Upgrade ELastic Stack to 6.3.2

Fix wazuh/wazuh-kibana image version to 3.4.0_6.3.1

README.md

@@ -15,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 3.3.0 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.4.0 and Elastic Stack version 6.3.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 

docker-compose.yml

@@ -3,7 +3,7 @@ version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh
+    image: wazuh/wazuh:3.4.0_6.3.2
     hostname: wazuh-manager
     restart: always
     ports:
@@ -22,7 +22,7 @@ services:
     depends_on:
       - logstash
   logstash:
-    image: wazuh/wazuh-logstash
+    image: wazuh/wazuh-logstash:3.4.0_6.3.2
     hostname: logstash
     restart: always
 #    volumes:
@@ -38,7 +38,7 @@ services:
     environment:
       - LS_HEAP_SIZE=2048m
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.3.2
     hostname: elasticsearch
     restart: always
     ports:
@@ -60,7 +60,7 @@ services:
     networks:
         - docker_elk
   kibana:
-    image: wazuh/wazuh-kibana
+    image: wazuh/wazuh-kibana:3.4.0_6.3.2
     hostname: kibana
     restart: always
 #    ports:
@@ -75,7 +75,7 @@ services:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
   nginx:
-    image: wazuh/wazuh-nginx
+    image: wazuh/wazuh-nginx:3.4.0_6.3.2
     hostname: nginx
     restart: always
     environment:

kibana/Dockerfile

@@ -1,11 +1,11 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana-oss:6.2.4
+FROM docker.elastic.co/kibana/kibana:6.3.2
-ARG WAZUH_APP_VERSION=3.3.0_6.2.4
+ARG WAZUH_APP_VERSION=3.4.0_6.3.2
 USER root
 
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
 
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
     chown -R kibana.kibana /usr/share/kibana &&\

kibana/config/entrypoint.sh

@@ -24,28 +24,29 @@ echo "Setting API credentials into Wazuh APP"
 CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
 if [ "x$CONFIG_CODE" = "x404" ]; then
   curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-    {
+  {
-      "api_user": "foo",
+    "api_user": "foo",
-      "api_password": "YmFy",
+    "api_password": "YmFy",
-      "url": "https://wazuh",
+    "url": "https://wazuh",
-      "api_port": "55000",
+    "api_port": "55000",
-      "insecure": "true",
+    "insecure": "true",
-      "component": "API",
+    "component": "API",
-      "cluster_info": {
+    "cluster_info": {
-        "manager": "wazuh-manager",
+      "manager": "wazuh-manager",
-        "cluster": "Disabled",
+      "cluster": "Disabled",
-        "status": "disabled"
+      "status": "disabled"
-       },
+    },
-      "extensions": {
+    "extensions": {
-        "oscap": true,
+      "oscap": true,
-        "audit": true,
+      "audit": true,
-        "pci": true,
+      "pci": true,
-        "aws": true,
+      "aws": true,
-        "virustotal": true,
+      "virustotal": true,
-        "gdpr": true
+      "gdpr": true,
-      }
+      "ciscat": true
     }
-    ' > /dev/null
+  }
+  ' > /dev/null
 else
   echo "Wazuh APP already configured"
 fi

kibana/config/kibana.yml

@@ -90,10 +90,3 @@ logging.quiet: true
 # Set the interval in milliseconds to sample system and process performance
 # metrics. Minimum is 100ms. Defaults to 10000.
 # ops.interval: 10000
-
-xpack.security.enabled: false
-xpack.grokdebugger.enabled: false
-xpack.graph.enabled: false
-xpack.ml.enabled: false
-xpack.monitoring.enabled: false
-xpack.reporting.enabled: false

logstash/Dockerfile

@@ -1,5 +1,5 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash-oss:6.2.4
+FROM docker.elastic.co/logstash/logstash:6.3.2
 
 RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 

logstash/config/01-wazuh.conf

@@ -26,14 +26,14 @@ filter {
     geoip {
         source => "@src_ip"
         target => "GeoLocation"
-        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
+        fields => ["city_name", "country_name", "region_name", "location"]
     }
     date {
         match => ["timestamp", "ISO8601"]
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
+        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
     }
 }
 output {

wazuh/Dockerfile

@@ -1,7 +1,7 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.2.4
+ARG FILEBEAT_VERSION=6.3.2
-ARG WAZUH_VERSION=3.3.0-1
+ARG WAZUH_VERSION=3.4.0-1
 
 # Updating image
 RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
@@ -39,6 +39,7 @@ RUN chmod 755 /init.bash &&\
 RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
     dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
 COPY config/filebeat.yml /etc/filebeat/
+RUN chmod go-w /etc/filebeat/filebeat.yml
 
 # Adding entrypoint
 ADD config/entrypoint.sh /entrypoint.sh