diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index 86117e13..e9cbcb37 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,4 +1,4 @@
-FROM kibana:5.0.2
+FROM kibana:latest
 RUN apt-get update && apt-get install -y curl
diff --git a/logstash/Dockerfile b/logstash/Dockerfile
index df989255..65dfa6e7 100644
--- a/logstash/Dockerfile
+++ b/logstash/Dockerfile
@@ -1,10 +1,10 @@
-FROM logstash:5
+FROM logstash:latest
 RUN apt-get update
 RUN groupadd -g 1000 ossec && useradd -u 1000 -g 1000 ossec &&\
 usermod -a -G ossec logstash
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
-COPY config/elastic5-ossec-template.json /etc/logstash/elastic5-ossec-template.json
+COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
 ADD config/run.sh /tmp/run.sh
diff --git a/logstash/config/logstash.conf b/logstash/config/logstash.conf
index 7bd4a2ad..c346b51b 100644
--- a/logstash/config/logstash.conf
+++ b/logstash/config/logstash.conf
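Review bot: `FROM kibana:latest` drops the version pin, so each rebuild takes whatever the registry currently serves under that tag and the deployed image can change with no change in this repository; that is a supply-chain and reproducibility regression, not a version bump. The rest of this commit is written against the Elastic 5 API (the index template is named `wazuh-elastic5-template.json` and the Logstash output sets `document_type`), so a major-version move of `latest` would break the stack without anything to review. Pin to an explicit 5.x tag, e.g. `FROM kibana:5`, and bump it deliberately; a digest pin would be stronger still.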
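Review bot: The stand-alone `RUN apt-get update` installs nothing, so it only bakes a stale package index into a cached layer that any later `apt-get install` would silently reuse; drop it, or fold it into the same `RUN` as the install it is meant to serve. `FROM logstash:latest` has the same problem as the kibana image: it unpins from the 5.x line that the `wazuh-elastic5-template.json` copied two lines below is written for, so a registry-side major bump would be pulled into this stack unreviewed. `FROM logstash:5` keeps the guarantee the old line gave.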
@@ -1,43 +1,35 @@
+# Wazuh - Logstash configuration file
+## Remote Wazuh Manager - Filebeat input
+#input {
+# beats {
+# port => 5000
+# codec => "json_lines"
+# }
+#}
+## Local Wazuh Manager - JSON file input
 input {
- file {
- type => "ossec-alerts"
- path => "/var/ossec/data/logs/alerts/alerts.json"
- codec => "json"
+ file {
+ type => "wazuh-alerts"
+ path => "/var/ossec/logs/alerts/alerts.json"
+ codec => "json"
+ }
+}
+filter {
+ geoip {
+ source => "srcip"
+ target => "GeoLocation"
+ }
+ mutate {
+ remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
 }
 }
-
-filter {
- geoip {
- source => "srcip"
- target => "GeoLocation"
- }
- if [SyscheckFile][path] {
- mutate {
- add_field => {"file" => "%{[SyscheckFile][path]}"}
- }
- }
- grok {
- match=> {
- "file" => ["^/.+/(?(.+)$)|^[A-Z]:.+\\(?(.+)$)|^[A-Z]:\\.+/(?(.+)$)"]
- }
- }
- mutate {
- rename => [ "hostname", "AgentName" ]
- rename => [ "agentip", "AgentIP" ]
- rename => [ "[rule][comment]", "[rule][description]" ]
- rename => [ "[rule][level]", "[rule][AlertLevel]" ]
- remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
- }
-}
-
 output {
- #stdout { codec => rubydebug }
- elasticsearch {
- hosts => ["elasticsearch:9200"]
- index => "ossec-%{+YYYY.MM.dd}"
- document_type => "ossec"
- template => "/etc/logstash/elastic5-ossec-template.json"
- template_name => "ossec"
- template_overwrite => true
- }
-}
+ elasticsearch {
+ hosts => ["elasticsearch:9200"]
+ index => "wazuh-alerts-%{+YYYY.MM.dd}"
+ document_type => "wazuh"
+ template => "/etc/logstash/wazuh-elastic5-template.json"
+ template_name => "wazuh"
+ template_overwrite => true
+ }
+}
\ No newline at end of file
diff --git a/logstash/config/elastic5-ossec-template.json b/logstash/config/wazuh-elastic5-template.json
similarity index 74%
rename from logstash/config/elastic5-ossec-template.json
rename to logstash/config/wazuh-elastic5-template.json
index d0a3c6b9..0105facd 100644
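Review bot: The new `file` input sets neither `start_position` nor `sincedb_path`, so with the defaults Logstash tails `/var/ossec/logs/alerts/alerts.json` from its end and never ingests alerts already in the file at first start, and the sincedb lives inside the container, so a recreate forgets the offset and tails from the end again, skipping whatever was written in between. Add `start_position => "beginning"` and point `sincedb_path` at a file on a persisted volume so restarts neither lose nor duplicate alerts. The commented-out `beats` input on port 5000 carries no `ssl`/`ssl_certificate`/`ssl_key` settings, so if it is ever uncommented as-is it accepts unauthenticated alert data from anything that can reach the port; the stub should at least say `## enable only with ssl => true and a certificate/key configured`.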
--- a/logstash/config/elastic5-ossec-template.json
+++ b/logstash/config/wazuh-elastic5-template.json
@@ -1,13 +1,11 @@
 {
 "order": 0,
- "template": "ossec*",
+ "template": "wazuh*",
 "settings": {
- "number_of_shards": 1,
- "number_of_replicas": 0,
 "index.refresh_interval": "5s"
 },
 "mappings": {
- "ossec": {
+ "wazuh": {
 "dynamic_templates": [
 {
 "notanalyzed": {
@@ -27,13 +25,29 @@
 "@version": {
 "type": "text"
 },
- "AgentIP": {
- "type": "keyword",
- "doc_values": "true"
+ "agent": {
+ "properties": {
+ "ip": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "id": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "name": {
+ "type": "keyword",
+ "doc_values": "true"
+ }
+ }
 },
- "AgentID": {
- "type": "keyword",
- "doc_values": "true"
+ "manager": {
+ "properties": {
+ "name": {
+ "type": "keyword",
+ "doc_values": "true"
+ }
+ }
 },
 "dstuser": {
 "type": "keyword",
@@ -110,11 +124,7 @@
 "type": "keyword",
 "doc_values": "true"
 },
- "AgentName": {
- "type": "keyword",
- "doc_values": "true"
- },
- "SyscheckFile": {
+ "syscheck": {
 "properties": {
 "path": {
 "type": "keyword",
@@ -128,19 +138,15 @@
 "type": "keyword",
 "doc_values": "true"
 },
- "owner_before": {
+ "uid_before": {
 "type": "keyword",
 "doc_values": "true"
 },
- "owner_after": {
+ "uid_after": {
 "type": "keyword",
 "doc_values": "true"
 },
- "gowner_before": {
- "type": "keyword",
- "doc_values": "true"
- },
- "gowner_after": {
+ "gid_before": {
 "type": "keyword",
 "doc_values": "true"
 },
@@ -232,11 +238,11 @@
 "type": "keyword",
 "doc_values": "true"
 },
- "AlertLevel": {
+ "level": {
 "type": "long",
 "doc_values": "true"
 },
- "sidid": {
+ "id": {
 "type": "long",
 "doc_values": "true"
 },
@@ -256,11 +262,11 @@
 "type": "long",
 "doc_values": "true"
 },
- "CIS": {
+ "cis": {
 "type": "keyword",
 "doc_values": "true"
 },
- "PCI_DSS": {
+ "pci_dss": {
 "type": "keyword",
 "doc_values": "true"
 }
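Review bot: Removing `"number_of_shards": 1` and `"number_of_replicas": 0` from `settings` hands every daily `wazuh-alerts-*` index the Elasticsearch 5 defaults of five primaries and one replica; if the `elasticsearch` host the Logstash output points at is a single node, as it presumably is in this compose setup, the replica can never be allocated, every index stays yellow, and a permanently unassigned shard hides real allocation failures from anyone watching cluster health. Keep at least `"number_of_replicas": 0` in the template, or state in the commit that sizing is meant to be overridden per environment. Note also that `"template": "wazuh*"` now matches any `wazuh`-prefixed index, not only the alerts indices, so the `wazuh` type mapping applies to all of them; confirm that is intended.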
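Review bot: `agent.ip` is mapped as `keyword`, so it can only be matched as an exact string and not queried by CIDR or range, which is the usual analyst pivot on agent addresses; the `ip` datatype supports both and still answers term queries. Be aware that Wazuh can register an agent with the literal address `any` (verify for the version in use), and an `ip` field would reject the whole document on such a value unless malformed values are tolerated, so `"ip": { "type": "ip", "ignore_malformed": true }` is the safer form. Minor: `"doc_values": "true"` is a quoted string where a boolean is meant; ES coerces it, and doc values are already the default for `keyword`, so the key adds nothing.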
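Review bot: The syscheck mapping renames `owner_before`/`owner_after` to `uid_before`/`uid_after` but collapses `gowner_before`/`gowner_after` into a single `gid_before`; there is no `gid_after` anywhere in this hunk, so the pair is asymmetric. If the syscheck alerts emit `gid_after` alongside `gid_before` (they presumably do, mirroring the uid pair), it falls through to dynamic mapping instead of the explicit keyword mapping its sibling gets; add `"gid_after": { "type": "keyword", "doc_values": "true" },` next to `gid_before`. The enclosing `syscheck.properties` object starts and ends outside this hunk, so check there is no other definition of that field further down.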
@@ -338,7 +344,7 @@
 "type": "keyword",
 "doc_values": "true"
 },
- "systemname": {
+ "system_name": {
 "type": "keyword",
 "doc_values": "true"
 },
@@ -350,70 +356,93 @@ "doc_values": "true" }, "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + 
"scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" } + } } } - } + }, + "agent": { + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "status": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + } + } + } } -} +} \ No newline at end of file diff --git a/wazuh/config/run.sh b/wazuh/config/run.sh index 9d0098cd..1b442a74 100644 --- a/wazuh/config/run.sh +++ b/wazuh/config/run.sh @@ -97,7 +97,7 @@ sleep 15 # give ossec a reasonable amount of time to start before checking statu LAST_OK_DATE=`date +%s` ## Update rules and decoders with Wazuh Ruleset -cd /var/ossec/update/ruleset && python ossec_ruleset.py +#cd /var/ossec/update/ruleset && python ossec_ruleset.py /bin/node /var/ossec/api/app.js & /var/ossec/bin/ossec-control restart
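Review bot: The `agent` block appended after the `wazuh` type is a second mapping type inside the same template; Elasticsearch 5 accepts that, but 6.x enforces one type per index and would refuse the template, and with the Dockerfiles in this commit now pulling `latest` that failure arrives on the first registry-side major bump rather than under review. Either keep the images pinned to 5.x or move the monitoring mapping into its own template that matches only that index. `"format": "dateOptionalTime"` is the legacy camelCase Joda name; the 5.x spelling is `"format": "date_optional_time"`, and as far as I recall the camelCase form only logs a deprecation warning there, so verify against the ES version in use. The rest of the hunk only re-indents the `oscap` properties, and the file now ends without a trailing newline.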
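Review bot: Commenting out `cd /var/ossec/update/ruleset && python ossec_ruleset.py` removes the only visible step that refreshes rules and decoders at container start, and nothing in the hunk replaces it or explains why; a manager that quietly starts with whatever detection content was baked in is a security regression that should be deliberate. If the ruleset now ships with the image, say so instead of leaving dead code: replace the two lines with `# Ruleset update via ossec_ruleset.py removed: rules/decoders ship with the image; rebuild to update`, and if it does not, restore the call or point it at the current updater. The surrounding start sequence (`sleep 15`, `LAST_OK_DATE`, `ossec-control restart`) continues outside the hunk, so I cannot see whether a later step covers this.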