update containers to work with filebeat

2025-11-02 13:03:23 +00:00 · 2017-01-28 21:29:26 +01:00
parent 8f05ef3ac6
commit b597b78036
10 changed files with 54 additions and 24 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,8 +27,6 @@ services:
    command: -f /etc/logstash/conf.d/
    ports:
      - "5000:5000"
-    volumes_from:
-      - wazuh
 #    networks:
 #      - docker_elk
    depends_on:
@@ -43,7 +41,7 @@ services:
 #      - docker_elk
    depends_on:
      - elasticsearch
-    entrypoint: ./wait-for-it.sh elasticsearch
+    entrypoint: sh wait-for-it.sh elasticsearch

 #networks:
 #  docker_elk:
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -4,6 +4,6 @@ RUN apt-get update && apt-get install -y curl

 COPY ./config/kibana.yml /opt/kibana/config/kibana.yml

-RUN /usr/share/kibana/bin/kibana-plugin install http://packages.wazuh.com.s3-website-us-west-1.amazonaws.com/wazuhapp/wazuhapp-5.1.2.zip
+RUN /usr/share/kibana/bin/kibana-plugin install http://packages.wazuh.com.s3-website-us-west-1.amazonaws.com/wazuhapp/wazuhapp.zip

-#COPY config/wait-for-it.sh /
+COPY config/wait-for-it.sh /
--- a/logstash/config/logstash.conf
+++ b/logstash/config/logstash.conf
@@ -1,22 +1,22 @@
 # Wazuh - Logstash configuration file
 ## Remote Wazuh Manager - Filebeat input
-#input {
-#    beats {
-#        port => 5000
-#        codec => "json_lines"
+input {
+    beats {
+        port => 5000
+        codec => "json_lines"
 #        ssl => true
 #        ssl_certificate => "/etc/logstash/logstash.crt"
 #        ssl_key => "/etc/logstash/logstash.key"
-#    }
-#}
-## Local Wazuh Manager - JSON file input
-input {
-   file {
-       type => "wazuh-alerts"
-       path => "/var/ossec/logs/alerts/alerts.json"
-       codec => "json"
-   }
+    }
 }
+## Local Wazuh Manager - JSON file input
+#input {
+#   file {
+#       type => "wazuh-alerts"
+#       path => "/var/ossec/data/logs/alerts/alerts.json"
+#       codec => "json"
+#   }
+#}
 filter {
    geoip {
        source => "srcip"
@@ -28,7 +28,7 @@ filter {
 }
 output {
    elasticsearch {
-        hosts => ["localhost:9200"]
+        hosts => ["elasticsearch:9200"]
        index => "wazuh-alerts-%{+YYYY.MM.dd}"
        document_type => "wazuh"
        template => "/etc/logstash/wazuh-elastic5-template.json"
--- a/logstash/config/run.sh
+++ b/logstash/config/run.sh
@@ -24,7 +24,3 @@ if [ "$1" = 'logstash' ]; then
 fi

 exec "$@"
-
-#echo "Wait one min to logstash restart"
-#sleep 60
-#curl -XPUT -v -H "Expect:"  "http://elasticsearch:9200/_template/ossec" -d@/etc/logstash/elastic5-ossec-template.json
--- a/wait-for-it.sh
+++ b/wait-for-it.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+host="$1"
+shift
+cmd="$@"
+
+until curl -XGET $host:9200; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 1
+done
+
+>&2 echo "Elastic is up - executing command"
+exec $cmd
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -16,6 +16,11 @@ RUN chmod 755 /init.bash &&\
  sync && rm /init.bash


+RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\
+  rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm
+
+COPY config/filebeat.yml /etc/filebeat/
+
 ADD config/run.sh /tmp/run.sh
 RUN chmod 755 /tmp/run.sh

--- a/wazuh/config/default_agent
+++ b/wazuh/config/default_agent
@@ -1 +0,0 @@
-127.0.0.1,DEFAULT_LOCAL_AGENT
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat.yml
@@ -0,0 +1,16 @@
+filebeat:
+ prospectors:
+  - input_type: log
+    paths:
+     - "/var/ossec/data/logs/alerts/alerts.json"
+    document_type: wazuh-alerts
+    json.message_key: log
+    json.keys_under_root: true
+    json.overwrite_keys: true
+
+output:
+ logstash:
+   # The Logstash hosts
+   hosts: ["logstash:5000"]
+#   ssl:
+#     certificate_authorities: ["/etc/filebeat/logstash.crt"]
--- a/wazuh/config/run.sh
+++ b/wazuh/config/run.sh
@@ -100,6 +100,7 @@ LAST_OK_DATE=`date +%s`
 #cd /var/ossec/update/ruleset && python ossec_ruleset.py

 /bin/node /var/ossec/api/app.js &
+/usr/bin/filebeat.sh &
 /var/ossec/bin/ossec-control restart