Add trap for sbin my init (#310)

Former-commit-id: 7e7f97c4cd

CHANGELOG.md

@@ -1,18 +1,51 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
-## Wazuh Docker v3.9.4_6.8.1
+## Wazuh Docker v3.10.2_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.3.2
+
+## Wazuh Docker v3.10.0_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.0_7.3.2
+
+## Wazuh Docker v3.9.5_7.2.1
+
+### Added
+
+- Update to Wazuh version 3.9.5_7.2.1
+
+## Wazuh Docker v3.9.4_7.2.0
+
+### Added
+
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
+
+
+## Wazuh Docker v3.9.3_7.2.0
+
+### Fixed
+- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
+
+## Wazuh Docker v3.9.2_7.1.1
+
+### Added
+
+- Update to Wazuh version 3.9.2_7.1.1
 
 ## Wazuh Docker v3.9.3_6.8.1
 
 ### Added
 
 - Update to Wazuh version 3.9.3_6.8.1
-
-### Added
-
 - Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
 
+
 ## Wazuh Docker v3.9.2_6.8.0
 
 ### Added
@@ -20,6 +53,13 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.2_6.8.0
 
 
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
 ## Wazuh Docker v3.9.1_6.8.0
 
 ### Added
@@ -31,6 +71,15 @@ All notable changes to this project will be documented in this file.
 
 - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
 
+
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
+
 ## Wazuh Docker v3.9.0_6.7.2
 
 ### Changed

README.md

@@ -8,7 +8,6 @@
 In this repository you will find the containers to run:
 
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
-* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
 * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
 * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
 * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
@@ -33,11 +32,6 @@ In addition, a docker-compose file is provided to launch the containers mentione
 	│   │   └── kibana.yml
 	│   └── Dockerfile
 	├── LICENSE
-	├── logstash
-	│   ├── config
-	│   │   ├── 01-wazuh.conf
-	│   │   └── run.sh
-	│   └── Dockerfile
 	├── nginx
 	│   ├── config
 	│   │   └── entrypoint.sh
@@ -63,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 
@@ -76,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
-REVISION="3942"
+WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
+REVISION="31020"

docker-compose.yml

@@ -3,7 +3,7 @@ version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.9.3_6.8.1
+    image: wazuh/wazuh:3.10.2_7.3.2
     hostname: wazuh-manager
     restart: always
     ports:
@@ -11,65 +11,54 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-    depends_on:
-      - logstash
-  logstash:
-    image: wazuh/wazuh-logstash:3.9.3_6.8.1
-    hostname: logstash
-    restart: always
-    links:
-      - elasticsearch:elasticsearch
-    ports:
-      - "5000:5000"
-    depends_on:
-      - elasticsearch
-    environment:
-      - LS_HEAP_SIZE=2048m
-      - SECURITY_ENABLED=yes
-      - SECURITY_LOGSTASH_USER=service_logstash
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - LOGSTASH_OUTPUT=https://elasticsearch:9200
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+  #   depends_on:
+  #     - logstash
+  # logstash:
+  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
+  #   hostname: logstash
+  #   restart: always
+  #   links:
+  #     - elasticsearch:elasticsearch
+  #   ports:
+  #     - "5000:5000"
+  #   depends_on:
+  #     - elasticsearch
+  #   environment:
+  #     - LS_HEAP_SIZE=2048m
+  #     - SECURITY_ENABLED=no
+  #     - SECURITY_LOGSTASH_USER=service_logstash
+  #     - SECURITY_LOGSTASH_PASS=logstash_pass
+  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
+  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
+  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
   elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
+    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
     environment:
-      - node.name=node-1
-      - cluster.name=wazuh
-      - network.host=0.0.0.0
-      - bootstrap.memory_lock=true
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-      - ELASTICSEARCH_PROTOCOL=https
+      - ELASTICSEARCH_PROTOCOL=http
       - ELASTICSEARCH_IP=elasticsearch
       - ELASTICSEARCH_PORT=9200
-      - SECURITY_ENABLED=yes
-      - SECURITY_ADMIN_USER=wazuh_admin
-      - SECURITY_ADMIN_PASS=admin_pass
+      - SECURITY_ENABLED=no
       - SECURITY_ELASTIC_PASSWORD=elastic_pass
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - SECURITY_LOGSTASH_USER=service_logstash 
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - SECURITY_CA_PASSPHRASE=ca_pass
-      - SECURITY_CERTIFICATE_DNS=elasticsearch
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
-      - SECURITY_CA_KEY=server.TEST-CA.key
-      - SECURITY_CA_TRUST=server.TEST-CA-signed.pem
       - SECURITY_MAIN_NODE=elasticsearch
-      - SECURITY_OPENSSL_CONF=TEST_openssl.cnf
-      - SECURITY_MONITORING_USER=service_monitoring
-      - SECURITY_MONITORING_PASS=monitoring_pass
+      - ELASTIC_CLUSTER=true
+      - CLUSTER_NODE_MASTER=true
+      - CLUSTER_MASTER_NODE_NAME=elasticsearch
+      - CLUSTER_NODE_DATA=true
+      - CLUSTER_NODE_INGEST=true
+      - CLUSTER_MAX_NODES=3
     ulimits:
       memlock:
         soft: -1
         hard: -1
     mem_limit: 2g
+
   kibana:
-    image: wazuh/wazuh-kibana:3.9.3_6.8.1
+    image: wazuh/wazuh-kibana:3.10.2_7.3.2
     hostname: kibana
     restart: always
     depends_on:
@@ -79,12 +68,25 @@ services:
       - wazuh:wazuh
     environment:
       - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=yes
+      - SECURITY_ENABLED=no
       - SECURITY_KIBANA_USER=service_kibana
       - SECURITY_KIBANA_PASS=kibana_pass
-      - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
-      - SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs
       - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
       - SECURITY_CA_PEM=server.TEST-CA-signed.pem
     ports:
       - "5601:5601"
+
+  nginx:
+    image: wazuh/wazuh-nginx:3.10.2_7.3.2
+    hostname: nginx
+    restart: always
+    environment:
+      - NGINX_PORT=443
+      - NGINX_CREDENTIALS
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - kibana
+    links:
+      - kibana:kibana

elasticsearch/Dockerfile

@@ -1,8 +1,9 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.3.2
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
+ARG TEMPLATE_VERSION=v3.10.2
 
-ENV ALERTS_SHARDS="1" \
-    ALERTS_REPLICAS="0"
+ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
 
 ENV API_USER="foo" \
     API_PASS="bar"
@@ -11,8 +12,13 @@ ENV XPACK_ML="true"
 
 ENV ENABLE_CONFIGURE_S3="false"
 
-ENV TEMPLATE_VERSION=v3.9.4
+ENV WAZUH_ALERTS_SHARDS="1" \
+    WAZUH_ALERTS_REPLICAS="0"
 
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
+
+RUN yum install epel-release -y && \
+    yum install jq -y
 
 # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
 # command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
@@ -29,19 +35,19 @@ ARG SECURITY_CA_TRUST_LOCATION=""
 
 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
 ENV ELASTIC_CLUSTER="false" \
     CLUSTER_NAME="wazuh" \
-    CLUSTER_NODE_MASTER="true" \
+    CLUSTER_NODE_MASTER="false" \
     CLUSTER_NODE_DATA="true" \
     CLUSTER_NODE_INGEST="true" \
-    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
     CLUSTER_MEMORY_LOCK="true" \
     CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
     CLUSTER_NUMBER_OF_MASTERS="2" \
     CLUSTER_MAX_NODES="1" \
-    CLUSTER_DELAYED_TIMEOUT="1m"
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
+    CLUSTER_DELAYED_TIMEOUT="1m" \
+    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
+    CLUSTER_DISCOVERY_SEED="elasticsearch"
 
 # CA cert for Transport SSL
 ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
@@ -49,31 +55,42 @@ ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
 ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
 ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
 
-RUN yum install openssl -y
-
 RUN mkdir /entrypoint-scripts
 
 COPY config/entrypoint.sh /entrypoint.sh
 
 RUN chmod 755 /entrypoint.sh
 
-COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
-
-RUN chmod +x ./load_settings.sh
-
-RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
-
-COPY config/configure_s3.sh ./config/configure_s3.sh
-RUN chmod 755 ./config/configure_s3.sh
+RUN bin/elasticsearch-plugin install repository-s3 -b
 
 COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
+COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
+COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
+COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
+COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
+COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
+COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
+COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
+COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
+COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
+RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
+    chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
+    chmod +x /entrypoint-scripts/20-security_instances.sh && \
+    chmod +x /entrypoint-scripts/22-security_certs.sh && \
+    chmod +x /entrypoint-scripts/24-security_configuration.sh && \
+    chmod +x /entrypoint-scripts/26-security_keystore.sh && \
+    chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
+    chmod +x /entrypoint-scripts/35-entrypoint.sh && \
+    chmod +x ./35-entrypoint_load_settings.sh && \
+    chmod 755 ./config/35-load_settings_configure_s3.sh && \
+    chmod +x ./35-load_settings_users_management.sh && \
+    chmod +x ./35-load_settings_policies.sh && \
+    chmod +x ./35-load_settings_templates.sh && \
+    chmod +x ./35-load_settings_aliases.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]

elasticsearch/config/10-config_cluster.sh

@@ -1,36 +1,93 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
 original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
+ELASTIC_HOSTAME=`hostname`
+
+echo "CLUSTER: - Prepare Configuration"
+echo "CLUSTER: - Hostname"
+echo $ELASTIC_HOSTAME
+echo "CLUSTER: - Security main node"
+echo $SECURITY_MAIN_NODE
+echo "CLUSTER: - Discovery seed"
+echo $CLUSTER_DISCOVERY_SEED
+echo "CLUSTER: - Elastic cluster flag"
+echo $ELASTIC_CLUSTER
+echo "CLUSTER: - Node Master"
+echo $CLUSTER_NODE_MASTER
+echo "CLUSTER: - Node Data"
+echo $CLUSTER_NODE_DATA
+echo "CLUSTER: - Node Ingest"
+echo $CLUSTER_NODE_INGEST
 
 cp $elastic_config_file $original_file 
 
-# If Elasticsearch cluster is enable
-if [[ $ELASTIC_CLUSTER == "true" ]]
-then
-  
-  # Set the cluster.name and discovery.zen.minimun_master_nodes variables
-  sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
-
-  # Add the cluster configuration
-  echo "
-#cluster node
-node:
-  master: ${CLUSTER_NODE_MASTER}
-  data: ${CLUSTER_NODE_DATA}
-  ingest: ${CLUSTER_NODE_INGEST}
-  name: ${CLUSTER_NODE_NAME}
-  max_local_storage_nodes: ${CLUSTER_MAX_NODES}
-
-bootstrap:
-  memory_lock: ${CLUSTER_MEMORY_LOCK}
-
-discovery:
-  zen:
-    ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
-    minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
-  
-" >> $elastic_config_file
+remove_single_node_conf(){
+  if grep -Fq "discovery.type" $1; then
+    sed -i '/discovery.type\: /d' $1 
   fi
+}
+
+remove_cluster_config(){
+  sed -i '/# cluster node/,/# end cluster config/d' $1
+}
+
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "CLUSTER: - Remove old configuration"
+
+if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+echo "CLUSTER: - Add the master configuration"
+
+cat > $elastic_config_file << EOF
+# cluster node
+cluster.name: $CLUSTER_NAME
+bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
+network.host: 0.0.0.0
+node.name: $ELASTIC_HOSTAME
+node.master: $CLUSTER_NODE_MASTER
+node.data: $CLUSTER_NODE_DATA
+node.ingest: $CLUSTER_NODE_INGEST
+node.max_local_storage_nodes: $CLUSTER_MAX_NODES
+cluster.initial_master_nodes: 
+  - $ELASTIC_HOSTAME
+# end cluster config" 
+EOF
+
+elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+echo "CLUSTER: - Add standard cluster configuration."
+
+cat > $elastic_config_file << EOF
+# cluster node
+cluster.name: $CLUSTER_NAME
+bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
+network.host: 0.0.0.0
+node.name: $ELASTIC_HOSTAME
+node.master: $CLUSTER_NODE_MASTER
+node.data: $CLUSTER_NODE_DATA
+node.ingest: $CLUSTER_NODE_INGEST
+node.max_local_storage_nodes: $CLUSTER_MAX_NODES
+discovery.seed_hosts: 
+  - $CLUSTER_DISCOVERY_SEED
+# end cluster config" 
+EOF
+fi
+# If the cluster is disabled, then set a single-node configuration
+else
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "discovery.type: single-node" >> $elastic_config_file
+  echo "CLUSTER: - Discovery type: single-node"
+fi
+
+echo "CLUSTER: - Configured"

elasticsearch/config/15-get_CA_key.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# If the CA key is encrypted, it must be decrypted for later use. 
+##############################################################################
+
+echo "TO DO"
+
+# TO DO

elasticsearch/config/20-config_secure.sh

@@ -1,111 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
-##############################################################################
-# Setup bootstrap password to chagne all Elastic Stack passwords.
-# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  echo "Creating certificate."
-
-  pushd /usr/share/elasticsearch/config/
-
-  echo "Setting configuration options."
-
-  # Create instances.yml for elasticsearch .p12 certificate and key
-  echo "
-instances:
-- name: \"elasticsearch\"
-  dns: 
-    - $SECURITY_CERTIFICATE_DNS
-" > instances.yml
-
-  # Change permissions and owner of ca
-  chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
-  chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
- 
-
-  # Genereate .p12 certificate and key
-  SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
-  /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
-  unzip certs.zip
-  rm certs.zip 
-
-  # Change permissions and owner of certificates
-  chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
-  chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
-  chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
-
-  # Prepare directories for openssl
-  mkdir /root/ca
-  mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
-  chmod 700 /root/ca/private
-  touch /root/ca/index.txt
-  echo 1000 > /root/ca/serial
-
-  mkdir /root/ca/intermediate
-  mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
-  chmod 700 /root/ca/intermediate/private
-  touch /root/ca/intermediate/index.txt
-  echo 1000 > /root/ca/intermediate/serial
-  echo 1000 > /root/ca/intermediate/crlnumber
-
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-
-    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
-  
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    CA_PASSPHRASE_FROM_FILE=""
-    while IFS= read -r line
-    do
-      if [[ $line == *"CA_PASSPHRASE"* ]]; then
-        arrIN=(${line//:/ })
-        CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
-      fi
-    done < "$input"
-    
-    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem 
-  
-  fi
-  
-  chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
-
-  # remove CA key
-  rm $SECURITY_CA_KEY
-
-  popd
-
-  echo "Setting configuration options."
-  
-  # Settings for elasticsearch.yml
-  echo "
-# Required to set the passwords and TLS options
-xpack.security.enabled: true
-xpack.security.transport.ssl.enabled: true
-xpack.security.transport.ssl.verification_mode: certificate
-xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
-
-# HTTP layer
-xpack.security.http.ssl.enabled: true
-xpack.security.http.ssl.verification_mode: certificate
-xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
-" >> $elastic_config_file
-
-  # Create keystore
-  /usr/share/elasticsearch/bin/elasticsearch-keystore create
-
-  # Add keys to keystore
-  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
-  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
-
-fi
-

elasticsearch/config/20-security_instances.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# instances.yml
+# This file is necessary for the creation of the Elasticsaerch certificate.
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+    echo "SECURITY - Setting Elasticserach security."
+
+    # instance.yml to be added by the user. 
+    # Example:
+    #       echo "
+    # instances:
+    # - name: \"elasticsearch\"
+    #   dns:
+    #     - \"elasticsearch\"
+    # " > /user/share/elasticsearch/instances.yml
+
+fi

elasticsearch/config/22-security_certs.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Creation and management of certificates. 
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+    echo "SECURITY - Elasticserach security certificates."
+    
+    # Creation of the certificate for Elasticsearch.
+    # After the execution of this script will have generated 
+    # the Elasticsearch certificate and related keys and passphrase. 
+    # Example: TO DO
+
+fi

elasticsearch/config/24-security_configuration.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Adapt elasticsearch.yml configuration file 
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+    echo "SECURITY - Elasticserach security configuration."
+
+    echo "SECURITY - Setting configuration options."
+
+    # Settings for elasticsearch.yml to be added by the user. 
+    # Example: 
+    #     echo "
+    # # Required to set the passwords and TLS options
+    # xpack.security.enabled: true
+    # xpack.security.transport.ssl.enabled: true
+    # xpack.security.transport.ssl.verification_mode: certificate
+    # xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
+    # xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
+    # xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
+
+    # # HTTP layer
+    # xpack.security.http.ssl.enabled: true
+    # xpack.security.http.ssl.verification_mode: certificate
+    # xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
+    # xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
+    # xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
+    # " >> /usr/share/elasticsearch/config/elasticsearch.yml
+
+fi

elasticsearch/config/26-security_keystore.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Adapt elasticsearch.yml keystore management
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+    echo "SECURITY - Elasticserach keystore management."
+
+    # Create keystore
+    # /usr/share/elasticsearch/bin/elasticsearch-keystore create
+
+    # Add keys to keystore by the user. 
+    # Example
+    # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
+    # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
+
+else
+    echo "SECURITY - Elasticsearch security not established."
+fi

elasticsearch/config/30-decrypt_credentials.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# If the credentials of the users to be created are encrypted,
+# they must be decrypted for later use. 
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    echo "Security credentials file not used. Nothing to do."
+else
+    echo "TO DO"
+fi
+# TO DO

elasticsearch/config/35-entrypoint.sh

@@ -43,7 +43,7 @@ fi
 
 # Run load settings script.
 
-bash /usr/share/elasticsearch/load_settings.sh &
+bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
 
 # Execute elasticsearch
 

elasticsearch/config/35-entrypoint_load_settings.sh

@@ -0,0 +1,265 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Set Elasticsearch API url and Wazuh API url.
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+if [[ "x${WAZUH_API_URL}" = "x" ]]; then
+  wazuh_url="https://wazuh"
+else
+  wazuh_url="${WAZUH_API_URL}"
+fi
+
+echo "LOAD SETTINGS - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password and
+# WAZUH API credentials.
+##############################################################################
+
+ELASTIC_PASS=""
+WAZH_API_USER=""
+WAZH_API_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+  WAZH_API_USER=${API_USER}
+  WAZH_API_PASS=${API_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_USER"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_USER=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "LOAD SETTINGS - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "LOAD SETTINGS - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "LOAD SETTINGS - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "LOAD SETTINGS - Elastic is up - executing command"
+
+
+##############################################################################
+# Configure S3 repository for Elasticsearch snapshots. 
+##############################################################################
+
+if [ $ENABLE_CONFIGURE_S3 ]; then
+  #Wait for Elasticsearch to be ready to create the repository
+  sleep 10
+  >&2 echo "S3 - Configure S3"
+  if [ "x$S3_PATH" != "x" ]; then
+    >&2 echo "S3 - Path: $S3_PATH"
+    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
+      >&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
+      echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
+      bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
+    else
+      >&2 echo "S3 - Elasticserach major version not given."
+      echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
+      bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
+    fi
+
+  fi
+
+fi
+
+
+##############################################################################
+# Load custom policies.
+##############################################################################
+
+echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
+bash /usr/share/elasticsearch/35-load_settings_policies.sh
+
+
+##############################################################################
+# Modify wazuh-alerts template shards and replicas
+##############################################################################
+
+echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
+sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
+sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
+
+
+##############################################################################
+# Load default templates
+##############################################################################
+
+echo "LOAD SETTINGS - Loading wazuh-alerts template"
+bash /usr/share/elasticsearch/35-load_settings_templates.sh
+
+
+##############################################################################
+# Load custom aliases.
+##############################################################################
+
+echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
+bash /usr/share/elasticsearch/35-load_settings_aliases.sh
+
+
+##############################################################################
+# Elastic Stack users creation. 
+# Only security main node can manage users. 
+##############################################################################
+
+echo "LOAD SETTINGS - Run users_management.sh."
+MY_HOSTNAME=`hostname`
+echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
+if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
+  bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
+fi
+
+
+##############################################################################
+# Prepare Wazuh API credentials
+##############################################################################
+
+API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
+API_PASSWORD=`echo -n $API_PASS_Q | base64`
+
+echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+if [ "x$CONFIG_CODE" != "x200" ]; then
+  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "'"$API_USER_Q"'",
+    "api_password": "'"$API_PASSWORD"'",
+    "url": "'"$wazuh_url"'",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "cluster_info": {
+      "manager": "wazuh-manager",
+      "cluster": "Disabled",
+      "status": "disabled"
+    },
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true,
+      "aws": true,
+      "virustotal": true,
+      "gdpr": true,
+      "ciscat": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "LOAD SETTINGS - Wazuh APP already configured"
+  echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
+  wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
+  full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
+  elasticsearch_request=`curl -s $auth "$el_url"`
+  full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
+  type=`echo "$full_type" | tr -d '"'`
+  elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
+  elasticsearch_major="${elasticsearch_version:0:1}"
+
+  if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
+    echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
+    echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
+    
+    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
+    {
+      "source": {
+        "index": ".wazuh"
+      },
+      "dest": {
+        "index": ".wazuh-backup"
+      }
+    }
+    '
+    echo "LOAD SETTINGS - Remove .wazuh index."
+    curl -s  ${auth} -XDELETE "$el_url/.wazuh"
+
+    echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
+    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
+    {
+      "source": {
+        "index": ".wazuh-backup"
+      },
+      "dest": {
+        "index": ".wazuh"
+      }
+    }
+    '
+    curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
+    {
+        "index" : {
+            "number_of_replicas" : 0
+        }
+    }
+    '
+
+  fi
+
+fi
+sleep 5
+
+curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "persistent": {
+    "xpack.monitoring.collection.enabled": true
+  }
+}
+'
+
+##############################################################################
+# Set cluster delayed timeout when node falls
+##############################################################################
+
+curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "settings": {
+    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
+  }
+}
+'
+echo "LOAD SETTINGS - cluster delayed timeout changed."
+
+echo "LOAD SETTINGS - Elasticsearch is ready."

elasticsearch/config/35-load_settings_aliases.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "ALIASES - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "ALIASES - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "ALIASES - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "ALIASES - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "ALIASES - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "ALIASES - Elastic is up - executing command"
+
+
+##############################################################################
+# Add custom aliases.
+##############################################################################
+
+# The user must add the credentials of the users.
+# TO DO.
+# Example 
+# echo "ALIASES - Add custom_user password and role:"
+# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
+# {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
+

elasticsearch/config/35-load_settings_configure_s3.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 

elasticsearch/config/35-load_settings_policies.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "POLICIES - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "POLICIES - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "POLICIES - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "POLICIES - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "POLICIES - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "POLICIES - Elastic is up - executing command"
+
+
+##############################################################################
+# Add custom policies.
+##############################################################################
+
+# The user must add the credentials of the users.
+# TO DO.
+# Example 
+# echo "POLICIES - Add custom_user password and role:"
+# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
+# {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
+

elasticsearch/config/35-load_settings_templates.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "TEMPLATES - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "TEMPLATES - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "TEMPLATES - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "TEMPLATES - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "TEMPLATES - Elastic is up - executing command"
+
+
+##############################################################################
+# Add wazuh-alerts templates.
+##############################################################################
+
+echo "TEMPLATES - Loading default wazuh-alerts template."
+cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-

elasticsearch/config/35-load_settings_users_management.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "USERS - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "USERS - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "USERS - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "USERS - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "USERS - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "USERS - Elastic is up - executing command"
+
+
+##############################################################################
+# Setup passwords for Elastic Stack users.
+##############################################################################
+
+# The user must add the credentials of the users.
+# TO DO.
+# Example 
+# echo "USERS - Add custom_user password and role:"
+# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
+# { "indices": [ { "names": [ ".kibana*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"],  "privileges": ["all"] }] }'
+# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user'  -d '
+# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"],  "full_name" : "Custom User" }'
+
+
+##############################################################################
+# Remove credentials file.
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "USERS - Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+  echo "USERS - Security credentials file removed."
+fi
+

elasticsearch/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do

elasticsearch/config/load_settings.sh

@@ -1,232 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-if [[ "x${WAZUH_API_URL}" = "x" ]]; then
-  wazuh_url="https://wazuh"
-else
-  wazuh_url="${WAZUH_API_URL}"
-fi
-
-ELASTIC_PASS=""
-KIBANA_USER=""
-KIBANA_PASS=""
-LOGSTASH_USER=""
-LOGSTASH_PASS=""
-ADMIN_USER=""
-ADMIN_PASS=""
-WAZH_API_USER=""
-WAZH_API_PASS=""
-MONITORING_USER=""
-MONITORING_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
-  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
-  ADMIN_USER=${SECURITY_ADMIN_USER}
-  ADMIN_PASS=${SECURITY_ADMIN_PASS}
-  WAZH_API_USER=${API_USER}
-  WAZH_API_PASS=${API_PASS}
-  MONITORING_USER=${SECURITY_MONITORING_USER}
-  MONITORING_PASS=${SECURITY_MONITORING_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_USER"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_USER=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_PASS=${arrIN[1]}
-    elif [[ $line == *"ADMIN_USER"* ]]; then
-      arrIN=(${line//:/ })
-      ADMIN_USER=${arrIN[1]}
-    elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ADMIN_PASS=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_USER"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_USER=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_PASS=${arrIN[1]}
-    elif [[ $line == *"MONITORING_USER"* ]]; then
-      arrIN=(${line//:/ })
-      MONITORING_USER=${arrIN[1]}
-    elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      MONITORING_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-if [ $ENABLE_CONFIGURE_S3 ]; then
-  #Wait for Elasticsearch to be ready to create the repository
-  sleep 10
-  >&2 echo "Configure S3"
-  if [ "x$S3_PATH" != "x" ]; then
-    >&2 echo "S3_PATH"
-    >&2 echo $S3_PATH
-    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
-      >&2 echo "Elasticsearch major version:"
-      >&2 echo $S3_ELASTIC_MAJOR
-      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
-    else
-      >&2 echo "Elasticserach major version not given"
-      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
-
-    fi
-
-  fi
-
-fi
-
-##############################################################################
-# Setup passwords for Elastic Stack users
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-  MY_HOSTNAME=`hostname`
-  echo "Hostname:"
-  echo $MY_HOSTNAME
-  if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
-    echo "Setting up passwords for all Elastic Stack users"
-
-    echo "Setting remote monitoring password"
-    SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
-      >&2 echo "Unavailable password seeting- sleeping"
-      sleep 2
-    done
-    echo "Setting Kibana password"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ],  "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ],  "privileges": ["read", "view_index_metadata"] }  ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER"  -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"],  "full_name" : "Service Internal Kibana User" }'
-    echo "Setting APM password"
-    SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
-    echo "Setting Beats password"
-    SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
-    echo "Setting Logstash password"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ],  "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"],  "full_name" : "Service Internal Logstash User" }'
-    echo "Passwords established for all Elastic Stack users"
-    echo "Creating Admin user"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"],  "full_name" : "Wazuh admin" }'
-    echo "Admin user created"
-    echo "Setting monitoring user"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ],  "privileges": ["write","create_index","manage","read", "index"] } ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"],  "full_name" : "Service Internal Monitoring User" }'
-  fi
-fi
-
-#Insert default templates
-
-sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
-
-cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
-sleep 5
-
-
-API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
-API_PASSWORD=`echo -n $API_PASS_Q | base64`
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "'"$API_USER_Q"'",
-    "api_password": "'"$API_PASSWORD"'",
-    "url": "'"$wazuh_url"'",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-sleep 5
-
-curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
-{
-  "persistent": {
-    "xpack.monitoring.collection.enabled": true
-  }
-}
-'
-
-# Set cluster delayed timeout when node falls
-curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
-{
-  "settings": {
-    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
-  }
-}
-'
-
-# Remove credentials file.
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
-echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -1,25 +1,18 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.8.2
-ARG WAZUH_APP_VERSION=3.9.4_6.8.2
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.3.2
+ARG ELASTIC_VERSION=7.3.2
+ARG WAZUH_VERSION=3.10.2
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
 USER root
 
-ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
-
-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana:kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
-
-RUN yum install openssl -y
+# App: 3.10.2 - 7.3.2 with this fix: https://github.com/wazuh/wazuh-kibana-app/issues/1815
+#ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+COPY config/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+USER kibana
+RUN /usr/share/kibana/bin/kibana-plugin install  --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
+USER root
+RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
 
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
@@ -27,6 +20,8 @@ RUN mkdir /entrypoint-scripts
 
 USER kibana
 
+ENV CONFIGURATION_FROM_FILE="false"
+
 ENV PATTERN="" \
     CHECKS_PATTERN="" \
     CHECKS_TEMPLATE="" \
@@ -63,18 +58,22 @@ ARG XPACK_MONITORING="false"
 ARG XPACK_APM="false"
 ARG XPACK_MAPS="false"
 ARG XPACK_UPTIME="false"
+ARG XPACK_SIEM="false"
 
 ARG CHANGE_WELCOME="true"
 
 COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
-RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
-
+COPY --chown=kibana:kibana ./config/12-custom_logos.sh /entrypoint-scripts/12-custom_logos.sh
+COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
 COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
-
-COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
-
-RUN chmod +x ./kibana_settings.sh
+COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
+COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
+RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
+    chmod +x /entrypoint-scripts/12-custom_logos.sh && \
+    chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
+    chmod +x /entrypoint-scripts/20-entrypoint.sh && \
+    chmod +x ./20-entrypoint_kibana_settings.sh && \
+    chmod +x ./20-entrypoint_certs_management.sh
 
 COPY --chown=kibana:kibana ./config/xpack_config.sh ./
 
@@ -90,4 +89,13 @@ RUN ./welcome_wazuh.sh
 
 RUN /usr/local/bin/kibana-docker --optimize
 
+USER root
+
+RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
+    chmod 775 /usr/share/kibana/plugins/wazuh && \
+    chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
+    chown root:kibana /usr/share/kibana/plugins/wazuh
+
+USER kibana
+
 ENTRYPOINT ./entrypoint.sh

kibana/config/10-wazuh_app_config.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
 

kibana/config/12-custom_logos.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Kibana logos
+##############################################################################
+
+if [[ $CUSTOM_LOGO == "true" ]]; then
+
+
+    echo "CUSTOM LOGO - Change Kibana logos."
+    # TO DO
+
+fi

kibana/config/15-decrypt_credentials.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# If the credentials of the users to be created are encrypted,
+# they must be decrypted for later use. 
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    echo "Security credentials file not used. Nothing to do."
+else
+    echo "TO DO"
+fi
+# TO DO

kibana/config/20-entrypoint.sh

@@ -4,7 +4,7 @@
 set -e
 
 ##############################################################################
-# Waiting for elasticsearch
+# Set Elasticsearch API url.
 ##############################################################################
 
 if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
@@ -13,6 +13,13 @@ else
   el_url="${ELASTICSEARCH_URL}"
 fi
 
+echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
+
+
+##############################################################################
+# If there are credentials for Kibana they are obtained. 
+##############################################################################
+
 KIBANA_USER=""
 KIBANA_PASS=""
 
@@ -34,6 +41,11 @@ else
  
 fi
 
+echo "ENTRYPOINT - Kibana credentials obtained."
+
+##############################################################################
+# Establish the way to run the curl command, with or without authentication. 
+##############################################################################
 
 if [ ${SECURITY_ENABLED} != "no" ]; then
   auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
@@ -43,18 +55,24 @@ else
   auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
 fi
 
+echo "ENTRYPOINT - Kibana authentication established."
+
+##############################################################################
+# Waiting for elasticsearch.
+##############################################################################
+
 until curl -XGET $el_url ${auth}; do
-  >&2 echo "Elastic is unavailable - sleeping"
+  >&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
   sleep 5
 done
 
 sleep 2
 
->&2 echo "Elasticsearch is up."
+>&2 echo "ENTRYPOINT - Elasticsearch is up."
 
 
 ##############################################################################
-# Waiting for wazuh alerts template
+# Waiting for wazuh alerts template.
 ##############################################################################
 
 strlen=0
@@ -63,71 +81,46 @@ while [[ $strlen -eq 0 ]]
 do
   template=$(curl $auth $el_url/_cat/templates/wazuh -s)
   strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
   sleep 2
 done
 
 sleep 2
 
->&2 echo "Wazuh alerts template is loaded."
+>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
 
 
 ##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials.
-# We must create the ssl certificate.
+# Create keystore if security is enabled.
 ##############################################################################
 
 if [[ $SECURITY_ENABLED == "yes" ]]; then
 
-
-  # Create keystore
+  echo "ENTRYPOINT - Create Keystore."
   /usr/share/kibana/bin/kibana-keystore create
-  
-  echo "Setting security Kibana configuiration options."
-
-  echo "
-# Elasticsearch from/to Kibana
-elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
-
-server.ssl.enabled: true
-server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
-server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
-server.ssl.supportedProtocols: 
-  - TLSv1.1
-  - TLSv1.2
-" >> /usr/share/kibana/config/kibana.yml
-
-  echo "Create SSL directories."
-
-  mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
-  CA_PATH="/usr/share/kibana/config"
-
-  echo "Creating SSL certificates."
-  
-  pushd $CA_PATH
-
-  chown kibana: $CA_PATH/$SECURITY_CA_PEM
-  chmod 400 $CA_PATH/$SECURITY_CA_PEM
-  SECURITY_KEY_PASS=`openssl rand -base64 32`
-  openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
-  chown -R kibana: $CA_PATH/ssl
-  chmod -R 770 $CA_PATH/ssl
-  chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
-
-  popd
-  echo "SSL certificates created."
-
   # Add keys to keystore
   echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
-  echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
   echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
 
+  echo "ENTRYPOINT - Keystore created."
 fi
 
 ##############################################################################
-# Run more configuration scripts.
+# If security is enabled set Kibana configuration.
+# Create the ssl certificate.
 ##############################################################################
 
-bash /usr/share/kibana/kibana_settings.sh &
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+  bash /usr/share/kibana/20-entrypoint_certs_management.sh
+
+fi
+
+
+##############################################################################
+# Run kibana_settings.sh script.
+##############################################################################
+
+bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
 
 /usr/local/bin/kibana-docker

kibana/config/20-entrypoint_certs_management.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Kibana certs and keystore management 
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+
+    echo "CERTS_MANAGEMENT - Create certificates. TO DO."
+    # TO DO
+
+fi

kibana/config/20-entrypoint_kibana_settings.sh

@@ -0,0 +1,183 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=3
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+if [[ "$ELASTICSEARCH_KIBANA_IP" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
+fi
+
+echo "SETTINGS - Update Elasticsearch host."
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [[ "$KIBANA_INDEX" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [[ "$XPACK_SECURITY_ENABLED" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+##############################################################################
+# Get Kibana credentials
+##############################################################################
+
+if [ "$KIBANA_IP" != "" ]; then
+  kibana_ip="$KIBANA_IP"
+else
+  kibana_ip="kibana"
+fi
+
+KIBANA_USER=""
+KIBANA_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+echo "SETTINGS - Kibana credentials obtained."
+
+
+##############################################################################
+# Set url authentication.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
+  kibana_secure_ip="https://$kibana_ip"
+else
+  auth=""
+  kibana_secure_ip="http://$kibana_ip"
+fi
+
+echo "SETTINGS - Kibana authentication established."
+
+
+##############################################################################
+# Waiting for Kibana.
+##############################################################################
+
+while [[ "$(curl $auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
+  echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
+  sleep 5
+done
+
+echo "SETTINGS - Kibana API is running"
+
+
+##############################################################################
+# Prepare index selection.
+##############################################################################
+
+echo "SETTINGS - Prepare index selection."
+
+default_index="/tmp/default_index.json"
+
+if [[ $PATTERN == "" ]]; then
+
+  cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+  }
+}
+EOF
+
+else
+
+  cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "$PATTERN"
+  }
+}
+EOF
+
+fi
+
+
+sleep 5
+
+
+##############################################################################
+# Add the wazuh alerts index as default.
+##############################################################################
+
+echo "SETTINGS - Add the wazuh alerts index as default."
+
+curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+
+
+##############################################################################
+# Configuring Kibana TimePicker.
+##############################################################################
+
+echo "SETTINGS - Configuring Kibana TimePicker."
+
+curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+
+sleep 5
+
+
+##############################################################################
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
+
+curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+
+##############################################################################
+# Remove credentials file.
+##############################################################################
+
+echo "SETTINGS - Remove credentials file."
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
+
+echo "End settings"

kibana/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do

kibana/config/kibana_settings.sh

@@ -1,101 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-
-WAZUH_MAJOR=3
-
-##############################################################################
-# Wait for the Kibana API to start. It is necessary to do it in this container
-# because the others are running Elastic Stack and we can not interrupt them.
-#
-# The following actions are performed:
-#
-# Add the wazuh alerts index as default.
-# Set the Discover time interval to 24 hours instead of 15 minutes.
-# Do not ask user to help providing usage statistics to Elastic.
-##############################################################################
-
-##############################################################################
-# Customize elasticsearch ip
-##############################################################################
-if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
-  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
-fi
-
-if [ "$KIBANA_IP" != "" ]; then
-  kibana_ip="$KIBANA_IP"
-else
-  kibana_ip="kibana"
-fi
-
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u $KIBANA_USER:${KIBANA_PASS}"
-  kibana_secure_ip="https://$kibana_ip"
-else
-  auth=""
-  kibana_secure_ip="http://$kibana_ip"
-fi
-
-
-while [[ "$(curl $auth -k -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
-  echo "Waiting for Kibana API. Sleeping 5 seconds"
-  sleep 5
-done
-
-# Prepare index selection.
-echo "Kibana API is running"
-
-default_index="/tmp/default_index.json"
-
-cat > ${default_index} << EOF
-{
-  "changes": {
-    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
-  }
-}
-EOF
-
-sleep 5
-# Add the wazuh alerts index as default.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
-rm -f ${default_index}
-
-sleep 5
-# Configuring Kibana TimePicker.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
-
-sleep 5
-# Do not ask user to help providing usage statistics to Elastic
-curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
-
-# Remove credentials file
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
-echo "End settings"

kibana/config/wazuhapp-3.10.2_7.3.2.zip.REMOVED.git-id

@@ -0,0 +1 @@
+1bda3f0db629fab2a64f859fe0769afc8a359fc7

kibana/config/welcome_wazuh.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 if [[ $CHANGE_WELCOME == "true" ]]
 then
@@ -8,20 +9,22 @@ then
     kibana_path="/usr/share/kibana"
     # Set Wazuh app as the default landing page
     echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+    echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml
 
     # Redirect Kibana welcome screen to Discover
     echo "Redirect Kibana welcome screen to Discover"
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
 
     # Hide management undesired links
     echo "Hide management undesired links"
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_management/public/register_management_section.js
 fi
 

kibana/config/xpack_config.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 kibana_config_file="/usr/share/kibana/config/kibana.yml"
 if grep -Fq  "#xpack features" "$kibana_config_file";
@@ -14,6 +15,7 @@ then
     [xpack.monitoring.enabled]=$XPACK_MONITORING
     [xpack.maps.enabled]=$XPACK_MAPS
     [xpack.uptime.enabled]=$XPACK_UPTIME
+    [xpack.siem.enabled]=$XPACK_SIEM
     [console.enabled]=$XPACK_DEVTOOLS
   )
   for i in "${!CONFIG_MAP[@]}"
@@ -35,6 +37,7 @@ xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
 xpack.maps.enabled: $XPACK_MAPS
 xpack.uptime.enabled: $XPACK_UPTIME
+xpack.siem.enabled: $XPACK_SIEM
 console.enabled: $XPACK_DEVTOOLS
 " >> $kibana_config_file
 fi

logstash/Dockerfile

@@ -1,5 +1,7 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.8.2
+
+ARG LOGSTASH_VERSION=7.3.2
+FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
 
 COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
 
@@ -7,6 +9,7 @@ RUN chmod 755 /entrypoint.sh
 
 RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 
+ENV PIPELINE_FROM_FILE="false"
 COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
 
 # This CA is created for testing. Please set your own CA pem signed certificate. 
@@ -30,8 +33,14 @@ RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else
 RUN mkdir /entrypoint-scripts
 RUN chmod -R 774 /entrypoint-scripts
 RUN chown -R logstash:logstash /entrypoint-scripts
+
+COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
 COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
+COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
+RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
+    chmod +x /entrypoint-scripts/10-entrypoint.sh && \
+    chmod +x ./config/10-entrypoint_configuration.sh
+
 USER logstash
 
 ENTRYPOINT /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -4,12 +4,16 @@
 input {
     beats {
         port => 5000
-        codec => "json_lines"
 #       ssl => true
 #       ssl_certificate => "/etc/logstash/logstash.crt"
 #       ssl_key => "/etc/logstash/logstash.key"
     }
 }
+filter {
+    json {
+      source => "message"
+    }
+}
 filter {
     if [data][srcip] {
         mutate {
@@ -33,17 +37,28 @@ filter {
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
+        remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
+    }
+}
+filter {
+    # Workarounds for vulnerability-detector
+    if "vulnerability-detector" in [rule][groups] {
+        # Drop vulnerability-detector events from Manager
+        if [agent][id] == "000"{
+            drop { }
+        }
+
+        # if exists, remove data.vulnerability.published field due to conflicts
+        if [data][vulnerability][published] {
+            mutate {
+                remove_field => [ "[data][vulnerability][published]" ]
+            }
+        }
     }
 }
 output {
     elasticsearch {
         hosts => ["elasticsearch:9200"]
         index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-        document_type => "wazuh"
-        #user => service_logstash
-        #password => service_logstash_internal_password
-        #ssl => true
-        #cacert => "/path/to/cert.pem"
     }
 }

logstash/config/05-decrypt_credentials.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# If the credentials of the users to be created are encrypted,
+# they must be decrypted for later use. 
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    echo "Security credentials file not used. Nothing to do."
+else
+    echo "TO DO"
+fi
+# TO DO

logstash/config/10-entrypoint.sh

@@ -8,7 +8,7 @@
 set -e
 
 ##############################################################################
-# Waiting for elasticsearch
+# Set elasticsearch url.
 ##############################################################################
 
 if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
@@ -17,6 +17,12 @@ else
   el_url="${ELASTICSEARCH_URL}"
 fi
 
+echo "ENTRYPOINT - Elasticsearch url: $el_url"
+
+##############################################################################
+# Get Logstash credentials.
+##############################################################################
+
 LOGSTASH_USER=""
 LOGSTASH_PASS=""
 
@@ -38,6 +44,12 @@ else
  
 fi
 
+echo "ENTRYPOINT - Logstash credentials obtained."
+
+##############################################################################
+# Set authentication for curl command. 
+##############################################################################
+
 if [ ${SECURITY_ENABLED} != "no" ]; then
   auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
 elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
@@ -46,67 +58,57 @@ else
   auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
 fi
 
+echo "ENTRYPOINT - curl authentication established"
+
 
 ##############################################################################
-# Customize logstash output ip
+# Customize logstash output ip.
 ##############################################################################
 
 if [ "$LOGSTASH_OUTPUT" != "" ]; then
-  >&2 echo "Customize Logstash ouput ip."
-  sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
+  >&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
   sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
+
+  if [[ "$PIPELINE_FROM_FILE" == "false" ]]; then
+    sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
+  fi
 fi
 
+
+##############################################################################
+# Waiting for elasticsearch.
+##############################################################################
+
 until curl $auth -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping."
+  >&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
   sleep 5
 done
 
 sleep 2
 
->&2 echo "Elasticsearch is up."
+>&2 echo "ENTRYPOINT - Elasticsearch is up."
 
 
 ##############################################################################
-# Set Logstash password
-##############################################################################
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials.
+# Create keystore if security is enabled.
 ##############################################################################
 
 if [[ $SECURITY_ENABLED == "yes" ]]; then
 
+  echo "ENTRYPOINT - Create Keystore."
+
   ## Create secure keystore
   SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
   export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
   /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
 
   ## Settings for logstash.yml
-  echo "
-# Required set the passwords
-xpack.monitoring.enabled: true
-xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
-xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
-xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
-
-xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
-xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
-xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
-xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
-" >> /usr/share/logstash/config/logstash.yml
-
-  ## Settings for 01-wazuh.conf
-  sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf 
+  bash /usr/share/logstash/config/10-entrypoint_configuration.sh 
 
   ## Add keys to the keystore
   echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
   echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
 
-  
 fi
   
 
@@ -120,25 +122,28 @@ while [[ $strlen -eq 0 ]]
 do
   template=$(curl $auth $el_url/_cat/templates/wazuh -s)
   strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
   sleep 2
 done
 
 sleep 2
 
->&2 echo "Wazuh alerts template is loaded."
+>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
 
 
 ##############################################################################
 # Remove credentials file
 ##############################################################################
 
+>&2 echo "ENTRYPOINT - Removing unnecessary files."
+
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
+  echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
 else
   shred -zvu ${SECURITY_CREDENTIALS_FILE}
 fi
 
+>&2 echo "ENTRYPOINT - Unnecessary files removed."
 
 ##############################################################################
 # Map environment variables to entries in logstash.yml.

logstash/config/10-entrypoint_configuration.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+#
+# OSSEC container bootstrap. See the README for information of the environment
+# variables expected by this script.
+#
+
+set -e
+
+##############################################################################
+# Adapt logstash.yml configuration. 
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+    echo "CONFIGURATION - TO DO"
+
+    # Settings for logstash.yml
+    # Example:
+    #   echo "
+    # xpack.monitoring.enabled: true
+    # xpack.monitoring.elasticsearch.username: LOGSTASH_USER
+    # xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
+    # xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
+    # " >> /usr/share/logstash/config/logstash.yml
+
+fi

nginx/Dockerfile

@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 
 ENV DEBIAN_FRONTEND noninteractive

nginx/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 

wazuh/Dockerfile

@@ -1,14 +1,17 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
 
 # Arguments
-ARG FILEBEAT_VERSION=6.8.2
-ARG WAZUH_VERSION=3.9.4-1
+ARG FILEBEAT_VERSION=7.3.2
+ARG WAZUH_VERSION=3.10.2-1
 
 # Environment variables
 ENV API_USER="foo" \
    API_PASS="bar"
 
+ARG TEMPLATE_VERSION="v3.10.2"
+ENV FILEBEAT_DESTINATION="elasticsearch"
+
 # Install packages
 RUN set -x && \
     echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
@@ -54,8 +57,8 @@ RUN chmod +x /etc/service/wazuh-api/run && \
    chmod +x /etc/service/filebeat/run 
 
 # Copy configuration files from repository
-COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml 
+COPY config/filebeat_to_elasticsearch.yml ./
+COPY config/filebeat_to_logstash.yml ./
 
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
@@ -90,10 +93,21 @@ VOLUME ["/var/lib/filebeat"]
 RUN mkdir /entrypoint-scripts
 
 COPY config/entrypoint.sh /entrypoint.sh
+COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
-
+COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
+COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
+COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
+COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
+COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
 RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/01-wazuh.sh
+    chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
+    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
+    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
+    chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
+    chmod 755 /entrypoint-scripts/10-backups.sh && \
+    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
 
 # Workaround. 
 # Issues: Wazuh-api
@@ -102,5 +116,9 @@ RUN chmod 755 /entrypoint.sh && \
 COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
 RUN chmod 770 /var/ossec/api/controllers/agents.js
 
+# Load wazuh alerts template.
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+RUN chmod go-w /etc/filebeat/wazuh-template.json 
+
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/00-decrypt_credentials.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# If the credentials of the API user to be created are encrypted,
+# it must be decrypted for later use. 
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    echo "CREDENTIALS - Security credentials file not used. Nothing to do."
+else
+    echo "CREDENTIALS - TO DO"
+fi
+# TO DO

wazuh/config/01-wazuh.sh

@@ -197,20 +197,6 @@ change_api_user_credentials() {
 }
 
 
-
-
-##############################################################################
-# Customize filebeat output ip
-##############################################################################
-
-
-custom_filebeat_output_ip() {
-  if [ "$FILEBEAT_OUTPUT" != "" ]; then
-    sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
-  fi
-}
-
-
 ##############################################################################
 # Main function
 ##############################################################################
@@ -255,9 +241,6 @@ main() {
   # Change API user credentials
   change_api_user_credentials
 
-  # Update filebeat configuration
-  custom_filebeat_output_ip
-
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 

wazuh/config/02-set_filebeat_destination.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Set Filebeat destination.  
+##############################################################################
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+    echo "FILEBEAT - Set destination to Elasticsearch"
+    cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
+    if [[ $FILEBEAT_OUTPUT != "" ]]; then
+        sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml
+    fi
+
+elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
+
+    echo "FILEBEAT - Set destination to Logstash"
+    cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
+    if [[ $FILEBEAT_OUTPUT != "" ]]; then
+        sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
+    fi
+
+else
+    echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
+fi
+
+echo "FILEBEAT - Set permissions"
+
+chmod go-w /etc/filebeat/filebeat.yml

wazuh/config/03-config_filebeat.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+    WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
+
+    # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+    if [ "$ELASTICSEARCH_URL" != "" ]; then
+    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
+    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+    fi
+
+    # Install Wazuh Filebeat Module
+
+    >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
+    curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+    mkdir -p /usr/share/filebeat/module/wazuh
+    chmod 755 -R /usr/share/filebeat/module/wazuh
+
+fi

wazuh/config/05-remove_credentials_file.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# Remove the credentials file for security reasons.
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "CREDENTIALS - Security credentials file not used. Nothing to do."
+else
+  echo "CREDENTIALS - Remove credentiasl file."
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi

wazuh/config/10-backups.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Enable Wazuh backups and store them in a repository. 
+##############################################################################
+
+
+# TO DO
+echo "BACKUPS - TO DO"

wazuh/config/20-ossec-configuration.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Change Wazuh manager configuration. 
+##############################################################################
+
+# # Example: 
+# # Change remote protocol from udp to tcp
+# PROTOCOL="tcp"
+# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
+# # It is necessary to restart the service in order to apply the new configuration. 
+# service wazuh-manager restart

wazuh/config/entrypoint.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
+# Trap to kill container if it is necessary.
+trap "exit" SIGINT SIGTERM
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
   bash "$script"

wazuh/config/filebeat.runit.service

@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service filebeat start
 tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -1,18 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-filebeat:
- prospectors:
-  - type: log
-    paths:
-     - "/var/ossec/logs/alerts/alerts.json"
-    document_type: json
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-    tail_files: true
-
-output:
- logstash:
-   # The Logstash hosts
-   hosts: ["logstash:5000"]
-#   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/filebeat_to_elasticsearch.yml

@@ -0,0 +1,55 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat.inputs:
+  - type: log
+    paths:
+      - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+output.elasticsearch:
+  hosts: ['http://elasticsearch:9200']
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

wazuh/config/filebeat_to_logstash.yml

@@ -0,0 +1,15 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat:
+ inputs:
+  - type: log
+    paths:
+     - "/var/ossec/logs/alerts/alerts.json"
+
+output:
+ logstash:
+   # The Logstash hosts
+         hosts: ["logstash:5000"]
+#   ssl:
+#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/postfix.runit.service

@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service postfix start
 tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-api start
 tail -f /var/ossec/logs/api.log
 

wazuh/config/wazuh.runit.service

@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-manager start
 tail -f /var/ossec/logs/ossec.log