Update Elastic templates. Logstash conf. Disabled updateruleset

kibana/Dockerfile

@@ -1,4 +1,4 @@
-FROM kibana:5.0.2
+FROM kibana:latest
 
 RUN apt-get update && apt-get install -y curl
 

logstash/Dockerfile

@@ -1,10 +1,10 @@
-FROM logstash:5
+FROM logstash:latest
 
 RUN apt-get update
 RUN groupadd -g 1000 ossec && useradd -u 1000 -g 1000 ossec &&\
     usermod -a -G ossec logstash
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
-COPY config/elastic5-ossec-template.json /etc/logstash/elastic5-ossec-template.json
+COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
 
 
 ADD config/run.sh /tmp/run.sh

logstash/config/logstash.conf

@@ -1,43 +1,35 @@
+# Wazuh - Logstash configuration file
+## Remote Wazuh Manager - Filebeat input
+#input {
+#    beats {
+#        port => 5000
+#        codec => "json_lines"
+#    }
+#}
+## Local Wazuh Manager - JSON file input
 input {
    file {
-    type => "ossec-alerts"
+       type => "wazuh-alerts"
-    path => "/var/ossec/data/logs/alerts/alerts.json"
+       path => "/var/ossec/logs/alerts/alerts.json"
        codec => "json"
    }
 }
-
 filter {
     geoip {
         source => "srcip"
         target => "GeoLocation"
     }
-        if [SyscheckFile][path] {
     mutate {
-                        add_field => {"file" => "%{[SyscheckFile][path]}"}
-                }
-        }
-        grok {
-                match=> {
-                        "file" => ["^/.+/(?<audit_file>(.+)$)|^[A-Z]:.+\\(?<audit_file>(.+)$)|^[A-Z]:\\.+/(?<audit_file>(.+)$)"]
-                }
-        }
-        mutate {
-                rename => [ "hostname", "AgentName" ]
-                rename => [ "agentip", "AgentIP" ]
-                rename => [ "[rule][comment]", "[rule][description]" ]
-                rename => [ "[rule][level]", "[rule][AlertLevel]" ]
         remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
     }
 }
-
 output {
-        #stdout { codec => rubydebug }
     elasticsearch {
         hosts => ["elasticsearch:9200"]
-                 index => "ossec-%{+YYYY.MM.dd}"
+        index => "wazuh-alerts-%{+YYYY.MM.dd}"
-                 document_type => "ossec"
+        document_type => "wazuh"
-                 template => "/etc/logstash/elastic5-ossec-template.json"
+        template => "/etc/logstash/wazuh-elastic5-template.json"
-                 template_name => "ossec"
+        template_name => "wazuh"
         template_overwrite => true
     }
 }

logstash/config/wazuh-elastic5-template.json

@@ -1,13 +1,11 @@
 {
   "order": 0,
-  "template": "ossec*",
+  "template": "wazuh*",
   "settings": {
-    "number_of_shards": 1,
-    "number_of_replicas": 0,
     "index.refresh_interval": "5s"
   },
   "mappings": {
-    "ossec": {
+    "wazuh": {
       "dynamic_templates": [
         {
           "notanalyzed": {
@@ -27,14 +25,30 @@
         "@version": {
           "type": "text"
         },
-        "AgentIP": {
+        "agent": {
+          "properties": {
+            "ip": {
               "type": "keyword",
               "doc_values": "true"
             },
-        "AgentID": {
+            "id": {
               "type": "keyword",
               "doc_values": "true"
             },
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "manager": {
+          "properties": {
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
         "dstuser": {
           "type": "keyword",
           "doc_values": "true"
@@ -110,11 +124,7 @@
           "type": "keyword",
           "doc_values": "true"
         },
-        "AgentName": {
+        "syscheck": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "SyscheckFile": {
           "properties": {
             "path": {
               "type": "keyword",
@@ -128,19 +138,15 @@
               "type": "keyword",
               "doc_values": "true"
             },
-            "owner_before": {
+            "uid_before": {
               "type": "keyword",
               "doc_values": "true"
             },
-            "owner_after": {
+            "uid_after": {
               "type": "keyword",
               "doc_values": "true"
             },
-            "gowner_before": {
+            "gid_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gowner_after": {
               "type": "keyword",
               "doc_values": "true"
             },
@@ -232,11 +238,11 @@
               "type": "keyword",
               "doc_values": "true"
             },
-            "AlertLevel": {
+            "level": {
               "type": "long",
               "doc_values": "true"
             },
-            "sidid": {
+            "id": {
               "type": "long",
               "doc_values": "true"
             },
@@ -256,11 +262,11 @@
               "type": "long",
               "doc_values": "true"
             },
-            "CIS": {
+            "cis": {
               "type": "keyword",
               "doc_values": "true"
             },
-            "PCI_DSS": {
+            "pci_dss": {
               "type": "keyword",
               "doc_values": "true"
             }
@@ -338,7 +344,7 @@
           "type": "keyword",
           "doc_values": "true"
         },
-        "systemname": {
+        "system_name": {
           "type": "keyword",
           "doc_values": "true"
         },
@@ -414,6 +420,29 @@
           }
         }
       }
+    },
+	"agent": {
+	  "properties": {
+			"@timestamp": {
+			  "type": "date",
+			  "format": "dateOptionalTime"
+			},
+			"status": {
+			  "type": "keyword"
+			},
+			"ip": {
+			  "type": "keyword"
+			},
+			"host": {
+			  "type": "keyword"
+			},
+			"name": {
+			  "type": "keyword"
+			},
+			"id": {
+			  "type": "keyword"
+			}
+		}
 	}
   }
 }

wazuh/config/run.sh

@@ -97,7 +97,7 @@ sleep 15 # give ossec a reasonable amount of time to start before checking statu
 LAST_OK_DATE=`date +%s`
 
 ## Update rules and decoders with Wazuh Ruleset
-cd /var/ossec/update/ruleset && python ossec_ruleset.py
+#cd /var/ossec/update/ruleset && python ossec_ruleset.py
 
 /bin/node /var/ossec/api/app.js &
 /var/ossec/bin/ossec-control restart