Update Elastic templates. Logstash conf. Disabled updateruleset

This commit is contained in:
Pedro S
2016-12-19 17:45:57 +01:00
parent 64e6c4743d
commit e2c4882fc2
5 changed files with 154 additions and 133 deletions


@@ -1,4 +1,4 @@
FROM kibana:5.0.2
FROM kibana:latest
RUN apt-get update && apt-get install -y curl
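Review bot: `FROM kibana:latest` replaces the explicitly tagged `kibana:5.0.2`, so every rebuild silently follows whatever is published under `latest` and the image stops being reproducible or auditable; the same change appears in the Logstash Dockerfile (`FROM logstash:latest`). Keep an explicit tag, e.g. `FROM kibana:5.0.2` or a newer fixed version, and for production pin the digest as well, `FROM kibana:<tag>@sha256:<digest>`. Which of the two `FROM` lines is the new side is inferred from the rendered print order and the hunk header counts, so confirm the direction before acting on it. Independently of the pin, the `RUN apt-get update && apt-get install -y curl` line leaves the apt lists in the layer; adding `--no-install-recommends` and `&& rm -rf /var/lib/apt/lists/*` in the same `RUN` keeps the image smaller.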


@@ -1,10 +1,10 @@
FROM logstash:5
FROM logstash:latest
RUN apt-get update
RUN groupadd -g 1000 ossec && useradd -u 1000 -g 1000 ossec &&\
usermod -a -G ossec logstash
COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
COPY config/elastic5-ossec-template.json /etc/logstash/elastic5-ossec-template.json
COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
ADD config/run.sh /tmp/run.sh
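Review bot: `ADD config/run.sh /tmp/run.sh` copies a plain local file, which is what `COPY` is for; `ADD` additionally auto-extracts archives and fetches URLs, behaviour this line does not need, so `COPY config/run.sh /tmp/run.sh` is the clearer and safer instruction. The standalone `RUN apt-get update` creates a layer whose only content is the package index and, with no install chained to it, gets cached independently of any later `apt-get install`, so it should be merged with the install that uses it or removed if nothing does. Both lines appear to be unchanged context in this hunk rather than part of the commit, so treat this as a follow-up. The `:latest` tag on the new `FROM` line is raised in the note on the Kibana Dockerfile.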


@@ -1,43 +1,35 @@
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
#input {
# beats {
# port => 5000
# codec => "json_lines"
# }
#}
## Local Wazuh Manager - JSON file input
input {
file {
type => "ossec-alerts"
path => "/var/ossec/data/logs/alerts/alerts.json"
codec => "json"
file {
type => "wazuh-alerts"
path => "/var/ossec/logs/alerts/alerts.json"
codec => "json"
}
}
filter {
geoip {
source => "srcip"
target => "GeoLocation"
}
mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
}
}
filter {
geoip {
source => "srcip"
target => "GeoLocation"
}
if [SyscheckFile][path] {
mutate {
add_field => {"file" => "%{[SyscheckFile][path]}"}
}
}
grok {
match=> {
"file" => ["^/.+/(?<audit_file>(.+)$)|^[A-Z]:.+\\(?<audit_file>(.+)$)|^[A-Z]:\\.+/(?<audit_file>(.+)$)"]
}
}
mutate {
rename => [ "hostname", "AgentName" ]
rename => [ "agentip", "AgentIP" ]
rename => [ "[rule][comment]", "[rule][description]" ]
rename => [ "[rule][level]", "[rule][AlertLevel]" ]
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
}
}
output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "ossec-%{+YYYY.MM.dd}"
document_type => "ossec"
template => "/etc/logstash/elastic5-ossec-template.json"
template_name => "ossec"
template_overwrite => true
}
}
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-%{+YYYY.MM.dd}"
document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
}
}
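Review bot: In the new filter block `geoip { source => "srcip" target => "GeoLocation" }` runs on every event, including alerts that carry no `srcip` field; wrapping it as `if [srcip] { geoip { source => "srcip" target => "GeoLocation" } }` skips the lookup for those events and avoids whatever failure tag the plugin adds when the source field is absent (confirm against the geoip plugin version in use). The following `mutate { remove_field => [ ... "tags" ... ] }` deletes the `tags` field wholesale, so any `_geoip_lookup_failure` marker would be hidden from the indexed documents anyway; if that tag is the only way to spot lookup problems, consider keeping `tags` or removing only the Beats-specific fields. Which of the two filter blocks is the new side is inferred from the template rename to `wazuh` and the move to nested/snake_case field names rather than from print order, so confirm the direction.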


@@ -1,13 +1,11 @@
{
"order": 0,
"template": "ossec*",
"template": "wazuh*",
"settings": {
"number_of_shards": 1,
"number_of_replicas": 0,
"index.refresh_interval": "5s"
},
"mappings": {
"ossec": {
"wazuh": {
"dynamic_templates": [
{
"notanalyzed": {
@@ -27,13 +25,29 @@
"@version": {
"type": "text"
},
"AgentIP": {
"type": "keyword",
"doc_values": "true"
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"AgentID": {
"type": "keyword",
"doc_values": "true"
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
@@ -110,11 +124,7 @@
"type": "keyword",
"doc_values": "true"
},
"AgentName": {
"type": "keyword",
"doc_values": "true"
},
"SyscheckFile": {
"syscheck": {
"properties": {
"path": {
"type": "keyword",
@@ -128,19 +138,15 @@
"type": "keyword",
"doc_values": "true"
},
"owner_before": {
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"owner_after": {
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gowner_before": {
"type": "keyword",
"doc_values": "true"
},
"gowner_after": {
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
@@ -232,11 +238,11 @@
"type": "keyword",
"doc_values": "true"
},
"AlertLevel": {
"level": {
"type": "long",
"doc_values": "true"
},
"sidid": {
"id": {
"type": "long",
"doc_values": "true"
},
@@ -256,11 +262,11 @@
"type": "long",
"doc_values": "true"
},
"CIS": {
"cis": {
"type": "keyword",
"doc_values": "true"
},
"PCI_DSS": {
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
@@ -338,7 +344,7 @@
"type": "keyword",
"doc_values": "true"
},
"systemname": {
"system_name": {
"type": "keyword",
"doc_values": "true"
},
@@ -350,70 +356,93 @@
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}
}
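Review bot: The new mapping entries keep writing `"doc_values": "true"` as a JSON string (the `agent.ip`/`id`/`name`, `manager.name`, `syscheck.uid_before`/`uid_after`/`gid_before`, `rule.level`/`id`/`cis`/`pci_dss` and `system_name` blocks); Elasticsearch expects a boolean here, and `doc_values` already defaults to on for `keyword`, `long` and `date` fields, so the entries can be dropped or written as `"doc_values": true`. The last hunk adds a second type, `agent`, next to `wazuh` in the same template, mapping `@timestamp` as `date` with format `dateOptionalTime`; in Elasticsearch 5 a field name shared across types of one index must have an identical mapping, so confirm that the `wazuh` type's `@timestamp` (outside these hunks) is defined the same way, otherwise applying the template fails. In the `syscheck` block the old `gowner_before`/`gowner_after` pair is replaced by `gid_before` only as far as the hunk shows; if `gid_after` is not defined past the hunk edge, that value will fall to dynamic mapping.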


@@ -97,7 +97,7 @@ sleep 15 # give ossec a reasonable amount of time to start before checking statu
LAST_OK_DATE=`date +%s`
## Update rules and decoders with Wazuh Ruleset
cd /var/ossec/update/ruleset && python ossec_ruleset.py
#cd /var/ossec/update/ruleset && python ossec_ruleset.py
/bin/node /var/ossec/api/app.js &
/var/ossec/bin/ossec-control restart
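Review bot: Commenting out `cd /var/ossec/update/ruleset && python ossec_ruleset.py` leaves the heading `## Update rules and decoders with Wazuh Ruleset` describing a step that no longer runs, and the reason for disabling it is recorded only in the commit title. Either delete both lines or replace the heading with `## Ruleset update disabled (commit e2c4882fc2); uncomment the next line to re-enable` so the next maintainer does not re-enable it blindly. Whether the disabled script fetched content from the network at container start cannot be told from this hunk; if it did, that removed start-time dependency is worth stating in the same comment. The script continues on both sides of the hunk.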