Fixing ELASTICSEARCH_URL sed for filebeat

README.md

@@ -57,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_7.1.1-opendistro) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.9.4_7.1.1-opendistro) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.3_7.1.1"
-REVISION="3930"
+WAZUH-DOCKER_VERSION="3.9.4_7.1.1"
+REVISION="3940"

docker-compose.yml

@@ -1,36 +1,16 @@
 version: '3'
 services:
-
-
-  elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.3_7.1.1-opendistro
-    container_name: elasticsearch
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
-        hard: 65536
-    volumes:
-      - odfe-data1:/usr/share/elasticsearch/data
-      - ./root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./node.pem:/usr/share/elasticsearch/config/node.pem
-      - ./node-key.pem:/usr/share/elasticsearch/config/node-key.pem
-      - ./admin.pem:/usr/share/elasticsearch/config/admin.pem
-      - ./admin-key.pem:/usr/share/elasticsearch/config/admin-key.pem
-      - ./custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-    ports:
-      - 9200:9200
-      - 9600:9600 # required for Performance Analyzer
-    networks:
-      - odfe-net
-
-
   wazuh:
-    image: wazuh/wazuh:3.9.3_7.1.1-opendistro
+    image: wazuh/wazuh:3.9.4_7.1.1-opendistro-security
     hostname: wazuh-manager
+    container_name: wazuh
     restart: always
+    environment:
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/filebeat/CA.PEM
+      - SSL_CERTIFICATE=/etc/filebeat/node.pem
+      - SSL_KEY=/etc/filebeat/key.pem
+      - USERNAME=usertest
+      - PASSWORD=passwordtest
     ports:
       - "1514:1514/udp"
       - "1515:1515"
@@ -39,18 +19,6 @@ services:
     networks:
       - odfe-net
 
-  kibana:
-    image: wazuh/wazuh-kibana:3.9.3_7.1.1-opendistro
-    hostname: kibana
-    restart: always
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-    networks:
-      - odfe-net
-
 volumes:
   odfe-data1:
 

kibana/Dockerfile

@@ -1,7 +1,7 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM amazon/opendistro-for-elasticsearch-kibana:1.1.0
 ARG ELASTIC_VERSION=7.1.1
-ARG WAZUH_VERSION=3.9.3
+ARG WAZUH_VERSION=3.9.4
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
 USER root
@@ -60,4 +60,6 @@ RUN ./welcome_wazuh.sh
 
 RUN /usr/local/bin/kibana-docker --optimize
 
+ENV ELASTICSEARCH_URL "--cacert /usr/share/elasticsearch/config/root-ca.pem -u admin:admin -k https://elasticsearch:9200"
+
 ENTRYPOINT ./entrypoint.sh

wazuh/Dockerfile

@@ -3,12 +3,12 @@ FROM phusion/baseimage:latest
 
 ARG FILEBEAT_VERSION=7.1.1
 
-ARG WAZUH_VERSION=3.9.3-1
+ARG WAZUH_VERSION=3.9.4-1
 
 ENV API_USER="foo" \
    API_PASS="bar"
 
-ARG TEMPLATE_VERSION="v3.9.3"
+ARG TEMPLATE_VERSION="v3.9.4"
 
 # Set repositories.
 RUN set -x && echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \

wazuh/config/01-config_filebeat.sh

@@ -3,8 +3,45 @@
 
 set -e
 
-# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
+
 if [ "$ELASTICSEARCH_URL" != "" ]; then
   >&2 echo "Customize Elasticsearch ouput IP."
   sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
-fi
+fi
+
+# Install Wazuh Filebeat Module
+
+curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+mkdir -p /usr/share/filebeat/module/wazuh
+chmod 755 -R /usr/share/filebeat/module/wazuh
+
+chown root: /etc/filebeat/filebeat.yml
+chmod go-w /etc/filebeat/filebeat.yml
+
+# Configure filebeat.yml security settings
+
+if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP."
+  sed -i 's|#ssl.certificate_authorities:|'ssl.certificate_authorities:\ [\"$SSL_CERTIFICATE\"]'|g' /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_CERTIFICATE" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP."
+  sed -i 's|#ssl.certificate:|'ssl.certificate:\ \"$SSL_CERTIFICATE\"'|g' /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_KEY" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP."
+  sed -i 's|#ssl.key:|'ssl.key:\ \"$SSL_KEY\"'|g' /etc/filebeat/filebeat.yml
+fi
+
+if [ "$USERNAME" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP."
+  sed -i 's|#username:|'username:\ \"$USERNAME\"'|g' /etc/filebeat/filebeat.yml
+fi
+
+if [ "$PASSWORD" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP."
+  sed -i 's|#password:|'password:\ \"$PASSWORD\"'|g' /etc/filebeat/filebeat.yml
+fi

wazuh/config/filebeat.yml

@@ -51,3 +51,8 @@ output.elasticsearch:
   #pipeline: geoip
   indices:
     - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+  #ssl.certificate_authorities:
+  #ssl.certificate:
+  #ssl.key:
+  #username:
+  #password: