Updating versions on README.md

Add a mount point for custom Wazuh configuration files

README.md

@@ -1,5 +1,10 @@
 # Wazuh containers for Docker
 
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
+[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
+[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
+[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
+
 In this repository you will find the containers to run:
 
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
@@ -10,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.2.1 and Elastic Stack version 6.2.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 
@@ -20,7 +25,34 @@ To run all docker instances you can just run ``docker-compose up``, from the dir
 * Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
 * It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
 
-Once installed you can browse through the interface at: http://127.0.0.1:5601
+Once installed you can browse through the interface at: https://127.0.0.1.
+
+## Mount custom Wazuh configuration files
+
+To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions.
+
+Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files:
+```
+root@wazuh-manager:/# tree /wazuh-config-mount/
+/wazuh-config-mount/
+└── etc
+    ├── ossec.conf
+    ├── rules
+    │   └── local_rules.xml
+    └── shared
+        └── default
+            └── agent.conf
+
+4 directories, 3 files
+```
+
+In that case, you will see this in the Wazuh manager logs on boot:
+```
+Identified Wazuh configuration files to mount...
+'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
+'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
+'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
+```
 
 ## More documentation
 

docker-compose.yml

@@ -13,8 +13,10 @@ services:
     networks:
         - docker_elk
 #    volumes:
-#      - my-path:/var/ossec/data
-#      - my-path:/etc/postfix
+#      - my-path:/var/ossec/data:Z
+#      - my-path:/etc/postfix:Z
+#      - my-path:/etc/filebeat
+#      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
     depends_on:
       - elasticsearch
   logstash:
@@ -23,7 +25,7 @@ services:
     restart: always
     command: -f /etc/logstash/conf.d/
 #    volumes:
-#      - my-path:/etc/logstash/conf.d
+#      - my-path:/etc/logstash/conf.d:Z
     links:
      - kibana
      - elasticsearch:elasticsearch
@@ -37,7 +39,7 @@ services:
       - LS_HEAP_SIZE=2048m
       - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.4
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.2.2
     hostname: elasticsearch
     restart: always
     ports:
@@ -60,7 +62,7 @@ services:
         hard: -1
     mem_limit: 2g
 #    volumes:
-#      - my-path:/usr/share/elasticsearch/data
+#      - my-path:/usr/share/elasticsearch/data:Z
     networks:
         - docker_elk
   kibana:
@@ -69,6 +71,8 @@ services:
     restart: always
 #    ports:
 #      - "5601:5601"
+    environment:
+      - "NODE_OPTIONS=--max-old-space-size=3072"
     networks:
       - docker_elk
     depends_on:
@@ -77,8 +81,6 @@ services:
       - elasticsearch:elasticsearch
       - wazuh
     entrypoint: /wait-for-it.sh elasticsearch
-#    environment:
-#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
   nginx:
     image: wazuh/wazuh-nginx
     hostname: nginx
@@ -89,6 +91,8 @@ services:
     ports:
       - "80:80"
       - "443:443"
+#    volumes:
+#      - my-path:/etc/nginx/conf.d:Z
     networks:
       - docker_elk
     depends_on:

kibana/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.elastic.co/kibana/kibana:5.6.4
+FROM docker.elastic.co/kibana/kibana:6.2.2
 
 USER root
 
@@ -6,4 +6,20 @@ COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
 
 COPY config/wait-for-it.sh /wait-for-it.sh
 
+ADD https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.1_6.2.2.zip /tmp
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json /usr/share/kibana/config
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/alert_sample.json /usr/share/kibana/config
+
+RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-3.2.1_6.2.2.zip
+
+RUN chown -R kibana.kibana /usr/share/kibana
+
+RUN rm -rf /tmp/*
+
 RUN chmod 755 /wait-for-it.sh
+
+USER kibana

kibana/config/wait-for-it.sh

@@ -5,7 +5,6 @@ set -e
 host="$1"
 shift
 cmd="kibana"
-WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_5.6.4.zip}
 
 until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
@@ -14,23 +13,23 @@ done
 
 >&2 echo "Elastic is up - executing command"
 
-if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
-  echo "Wazuh APP already installed"
-else
-  /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
-fi
+sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "http://$host:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
 
-sleep 30
+sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-monitoring.json | curl -XPUT "http://$host:9200/_template/wazuh-agent" -H 'Content-Type: application/json' -d @-
 
-echo "Configuring defaultIndex to wazuh-alerts-*"
-
-curl -s -XPUT http://$host:9200/.kibana/config/5.6.4 -H 'Content-Type: application/json' -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
+#Insert sample alert:
+sleep 5
+cat /usr/share/kibana/config/alert_sample.json | curl -XPUT "http://$host:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
 
+sleep 5
 echo "Setting API credentials into Wazuh APP"
-
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
 if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
     {
       "api_user": "foo",
       "api_password": "YmFy",
@@ -38,12 +37,17 @@ if [ "x$CONFIG_CODE" = "x404" ]; then
       "api_port": "55000",
       "insecure": "true",
       "component": "API",
-    "active": "true",
+      "cluster_info": {
         "manager": "wazuh-manager",
+        "cluster": "Disabled",
+        "status": "disabled"
+       },
       "extensions": {
         "oscap": true,
         "audit": true,
-      "pci": true
+        "pci": true,
+        "aws": true,
+        "virustotal": true
       }
     }
     ' > /dev/null

logstash/Dockerfile

@@ -1,4 +1,3 @@
-FROM docker.elastic.co/logstash/logstash:5.6.4
+FROM docker.elastic.co/logstash/logstash:6.2.2
 
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
-COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json

logstash/config/logstash.conf

@@ -9,17 +9,21 @@ input {
 #       ssl_key => "/etc/logstash/logstash.key"
     }
 }
-## Local Wazuh Manager - JSON file input
-#input {
-#   file {
-#       type => "wazuh-alerts"
-#       path => "/var/ossec/logs/alerts/alerts.json"
-#       codec => "json"
-#   }
-#}
+filter {
+    if [data][srcip] {
+        mutate {
+            add_field => [ "@src_ip", "%{[data][srcip]}" ]
+        }
+    }
+    if [data][aws][sourceIPAddress] {
+        mutate {
+            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
+        }
+    }
+}
 filter {
     geoip {
-        source => "srcip"
+        source => "@src_ip"
         target => "GeoLocation"
         fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
     }
@@ -28,16 +32,13 @@ filter {
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
+        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
     }
 }
 output {
     elasticsearch {
         hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-%{+YYYY.MM.dd}"
+        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
         document_type => "wazuh"
-        template => "/etc/logstash/wazuh-elastic5-template.json"
-        template_name => "wazuh"
-        template_overwrite => true
     }
 }

logstash/config/wazuh-elastic5-template.json

@@ -1,620 +0,0 @@
-{
-  "order": 0,
-  "template": "wazuh*",
-  "settings": {
-    "index.refresh_interval": "5s"
-  },
-  "mappings": {
-    "wazuh": {
-      "dynamic_templates": [
-        {
-          "string_as_keyword": {
-            "match_mapping_type": "string",
-            "mapping": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        }
-      ],
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "format": "dateOptionalTime"
-        },
-        "@version": {
-          "type": "text"
-        },
-        "agent": {
-          "properties": {
-            "ip": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "name": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "manager": {
-          "properties": {
-            "name": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "dstuser": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "AlertsFile": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "full_log": {
-          "type": "text"
-        },
-        "previous_log": {
-          "type": "text"
-        },
-        "GeoLocation": {
-          "properties": {
-            "area_code": {
-              "type": "long"
-            },
-            "city_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "continent_code": {
-              "type": "text"
-            },
-            "coordinates": {
-              "type": "double"
-            },
-            "country_code2": {
-              "type": "text"
-            },
-            "country_code3": {
-              "type": "text"
-            },
-            "country_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "dma_code": {
-              "type": "long"
-            },
-            "ip": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "latitude": {
-              "type": "double"
-            },
-            "location": {
-              "type": "geo_point"
-            },
-            "longitude": {
-              "type": "double"
-            },
-            "postal_code": {
-              "type": "keyword"
-            },
-            "real_region_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "region_name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "timezone": {
-              "type": "text"
-            }
-          }
-        },
-        "host": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "syscheck": {
-          "properties": {
-            "path": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "sha1_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "sha1_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uid_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uid_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gid_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gid_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "perm_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "perm_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "md5_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "md5_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gname_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gname_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "inode_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "inode_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "mtime_after": {
-              "type": "date",
-              "format": "dateOptionalTime",
-              "doc_values": "true"
-            },
-            "mtime_before": {
-              "type": "date",
-              "format": "dateOptionalTime",
-              "doc_values": "true"
-            },
-            "uname_after": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uname_before": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "size_before": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "size_after": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "diff": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "event": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "location": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "message": {
-          "type": "text"
-        },
-        "offset": {
-          "type": "keyword"
-        },
-        "rule": {
-          "properties": {
-            "description": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "groups": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "level": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "cve": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "info": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "frequency": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "firedtimes": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "cis": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "pci_dss": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        },
-        "decoder": {
-          "properties": {
-            "parent": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "ftscomment": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "fts": {
-              "type": "long",
-              "doc_values": "true"
-            },
-            "accumulate": {
-              "type": "long",
-              "doc_values": "true"
-            }
-          }
-        },
-        "srcip": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "protocol": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "action": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "dstip": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "dstport": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "srcuser": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "program_name": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "id": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "status": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "command": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "url": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "data": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "system_name": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "type": {
-          "type": "text"
-        },
-        "title": {
-          "type": "keyword",
-          "doc_values": "true"
-        },
-        "oscap": {
-          "properties": {
-            "check.title": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.result": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.severity": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "check.description": {
-              "type": "text"
-            },
-            "check.rationale": {
-              "type": "text"
-            },
-            "check.references": {
-              "type": "text"
-            },
-            "check.identifiers": {
-              "type": "text"
-            },
-            "check.oval.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.content": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.benchmark.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.profile.title": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.profile.id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "scan.score": {
-              "type": "double",
-              "doc_values": "true"
-            },
-            "scan.return_code": {
-              "type": "long",
-              "doc_values": "true"
-            }
-          }
-        },
-        "audit": {
-          "properties": {
-            "type": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "id": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "syscall": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "exit": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "ppid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "pid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "auid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "uid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "gid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "euid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "suid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "fsuid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "egid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "sgid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "fsgid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "tty": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "session": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "command": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "exe": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "key": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "cwd": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "directory.name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "directory.inode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "directory.mode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "file.name": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "file.inode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "file.mode": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "acct": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "dev": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "enforcing": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "list": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old-auid": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old-ses": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old_enforcing": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "old_prom": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "op": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "prom": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "res": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "srcip": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "subj": {
-              "type": "keyword",
-              "doc_values": "true"
-            },
-            "success": {
-              "type": "keyword",
-              "doc_values": "true"
-            }
-          }
-        }
-      }
-    },
-    "agent": {
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "format": "dateOptionalTime"
-        },
-        "status": {
-          "type": "keyword"
-        },
-        "ip": {
-          "type": "keyword"
-        },
-        "host": {
-          "type": "keyword"
-        },
-        "name": {
-          "type": "keyword"
-        },
-        "id": {
-          "type": "keyword"
-        }
-      }
-    }
-  }
-}

wazuh/Dockerfile

@@ -1,5 +1,5 @@
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=5.6.4
+ARG FILEBEAT_VERSION=6.2.2
 
 RUN apt-get update; apt-get -y dist-upgrade
 RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
@@ -8,11 +8,12 @@ RUN useradd -u 1000 -g 1000 ossec
 RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
     apt-get install -y nodejs
 RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-RUN echo "deb https://packages.wazuh.com/apt $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/wazuh.list
-RUN apt-get update && apt-get -y install wazuh-manager wazuh-api expect
+RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
+RUN apt-get update && apt-get -y install wazuh-manager=3.2.1-1 wazuh-api=3.2.1-1 expect && apt-get clean
 
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
+
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
   sync && /init.bash &&\
@@ -27,6 +28,7 @@ ADD config/run.sh /tmp/run.sh
 RUN chmod 755 /tmp/run.sh
 
 VOLUME ["/var/ossec/data"]
+VOLUME ["/etc/filebeat"]
 
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp
 

wazuh/config/run.sh

@@ -12,8 +12,13 @@
 #
 
 source /data_dirs.env
+
 FIRST_TIME_INSTALLATION=false
-DATA_PATH=/var/ossec/data
+
+WAZUH_INSTALL_PATH=/var/ossec
+DATA_PATH=${WAZUH_INSTALL_PATH}/data
+
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
 
 print() {
     echo -e $1
@@ -29,6 +34,9 @@ exec_cmd() {
     eval $1 > /dev/null 2>&1 || error_and_exit "$1"
 }
 
+exec_cmd_stdout() {
+    eval $1 2>&1 || error_and_exit "$1"
+}
 
 edit_configuration() { # $1 -> setting,  $2 -> value
     sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
@@ -75,11 +83,28 @@ then
   fi
 fi
 
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+if [ -e "$WAZUH_CONFIG_MOUNT" ]
+then
+  print "Identified Wazuh configuration files to mount..."
+
+  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
+else
+  print "No Wazuh configuration files to mount..."
+fi
+
 # Enabling ossec-authd.
 exec_cmd "/var/ossec/bin/ossec-control enable auth"
 
 function ossec_shutdown(){
-  ${DATA_PATH}/bin/ossec-control stop;
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }
 
 # Trap exit signals and do a proper shutdown