Compare commits
29 Commits
2.0
...
2.1.0_5.5.
Author | SHA1 | Date | |
---|---|---|---|
|
9f192202fd | ||
|
d8cd0ba7d0 | ||
|
349213bac5 | ||
|
845398d7c7 | ||
|
6e6912c380 | ||
|
a2ba029918 | ||
|
160bf4bbe9 | ||
|
8547b3b45a | ||
|
a70c127228 | ||
|
c2213165f2 | ||
|
d0565d913a | ||
|
d1cb67a822 | ||
|
e69d9d0efc | ||
|
08824ad4a9 | ||
|
a4d4c40ad5 | ||
|
84005d8145 | ||
|
aef418c75e | ||
|
5cffb99d67 | ||
|
1c935bbf07 | ||
|
38608d1f26 | ||
|
eae7328f16 | ||
|
82ef76ed4d | ||
|
548a738d69 | ||
|
bed3307dfc | ||
|
835466f25b | ||
|
df7c963eab | ||
|
f6ad536e99 | ||
|
e6e30ab3aa | ||
|
754915cb35 |
45
README.md
45
README.md
@@ -1,21 +1,42 @@
|
||||
# IMPORTANT NOTE
|
||||
# Wazuh containers for Docker
|
||||
|
||||
The first time than you runt this container can take a while until kibana finish the configuration, the Wazuh plugin can take a few minutes until finish the instalation, please be patient.
|
||||
In this repository you will find the containers to run:
|
||||
|
||||
# Docker container Wazuh + ELK(5.3.0)
|
||||
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
|
||||
* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
|
||||
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
|
||||
|
||||
This Docker container source files can be found in our [Wazuh Github repository](https://github.com/wazuh/wazuh). It includes both an OSSEC manager and an Elasticsearch single-node cluster, with Logstash and Kibana. You can find more information on how these components work together in our documentation.
|
||||
In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images.
|
||||
|
||||
## Documentation
|
||||
## Current release
|
||||
|
||||
* [Full documentation](http://documentation.wazuh.com)
|
||||
* [Wazug-docker module documentation](https://documentation.wazuh.com/current/docker/index.html)
|
||||
* [Hub docker](https://hub.docker.com/u/wazuh)
|
||||
Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
|
||||
|
||||
## Credits and thank you
|
||||
## Installation notes
|
||||
|
||||
These Docker containers are based on "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk] (https://github.com/deviantony/docker-elk), and "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server). We created our own fork, which we test and maintain. Thank you Anthony Lapenna for your contribution to the community.
|
||||
To run all docker instances you can just run ``docker-compose up``, from the directory where you have docker-compose.yml file. The following is part of the expected behavior when setting up the system:
|
||||
|
||||
## References
|
||||
* Both wazuh-kibana and wazuh-logstash containers will run multiple queries to Elasticsearch API using curl, to learn when Elasticsearch is up. It is expected to see several ``Failed to connect to elasticsearch port 9200`` log messages, until Elasticesearch is started. Then the set up process will continue normally.
|
||||
* Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
|
||||
* It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
|
||||
|
||||
* [Wazuh website](http://wazuh.com)
|
||||
Once installed you can browse through the interface at: http://127.0.0.1:5601
|
||||
|
||||
## More documentation
|
||||
|
||||
* [Wazuh full documentation](http://documentation.wazuh.com)
|
||||
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
|
||||
* [Docker hub](https://hub.docker.com/u/wazuh)
|
||||
|
||||
## Credits
|
||||
|
||||
These Docker containers are based on:
|
||||
|
||||
* "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk)
|
||||
* "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server)
|
||||
|
||||
We thank you them and everyone else who has contributed to this project.
|
||||
|
||||
## Wazuh official website
|
||||
|
||||
[Wazuh website](http://wazuh.com)
|
||||
|
@@ -6,9 +6,9 @@ services:
|
||||
hostname: wazuh-manager
|
||||
restart: always
|
||||
ports:
|
||||
- "1514/udp:1514/udp"
|
||||
- "1514:1514/udp"
|
||||
- "1515:1515"
|
||||
- "514/udp:514/udp"
|
||||
- "514:514/udp"
|
||||
- "55000:55000"
|
||||
networks:
|
||||
- docker_elk
|
||||
@@ -26,7 +26,7 @@ services:
|
||||
# - my-path:/etc/logstash/conf.d
|
||||
links:
|
||||
- kibana
|
||||
- elasticsearch
|
||||
- elasticsearch:elasticsearch
|
||||
ports:
|
||||
- "5000:5000"
|
||||
networks:
|
||||
@@ -36,7 +36,7 @@ services:
|
||||
environment:
|
||||
- LS_HEAP_SIZE=2048m
|
||||
elasticsearch:
|
||||
image: elasticsearch:5.3.0
|
||||
image: elasticsearch:5.5.2
|
||||
hostname: elasticsearch
|
||||
restart: always
|
||||
command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
|
||||
@@ -59,9 +59,12 @@ services:
|
||||
- docker_elk
|
||||
depends_on:
|
||||
- elasticsearch
|
||||
links:
|
||||
- elasticsearch:elasticsearch
|
||||
- wazuh
|
||||
entrypoint: sh wait-for-it.sh elasticsearch
|
||||
# environment:
|
||||
# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.3.0.zip"
|
||||
# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
|
||||
|
||||
networks:
|
||||
docker_elk:
|
||||
|
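Review bot: The commented-out example `# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"` in the kibana service names a different artifact than the default the entrypoint now uses in this same compare (`wazuhapp-2.1.0_5.5.2.zip`, underscore and 5.5.2), so an operator copying the example would fetch a plugin built for another Elastic version. Since the example is the only place the override is documented, it should match the script default and use the same scheme, e.g. `# - "WAZUH_KIBANA_PLUGIN_URL=https://your.repo/wazuhapp-2.1.0_5.5.2.zip"`, so the plugin is not pulled over plaintext HTTP by anyone who follows it verbatim. The services mapping continues outside the hunk.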
@@ -1,4 +1,4 @@
|
||||
FROM kibana:5.3.0
|
||||
FROM kibana:5.5.2
|
||||
|
||||
RUN apt-get update && apt-get install -y curl
|
||||
|
||||
|
@@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200"
|
||||
# logging.silent: false
|
||||
|
||||
# Set the value of this setting to true to suppress all logging output other than error messages.
|
||||
# logging.quiet: false
|
||||
logging.quiet: true
|
||||
|
||||
# Set the value of this setting to true to log all events, including system usage information
|
||||
# and all requests.
|
||||
|
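Review bot: `logging.quiet: true` is added with no comment explaining why; per the description directly above it, this suppresses every Kibana log line except errors, which removes the startup and request logging an operator would use to troubleshoot the container or forward to a SIEM. If the intent is only to keep compose output readable, say so next to the setting, e.g. `# Keeps docker-compose output short; set back to false when troubleshooting plugin installation or startup`. The README in this compare tells users to watch for `Optimizing and caching browser bundles...`; it is worth confirming that message still appears with quiet logging (it may come from the kibana-plugin CLI rather than the server logger, but the page does not show that).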
@@ -5,7 +5,7 @@ set -e
|
||||
host="$1"
|
||||
shift
|
||||
cmd="kibana"
|
||||
WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip}
|
||||
WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_5.5.2.zip}
|
||||
|
||||
until curl -XGET $host:9200; do
|
||||
>&2 echo "Elastic is unavailable - sleeping"
|
||||
@@ -22,4 +22,37 @@ else
|
||||
/usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
|
||||
fi
|
||||
|
||||
sleep 30
|
||||
|
||||
echo "Configuring defaultIndex to wazuh-alerts-*"
|
||||
|
||||
curl -s -XPUT http://$host:9200/.kibana/config/5.5.2 -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
|
||||
|
||||
sleep 30
|
||||
|
||||
echo "Setting API credentials into Wazuh APP"
|
||||
|
||||
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
|
||||
if [ "x$CONFIG_CODE" = "x404" ]; then
|
||||
curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
|
||||
{
|
||||
"api_user": "foo",
|
||||
"api_password": "YmFy",
|
||||
"url": "http://wazuh",
|
||||
"api_port": "55000",
|
||||
"insecure": "true",
|
||||
"component": "API",
|
||||
"active": "true",
|
||||
"manager": "wazuh-manager",
|
||||
"extensions": {
|
||||
"oscap": true,
|
||||
"audit": true,
|
||||
"pci": true
|
||||
}
|
||||
}
|
||||
' > /dev/null
|
||||
else
|
||||
echo "Wazuh APP already configured"
|
||||
fi
|
||||
|
||||
exec $cmd
|
||||
|
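Review bot: The new configuration block writes a fixed credential pair (`"api_user": "foo"`, `"api_password": "YmFy"`, which is base64 for `bar`) together with `"insecure": "true"` into the `.wazuh` index on first boot, so every deployment built from this image starts with the same publicly known API login unless the operator later changes it by hand. The script already takes `WAZUH_KIBANA_PLUGIN_URL` from the environment with a default; the credentials should follow the same pattern, which requires the JSON body to be passed with double quotes so the variables expand, as sketched below. Separately, `[ "x$CONFIG_CODE" = "x404" ]` treats every non-404 code, including `000` when curl cannot reach `$host` at all, as "Wazuh APP already configured", so a transient Elasticsearch failure silently skips configuration; only `200` should take that branch and anything else should fail the script under the existing `set -e`. The if/else around the plugin install begins before this hunk.
```shell
WAZUH_API_USER=${WAZUH_API_USER:-foo}
WAZUH_API_PASSWORD=${WAZUH_API_PASSWORD:-YmFy}   # base64-encoded, as the app stores it
# … unchanged: plugin install, sleep, defaultIndex setup, CONFIG_CODE lookup …
if [ "x$CONFIG_CODE" = "x404" ]; then
  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d"
  {
    \"api_user\": \"$WAZUH_API_USER\",
    \"api_password\": \"$WAZUH_API_PASSWORD\",
    \"url\": \"http://wazuh\",
  " > /dev/null
  # … unchanged (escaped the same way): api_port, insecure, component, active, manager, extensions …
elif [ "x$CONFIG_CODE" = "x200" ]; then
  echo "Wazuh APP already configured"
else
  echo "Unexpected response $CONFIG_CODE from Elasticsearch, not configuring Wazuh APP" >&2
  exit 1
fi
```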
@@ -1,4 +1,4 @@
|
||||
FROM logstash:5.3.0
|
||||
FROM logstash:5.5.2
|
||||
|
||||
RUN apt-get update
|
||||
|
||||
|
@@ -13,7 +13,7 @@ input {
|
||||
#input {
|
||||
# file {
|
||||
# type => "wazuh-alerts"
|
||||
# path => "/var/ossec/data/logs/alerts/alerts.json"
|
||||
# path => "/var/ossec/logs/alerts/alerts.json"
|
||||
# codec => "json"
|
||||
# }
|
||||
#}
|
||||
@@ -21,13 +21,14 @@ filter {
|
||||
geoip {
|
||||
source => "srcip"
|
||||
target => "GeoLocation"
|
||||
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
|
||||
}
|
||||
date {
|
||||
match => ["timestamp", "ISO8601"]
|
||||
target => "@timestamp"
|
||||
}
|
||||
mutate {
|
||||
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
|
||||
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
|
||||
}
|
||||
}
|
||||
output {
|
||||
|
@@ -1,5 +1,5 @@
|
||||
FROM centos:latest
|
||||
|
||||
ARG FILEBEAT_VERSION=5.5.2
|
||||
COPY config/*.repo /etc/yum.repos.d/
|
||||
|
||||
RUN yum -y update; yum clean all;
|
||||
@@ -7,6 +7,8 @@ RUN yum -y install epel-release openssl useradd; yum clean all
|
||||
RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
|
||||
RUN groupadd -g 1000 ossec
|
||||
RUN useradd -u 1000 -g 1000 ossec
|
||||
RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - &&\
|
||||
yum install -y nodejs
|
||||
RUN yum install -y wazuh-manager wazuh-api
|
||||
|
||||
|
||||
@@ -18,8 +20,8 @@ RUN chmod 755 /init.bash &&\
|
||||
sync && rm /init.bash
|
||||
|
||||
|
||||
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\
|
||||
rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm
|
||||
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
|
||||
rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm
|
||||
|
||||
COPY config/filebeat.yml /etc/filebeat/
|
||||
|
||||
|
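Review bot: The new `RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rpm -vi ...` installs the package with no signature or checksum check, and now that the version is a build argument the artifact can differ between builds without any verification step catching a swapped file. Importing Elastic's signing key and checking the package before installing, `rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch` and `rpm -K filebeat-${FILEBEAT_VERSION}-x86_64.rpm` ahead of the `rpm -vi`, closes that gap; adding `-f` to the curl also stops an HTTP error page being saved as the .rpm. The same applies to the new `curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -` line in the earlier hunk, which executes an unpinned remote script as root during the build; downloading it to a file, checking it, and then running it would make the build reproducible and auditable. `FROM centos:latest` is pre-existing but compounds this, since nothing in the image is pinned.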