update to the last template versions

docker-compose.yml

@@ -2,7 +2,7 @@ version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:latest
+    build: wazuh/
     ports:
       - "1514/udp:1514/udp"
       - "1515:1515"
@@ -44,7 +44,6 @@ services:
     depends_on:
       - elasticsearch
     entrypoint: ./wait-for-it.sh elasticsearch
-
 #networks:
 #  docker_elk:
 #    driver: bridge

kibana/Dockerfile

@@ -1,9 +1,9 @@
-FROM kibana:latest
+FROM kibana:5.1.2
 
 RUN apt-get update && apt-get install -y curl
 
 COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
 
-RUN /usr/share/kibana/bin/kibana-plugin install http://wazuh.com/resources/wazuh-app.zip
+RUN /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
 
 COPY config/wait-for-it.sh /

logstash/config/logstash.conf

@@ -4,6 +4,9 @@
 #    beats {
 #        port => 5000
 #        codec => "json_lines"
+#        ssl => true
+#        ssl_certificate => "/etc/logstash/logstash.crt"
+#        ssl_key => "/etc/logstash/logstash.key"
 #    }
 #}
 ## Local Wazuh Manager - JSON file input
@@ -25,7 +28,7 @@ filter {
 }
 output {
     elasticsearch {
-        hosts => ["elasticsearch:9200"]
+        hosts => ["localhost:9200"]
         index => "wazuh-alerts-%{+YYYY.MM.dd}"
         document_type => "wazuh"
         template => "/etc/logstash/wazuh-elastic5-template.json"

logstash/config/wazuh-elastic5-template.json

@@ -150,6 +150,10 @@
               "type": "keyword",
               "doc_values": "true"
             },
+            "gid_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
             "perm_before": {
               "type": "keyword",
               "doc_values": "true"
@@ -418,6 +422,174 @@
               "doc_values": "true"
             }
           }
+        },
+        "audit": {
+          "properties": {
+            "type": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "syscall": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "exit": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "ppid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "pid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "auid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "euid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "suid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fsuid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "egid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sgid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fsgid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "tty": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "session": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "command": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "exe": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "key": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "cwd": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.inode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.mode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.inode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.mode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "acct": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "dev": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "enforcing": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "list": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old-auid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old-ses": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old_enforcing": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old_prom": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "op": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "prom": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "res": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "srcip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "subj": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "success": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
         }
       }
     },

wait-for-it.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -e
-
-host="$1"
-shift
-cmd="$@"
-
-until curl -XGET $host:9200; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 1
-done
-
->&2 echo "Elastic is up - executing command"
-exec $cmd

wazuh/config/data_dirs.env

@@ -1,6 +1,6 @@
 i=0
 DATA_DIRS[((i++))]="etc"
-DATA_DIRS[((i++))]="rules"
+DATA_DIRS[((i++))]="ruleset"
 DATA_DIRS[((i++))]="logs"
 DATA_DIRS[((i++))]="stats"
 DATA_DIRS[((i++))]="queue"

wazuh/config/wazuh.repo

@@ -1,7 +1,7 @@
 [wazuh_repo]
 gpgcheck=1
-gpgkey=https://packages.wazuh.com/key/RPM-GPG-KEY-WAZUH
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
 enabled=1
 name=CENTOS-$releasever - Wazuh
-baseurl=https://packages.wazuh.com/yumtest/el/$releasever/$basearch
+baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
 protect=1