From ca1578ed27e4fd0e2a538f29ae654048c42fe362 Mon Sep 17 00:00:00 2001 From: AlfonsoRBJ Date: Thu, 3 Oct 2019 17:38:43 +0200 Subject: [PATCH] Fixes for cloud Elastic 7 (#260) --- CHANGELOG.md | 22 ++++++- README.md | 2 +- VERSION | 4 +- docker-compose.yml | 59 ++++++++++++------- elasticsearch/Dockerfile | 3 + .../config/35-entrypoint_load_settings.sh | 47 +++++++++++++++ kibana/Dockerfile | 19 ++---- kibana/config/xpack_config.sh | 2 + wazuh/Dockerfile | 15 ++++- wazuh/config/02-set_filebeat_destination.sh | 24 ++++++++ wazuh/config/03-config_filebeat.sh | 23 ++++++++ wazuh/config/filebeat_to_elasticsearch.yml | 55 +++++++++++++++++ ...{filebeat.yml => filebeat_to_logstash.yml} | 4 +- 13 files changed, 233 insertions(+), 46 deletions(-) create mode 100644 wazuh/config/02-set_filebeat_destination.sh create mode 100644 wazuh/config/03-config_filebeat.sh create mode 100644 wazuh/config/filebeat_to_elasticsearch.yml rename wazuh/config/{filebeat.yml => filebeat_to_logstash.yml} (63%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 570175ae..8e382c40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,24 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Docker v3.10.2_7.3.2 + +### Added + +- Update to Wazuh version 3.10.2_7.3.2 + +## Wazuh Docker v3.10.0_7.3.2 + +### Added + +- Update to Wazuh version 3.10.0_7.3.2 + ## Wazuh Docker v3.9.5_7.2.1 ### Added - Update to Wazuh version 3.9.5_7.2.1 - ## Wazuh Docker v3.9.4_7.2.0 ### Added @@ -15,8 +26,6 @@ All notable changes to this project will be documented in this file. - Update to Wazuh version 3.9.4_7.2.0 - Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2) -## Wazuh Docker v3.9.4_6.8.1 - ## Wazuh Docker v3.9.3_7.2.0 
@@ -44,6 +53,13 @@ All notable changes to this project will be documented in this file. - Update to Wazuh version 3.9.2_6.8.0 +## Wazuh Docker v3.9.1_7.1.0 + +### Added + +- Support for Elastic v7.1.0 +- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88) + ## Wazuh Docker v3.9.1_6.8.0 ### Added diff --git a/README.md b/README.md index 7fdb7802..4635ac1b 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione * `stable` branch on correspond to the latest Wazuh-Docker stable version. * `master` branch contains the latest code, be aware of possible bugs on this branch. -* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. +* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. ## Credits and Thank you diff --git a/VERSION b/VERSION index b1f431ca..1f3f87cd 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.9.5_7.2.1" -REVISION="3950" +WAZUH-DOCKER_VERSION="3.10.2_7.3.2" +REVISION="31020" diff --git a/docker-compose.yml b/docker-compose.yml index ac9b06d4..2f59ee73 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '2' services: wazuh: - image: wazuh/wazuh:3.9.5_7.2.1 + image: wazuh/wazuh:3.10.2_7.3.2 hostname: wazuh-manager restart: always ports: 
@@ -13,26 +13,26 @@ services:
       - "55000:55000"
     depends_on:
       - logstash
-  logstash:
-    image: wazuh/wazuh-logstash:3.9.3_6.8.1
-    hostname: logstash
-    restart: always
-    links:
-      - elasticsearch:elasticsearch
-    ports:
-      - "5000:5000"
-    depends_on:
-      - elasticsearch
-    environment:
-      - LS_HEAP_SIZE=2048m
-      - SECURITY_ENABLED=yes
-      - SECURITY_LOGSTASH_USER=service_logstash
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - LOGSTASH_OUTPUT=https://elasticsearch:9200
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+  # logstash:
+  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
+  #   hostname: logstash
+  #   restart: always
+  #   links:
+  #     - elasticsearch:elasticsearch
+  #   ports:
+  #     - "5000:5000"
+  #   depends_on:
+  #     - elasticsearch
+  #   environment:
+  #     - LS_HEAP_SIZE=2048m
+  #     - SECURITY_ENABLED=no
+  #     - SECURITY_LOGSTASH_USER=service_logstash
+  #     - SECURITY_LOGSTASH_PASS=logstash_pass
+  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
+  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
+  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
   elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.5_7.2.1
+    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
     hostname: elasticsearch
     restart: always
     ports:
@@ -58,7 +58,7 @@ services:
     mem_limit: 2g
 
   kibana:
-    image: wazuh/wazuh-kibana:3.9.5_7.2.1
+    image: wazuh/wazuh-kibana:3.10.2_7.3.2
     hostname: kibana
     restart: always
     depends_on:
@@ -68,7 +68,7 @@ services:
       - wazuh:wazuh
     environment:
       - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=yes
+      - SECURITY_ENABLED=no
       - SECURITY_KIBANA_USER=service_kibana
       - SECURITY_KIBANA_PASS=kibana_pass
       - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
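Review bot: The commented-out logstash template now carries `#   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2`, so anyone re-enabling the block by uncommenting it would start a second Elasticsearch node under the hostname `logstash` instead of a Logstash service (the removed line was `wazuh/wazuh-logstash:3.9.3_6.8.1`). If the block is kept as a template, point it at the logstash image for this release, e.g. `#   image: wazuh/wazuh-logstash:<release-tag>`, or drop it and describe the Logstash path in the README. Within the template `SECURITY_ENABLED=no` also sits next to `https://` URLs and a CA file; whatever it is meant to show, it should be internally consistent.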
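Review bot: `SECURITY_ENABLED=no` for the kibana service disables authentication in the default deployment while `ELASTICSEARCH_URL=https://elasticsearch:9200` and the `SECURITY_KIBANA_*`/`SECURITY_CA_PEM` lines stay, and the changelog entries in this patch do not mention the new default. The kibana/Dockerfile hunk in this patch also drops the `ADD` of the CA that `SECURITY_CA_PEM=server.TEST-CA-signed.pem` refers to, so setting the flag back to `yes` presumably needs the CA mounted by hand now (the entrypoint that reads it is not in this diff). A comment above the line, e.g. `# Security is disabled in this release; the CA referenced below must be provided before setting this to yes`, plus a changelog line, would make the change of posture visible.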
@@ -77,3 +77,18 @@ services:
       - SECURITY_CA_PEM=server.TEST-CA-signed.pem
     ports:
       - "5601:5601"
+
+  nginx:
+    image: wazuh/wazuh-nginx:3.10.2_7.3.2
+    hostname: nginx
+    restart: always
+    environment:
+      - NGINX_PORT=443
+      - NGINX_CREDENTIALS
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - kibana
+    links:
+      - kibana:kibana
\ No newline at end of file
diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile
index db85afda..cabac130 100644
--- a/elasticsearch/Dockerfile
+++ b/elasticsearch/Dockerfile
@@ -17,6 +17,9 @@ ENV WAZUH_ALERTS_SHARDS="1" \
 
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
 
+RUN yum install epel-release -y && \
+    yum install jq -y
+
 # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate.
 # command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= --build-arg SECURITY_CA_KEY_LOCATION=
 # ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF
diff --git a/elasticsearch/config/35-entrypoint_load_settings.sh b/elasticsearch/config/35-entrypoint_load_settings.sh
index 8d6bb788..3c24c068 100644
--- a/elasticsearch/config/35-entrypoint_load_settings.sh
+++ b/elasticsearch/config/35-entrypoint_load_settings.sh
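Review bot: Kibana's `- "5601:5601"` mapping (context at the top of this hunk) is still published on the host, so the new nginx service guarded by `NGINX_CREDENTIALS` can be bypassed by connecting to port 5601 directly; if nginx is meant to be the authenticated entry point, replace Kibana's `ports:` entry with `expose:` so it is only reachable on the compose network. `NGINX_CREDENTIALS` is passed through with no default, so an unset host variable arrives empty — a comment stating the expected format and that it is required would help (`# required: credentials for the nginx front end, e.g. exported from the shell before docker-compose up`). The file also lost its trailing newline.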
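Review bot: `RUN yum install epel-release -y && yum install jq -y` leaves the yum cache in the image layer; append `&& yum clean all` in the same `RUN` to keep the layer small. A one-line comment naming the consumer would help the next reader, e.g. `# jq is used by config/35-entrypoint_load_settings.sh to parse the .wazuh index search result`.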
@@ -174,6 +174,53 @@ if [ "x$CONFIG_CODE" != "x200" ]; then
   ' > /dev/null
 else
   echo "LOAD SETTINGS - Wazuh APP already configured"
+  echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
+  wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
+  full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
+  elasticsearch_request=`curl -s $auth "$el_url"`
+  full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
+  type=`echo "$full_type" | tr -d '"'`
+  elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
+  elasticsearch_major="${elasticsearch_version:0:1}"
+
+  if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
+    echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
+    echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
+
+    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
+    {
+      "source": {
+        "index": ".wazuh"
+      },
+      "dest": {
+        "index": ".wazuh-backup"
+      }
+    }
+    '
+    echo "LOAD SETTINGS - Remove .wazuh index."
+    curl -s ${auth} -XDELETE "$el_url/.wazuh"
+
+    echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
+    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
+    {
+      "source": {
+        "index": ".wazuh-backup"
+      },
+      "dest": {
+        "index": ".wazuh"
+      }
+    }
+    '
+    curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
+    {
+      "index" : {
+        "number_of_replicas" : 0
+      }
+    }
+    '
+
+  fi
+
 fi
 
 sleep 5
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index 2b9d1fd2..fcf38f7d 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM docker.elastic.co/kibana/kibana:7.3.2
 ARG ELASTIC_VERSION=7.3.2
 ARG WAZUH_VERSION=3.10.2
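Review bot: `curl -s ${auth} -XDELETE "$el_url/.wazuh"` runs unconditionally after the first `_reindex` call, whose result is discarded, so if the copy into `.wazuh-backup` fails (cluster red, write block, auth error, or the synchronous reindex reporting `failures`) the only copy of the Wazuh app configuration is deleted; the reindex response should be captured and checked before the delete, and the `curl ... -s` calls should at least surface errors. The `_settings` call near the end hard-codes `https://elasticsearch:9200` while every other request in the block uses `$el_url`, so it breaks as soon as the URL or scheme is configured differently. `full_type` is built from `jq .[] | jq ._type` over all hits, so an index with more than one document yields a multi-line value and the `[[ $type == "wazuh-configuration" ]]` test silently skips the migration — worth a comment or a `jq -r '.hits.hits[0]._type'`. The enclosing `if`/`else` on `$CONFIG_CODE` starts before the hunk.
```shell
    # Only drop .wazuh once the copy in .wazuh-backup is known to be complete.
    reindex_response=$(curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
    {
      "source": { "index": ".wazuh" },
      "dest": { "index": ".wazuh-backup" }
    }
    ')
    if echo "$reindex_response" | jq -e '.failures == [] and (.created // 0) == (.total // -1)' > /dev/null; then
      echo "LOAD SETTINGS - Remove .wazuh index."
      curl -s ${auth} -XDELETE "$el_url/.wazuh"
      # … unchanged: reindex .wazuh-backup back into .wazuh …
      curl -s ${auth} -XPUT "$el_url/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
      # … unchanged: number_of_replicas body …
    else
      echo "LOAD SETTINGS - Reindex into .wazuh-backup failed, keeping .wazuh: $reindex_response"
    fi
```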
@@ -7,17 +7,6 @@ ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" USER root ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp - -# This CA is created for testing. Please set your own CA pem signed certificate. -# command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= -# ENV variables are necessary: SECURITY_CA_PEM -# Sample: -# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem" -ARG SECURITY_CA_PEM_LOCATION="" - -# CA for secure communication with Elastic -ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config - RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip @@ -96,8 +85,10 @@ RUN /usr/local/bin/kibana-docker --optimize USER root -RUN chmod 777 /usr/share/kibana/plugins/wazuh/config.yml -RUN chmod 777 /usr/share/kibana/plugins/wazuh +RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \ + chmod 775 /usr/share/kibana/plugins/wazuh && \ + chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \ + chown root:kibana /usr/share/kibana/plugins/wazuh USER kibana diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh index 9015e719..8817480a 100644 --- a/kibana/config/xpack_config.sh +++ b/kibana/config/xpack_config.sh @@ -10,6 +10,7 @@ then [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS [xpack.ml.enabled]=$XPACK_ML [xpack.canvas.enabled]=$XPACK_CANVAS + [xpack.logstash.enabled]=$XPACK_LOGS [xpack.infra.enabled]=$XPACK_INFRA [xpack.monitoring.enabled]=$XPACK_MONITORING [xpack.maps.enabled]=$XPACK_MAPS @@ -31,6 +32,7 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS xpack.searchprofiler.enabled: $XPACK_DEVTOOLS xpack.ml.enabled: $XPACK_ML xpack.canvas.enabled: $XPACK_CANVAS +xpack.logstash.enabled: $XPACK_LOGS xpack.infra.enabled: $XPACK_INFRA xpack.monitoring.enabled: $XPACK_MONITORING xpack.maps.enabled: $XPACK_MAPS 
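Review bot: In the second hunk `chmod 775 /usr/share/kibana/plugins/wazuh` together with `chown root:kibana` makes the plugin directory group-writable for the `kibana` user that runs the process (`USER kibana` follows in the context), so that user can create or replace files in the plugin root, not only edit `config.yml`; if the app only needs to write `config.yml`, `chmod 755` on the directory keeps write access to that one file. A comment stating why the directory must be writable would settle it either way, e.g. `# config.yml is rewritten at runtime by the Wazuh app; the directory itself only needs to be traversable`. The first hunk removes the `ADD $SECURITY_CA_PEM_LOCATION` step while docker-compose.yml in this patch still passes `SECURITY_CA_PEM=server.TEST-CA-signed.pem` to kibana, so the README should say the CA must now be mounted when security is enabled (hedged: the entrypoint that consumes it is not in this diff).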
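Review bot: `[xpack.logstash.enabled]=$XPACK_LOGS` and the matching `xpack.logstash.enabled: $XPACK_LOGS` line in the second xpack_config.sh hunk introduce a variable that nothing in this patch defines; unless kibana/Dockerfile already declares `ENV XPACK_LOGS=...` (not visible here), an unset value renders `xpack.logstash.enabled:` with nothing after the colon, which YAML reads as null. Give it a default next to the other `XPACK_*` variables or use `${XPACK_LOGS:-true}` in both places, and consider the name `XPACK_LOGSTASH` so it matches the setting it drives.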
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile
index 5fa90987..7b43eae5 100644
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -10,6 +10,7 @@ ENV API_USER="foo" \
     API_PASS="bar"
 
 ARG TEMPLATE_VERSION="v3.10.2"
+ENV FILEBEAT_DESTINATION="elasticsearch"
 
 # Install packages
 RUN set -x && \
@@ -56,8 +57,8 @@ RUN chmod +x /etc/service/wazuh-api/run && \
     chmod +x /etc/service/filebeat/run
 
 # Copy configuration files from repository
-COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml
+COPY config/filebeat_to_elasticsearch.yml ./
+COPY config/filebeat_to_logstash.yml ./
 
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
@@ -94,12 +95,16 @@ RUN mkdir /entrypoint-scripts
 COPY config/entrypoint.sh /entrypoint.sh
 COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
+COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
+COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
 COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
 COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
 COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
 RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
     chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
+    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
+    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
     chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
     chmod 755 /entrypoint-scripts/10-backups.sh && \
     chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
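Review bot: `COPY config/filebeat_to_elasticsearch.yml ./` and the `_to_logstash` line drop the two configs into whatever `WORKDIR` is in effect at that point of the build, and the new `02-set_filebeat_destination.sh` then runs `cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml` with a bare relative path, so the step only works if the entrypoint's working directory happens to match the build-time one. Copy them to a fixed location, e.g. `COPY config/filebeat_to_elasticsearch.yml config/filebeat_to_logstash.yml /etc/filebeat/`, and use that absolute path in the script. The removed `RUN chmod go-w /etc/filebeat/filebeat.yml` now happens at container start in the same script, which is fine as long as that script is never skipped; a comment here saying so (`# filebeat.yml is selected and locked down by 02-set_filebeat_destination.sh at start-up`) would keep the next reader from re-adding it.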
@@ -111,5 +116,9 @@ RUN chmod 755 /entrypoint.sh && \
 COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
 RUN chmod 770 /var/ossec/api/controllers/agents.js
 
+# Load wazuh alerts template.
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+RUN chmod go-w /etc/filebeat/wazuh-template.json
+
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
diff --git a/wazuh/config/02-set_filebeat_destination.sh b/wazuh/config/02-set_filebeat_destination.sh
new file mode 100644
index 00000000..dc7478c2
--- /dev/null
+++ b/wazuh/config/02-set_filebeat_destination.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Set Filebeat destination.
+##############################################################################
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+  echo "FILEBEAT - Set destination to Elasticsearch"
+  cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
+
+elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
+
+  echo "FILEBEAT - Set destination to Logstash"
+  cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
+
+else
+  echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
+fi
+
+echo "FILEBEAT - Set permissions"
+
+chmod go-w /etc/filebeat/filebeat.yml
\ No newline at end of file
diff --git a/wazuh/config/03-config_filebeat.sh b/wazuh/config/03-config_filebeat.sh
new file mode 100644
index 00000000..9edc4b07
--- /dev/null
+++ b/wazuh/config/03-config_filebeat.sh
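Review bot: `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/.../wazuh-template.json` pins the template to a git tag, and tags are movable, so the build is not reproducible and a changed tag is picked up silently; pinning `TEMPLATE_VERSION` to a commit, or checking a known digest after the download (`RUN sha256sum -c` against a recorded value), would make the image verifiable. The same pattern exists in elasticsearch/Dockerfile (context in this patch), so treat both together.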
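Review bot: The `else` branch prints `Set default filebeat.yml` but copies nothing, and this patch's wazuh/Dockerfile hunk removes the `COPY config/filebeat.yml /etc/filebeat/` that used to supply a default, so an unrecognised `FILEBEAT_DESTINATION` leaves whatever `/etc/filebeat/filebeat.yml` the package installed (if any) and `chmod go-w` then runs against a file that may not exist. Either fail loudly — `echo "FILEBEAT - Unknown FILEBEAT_DESTINATION '$FILEBEAT_DESTINATION'" >&2; exit 1` — or copy the elasticsearch file and say so in the message. The script has no `set -e`, so a failed `cp` is not fatal either, and the trailing newline is missing.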
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+  WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
+
+  # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+  if [ "$ELASTICSEARCH_URL" != "" ]; then
+    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
+    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+  fi
+
+  # Install Wazuh Filebeat Module
+
+  >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
+  curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+  mkdir -p /usr/share/filebeat/module/wazuh
+  chmod 755 -R /usr/share/filebeat/module/wazuh
+
+fi
\ No newline at end of file
diff --git a/wazuh/config/filebeat_to_elasticsearch.yml b/wazuh/config/filebeat_to_elasticsearch.yml
new file mode 100644
index 00000000..3d1b145d
--- /dev/null
+++ b/wazuh/config/filebeat_to_elasticsearch.yml
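Review bot: `set -e` does not cover the `curl -s ... | tar -xvz` pipeline, so a failed download (network error, HTTP 404) is masked by tar's exit status and the script carries on with an empty or partial module directory; use `set -eo pipefail` and `curl -sSf` so a failed fetch aborts the start-up. The module tarball is pulled from packages.wazuh.com on every container start with no checksum or signature check, which makes each boot depend on the network and on that endpoint's integrity — fetching it at image build time, where it can be pinned and verified, would be the safer shape (hedged: the Dockerfile may have reasons to do it here). `sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g'` leaves the variable unquoted, so a value with spaces or a `|` breaks the expression; write `sed -i "s|http://elasticsearch:9200|${ELASTICSEARCH_URL}|g" /etc/filebeat/filebeat.yml`. The log line also misspells `output`.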
@@ -0,0 +1,55 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat.inputs:
+  - type: log
+    paths:
+      - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+output.elasticsearch:
+  hosts: ['http://elasticsearch:9200']
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
\ No newline at end of file
diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat_to_logstash.yml
similarity index 63%
rename from wazuh/config/filebeat.yml
rename to wazuh/config/filebeat_to_logstash.yml
index f7879997..8eec470b 100644
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat_to_logstash.yml
@@ -1,3 +1,5 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
 # Wazuh - Filebeat configuration file
 filebeat:
   inputs:
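Review bot: `output.elasticsearch.hosts: ['http://elasticsearch:9200']` ships alerts over plain HTTP with no `username`/`password` or `ssl` section, which matches `SECURITY_ENABLED=no` in this patch's compose file but stops working silently once an operator points `ELASTICSEARCH_URL` at an `https://` endpoint, because 03-config_filebeat.sh only rewrites the host string. A comment above `output.elasticsearch:` stating that assumption would save a debugging session, e.g. `# Unauthenticated HTTP output; add username/password and ssl.certificate_authorities when Elasticsearch security is enabled`. Style: `#pipeline: geoip` needs a space after `#`, and the file lacks a trailing newline.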
@@ -10,4 +12,4 @@ output:
     # The Logstash hosts
     hosts: ["logstash:5000"]
     # ssl:
-    # certificate_authorities: ["/etc/filebeat/logstash.crt"]
\ No newline at end of file
+    # certificate_authorities: ["/etc/filebeat/logstash.crt"]