Update Elastic templates. Logstash conf. Disabled updateruleset

This commit is contained in:
Pedro S
2016-12-19 17:45:57 +01:00
parent 64e6c4743d
commit e2c4882fc2
5 changed files with 154 additions and 133 deletions


@@ -1,4 +1,4 @@
FROM kibana:5.0.2 FROM kibana:latest
RUN apt-get update && apt-get install -y curl RUN apt-get update && apt-get install -y curl
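Review bot: `FROM kibana:latest` on the first line drops the `kibana:5.0.2` pin, so every rebuild pulls whatever Elastic has most recently published, including the next major line, and the image is no longer reproducible; the Elasticsearch template shipped in this same commit (`wazuh-elastic5-template.json`, with `text`/`keyword` field types) is written for the 5.x mapping model, so a silent move to a newer Kibana/Elasticsearch release is likely to break the stack. Restore an explicit tag (the previous `FROM kibana:5.0.2`, or the intended 5.x release) and, for a deployable image, pin the digest as well. The `apt-get install -y curl` context line also leaves the apt lists in the layer; `RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*` keeps the image smaller without changing what is installed. The hunk header announces four lines but only two are visible here, so the remainder of this Dockerfile is not reviewed.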


@@ -1,10 +1,10 @@
FROM logstash:5 FROM logstash:latest
RUN apt-get update RUN apt-get update
RUN groupadd -g 1000 ossec && useradd -u 1000 -g 1000 ossec &&\ RUN groupadd -g 1000 ossec && useradd -u 1000 -g 1000 ossec &&\
usermod -a -G ossec logstash usermod -a -G ossec logstash
COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
COPY config/elastic5-ossec-template.json /etc/logstash/elastic5-ossec-template.json COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
ADD config/run.sh /tmp/run.sh ADD config/run.sh /tmp/run.sh
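Review bot: `FROM logstash:latest` on the first line replaces the `logstash:5` pin, so the Logstash major version and its plugin set can change under this image with no edit to the file; restore an explicit tag (at least `logstash:5`, preferably a full `5.x.y` version, and a digest for production). The `RUN apt-get update` line still stands alone in its own layer and installs nothing, so it only bakes a stale package index into the image; either drop it or fold it into the `RUN` that actually installs packages. `ADD config/run.sh /tmp/run.sh` copies a plain local file, for which `COPY config/run.sh /tmp/run.sh` is the explicit form. The fixed `ossec` UID/GID 1000 and adding `logstash` to that group presumably exist so Logstash can read `alerts.json` from a volume shared with the manager container; that assumption deserves a one-line comment above the `groupadd` line. The hunk header announces ten lines but only seven are visible here.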


@@ -1,43 +1,35 @@
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
#input {
# beats {
# port => 5000
# codec => "json_lines"
# }
#}
## Local Wazuh Manager - JSON file input
input { input {
file { file {
type => "ossec-alerts" type => "wazuh-alerts"
path => "/var/ossec/data/logs/alerts/alerts.json" path => "/var/ossec/logs/alerts/alerts.json"
codec => "json" codec => "json"
}
}
filter {
geoip {
source => "srcip"
target => "GeoLocation"
}
mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
} }
} }
filter {
geoip {
source => "srcip"
target => "GeoLocation"
}
if [SyscheckFile][path] {
mutate {
add_field => {"file" => "%{[SyscheckFile][path]}"}
}
}
grok {
match=> {
"file" => ["^/.+/(?<audit_file>(.+)$)|^[A-Z]:.+\\(?<audit_file>(.+)$)|^[A-Z]:\\.+/(?<audit_file>(.+)$)"]
}
}
mutate {
rename => [ "hostname", "AgentName" ]
rename => [ "agentip", "AgentIP" ]
rename => [ "[rule][comment]", "[rule][description]" ]
rename => [ "[rule][level]", "[rule][AlertLevel]" ]
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
}
}
output { output {
#stdout { codec => rubydebug } elasticsearch {
elasticsearch { hosts => ["elasticsearch:9200"]
hosts => ["elasticsearch:9200"] index => "wazuh-alerts-%{+YYYY.MM.dd}"
index => "ossec-%{+YYYY.MM.dd}" document_type => "wazuh"
document_type => "ossec" template => "/etc/logstash/wazuh-elastic5-template.json"
template => "/etc/logstash/elastic5-ossec-template.json" template_name => "wazuh"
template_name => "ossec" template_overwrite => true
template_overwrite => true }
} }
}
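Review bot: The `geoip` filter at the top of the new `filter` block runs on every event whether or not `srcip` is present, and the `remove_field => [ ... "tags" ... ]` in the `mutate` right after it strips the failure tag Logstash's geoip filter sets by default when a lookup cannot be done (missing field, private address), so lookup failures are silently hidden. Guard the lookup with `if [srcip] { geoip { source => "srcip" target => "GeoLocation" } }` so only events that carry a source IP are looked up, and drop `tags` from the `remove_field` list at least until the pipeline has been checked for `_geoip_lookup_failure`. The commented-out Filebeat `beats` input carries no `ssl => true` / certificate settings; if it is re-enabled for a remote manager as the comment suggests, alerts would cross the network in clear on port 5000, so add the TLS options before uncommenting it. The Elasticsearch output still talks plain HTTP to `elasticsearch:9200` with no credentials, which is acceptable only while that name resolves on a private Compose network. The new `path => "/var/ossec/logs/alerts/alerts.json"` must match the volume the Logstash container mounts from the manager, which this commit does not show; verify against the compose file.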


@@ -1,13 +1,11 @@
{ {
"order": 0, "order": 0,
"template": "ossec*", "template": "wazuh*",
"settings": { "settings": {
"number_of_shards": 1,
"number_of_replicas": 0,
"index.refresh_interval": "5s" "index.refresh_interval": "5s"
}, },
"mappings": { "mappings": {
"ossec": { "wazuh": {
"dynamic_templates": [ "dynamic_templates": [
{ {
"notanalyzed": { "notanalyzed": {
@@ -27,13 +25,29 @@
"@version": { "@version": {
"type": "text" "type": "text"
}, },
"AgentIP": { "agent": {
"type": "keyword", "properties": {
"doc_values": "true" "ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
}, },
"AgentID": { "manager": {
"type": "keyword", "properties": {
"doc_values": "true" "name": {
"type": "keyword",
"doc_values": "true"
}
}
}, },
"dstuser": { "dstuser": {
"type": "keyword", "type": "keyword",
@@ -110,11 +124,7 @@
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"AgentName": { "syscheck": {
"type": "keyword",
"doc_values": "true"
},
"SyscheckFile": {
"properties": { "properties": {
"path": { "path": {
"type": "keyword", "type": "keyword",
@@ -128,19 +138,15 @@
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"owner_before": { "uid_before": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"owner_after": { "uid_after": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"gowner_before": { "gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gowner_after": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
@@ -232,11 +238,11 @@
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"AlertLevel": { "level": {
"type": "long", "type": "long",
"doc_values": "true" "doc_values": "true"
}, },
"sidid": { "id": {
"type": "long", "type": "long",
"doc_values": "true" "doc_values": "true"
}, },
@@ -256,11 +262,11 @@
"type": "long", "type": "long",
"doc_values": "true" "doc_values": "true"
}, },
"CIS": { "cis": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"PCI_DSS": { "pci_dss": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
} }
@@ -338,7 +344,7 @@
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"systemname": { "system_name": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
@@ -350,70 +356,93 @@
"doc_values": "true" "doc_values": "true"
}, },
"oscap": { "oscap": {
"properties": { "properties": {
"check.title": { "check.title": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"check.id": { "check.id": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"check.result": { "check.result": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"check.severity": { "check.severity": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"check.description": { "check.description": {
"type": "text" "type": "text"
}, },
"check.rationale": { "check.rationale": {
"type": "text" "type": "text"
}, },
"check.references": { "check.references": {
"type": "text" "type": "text"
}, },
"check.identifiers": { "check.identifiers": {
"type": "text" "type": "text"
}, },
"check.oval.id": { "check.oval.id": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"scan.id": { "scan.id": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"scan.content": { "scan.content": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"scan.benchmark.id": { "scan.benchmark.id": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"scan.profile.title": { "scan.profile.title": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"scan.profile.id": { "scan.profile.id": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"scan.score": { "scan.score": {
"type": "double", "type": "double",
"doc_values": "true" "doc_values": "true"
}, },
"scan.return_code": { "scan.return_code": {
"type": "long", "type": "long",
"doc_values": "true" "doc_values": "true"
}
} }
}
} }
} }
} },
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
} }
} }
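Review bot: Removing `"number_of_shards": 1` and `"number_of_replicas": 0` from `settings` in the first hunk leaves both to the cluster defaults, which for Elasticsearch 5.x are five primaries and one replica per index; on the single-node cluster this Compose stack appears to target (not shown in the diff, verify), the replica shards can never be allocated and every daily `wazuh-alerts-*` index will stay yellow while using five times the shard overhead. If that was intentional, say so in the commit message; otherwise keep `"number_of_replicas": 0` in the template, or move both values to an environment-driven setting. Note also that `"template": "wazuh*"` matches any index whose name starts with `wazuh`, so the `wazuh` and `agent` mapping types defined here will be applied to every such index, not only the alerts indices.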


@@ -97,7 +97,7 @@ sleep 15 # give ossec a reasonable amount of time to start before checking statu
LAST_OK_DATE=`date +%s` LAST_OK_DATE=`date +%s`
## Update rules and decoders with Wazuh Ruleset ## Update rules and decoders with Wazuh Ruleset
cd /var/ossec/update/ruleset && python ossec_ruleset.py #cd /var/ossec/update/ruleset && python ossec_ruleset.py
/bin/node /var/ossec/api/app.js & /bin/node /var/ossec/api/app.js &
/var/ossec/bin/ossec-control restart /var/ossec/bin/ossec-control restart
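Review bot: The ruleset update `cd /var/ossec/update/ruleset && python ossec_ruleset.py` is silenced by commenting it out with no note on why, so the next reader cannot tell whether it was broken, too slow, or deliberately removed. If the updater fetches rules over the network at container start (its location under `update/ruleset` suggests so, but the script is not in this diff), disabling it trades an unpinned runtime download for a rule set frozen at image build, which is the safer default only if the image build actually refreshes the rules; state that trade-off next to the line, e.g. `# Start-up ruleset update disabled: <reason, e.g. rules are refreshed at image build>`. If the update is still wanted on demand, make it opt-in rather than dead code: `[ "${UPDATE_RULESET:-false}" = "true" ] && (cd /var/ossec/update/ruleset && python ossec_ruleset.py)`. The script's start, including the `sleep 15` named in the hunk header, lies outside this hunk.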