diff --git a/docker-compose.yml b/docker-compose.yml index f248c553..3f859585 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,8 +12,8 @@ services: - "55000:55000" networks: - docker_elk - volumes: - - my-path:/var/ossec/data +# volumes: +# - my-path:/var/ossec/data depends_on: - elasticsearch logstash: @@ -41,8 +41,8 @@ services: - "9300:9300" environment: ES_JAVA_OPTS: "-Xms2g -Xmx2g" - volumes: - - my-path:/var/ossec/data +# volumes: +# - my-path:/var/ossec/data networks: - docker_elk kibana: diff --git a/logstash/config/wazuh-elastic2-template.json b/logstash/config/wazuh-elastic2-template.json new file mode 100644 index 00000000..98eab199 --- /dev/null +++ b/logstash/config/wazuh-elastic2-template.json @@ -0,0 +1,732 @@ +{ + "order": 0, + "template": "wazuh*", + "settings": { + "index.refresh_interval": "5s" + }, + "mappings": { + "wazuh": { + "dynamic_templates": [ + { + "notanalyzed": { + "match": "*", + "mapping": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "@version": { + "type": "string" + }, + "agent": { + "properties": { + "ip": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "dstuser": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "AlertsFile": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "full_log": { + "type": "string" + }, + "previous_log": { + "type": "string" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "continent_code": { + "type": "string" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "string" + }, + "country_code3": { + "type": "string" + }, + "country_name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "string" + }, + "real_region_name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "region_name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "timezone": { + "type": "string" + } + } + }, + "host": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "syscheck": { + "properties": { + "path": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "sha1_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "sha1_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "uid_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "uid_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "gid_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "perm_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "perm_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "md5_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "md5_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "gname_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "gname_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "inode_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "inode_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "index": "not_analyzed", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "index": "not_analyzed", + "doc_values": "true" + }, + "uname_after": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "uname_before": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "index": "not_analyzed", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "index": "not_analyzed", + "doc_values": "true" + }, + "diff": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "event": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "location": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "message": { + "type": "string" + }, + "offset": { + "type": "string" + }, + "rule": { + "properties": { + "description": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "groups": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "cve": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "info": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "pci_dss": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "ftscomment": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "srcip": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "protocol": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "action": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "dstip": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "dstport": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "srcuser": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "program_name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "status": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "command": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "url": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "data": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "system_name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "type": { + "type": "string" + }, + "title": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "title": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "result": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "severity": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "description": { + "type": "string" + }, + "rationale": { + "type": "string" + }, + "references": { + "type": "string" + }, + "identifiers": { + "type": "string" + }, + "oval": { + "properties": { + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + } + } + }, + "scan": { + "properties": { + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "content": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "benchmark": { + "properties": { + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "profile": { + "properties": { + "title": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "score": { + "type": "double", + "doc_values": "true" + }, + "return_code": { + "type": "long", + "doc_values": "true" + } + } + } + } + }, + "audit": { + "properties": { + "type": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "id": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "syscall": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "exit": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "ppid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "pid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "auid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "uid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "gid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "euid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "suid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "fsuid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "egid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "sgid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "fsgid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "tty": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "session": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "command": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "exe": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "key": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "cwd": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "directory": { + "properties": { + "name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "inode": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "mode": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "file": { + "properties": { + "name": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "inode": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "mode": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + }, + "acct": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "dev": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "enforcing": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "list": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "old-auid": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "old-ses": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "old_enforcing": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "old_prom": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "op": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "prom": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "res": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "srcip": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "subj": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + }, + "success": { + "type": "string", + "index": "not_analyzed", + "doc_values": "true" + } + } + } + } + } + } +} diff --git a/logstash/config/wazuh-elastic5-template.json b/logstash/config/wazuh-elastic5-template.json deleted file mode 100644 index 3c9be60d..00000000 --- a/logstash/config/wazuh-elastic5-template.json +++ /dev/null @@ -1,620 +0,0 @@ -{ - "order": 0, - "template": "wazuh*", - "settings": { - "index.refresh_interval": "5s" - }, - "mappings": { - "wazuh": { - "dynamic_templates": [ - { - "notanalyzed": { - "match": "*", - "mapping": { - "type": "keyword", - "doc_values": "true" - } - } - } - ], - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword", - "doc_values": "true" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword", - "doc_values": "true" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword", - "doc_values": "true" - }, - "region_name": { - "type": "keyword", - "doc_values": "true" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword", - "doc_values": "true" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_before": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_after": { - "type": "keyword", - "doc_values": "true" - }, - "uid_before": { - "type": "keyword", - "doc_values": "true" - }, - "uid_after": { - "type": "keyword", - "doc_values": "true" - }, - "gid_before": { - "type": "keyword", - "doc_values": "true" - }, - "gid_after": { - "type": "keyword", - "doc_values": "true" - }, - "perm_before": { - "type": "keyword", - "doc_values": "true" - }, - "perm_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_before": { - "type": "keyword", - "doc_values": "true" - }, - "gname_after": { - "type": "keyword", - "doc_values": "true" - }, - "gname_before": { - "type": "keyword", - "doc_values": "true" - }, - "inode_after": { - "type": "keyword", - "doc_values": "true" - }, - "inode_before": { - "type": "keyword", - "doc_values": "true" - }, - "mtime_after": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "mtime_before": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "uname_after": { - "type": "keyword", - "doc_values": "true" - }, - "uname_before": { - "type": "keyword", - "doc_values": "true" - }, - "size_before": { - "type": "long", - "doc_values": "true" - }, - "size_after": { - "type": "long", - "doc_values": "true" - }, - "diff": { - "type": "keyword", - "doc_values": "true" - }, - "event": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "location": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword", - "doc_values": "true" - }, - "groups": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "long", - "doc_values": "true" - }, - "id": { - "type": "long", - "doc_values": "true" - }, - "cve": { - "type": "keyword", - "doc_values": "true" - }, - "info": { - "type": "keyword", - "doc_values": "true" - }, - "frequency": { - "type": "long", - "doc_values": "true" - }, - "firedtimes": { - "type": "long", - "doc_values": "true" - }, - "cis": { - "type": "keyword", - "doc_values": "true" - }, - "pci_dss": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - }, - "ftscomment": { - "type": "keyword", - "doc_values": "true" - }, - "fts": { - "type": "long", - "doc_values": "true" - }, - "accumulate": { - "type": "long", - "doc_values": "true" - } - } - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "program_name": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, - "audit": { - "properties": { - "type": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" - }, - "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" - }, - "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" - }, - "dev": { - "type": "keyword", - "doc_values": "true" - }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - } - } - }, - "agent": { - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "status": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "id": { - "type": "keyword" - } - } - } - } -}