh.manager
# Wazuh dashboard node
dashboard:
name: wazuh.dashboard
ip: wazuh.dashboard

102
single-node/docker-compose.yml Normal file
View File

@@ -0,0 +1,102 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
image: wazuh/wazuh-manager:4.3.0
hostname: wazuh.manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=acme-user
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.indexer:
image: wazuh/wazuh-indexer:4.3.0
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/admin-key.pem
- ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.3.0
hostname: wazuh.dashboard
restart: always
ports:
- 443:443
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- WAZUH_API_URL=https://wazuh.manager
- API_USERNAME=acme-user
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:
wazuh-indexer-data:

10
single-node/generate-indexer-certs.yml Normal file
View File

@@ -0,0 +1,10 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3'
services:
generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
volumes:
- ./config/wazuh_indexer_ssl_certs/certs.yml:/config.yml
- ./config/wazuh_indexer_ssl_certs/:/certificates/