From 99e708c1a98767de0a858300c11f766827b67e53 Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Thu, 4 Jan 2024 11:48:27 -0300
Subject: [PATCH 1/3] Updated indexer-ism-init.sh execution and removed wazuh-template push from Filebeat
---
 build-docker-images/wazuh-indexer/config/ism-check.sh | 3 ++-
 build-docker-images/wazuh-manager/config/filebeat.yml | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/build-docker-images/wazuh-indexer/config/ism-check.sh b/build-docker-images/wazuh-indexer/config/ism-check.sh
index 08900dc0..a913c7b0 100644
--- a/build-docker-images/wazuh-indexer/config/ism-check.sh
+++ b/build-docker-images/wazuh-indexer/config/ism-check.sh
@@ -3,6 +3,7 @@ MIN_SHARD_SIZE=${MIN_SHARD_SIZE:-25}
 MIN_INDEX_AGE=${MIN_INDEX_AGE:-"7d"}
 MIN_DOC_COUNT=${MIN_DOC_COUNT:-600000000}
 ISM_PRIORITY=${ISM_PRIORITY:-50}
+WAZUH_TEMPLATE=${WAZUH_TEMPLATE:-"/usr/share/wazuh-indexer/wazuh-template.json"}
 SERVER=`hostname`
 if [[ -n "$INDEXER_PASSWORD" ]]; then
 until [[ `curl -XGET https://$SERVER:9200/_cat/indices -u admin:SecretPassword -k -s | grep .opendistro_security | wc -l` -eq 1 ]]
@@ -10,5 +11,5 @@ if [[ -n "$INDEXER_PASSWORD" ]]; then
 echo "Wazuh indexer Security is not initiaized";
 sleep 30
 done
- bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -p $INDEXER_PASSWORD -i $SERVER -P $ISM_PRIORITY -d $MIN_DOC_COUNT -a $MIN_INDEX_AGE -s $MIN_SHARD_SIZE
+ bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -p $INDEXER_PASSWORD -i $SERVER -P $ISM_PRIORITY -d $MIN_DOC_COUNT -a $MIN_INDEX_AGE -s $MIN_SHARD_SIZE -t $WAZUH_TEMPLATE
 fi
\ No newline at end of file
diff --git a/build-docker-images/wazuh-manager/config/filebeat.yml b/build-docker-images/wazuh-manager/config/filebeat.yml
index 8d1823af..be56e2b1 100644
--- a/build-docker-images/wazuh-manager/config/filebeat.yml
+++ b/build-docker-images/wazuh-manager/config/filebeat.yml
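Review bot: The new `-t $WAZUH_TEMPLATE` argument is passed unquoted, like every other expansion on that line, so an override containing whitespace is word-split before indexer-ism-init.sh ever sees it. Quote it and fail early when the file is not readable, since what indexer-ism-init.sh does with a missing template path is not visible here: `[[ -r "$WAZUH_TEMPLATE" ]] || { echo "wazuh template $WAZUH_TEMPLATE not readable" >&2; exit 1; }` before the call, and `-t "$WAZUH_TEMPLATE"` in it. The password still travels on argv via `-p $INDEXER_PASSWORD`, where any process able to read /proc can see it; that predates this change, but the line is being rewritten anyway, so it is worth checking whether the init script can take it from the environment instead. The `if` block enclosing this call starts outside the hunk.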
@@ -8,8 +8,6 @@ filebeat.modules:
 enabled: false
 setup.template.json.enabled: true
-setup.template.json.path: '/etc/filebeat/wazuh-template.json'
-setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
 setup.ilm.enabled: false
 output.elasticsearch:
From 892822fe293fb98d689c6017db04a51a10581239 Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Thu, 4 Jan 2024 12:34:10 -0300
Subject: [PATCH 2/3] Update check test
---
 .github/workflows/push.yml | 41 +++++++++----------
 .../wazuh-indexer/config/ism-check.sh | 2 +-
 2 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 51077968..b9a8b215 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -124,6 +124,26 @@ jobs:
 exit 1
 fi
+ - name: Check Wazuh manager start
+ run: |
+ services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
+ if [[ $services -gt 9 ]]; then
+ echo "Wazuh Manager Services: ${services}"
+ echo "OK"
+ else
+ echo "Wazuh indexer nodes: ${nodes}"
+ curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
+ exit 1
+ fi
+ env:
+ TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
+
+ - name: Check errors in ossec.log
+ run: ./.github/single-node-log-check.sh
+
+ - name: Check filebeat output
+ run: ./.github/single-node-filebeat-check.sh
+
 - name: Check documents into wazuh-alerts index
 run: |
 docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
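Review bot: `setup.template.json.enabled: true` and `setup.template.overwrite: true` survive the removal of the path and name lines, so Filebeat is still told to load a JSON template but no longer told which file. I cannot see from here what Filebeat does with that combination, but if it falls back to a built-in template while overwrite is set, it could replace the wazuh template that ism-check.sh now pushes from the indexer side. If the intent is to hand template management to the indexer entirely, set `setup.template.enabled: false` (or drop the `setup.template.*` keys) and add a comment such as `# Index template is loaded by the indexer's ism-check.sh, not by Filebeat` so the path is not re-added later.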
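Review bot: The failure branch of the new "Check Wazuh manager start" step prints `${nodes}`, a variable this step never sets, so a failing run logs an empty value under the wrong label; it should read `echo "Wazuh Manager Services: ${services}"`. The `env: TOKEN: $(curl ...)` entry only works because `${{env.TOKEN}}` is substituted into the run script as text and the shell then executes the command substitution inside the header string, which is the same textual-injection behaviour Actions warns about rather than GitHub evaluating the command; it also re-authenticates on every reference. Fetch the token inside the step instead, `TOKEN=$(curl -s -u "wazuh-wui:MyS3cr37P450r.*-" -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")`, and pass `"Authorization: Bearer $TOKEN"`. The API credential is presumably the compose default for this test environment; if so, read it from the same variable the deployment uses so the two cannot drift.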
@@ -147,27 +167,6 @@ jobs:
 exit 1
 fi
- - name: Check Wazuh manager start
- run: |
- services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
- if [[ $services -gt 9 ]]; then
- echo "Wazuh Manager Services: ${services}"
- echo "OK"
- else
- echo "Wazuh indexer nodes: ${nodes}"
- curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
- exit 1
- fi
- env:
- TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
-
- - name: Check errors in ossec.log
- run: ./.github/single-node-log-check.sh
-
-
- - name: Check filebeat output
- run: ./.github/single-node-filebeat-check.sh
-
 - name: Check Wazuh dashboard service URL
 run: |
 status=$(curl -XGET --silent https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk '{print $2}')
diff --git a/build-docker-images/wazuh-indexer/config/ism-check.sh b/build-docker-images/wazuh-indexer/config/ism-check.sh
index a913c7b0..6aef3ee5 100644
--- a/build-docker-images/wazuh-indexer/config/ism-check.sh
+++ b/build-docker-images/wazuh-indexer/config/ism-check.sh
@@ -12,4 +12,4 @@ if [[ -n "$INDEXER_PASSWORD" ]]; then
 sleep 30
 done
 bash /usr/share/wazuh-indexer/bin/indexer-ism-init.sh -p $INDEXER_PASSWORD -i $SERVER -P $ISM_PRIORITY -d $MIN_DOC_COUNT -a $MIN_INDEX_AGE -s $MIN_SHARD_SIZE -t $WAZUH_TEMPLATE
-fi
\ No newline at end of file
+fi
From caddf2893a37f7474a056cb562fe3236f41025c6 Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Thu, 4 Jan 2024 13:02:39 -0300
Subject: [PATCH 3/3] Testing with sleep
---
 .github/workflows/push.yml | 43 ++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index b9a8b215..f292275c 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -124,28 +124,9 @@ jobs:
 exit 1
 fi
- - name: Check Wazuh manager start
- run: |
- services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
- if [[ $services -gt 9 ]]; then
- echo "Wazuh Manager Services: ${services}"
- echo "OK"
- else
- echo "Wazuh indexer nodes: ${nodes}"
- curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
- exit 1
- fi
- env:
- TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
-
- - name: Check errors in ossec.log
- run: ./.github/single-node-log-check.sh
-
- - name: Check filebeat output
- run: ./.github/single-node-filebeat-check.sh
-
 - name: Check documents into wazuh-alerts index
 run: |
+ sleep 120
 docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
 if [[ $docs -gt 100 ]]; then
 echo "wazuh-alerts index documents: ${docs}"
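Review bot: The added `sleep 120` is a fixed delay in front of a single `_count` query, so the step is slow when alerts are indexed early and still fails when they arrive a few seconds late; the threshold check that follows it runs exactly once. Replace the sleep with a bounded poll that queries the count until it passes the threshold and only gives up at the deadline, keeping the existing check as the final verdict. Because `jq -r ".count"` prints `null` when the index does not exist yet, the poll should test for a numeric value before comparing. The `docs=` assignment and the `if`/`else` that follows continue past the end of the hunk.
```yaml
      - name: Check documents into wazuh-alerts index
        run: |
          # Poll instead of a fixed sleep: pass as soon as alerts are indexed,
          # give up only after ~2 minutes (24 x 5 s).
          for _ in {1..24}; do
            docs="$(curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count")"
            if [[ "$docs" =~ ^[0-9]+$ && "$docs" -gt 100 ]]; then
              break
            fi
            sleep 5
          done
          # … unchanged: final threshold check, echo of the count, exit 1 on failure …
```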
@@ -167,6 +148,27 @@ jobs:
 exit 1
 fi
+ - name: Check Wazuh manager start
+ run: |
+ services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
+ if [[ $services -gt 9 ]]; then
+ echo "Wazuh Manager Services: ${services}"
+ echo "OK"
+ else
+ echo "Wazuh indexer nodes: ${nodes}"
+ curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
+ exit 1
+ fi
+ env:
+ TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
+
+ - name: Check errors in ossec.log
+ run: ./.github/single-node-log-check.sh
+
+
+ - name: Check filebeat output
+ run: ./.github/single-node-filebeat-check.sh
+
 - name: Check Wazuh dashboard service URL
 run: |
 status=$(curl -XGET --silent https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk '{print $2}')
@@ -249,6 +251,7 @@ jobs:
 - name: Check documents into wazuh-alerts index
 run: |
+ sleep 120
 docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
 if [[ $docs -gt 100 ]]; then
 echo "wazuh-alerts index documents: ${docs}"
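Review bot: The relocated "Check Wazuh manager start" step carries the same else-branch slip as before the move: it echoes `${nodes}`, which nothing in this step defines, where `echo "Wazuh Manager Services: ${services}"` is meant. The `-gt 9` threshold is also an unexplained magic number; a one-line comment naming what it counts (`# expect all N manager daemons to report "running"`) would tell the next reader when it has to change. The `env: TOKEN: $(curl ...)` value is not evaluated by Actions; it only works because `${{env.TOKEN}}` is pasted verbatim into the script and the shell runs the substitution there, so prefer `TOKEN=$(curl ...)` as the first line of `run:` and `"Authorization: Bearer $TOKEN"` in the two curl calls.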
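Review bot: The second `sleep 120` repeats the fixed-delay pattern in the other job, so both jobs now pay two minutes unconditionally and still fail if indexing takes a little longer. A bounded poll that exits as soon as the count exceeds the threshold is both faster and less flaky, and since the two jobs share this logic it belongs in a helper next to the existing `.github/single-node-*-check.sh` scripts (I am inferring their role from the names, so confirm that fits). The final threshold check after `docs=` continues past the end of the hunk and can stay as the verdict.
```yaml
      - name: Check documents into wazuh-alerts index
        run: |
          # Wait up to ~2 minutes for alerts to be indexed, polling every 5 s
          # instead of sleeping unconditionally.
          for _ in {1..24}; do
            docs="$(curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count")"
            if [[ "$docs" =~ ^[0-9]+$ && "$docs" -gt 100 ]]; then
              break
            fi
            sleep 5
          done
          # … unchanged: final threshold check, echo of the count, exit 1 on failure …
```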