From be5fd14e16d795dbb3974032ad16dfac6b3d6ad3 Mon Sep 17 00:00:00 2001
From: Jose Luis Ruiz
Date: Mon, 16 Jan 2017 23:41:25 +0100
Subject: [PATCH] update to the last template versions
---
 docker-compose.yml | 3 +-
 kibana/Dockerfile | 4 +-
 kibana/config/wait-for-it.sh | 0
 logstash/config/logstash.conf | 7 +-
 logstash/config/wazuh-elastic5-template.json | 220 +++++++++++++++++--
 wait-for-it.sh | 15 --
 wazuh/config/data_dirs.env | 2 +-
 wazuh/config/wazuh.repo | 4 +-
 8 files changed, 207 insertions(+), 48 deletions(-)
 mode change 100755 => 100644 kibana/config/wait-for-it.sh
 delete mode 100644 wait-for-it.sh
diff --git a/docker-compose.yml b/docker-compose.yml
index b72f2918..dea83f68 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'
 services:
 wazuh:
- image: wazuh/wazuh:latest
+ build: wazuh/
 ports:
 - "1514/udp:1514/udp"
 - "1515:1515"
@@ -44,7 +44,6 @@ services:
 depends_on:
 - elasticsearch
 entrypoint: ./wait-for-it.sh elasticsearch
-
 #networks:
 # docker_elk:
 # driver: bridge
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index e9cbcb37..906a7111 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,9 +1,9 @@
-FROM kibana:latest
+FROM kibana:5.1.2
 RUN apt-get update && apt-get install -y curl
 COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
-RUN /usr/share/kibana/bin/kibana-plugin install http://wazuh.com/resources/wazuh-app.zip
+RUN /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
 COPY config/wait-for-it.sh /
diff --git a/kibana/config/wait-for-it.sh b/kibana/config/wait-for-it.sh
old mode 100755
new mode 100644
diff --git a/logstash/config/logstash.conf b/logstash/config/logstash.conf
index c346b51b..dadaa30b 100644
--- a/logstash/config/logstash.conf
+++ b/logstash/config/logstash.conf
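Review bot: `build: wazuh/` drops the `image:` key entirely, so the image produced by `docker-compose build` gets a compose-generated name and cannot be tagged, pushed or pinned by anyone else consuming this file. Keeping an `image: wazuh/wazuh:<version-placeholder>` line next to `build: wazuh/` names the built image while still building it locally. Replacing the previous `:latest` reference with a local build is otherwise a reproducibility improvement.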
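Review bot: `COPY config/wait-for-it.sh /` copies a script whose executable bit this same commit removes (the diffstat records `mode change 100755 => 100644 kibana/config/wait-for-it.sh`), and `COPY` preserves the source mode, so the compose entrypoint `./wait-for-it.sh elasticsearch` shown as context in the docker-compose.yml hunk (apparently the kibana service) will fail with a permission error at container start. Either restore the mode in git or add `RUN chmod +x /wait-for-it.sh` after the copy. Separately, the config is written to `/opt/kibana/config/kibana.yml` while the plugin binary is invoked from `/usr/share/kibana/bin/`; if the 5.1.2 image only ships Kibana under `/usr/share/kibana`, that copied config is never read, so the target path is worth confirming against the image. The plugin zip URL carries no version or digest, so the build is not reproducible across Wazuh app releases; pinning a versioned artifact and verifying its checksum would make it so.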
@@ -4,6 +4,9 @@
 # beats {
 # port => 5000
 # codec => "json_lines"
+# ssl => true
+# ssl_certificate => "/etc/logstash/logstash.crt"
+# ssl_key => "/etc/logstash/logstash.key"
 # }
 #}
 ## Local Wazuh Manager - JSON file input
@@ -25,11 +28,11 @@ filter {
 }
 output {
 elasticsearch {
- hosts => ["elasticsearch:9200"]
+ hosts => ["localhost:9200"]
 index => "wazuh-alerts-%{+YYYY.MM.dd}"
 document_type => "wazuh"
 template => "/etc/logstash/wazuh-elastic5-template.json"
 template_name => "wazuh"
 template_overwrite => true
 }
-}
\ No newline at end of file
+}
diff --git a/logstash/config/wazuh-elastic5-template.json b/logstash/config/wazuh-elastic5-template.json
index 0105facd..3c9be60d 100644
--- a/logstash/config/wazuh-elastic5-template.json
+++ b/logstash/config/wazuh-elastic5-template.json
@@ -150,6 +150,10 @@
 "type": "keyword",
 "doc_values": "true"
 },
+ "gid_after": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
 "perm_before": {
 "type": "keyword",
 "doc_values": "true"
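Review bot: `hosts => ["localhost:9200"]` points the elasticsearch output at the Logstash container itself; the docker-compose.yml in this same patch still declares Elasticsearch as a separate service (`depends_on: - elasticsearch`), and the replaced value `elasticsearch:9200` was the compose service name that resolves across containers, so the output will fail to connect unless the logstash service shares the elasticsearch container's network namespace or uses host networking, neither of which this patch shows. If the intent is a single-host deployment outside compose, a comment next to the line saying so would stop the next reader from reverting it; otherwise `hosts => ["elasticsearch:9200"]` should be kept.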
@@ -418,31 +422,199 @@
 "doc_values": "true"
 }
 }
+ },
+ "audit": {
+ "properties": {
+ "type": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "id": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "syscall": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "exit": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "ppid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "pid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "auid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "uid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "gid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "euid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "suid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "fsuid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "egid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "sgid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "fsgid": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "tty": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "session": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "command": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "exe": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "key": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "cwd": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "directory.name": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "directory.inode": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "directory.mode": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "file.name": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "file.inode": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "file.mode": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "acct": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "dev": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "enforcing": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "list": {
+ "type": "keyword",
+ "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } } } }, - "agent": { - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "status": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "id": { - "type": "keyword" - } - } - } + "agent": { + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "status": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + } + } + } } -} \ No newline at end of file +} diff --git a/wait-for-it.sh b/wait-for-it.sh deleted file mode 100644 index cdbc01d7..00000000 --- a/wait-for-it.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -set -e - -host="$1" -shift -cmd="$@" - -until curl -XGET $host:9200; do - >&2 echo "Elastic is unavailable - sleeping" - sleep 1 -done - ->&2 echo "Elastic is up - executing command" -exec $cmd diff --git a/wazuh/config/data_dirs.env b/wazuh/config/data_dirs.env index 5e5d25a2..3ed73da7 100644 --- a/wazuh/config/data_dirs.env +++ b/wazuh/config/data_dirs.env @@ -1,6 +1,6 @@ i=0 DATA_DIRS[((i++))]="etc" -DATA_DIRS[((i++))]="rules" +DATA_DIRS[((i++))]="ruleset" DATA_DIRS[((i++))]="logs" DATA_DIRS[((i++))]="stats" DATA_DIRS[((i++))]="queue" 
diff --git a/wazuh/config/wazuh.repo b/wazuh/config/wazuh.repo
index 56108e78..6161b05c 100644
--- a/wazuh/config/wazuh.repo
+++ b/wazuh/config/wazuh.repo
@@ -1,7 +1,7 @@
 [wazuh_repo]
 gpgcheck=1
-gpgkey=https://packages.wazuh.com/key/RPM-GPG-KEY-WAZUH
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
 enabled=1
 name=CENTOS-$releasever - Wazuh
-baseurl=https://packages.wazuh.com/yumtest/el/$releasever/$basearch
+baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
 protect=1