Merge pull request #244 from wazuh/243-fix-s3-plugin

Fixed S3 plugin

CHANGELOG.md

@@ -1,17 +1,29 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
-## Wazuh Docker v3.9.4_6.8.1
-
-## Wazuh Docker v3.9.3_6.8.1
+## Wazuh Docker v3.9.5_7.2.1
 
 ### Added
 
-- Update to Wazuh version 3.9.3_6.8.1
+- Update to Wazuh version 3.9.5_7.2.1
+
+## Wazuh Docker v3.9.4_7.2.0
 
 ### Added
 
-- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
+
+## Wazuh Docker v3.9.3_7.2.0
+
+### Fixed
+- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
+
+## Wazuh Docker v3.9.2_7.1.1
+
+### Added
+
+- Update to Wazuh version 3.9.2_7.1.1
 
 ## Wazuh Docker v3.9.2_6.8.0
 
@@ -19,13 +31,18 @@ All notable changes to this project will be documented in this file.
 
 - Update to Wazuh version 3.9.2_6.8.0
 
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
 
 ## Wazuh Docker v3.9.1_6.8.0
 
 ### Added
 
 - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
-- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
 
 ### Fixed
 
@@ -39,7 +56,6 @@ All notable changes to this project will be documented in this file.
 
 ## Wazuh Docker v3.9.0_6.7.1
 
-
 ### Added
 
 - Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))

README.md

@@ -8,7 +8,6 @@
 In this repository you will find the containers to run:
 
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
-* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
 * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
 * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
 * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
@@ -33,11 +32,6 @@ In addition, a docker-compose file is provided to launch the containers mentione
 	│   │   └── kibana.yml
 	│   └── Dockerfile
 	├── LICENSE
-	├── logstash
-	│   ├── config
-	│   │   ├── 01-wazuh.conf
-	│   │   └── run.sh
-	│   └── Dockerfile
 	├── nginx
 	│   ├── config
 	│   │   └── entrypoint.sh
@@ -63,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 
@@ -76,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
-REVISION="3942"
+WAZUH-DOCKER_VERSION="3.9.5_7.2.1"
+REVISION="3950"

docker-compose.yml

@@ -1,9 +1,9 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.9.3_6.8.1
+    build: wazuh
     hostname: wazuh-manager
     restart: always
     ports:
@@ -11,65 +11,27 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-    depends_on:
-      - logstash
-  logstash:
-    image: wazuh/wazuh-logstash:3.9.3_6.8.1
-    hostname: logstash
-    restart: always
-    links:
-      - elasticsearch:elasticsearch
-    ports:
-      - "5000:5000"
-    depends_on:
-      - elasticsearch
-    environment:
-      - LS_HEAP_SIZE=2048m
-      - SECURITY_ENABLED=yes
-      - SECURITY_LOGSTASH_USER=service_logstash
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - LOGSTASH_OUTPUT=https://elasticsearch:9200
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+    volumes:
+      - '/mnt/wazuh/:/var/ossec/data:z'
   elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
+    build: elasticsearch
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
     environment:
-      - node.name=node-1
-      - cluster.name=wazuh
-      - network.host=0.0.0.0
-      - bootstrap.memory_lock=true
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-      - ELASTICSEARCH_PROTOCOL=https
-      - ELASTICSEARCH_IP=elasticsearch
-      - ELASTICSEARCH_PORT=9200
-      - SECURITY_ENABLED=yes
-      - SECURITY_ADMIN_USER=wazuh_admin
-      - SECURITY_ADMIN_PASS=admin_pass
-      - SECURITY_ELASTIC_PASSWORD=elastic_pass
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - SECURITY_LOGSTASH_USER=service_logstash 
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - SECURITY_CA_PASSPHRASE=ca_pass
-      - SECURITY_CERTIFICATE_DNS=elasticsearch
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
-      - SECURITY_CA_KEY=server.TEST-CA.key
-      - SECURITY_CA_TRUST=server.TEST-CA-signed.pem
-      - SECURITY_MAIN_NODE=elasticsearch
-      - SECURITY_OPENSSL_CONF=TEST_openssl.cnf
-      - SECURITY_MONITORING_USER=service_monitoring
-      - SECURITY_MONITORING_PASS=monitoring_pass
+      - ELASTIC_CLUSTER=true
+      - CLUSTER_NODE_MASTER=true
+      - CLUSTER_MASTER_NODE_NAME=es01
     ulimits:
       memlock:
         soft: -1
         hard: -1
     mem_limit: 2g
+
   kibana:
-    image: wazuh/wazuh-kibana:3.9.3_6.8.1
+    build: kibana
     hostname: kibana
     restart: always
     depends_on:
@@ -77,14 +39,18 @@ services:
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
+
+  nginx:
+    build: nginx
+    hostname: nginx
+    restart: always
     environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=yes
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
-      - SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs
-      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+      - NGINX_PORT=443
+      - NGINX_CREDENTIALS
     ports:
-      - "5601:5601"
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - kibana
+    links:
+      - kibana:kibana

elasticsearch/Dockerfile

@@ -1,5 +1,8 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.3.0
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
+
+ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
 
 ENV ALERTS_SHARDS="1" \
     ALERTS_REPLICAS="0"
@@ -11,49 +14,26 @@ ENV XPACK_ML="true"
 
 ENV ENABLE_CONFIGURE_S3="false"
 
-ENV TEMPLATE_VERSION=v3.9.4
-
-
-# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
-# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
-# Example:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
-# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
-# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-ARG SECURITY_CA_KEY_LOCATION=""
-ARG SECURITY_OPENSSL_CONF_LOCATION=""
-ARG SECURITY_CA_TRUST_LOCATION=""
+ARG TEMPLATE_VERSION=v3.9.5
 
 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
 ENV ELASTIC_CLUSTER="false" \
     CLUSTER_NAME="wazuh" \
-    CLUSTER_NODE_MASTER="true" \
+    CLUSTER_NODE_MASTER="false" \
     CLUSTER_NODE_DATA="true" \
     CLUSTER_NODE_INGEST="true" \
     CLUSTER_NODE_NAME="wazuh-elasticsearch" \
+    CLUSTER_MASTER_NODE_NAME="master-node" \
     CLUSTER_MEMORY_LOCK="true" \
     CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
     CLUSTER_NUMBER_OF_MASTERS="2" \
     CLUSTER_MAX_NODES="1" \
-    CLUSTER_DELAYED_TIMEOUT="1m"
+    CLUSTER_DELAYED_TIMEOUT="1m" \
+    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
-
-# CA cert for Transport SSL
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
-ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config 
-ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
-ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
-
-RUN yum install openssl -y
-
-RUN mkdir /entrypoint-scripts
-
-COPY config/entrypoint.sh /entrypoint.sh
+COPY config/entrypoint.sh /entrypoint.sh 
 
 RUN chmod 755 /entrypoint.sh
 
@@ -61,19 +41,13 @@ COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
 
 RUN chmod +x ./load_settings.sh
 
-RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
+RUN ${bin/elasticsearch-plugin install --batch repository-s3}
 
 COPY config/configure_s3.sh ./config/configure_s3.sh
 RUN chmod 755 ./config/configure_s3.sh
 
-COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
+COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
+RUN chmod +x ./config_cluster.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]

elasticsearch/config/10-config_cluster.sh

@@ -1,36 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
-original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
-
-cp $elastic_config_file $original_file 
-
-# If Elasticsearch cluster is enable
-if [[ $ELASTIC_CLUSTER == "true" ]]
-then
-  
-  # Set the cluster.name and discovery.zen.minimun_master_nodes variables
-  sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
-
-  # Add the cluster configuration
-  echo "
-#cluster node
-node:
-  master: ${CLUSTER_NODE_MASTER}
-  data: ${CLUSTER_NODE_DATA}
-  ingest: ${CLUSTER_NODE_INGEST}
-  name: ${CLUSTER_NODE_NAME}
-  max_local_storage_nodes: ${CLUSTER_MAX_NODES}
-
-bootstrap:
-  memory_lock: ${CLUSTER_MEMORY_LOCK}
-
-discovery:
-  zen:
-    ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
-    minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
-  
-" >> $elastic_config_file
-fi

elasticsearch/config/20-config_secure.sh

@@ -1,111 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
-##############################################################################
-# Setup bootstrap password to chagne all Elastic Stack passwords.
-# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  echo "Creating certificate."
-
-  pushd /usr/share/elasticsearch/config/
-
-  echo "Setting configuration options."
-
-  # Create instances.yml for elasticsearch .p12 certificate and key
-  echo "
-instances:
-- name: \"elasticsearch\"
-  dns: 
-    - $SECURITY_CERTIFICATE_DNS
-" > instances.yml
-
-  # Change permissions and owner of ca
-  chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
-  chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
- 
-
-  # Genereate .p12 certificate and key
-  SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
-  /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
-  unzip certs.zip
-  rm certs.zip 
-
-  # Change permissions and owner of certificates
-  chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
-  chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
-  chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
-
-  # Prepare directories for openssl
-  mkdir /root/ca
-  mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
-  chmod 700 /root/ca/private
-  touch /root/ca/index.txt
-  echo 1000 > /root/ca/serial
-
-  mkdir /root/ca/intermediate
-  mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
-  chmod 700 /root/ca/intermediate/private
-  touch /root/ca/intermediate/index.txt
-  echo 1000 > /root/ca/intermediate/serial
-  echo 1000 > /root/ca/intermediate/crlnumber
-
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-
-    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
-  
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    CA_PASSPHRASE_FROM_FILE=""
-    while IFS= read -r line
-    do
-      if [[ $line == *"CA_PASSPHRASE"* ]]; then
-        arrIN=(${line//:/ })
-        CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
-      fi
-    done < "$input"
-    
-    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem 
-  
-  fi
-  
-  chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
-
-  # remove CA key
-  rm $SECURITY_CA_KEY
-
-  popd
-
-  echo "Setting configuration options."
-  
-  # Settings for elasticsearch.yml
-  echo "
-# Required to set the passwords and TLS options
-xpack.security.enabled: true
-xpack.security.transport.ssl.enabled: true
-xpack.security.transport.ssl.verification_mode: certificate
-xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
-
-# HTTP layer
-xpack.security.http.ssl.enabled: true
-xpack.security.http.ssl.verification_mode: certificate
-xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
-" >> $elastic_config_file
-
-  # Create keystore
-  /usr/share/elasticsearch/bin/elasticsearch-keystore create
-
-  # Add keys to keystore
-  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
-  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
-
-fi
-

elasticsearch/config/30-entrypoint.sh

@@ -1,70 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
-
-set -e
-
-# Files created by Elasticsearch should always be group writable too
-umask 0002
-
-run_as_other_user_if_needed() {
-  if [[ "$(id -u)" == "0" ]]; then
-    # If running as root, drop to specified UID and run command
-    exec chroot --userspec=1000 / "${@}"
-  else
-    # Either we are running in Openshift with random uid and are a member of the root group
-    # or with a custom --user
-    exec "${@}"
-  fi
-}
-
-
-#Disabling xpack features
-
-elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-if grep -Fq  "#xpack features" "$elasticsearch_config_file" ;
-then 
-  declare -A CONFIG_MAP=(
-  [xpack.ml.enabled]=$XPACK_ML
-  )
-  for i in "${!CONFIG_MAP[@]}"
-  do
-    if [ "${CONFIG_MAP[$i]}" != "" ]; then
-      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
-    fi
-  done
-else
-  echo "
-#xpack features
-xpack.ml.enabled: $XPACK_ML
- " >> $elasticsearch_config_file
-fi
-
-# Run load settings script.
-
-bash /usr/share/elasticsearch/load_settings.sh &
-
-# Execute elasticsearch
-
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-  echo "Change Elastic password"
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    ELASTIC_PASSWORD_FROM_FILE=""
-    while IFS= read -r line
-    do
-      if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-        arrIN=(${line//:/ })
-        ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
-      fi
-    done < "$input"
-    run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
-  fi
-  echo "Elastic password changed"
-fi
-
-run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/TEST_openssl.cnf

@@ -1,132 +0,0 @@
-# OpenSSL intermediate CA configuration file.
-# Copy to `/root/ca/intermediate/openssl.cnf`.
-
-[ ca ]
-# `man ca`
-default_ca = CA_default
-
-[ CA_default ]
-# Directory and file locations.
-dir               = /root/ca/intermediate
-certs             = $dir/certs
-crl_dir           = $dir/crl
-new_certs_dir     = $dir/newcerts
-database          = $dir/index.txt
-serial            = $dir/serial
-RANDFILE          = $dir/private/.rand
-
-# The root key and root certificate.
-private_key       = $dir/private/intermediate.key.pem
-certificate       = $dir/certs/intermediate.cert.pem
-
-# For certificate revocation lists.
-crlnumber         = $dir/crlnumber
-crl               = $dir/crl/intermediate.crl.pem
-crl_extensions    = crl_ext
-default_crl_days  = 30
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md        = sha256
-
-name_opt          = ca_default
-cert_opt          = ca_default
-default_days      = 375
-preserve          = no
-policy            = policy_loose
-
-[ policy_strict ]
-# The root CA should only sign intermediate certificates that match.
-# See the POLICY FORMAT section of `man ca`.
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ policy_loose ]
-# Allow the intermediate CA to sign a more diverse range of certificates.
-# See the POLICY FORMAT section of the `ca` man page.
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-# Options for the `req` tool (`man req`).
-default_bits        = 2048
-distinguished_name  = req_distinguished_name
-string_mask         = utf8only
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md          = sha256
-
-# Extension to add when the -x509 option is used.
-x509_extensions     = v3_ca
-
-[ req_distinguished_name ]
-# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
-countryName                     = Country Name (2 letter code)
-stateOrProvinceName             = State or Province Name
-localityName                    = Locality Name
-0.organizationName              = Organization Name
-organizationalUnitName          = Organizational Unit Name
-commonName                      = Common Name
-emailAddress                    = Email Address
-
-# Optionally, specify some defaults.
-countryName_default             = GB
-stateOrProvinceName_default     = England
-localityName_default            =
-0.organizationName_default      = Alice Ltd
-organizationalUnitName_default  =
-emailAddress_default            =
-
-[ v3_ca ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ usr_cert ]
-# Extensions for client certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, emailProtection
-
-[ server_cert ]
-# Extensions for server certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ crl_ext ]
-# Extension for CRLs (`man x509v3_config`).
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates (`man ocsp`).
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning

elasticsearch/config/config_cluster.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+remove_single_node_conf(){
+  if grep -Fq "discovery.type" $1; then
+    sed -i '/discovery.type\: /d' $1 
+  fi
+}
+
+remove_cluster_config(){
+  sed -i '/# cluster node/,/# end cluster config/d' $1
+}
+
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+
+if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: 0.0.0.0
+node.name: $CLUSTER_MASTER_NODE_NAME
+node.master: $CLUSTER_NODE_MASTER
+cluster.initial_master_nodes: 
+  - $CLUSTER_MASTER_NODE_NAME
+# end cluster config" 
+EOF
+
+elif [[ $CLUSTER_NODE_NAME != "" ]];then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: 0.0.0.0
+node.name: $CLUSTER_NODE_NAME
+node.master: false
+discovery.seed_hosts: 
+  - $CLUSTER_MASTER_NODE_NAME
+  - $CLUSTER_NODE_NAME
+# end cluster config" 
+EOF
+fi
+# If the cluster is disabled, then set a single-node configuration
+else
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "discovery.type: single-node" >> $elastic_config_file
+fi

elasticsearch/config/configure_s3.sh

@@ -1,37 +1,8 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials for 
-# monitoring
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u elastic:${ELASTIC_PASS} -k"
-else
-  auth=""
-fi
-
 # Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
 # param 1: number of arguments passed to configure_s3.sh
 
@@ -65,7 +36,7 @@ function CreateRepo()
     if [ $1 == 5 ];then
         version="$6"
     else
-        version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+        version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
     fi
 
     if ! [[ "$version" =~ ^[0-9]+$ ]];then
@@ -76,15 +47,15 @@ function CreateRepo()
     repository="$repository_name-$version"
     s3_path="$path/$version"
 
-    >&2 echo "Create S3 repository"
-
-    until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
-      >&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
-      sleep 5
-    done
-
-    >&2 echo "S3 repository created"
-
+    curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
+        {
+            "type": "s3",
+            "settings": {
+            "bucket": "'$bucket_name'",
+            "base_path": "'$s3_path'"
+        }
+    }
+    '
 
 }
 

elasticsearch/config/entrypoint.sh

@@ -1,8 +1,52 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
 
-done
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq  "#xpack features" "$elasticsearch_config_file";
+then 
+  declare -A CONFIG_MAP=(
+  [xpack.ml.enabled]=$XPACK_ML
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+./config_cluster.sh
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/load_settings.sh

@@ -1,90 +1,17 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
+el_url=${ELASTICSEARCH_URL}
 
-if [[ "x${WAZUH_API_URL}" = "x" ]]; then
+if [ "x${WAZUH_API_URL}" = "x" ]; then
   wazuh_url="https://wazuh"
 else
   wazuh_url="${WAZUH_API_URL}"
 fi
 
-ELASTIC_PASS=""
-KIBANA_USER=""
-KIBANA_PASS=""
-LOGSTASH_USER=""
-LOGSTASH_PASS=""
-ADMIN_USER=""
-ADMIN_PASS=""
-WAZH_API_USER=""
-WAZH_API_PASS=""
-MONITORING_USER=""
-MONITORING_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
-  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
-  ADMIN_USER=${SECURITY_ADMIN_USER}
-  ADMIN_PASS=${SECURITY_ADMIN_PASS}
-  WAZH_API_USER=${API_USER}
-  WAZH_API_PASS=${API_PASS}
-  MONITORING_USER=${SECURITY_MONITORING_USER}
-  MONITORING_PASS=${SECURITY_MONITORING_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_USER"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_USER=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_PASS=${arrIN[1]}
-    elif [[ $line == *"ADMIN_USER"* ]]; then
-      arrIN=(${line//:/ })
-      ADMIN_USER=${arrIN[1]}
-    elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ADMIN_PASS=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_USER"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_USER=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_PASS=${arrIN[1]}
-    elif [[ $line == *"MONITORING_USER"* ]]; then
-      arrIN=(${line//:/ })
-      MONITORING_USER=${arrIN[1]}
-    elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      MONITORING_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
   auth=""
 else
   auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
@@ -100,17 +27,15 @@ done
 if [ $ENABLE_CONFIGURE_S3 ]; then
   #Wait for Elasticsearch to be ready to create the repository
   sleep 10
-  >&2 echo "Configure S3"
-  if [ "x$S3_PATH" != "x" ]; then
-    >&2 echo "S3_PATH"
-    >&2 echo $S3_PATH
-    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
-      >&2 echo "Elasticsearch major version:"
-      >&2 echo $S3_ELASTIC_MAJOR
-      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
+  IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+
+  if [ "x$S3_PATH" != "x" ]; then 
+
+    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then 
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR 
+
     else
-      >&2 echo "Elasticserach major version not given"
-      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME 
 
     fi
 
@@ -118,64 +43,17 @@ if [ $ENABLE_CONFIGURE_S3 ]; then
 
 fi
 
-##############################################################################
-# Setup passwords for Elastic Stack users
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-  MY_HOSTNAME=`hostname`
-  echo "Hostname:"
-  echo $MY_HOSTNAME
-  if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
-    echo "Setting up passwords for all Elastic Stack users"
-
-    echo "Setting remote monitoring password"
-    SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
-      >&2 echo "Unavailable password seeting- sleeping"
-      sleep 2
-    done
-    echo "Setting Kibana password"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ],  "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ],  "privileges": ["read", "view_index_metadata"] }  ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER"  -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"],  "full_name" : "Service Internal Kibana User" }'
-    echo "Setting APM password"
-    SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
-    echo "Setting Beats password"
-    SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
-    echo "Setting Logstash password"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ],  "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"],  "full_name" : "Service Internal Logstash User" }'
-    echo "Passwords established for all Elastic Stack users"
-    echo "Creating Admin user"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"],  "full_name" : "Wazuh admin" }'
-    echo "Admin user created"
-    echo "Setting monitoring user"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ],  "privileges": ["write","create_index","manage","read", "index"] } ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"],  "full_name" : "Service Internal Monitoring User" }'
-  fi
-fi
-
 #Insert default templates
 
-sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
-
-cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
-sleep 5
-
-
-API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
+API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$API_USER" | tr -d '"'`
 API_PASSWORD=`echo -n $API_PASS_Q | base64`
 
 echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+if [ "x$CONFIG_CODE" != "x200" ]; then
+  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
   {
     "api_user": "'"$API_USER_Q"'",
     "api_password": "'"$API_PASSWORD"'",
@@ -213,7 +91,7 @@ curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/jso
 '
 
 # Set cluster delayed timeout when node falls
-curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
+curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
 {
   "settings": {
     "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
@@ -221,12 +99,5 @@ curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json'
 }
 '
 
-# Remove credentials file.
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
 
 echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -1,29 +1,18 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.8.2
-ARG WAZUH_APP_VERSION=3.9.4_6.8.2
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.3.0
+ARG ELASTIC_VERSION=7.3.0
+ARG WAZUH_VERSION=3.9.5
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
 USER root
 
-ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
-
-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana:kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
-
-RUN yum install openssl -y
+RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
+RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
 
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
-RUN mkdir /entrypoint-scripts
 
 USER kibana
 
@@ -54,23 +43,19 @@ ENV PATTERN="" \
     WAZUH_MONITORING_REPLICAS="" \
     ADMIN_PRIVILEGES=""
 
-ARG XPACK_CANVAS="false"
-ARG XPACK_LOGS="false"
-ARG XPACK_INFRA="false"
-ARG XPACK_ML="false"
-ARG XPACK_DEVTOOLS="false"
-ARG XPACK_MONITORING="false"
-ARG XPACK_APM="false"
-ARG XPACK_MAPS="false"
-ARG XPACK_UPTIME="false"
+ARG XPACK_CANVAS="true"
+ARG XPACK_LOGS="true"
+ARG XPACK_INFRA="true"
+ARG XPACK_ML="true"
+ARG XPACK_DEVTOOLS="true"
+ARG XPACK_MONITORING="true"
+ARG XPACK_APM="true"
 
-ARG CHANGE_WELCOME="true"
+ARG CHANGE_WELCOME="false"
 
-COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
-RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
 
-COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
+RUN chmod +x ./wazuh_app_config.sh
 
 COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
 

kibana/config/20-entrypoint.sh

@@ -1,133 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-until curl -XGET $el_url ${auth}; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials.
-# We must create the ssl certificate.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-
-  # Create keystore
-  /usr/share/kibana/bin/kibana-keystore create
-  
-  echo "Setting security Kibana configuiration options."
-
-  echo "
-# Elasticsearch from/to Kibana
-elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
-
-server.ssl.enabled: true
-server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
-server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
-server.ssl.supportedProtocols: 
-  - TLSv1.1
-  - TLSv1.2
-" >> /usr/share/kibana/config/kibana.yml
-
-  echo "Create SSL directories."
-
-  mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
-  CA_PATH="/usr/share/kibana/config"
-
-  echo "Creating SSL certificates."
-  
-  pushd $CA_PATH
-
-  chown kibana: $CA_PATH/$SECURITY_CA_PEM
-  chmod 400 $CA_PATH/$SECURITY_CA_PEM
-  SECURITY_KEY_PASS=`openssl rand -base64 32`
-  openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
-  chown -R kibana: $CA_PATH/ssl
-  chmod -R 770 $CA_PATH/ssl
-  chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
-
-  popd
-  echo "SSL certificates created."
-
-  # Add keys to keystore
-  echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
-  echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
-  echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
-
-fi
-
-##############################################################################
-# Run more configuration scripts.
-##############################################################################
-
-bash /usr/share/kibana/kibana_settings.sh &
-
-/usr/local/bin/kibana-docker

kibana/config/entrypoint.sh

@@ -1,8 +1,57 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
+set -e
 
-done
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -1,13 +1,12 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 WAZUH_MAJOR=3
 
 ##############################################################################
 # Wait for the Kibana API to start. It is necessary to do it in this container
-# because the others are running Elastic Stack and we can not interrupt them.
-#
+# because the others are running Elastic Stack and we can not interrupt them. 
+# 
 # The following actions are performed:
 #
 # Add the wazuh alerts index as default.
@@ -19,52 +18,38 @@ WAZUH_MAJOR=3
 # Customize elasticsearch ip
 ##############################################################################
 if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
   sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
 fi
 
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
 if [ "$KIBANA_IP" != "" ]; then
   kibana_ip="$KIBANA_IP"
 else
   kibana_ip="kibana"
 fi
 
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u $KIBANA_USER:${KIBANA_PASS}"
-  kibana_secure_ip="https://$kibana_ip"
-else
-  auth=""
-  kibana_secure_ip="http://$kibana_ip"
-fi
-
-
-while [[ "$(curl $auth -k -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
+while [[ "$(curl -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
   echo "Waiting for Kibana API. Sleeping 5 seconds"
   sleep 5
 done
 
-# Prepare index selection.
+# Prepare index selection. 
 echo "Kibana API is running"
 
 default_index="/tmp/default_index.json"
@@ -79,23 +64,16 @@ EOF
 
 sleep 5
 # Add the wazuh alerts index as default.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 
 sleep 5
 # Configuring Kibana TimePicker.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
 '{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
 
 sleep 5
 # Do not ask user to help providing usage statistics to Elastic
-curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
-
-# Remove credentials file
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
+curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
 
 echo "End settings"

kibana/config/wazuh_app_config.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
 

kibana/config/welcome_wazuh.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 if [[ $CHANGE_WELCOME == "true" ]]
 then
@@ -15,13 +16,9 @@ then
     sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
     sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
 
-    # Hide management undesired links
-    echo "Hide management undesired links"
+    # Redirect Kibana welcome screen to Discover
+    echo "Hide undesired links"
     sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
     sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
 fi
 

kibana/config/xpack_config.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 kibana_config_file="/usr/share/kibana/config/kibana.yml"
 if grep -Fq  "#xpack features" "$kibana_config_file";
@@ -9,11 +10,8 @@ then
     [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
     [xpack.ml.enabled]=$XPACK_ML
     [xpack.canvas.enabled]=$XPACK_CANVAS
-    [xpack.logstash.enabled]=$XPACK_LOGS
     [xpack.infra.enabled]=$XPACK_INFRA
     [xpack.monitoring.enabled]=$XPACK_MONITORING
-    [xpack.maps.enabled]=$XPACK_MAPS
-    [xpack.uptime.enabled]=$XPACK_UPTIME
     [console.enabled]=$XPACK_DEVTOOLS
   )
   for i in "${!CONFIG_MAP[@]}"
@@ -30,11 +28,8 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
 xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
 xpack.ml.enabled: $XPACK_ML
 xpack.canvas.enabled: $XPACK_CANVAS
-xpack.logstash.enabled: $XPACK_LOGS
 xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
-xpack.maps.enabled: $XPACK_MAPS
-xpack.uptime.enabled: $XPACK_UPTIME
 console.enabled: $XPACK_DEVTOOLS
 " >> $kibana_config_file
 fi

logstash/Dockerfile

@@ -1,37 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.8.2
-
-COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-RUN rm -f /usr/share/logstash/pipeline/logstash.conf
-
-COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
-
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-ARG SECURITY_CA_PEM_ARG=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
-
-# Set permissions for CA
-USER root
-RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
-RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
-
-# Add entrypoint scripts
-RUN mkdir /entrypoint-scripts
-RUN chmod -R 774 /entrypoint-scripts
-RUN chown -R logstash:logstash /entrypoint-scripts
-COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
-USER logstash
-
-ENTRYPOINT /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -1,49 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-# Wazuh - Logstash configuration file
-## Remote Wazuh Manager - Filebeat input
-input {
-    beats {
-        port => 5000
-        codec => "json_lines"
-#       ssl => true
-#       ssl_certificate => "/etc/logstash/logstash.crt"
-#       ssl_key => "/etc/logstash/logstash.key"
-    }
-}
-filter {
-    if [data][srcip] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][srcip]}" ]
-        }
-    }
-    if [data][aws][sourceIPAddress] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
-        }
-    }
-}
-filter {
-    geoip {
-        source => "@src_ip"
-        target => "GeoLocation"
-        fields => ["city_name", "country_name", "region_name", "location"]
-    }
-    date {
-        match => ["timestamp", "ISO8601"]
-        target => "@timestamp"
-    }
-    mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
-    }
-}
-output {
-    elasticsearch {
-        hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-        document_type => "wazuh"
-        #user => service_logstash
-        #password => service_logstash_internal_password
-        #ssl => true
-        #cacert => "/path/to/cert.pem"
-    }
-}

logstash/config/10-entrypoint.sh

@@ -1,158 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-set -e
-
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-LOGSTASH_USER=""
-LOGSTASH_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
-  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_PASS=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_USER"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-
-##############################################################################
-# Customize logstash output ip
-##############################################################################
-
-if [ "$LOGSTASH_OUTPUT" != "" ]; then
-  >&2 echo "Customize Logstash ouput ip."
-  sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
-fi
-
-until curl $auth -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping."
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Set Logstash password
-##############################################################################
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  ## Create secure keystore
-  SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
-  export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
-  /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
-
-  ## Settings for logstash.yml
-  echo "
-# Required set the passwords
-xpack.monitoring.enabled: true
-xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
-xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
-xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
-
-xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
-xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
-xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
-xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
-" >> /usr/share/logstash/config/logstash.yml
-
-  ## Settings for 01-wazuh.conf
-  sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf 
-
-  ## Add keys to the keystore
-  echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
-  echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
-  
-  
-fi
-  
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-
-##############################################################################
-# Remove credentials file
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
-
-##############################################################################
-# Map environment variables to entries in logstash.yml.
-# Note that this will mutate logstash.yml in place if any such settings are found.
-# This may be undesirable, especially if logstash.yml is bind-mounted from the
-# host system.
-##############################################################################
-
-env2yaml /usr/share/logstash/config/logstash.yml
-
-export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
-
-if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
-  exec logstash "$@"
-else
-  exec "$@"
-fi

logstash/config/entrypoint.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
-
-done

migration/volumes.sh

@@ -0,0 +1,138 @@
+#!/bin/bash 
+# Copyright (C) 2019, Wazuh Inc.
+
+# Script to update old environments containing /var/ossec/data with symbolic links the new structure
+
+wazuh_path=/var/ossec/
+data_path=/var/ossec/data/
+wazuh_dirs=(api/configuration etc logs queue var/multigroups active-response/bin integrations)
+no_wazuh_dirs=(/etc/filebeat)
+
+wazuh_preserve_links=(/var/ossec/api/configuration/auth/htpasswd /var/ossec/etc/ossec-init.conf)
+wazuh_files=(/var/ossec/queue/agents-timestamp)
+filebeat_files=(/var/lib/filebeat/registry /var/lib/filebeat/meta.json)
+postfix_files=(/etc/postfix/dynamicmaps.cf /etc/postfix/main.cf /etc/postfix/main.cf.proto /etc/postfix/master.cf /etc/postfix/master.cf.proto /etc/postfix/postfix-files /etc/postfix/sasl /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db /etc/postfix/postfix-script /etc/postfix/post-install)
+
+for dir in "${wazuh_dirs[@]}"; do
+  if [ ! -e $data_path"wazuh"$wazuh_path$dir ]
+  then
+    mkdir -p $data_path"wazuh"$wazuh_path$dir
+  fi
+  echo "Copying $wazuh_path$dir to $data_path"wazuh"$wazuh_path$dir"
+  cp -LR --preserve=all $wazuh_path$dir/* $data_path"wazuh"$wazuh_path$dir
+done
+
+for dir in "${no_wazuh_dirs[@]}"; do
+  base=$(basename $dir)
+  if [ ! -e $data_path$base$dir ]
+  then
+    mkdir -p $data_path$base$dir
+  fi
+  echo "Copying $dir to $data_path$base$dir"
+  cp -a $dir/* $data_path$base$dir
+done
+
+
+for file in "${wazuh_files[@]}"; do
+  echo "Copying $file to $data_path"wazuh"$file"
+  cp -LR --preserve=all $file $data_path"wazuh"$file
+done
+
+echo ">> Checking filebeat files" 
+mkdir -p $data_path"filebeat/var/lib/filebeat"
+
+for file in "${filebeat_files[@]}"; do
+  if [[ -e $file ]]; then
+    if [[ -d $file ]]; then
+        mkdir -p $data_path"filebeat"$file
+        echo "Copying $file to $data_path"filebeat"$file"
+        cp -a $file/* $data_path"filebeat"$file
+    else
+        echo "Copying $file to $data_path"filebeat"$file"
+        cp -a $file $data_path"filebeat"$file
+    fi
+  fi
+done
+
+echo ">> Checking postfix files"
+mkdir -p $data_path"postfix/etc/postfix"
+
+for file in "${postfix_files[@]}"; do
+  if [[ -e $file ]]; then
+    if [[ -d $file ]]; then
+        mkdir -p $data_path"postfix"$file
+        echo "Copying $file to $data_path"postfix"$file"
+        cp -a $file/* $data_path"postfix"$file
+    else
+        echo "Copying $file to $data_path"postfix"$file"
+        cp -a $file $data_path"postfix"$file
+    fi
+  fi
+done
+
+echo ">> Preserving Wazuh symbolic links files"
+for file in "${wazuh_preserve_links[@]}"; do
+  rm  $wazuh_path"data/wazuh"$file
+  cp -a $file $wazuh_path"data/wazuh"$file
+done
+
+# Grant proper permissions
+
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration
+chown root:ossec /var/ossec/data/wazuh/var/ossec/api/configuration
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/auth
+chmod 740 /var/ossec/data/wazuh/var/ossec/api/configuration/config.js
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/preloaded_vars.conf
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl
+chmod 400 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl/server.crt
+chmod 400 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl/server.key
+chmod 770 /var/ossec/data/wazuh/var/ossec/etc
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/etc
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/client.keys
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/decoders/local_decoder.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/decoders/local_decoder.xml
+chmod 660 /var/ossec/data/wazuh/var/ossec/etc/lists/amazon/aws-sources.cdb
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/etc/lists/amazon/aws-sources.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/audit-keys
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/audit-keys.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/security-eventchannel
+chmod 640 /var/ossec/data/wazuh//var/ossec/etc/lists/security-eventchannel.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/local_internal_options.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/localtime
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/ossec.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/rules/local_rules.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/rules/local_rules.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/shared/default/agent.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/sslmanager.cert
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/sslmanager.key
+chmod 770 /var/ossec/data/wazuh/var/ossec/logs
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/logs
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts/2019/May
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/api
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives/2019/May
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/cluster
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall/2019/May
+chmod 640 /var/ossec/data/wazuh/var/ossec/logs/integrations.log
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/ossec
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue
+chown root:ossec /var/ossec/data/wazuh/var/ossec/queue
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/agentless
+chmod 600 /var/ossec/data/wazuh/var/ossec/queue/agents-timestamp
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/db 
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db-shm
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db-wal
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/fts
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/fts-queue
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/hostinfo
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/ig-queue
+chmod 644 /var/ossec/data/wazuh/var/ossec/queue/rids/sender_counter
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/rootcheck
+chmod 770 /var/ossec/data/wazuh/var/ossec/var/multigroups
+chown root:ossec /var/ossec/data/wazuh/var/ossec/var/multigroups

nginx/Dockerfile

@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 
 ENV DEBIAN_FRONTEND noninteractive

nginx/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 

wazuh/Dockerfile

@@ -1,16 +1,16 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM phusion/baseimage:latest
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM phusion/baseimage:master
 
 # Arguments
-ARG FILEBEAT_VERSION=6.8.2
-ARG WAZUH_VERSION=3.9.4-1
+ARG FILEBEAT_VERSION=7.3.0
+ARG WAZUH_VERSION=3.9.5-1
 
 # Environment variables
 ENV API_USER="foo" \
     API_PASS="bar"
 
 # Install packages
-RUN set -x && \
+RUN set -x && \ 
     echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
     curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
     curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
@@ -29,13 +29,18 @@ RUN set -x && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     rm -f /var/ossec/logs/alerts/*/*/* && \
     rm -f /var/ossec/logs/archives/*/*/* && \
-    rm -f /var/ossec/logs/firewall/*/*/* && \
+    rm -f /var/ossec/logs/firewall/*/*/* && \ 
     rm -f /var/ossec/logs/api/*/*/* && \
     rm -f /var/ossec/logs/cluster/*/*/* && \
     rm -f /var/ossec/logs/ossec/*/*/* && \
     rm /var/ossec/var/run/* && \
     curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb && \
+    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json && \
+    chmod go+r /etc/filebeat/wazuh-template.json && \
+    curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module && \
+    mkdir -p /usr/share/filebeat/module/wazuh && \
+    chmod 755 -R /usr/share/filebeat/module/wazuh
 
 # Services
 RUN mkdir /etc/service/wazuh && \
@@ -65,7 +70,7 @@ RUN chmod 755 /permanent_data.sh && \
     sync && \
     /permanent_data.sh && \
     sync && \
-    rm /permanent_data.sh 
+    rm /permanent_data.sh
 
 # Expose ports
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
@@ -80,7 +85,6 @@ VOLUME ["/var/ossec/queue"]
 VOLUME ["/var/ossec/var/multigroups"]
 VOLUME ["/var/ossec/integrations"]
 VOLUME ["/var/ossec/active-response/bin"]
-VOLUME ["/var/ossec/wodles"]
 VOLUME ["/etc/filebeat"]
 VOLUME ["/etc/postfix"]
 VOLUME ["/var/lib/filebeat"]
@@ -92,15 +96,13 @@ RUN mkdir /entrypoint-scripts
 COPY config/entrypoint.sh /entrypoint.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 
-RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/01-wazuh.sh
+# Migration scripts
+COPY migration/data_dirs.env /data_dirs.env
+COPY migration/02-volume_loader.sh /entrypoint-scripts/02-volume_loader.sh
 
-# Workaround. 
-# Issues: Wazuh-api
-# https://github.com/wazuh/wazuh-api/issues/440  
-# https://github.com/wazuh/wazuh-api/issues/443
-COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
-RUN chmod 770 /var/ossec/api/controllers/agents.js
+RUN chmod 755 /entrypoint.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
+    chmod 755 /entrypoint-scripts/02-volume_loader.sh
 
 # Run all services
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/01-wazuh.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env
@@ -71,12 +71,6 @@ apply_exclusion_data() {
   for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
     if [  -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file}  ]
     then
-      DIR=$(dirname "${exclusion_file}")
-      if [ ! -e ${DIR}  ]
-      then
-        mkdir -p ${DIR}
-      fi
-      
       print "Updating ${exclusion_file}"
       exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
     fi
@@ -206,7 +200,7 @@ change_api_user_credentials() {
 
 custom_filebeat_output_ip() {
   if [ "$FILEBEAT_OUTPUT" != "" ]; then
-    sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
+    sed 's|http://elasticsearch:9200|$FILEBEAT_OUTPUT|g' filebeat.yml
   fi
 }
 
@@ -261,6 +255,10 @@ main() {
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 
+  # Grant proper permissions
+  # When modifiying some files using the Wazuh API (i.e. /var/ossec/etc/ossec.conf), group rw permissions are needed for changes to take place.  
+  # https://github.com/wazuh/wazuh/issues/3647
+  chmod -R g+rw ${WAZUH_INSTALL_PATH}
 }
 
 main

wazuh/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do

wazuh/config/filebeat.yml

@@ -1,18 +1,53 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-filebeat:
- prospectors:
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+filebeat.inputs:
   - type: log
     paths:
-     - "/var/ossec/logs/alerts/alerts.json"
-    document_type: json
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-    tail_files: true
+      - '/var/ossec/logs/alerts/alerts.json'
 
-output:
- logstash:
-   # The Logstash hosts
-   hosts: ["logstash:5000"]
-#   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+output.elasticsearch:
+  hosts: ['http://elasticsearch:9200']
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

wazuh/config/permanent_data.env

@@ -7,7 +7,6 @@ PERMANENT_DATA[((i++))]="/var/ossec/queue"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
-PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
 PERMANENT_DATA[((i++))]="/etc/postfix"
 export PERMANENT_DATA
@@ -37,22 +36,6 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
 export PERMANENT_DATA_EXCP
 
 # Files mounted in a volume that should be deleted 

wazuh/config/permanent_data.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env

wazuh/migration/02-volume_loader.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+source /data_dirs.env
+
+##############################################################################
+# Copy will be executed from the custom mounting path (key) 
+# to destination path (value) when iterating through the array  
+# For example in the first custom path:
+#    cp -pr "/migration/ossec_backup/ /var/ossec/" will be executed
+# Please ensure the key path is correctly mounted in the container
+# For more information please check:
+##############################################################################
+
+declare -A custom_paths
+
+custom_paths+=( ["/migration/ossec_backup/"]=/var/ossec/ )
+custom_paths+=( ["/migration/filebeat_backup/"]=/etc/filebeat/ )
+custom_paths+=( ["/migration/filebeat-lib_backup/"]=/var/lib/filebeat/ )
+custom_paths+=( ["/migration/postfix_backup/"]=/etc/postfix/ )
+
+### Auxiliar methods
+
+print() {
+    echo -e "$1"
+}
+
+error_and_exit() {
+    echo "Error executing command: '$1'."
+    echo 'Exiting.'
+    exit 1
+}
+
+exec_cmd() {
+    eval "$1" > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+    eval "$1" 2>&1 || error_and_exit "$1"
+}
+
+### Restoring directories 
+
+declare -A custom_paths
+
+custom_paths+=( ["/migration/ossec_backup/"]=/var/ossec/ )
+custom_paths+=( ["/migration/filebeat_backup/"]=/etc/filebeat/ )
+custom_paths+=( ["/migration/filebeat-lib_backup/"]=/var/lib/filebeat/ )
+custom_paths+=( ["/migration/postfix_backup/"]=/etc/postfix/ )
+
+for sourcedir in "${!custom_paths[@]}"; do
+    if [[ ! -e "${custom_paths[${sourcedir}]}" ]]
+    then
+        print "BACKUP: The folder ${custom_paths[${sourcedir}]} doesn't exists in the container. Creating it..."
+        exec_cmd "mkdir -p ${custom_paths[${sourcedir}]}"
+    fi
+
+    if [[ -e "${sourcedir}" ]]
+    then
+        if [[ -d "${sourcedir}" ]]; then
+            print "BACKUP: Copying data from folder ${sourcedir} in 3.9 volume to ${custom_paths[${sourcedir}]}"
+            exec_cmd "cp -pr ${sourcedir}* ${custom_paths[${sourcedir}]}"
+        elif [[ -f "${sourcedir}" ]]; then
+            print "BACKUP: Copying file ${sourcedir} in 3.9 volume to ${custom_paths[${sourcedir}]}"
+            exec_cmd "cp -pr ${sourcedir} ${custom_paths[${sourcedir}]}"
+        fi
+    else
+        print "The folder ${sourcedir} doesn't exists in the volume. Ignoring it..."
+    fi
+
+done