Merge pull request #22 from wazuh/revert-21-dev

Revert "Adding Nginx container"

README.md

@@ -1,21 +1,42 @@
-# IMPORTANT NOTE
+# Wazuh containers for Docker
 
-The first time than you runt this container can take a while until kibana finish the configuration, the Wazuh plugin can take a few minutes until finish the instalation, please be patient.
+In this repository you will find the containers to run:
 
-# Docker container Wazuh + ELK(5.3.0)
+* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
+* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
+* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
 
-This Docker container source files can be found in our [Wazuh Github repository](https://github.com/wazuh/wazuh). It includes both an OSSEC manager and an Elasticsearch single-node cluster, with Logstash and Kibana. You can find more information on how these components work together in our documentation.
+In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images.
 
-## Documentation
+## Current release
 
-* [Full documentation](http://documentation.wazuh.com)
-* [Wazug-docker module documentation](https://documentation.wazuh.com/current/docker/index.html)
-* [Hub docker](https://hub.docker.com/u/wazuh)
+Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
-## Credits and thank you
+## Installation notes
 
-These Docker containers are based on "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk] (https://github.com/deviantony/docker-elk), and "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server). We created our own fork, which we test and maintain. Thank you Anthony Lapenna for your contribution to the community.
+To run all docker instances you can just run ``docker-compose up``, from the directory where you have docker-compose.yml file. The following is part of the expected behavior when setting up the system:
 
-## References
+* Both wazuh-kibana and wazuh-logstash containers will run multiple queries to Elasticsearch API using curl, to learn when Elasticsearch is up. It is expected to see several ``Failed to connect to elasticsearch port 9200`` log messages, until Elasticesearch is started. Then the set up process will continue normally.
+* Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
+* It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
 
-* [Wazuh website](http://wazuh.com)
+Once installed you can browse through the interface at: http://127.0.0.1:5601
+
+## More documentation
+
+* [Wazuh full documentation](http://documentation.wazuh.com)
+* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
+* [Docker hub](https://hub.docker.com/u/wazuh)
+
+## Credits
+
+These Docker containers are based on:
+
+*  "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk)
+*  "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server)
+
+We thank you them and everyone else who has contributed to this project.
+
+## Wazuh official website
+
+[Wazuh website](http://wazuh.com)

docker-compose.yml

@@ -6,9 +6,9 @@ services:
     hostname: wazuh-manager
     restart: always
     ports:
-      - "1514/udp:1514/udp"
+      - "1514:1514/udp"
       - "1515:1515"
-      - "514/udp:514/udp"
+      - "514:514/udp"
       - "55000:55000"
     networks:
         - docker_elk
@@ -26,7 +26,7 @@ services:
 #      - my-path:/etc/logstash/conf.d
     links:
      - kibana
-     - elasticsearch
+     - elasticsearch:elasticsearch
     ports:
       - "5000:5000"
     networks:
@@ -36,7 +36,7 @@ services:
     environment:
       - LS_HEAP_SIZE=2048m
   elasticsearch:
-    image: elasticsearch:5.3.0
+    image: elasticsearch:5.5.2
     hostname: elasticsearch
     restart: always
     command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
@@ -59,9 +59,12 @@ services:
         - docker_elk
     depends_on:
       - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh
     entrypoint: sh wait-for-it.sh elasticsearch
 #    environment:
-#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.3.0.zip"
+#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
 
 networks:
   docker_elk:

kibana/Dockerfile

@@ -1,4 +1,4 @@
-FROM kibana:5.3.0
+FROM kibana:5.5.2
 
 RUN apt-get update && apt-get install -y curl
 

kibana/config/kibana.yml

@@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200"
 # logging.silent: false
 
 # Set the value of this setting to true to suppress all logging output other than error messages.
-# logging.quiet: false
+logging.quiet: true
 
 # Set the value of this setting to true to log all events, including system usage information
 # and all requests.

kibana/config/wait-for-it.sh

@@ -5,7 +5,7 @@ set -e
 host="$1"
 shift
 cmd="kibana"
-WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip}
+WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_5.5.2.zip}
 
 until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
@@ -22,4 +22,37 @@ else
   /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
 fi
 
+sleep 30
+
+echo "Configuring defaultIndex to wazuh-alerts-*"
+
+curl -s -XPUT http://$host:9200/.kibana/config/5.5.2 -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
+
+sleep 30
+
+echo "Setting API credentials into Wazuh APP"
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "foo",
+    "api_password": "YmFy",
+    "url": "http://wazuh",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "active": "true",
+    "manager": "wazuh-manager",
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+
 exec $cmd

logstash/Dockerfile

@@ -1,4 +1,4 @@
-FROM logstash:5.3.0
+FROM logstash:5.5.2
 
 RUN apt-get update
 

logstash/config/logstash.conf

@@ -13,7 +13,7 @@ input {
 #input {
 #   file {
 #       type => "wazuh-alerts"
-#       path => "/var/ossec/data/logs/alerts/alerts.json"
+#       path => "/var/ossec/logs/alerts/alerts.json"
 #       codec => "json"
 #   }
 #}
@@ -21,13 +21,14 @@ filter {
     geoip {
         source => "srcip"
         target => "GeoLocation"
+        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
     }
     date {
         match => ["timestamp", "ISO8601"]
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
+        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
     }
 }
 output {

wazuh/Dockerfile

@@ -1,5 +1,5 @@
 FROM centos:latest
-
+ARG FILEBEAT_VERSION=5.5.2
 COPY config/*.repo /etc/yum.repos.d/
 
 RUN yum -y update; yum clean all;
@@ -7,6 +7,8 @@ RUN yum -y install epel-release openssl useradd; yum clean all
 RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
+RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - &&\
+    yum install -y nodejs
 RUN yum install -y wazuh-manager wazuh-api
 
 
@@ -18,8 +20,8 @@ RUN chmod 755 /init.bash &&\
   sync && rm /init.bash
 
 
-RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\
-  rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm
+RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
+  rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm
 
 COPY config/filebeat.yml /etc/filebeat/