Fixed typo defining variable

Bump 4.3.3 into 4.3

.github/.goss.yaml

@@ -16,22 +16,22 @@ file:
   /var/ossec/etc/lists/audit-keys:
     exists: true
     mode: "0660"
-    owner: ossec
-    group: ossec
+    owner: wazuh
+    group: wazuh
     filetype: file
     contains: []
   /var/ossec/etc/ossec.conf:
     exists: true
     mode: "0660"
     owner: root
-    group: ossec
+    group: wazuh
     filetype: file
     contains: []
   /var/ossec/etc/rules/local_rules.xml:
     exists: true
     mode: "0660"
-    owner: ossec
-    group: ossec
+    owner: wazuh
+    group: wazuh
     filetype: file
     contains: []
   /var/ossec/etc/sslmanager.cert:
@@ -56,7 +56,7 @@ package:
   wazuh-manager:
     installed: true
     versions:
-    - 4.2.0
+    - 4.3.4
 port:
   tcp:1514:
     listening: true
@@ -71,26 +71,26 @@ port:
     ip:
     - 0.0.0.0
 user:
-  ossec:
+  wazuh:
     exists: true
     groups:
-    - ossec
+    - wazuh
     home: /var/ossec
     shell: /sbin/nologin
-  ossecm:
+  wazuh:
     exists: true
     groups:
-    - ossec
+    - wazuh
     home: /var/ossec
     shell: /sbin/nologin
-  ossecr:
+  wazuh:
     exists: true
     groups:
-    - ossec
+    - wazuh
     home: /var/ossec
     shell: /sbin/nologin
 group:
-  ossec:
+  wazuh:
     exists: true
 process:
   filebeat:

.github/workflows/push.yml

@@ -11,13 +11,13 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Build the docker-compose stack
-      run: docker-compose -f build-from-sources.yml up -d --build
+      run: docker-compose -f build-wazuh-images.yml up -d --build
 
     - name: Check running containers
       run: docker ps -a
 
     - name: Shutdown the stack
-      run: docker-compose -f build-from-sources.yml kill
+      run: docker-compose -f build-wazuh-images.yml kill
 
     - name: Install Goss
       uses: e1himself/goss-installation-action@v1.0.3
@@ -25,12 +25,7 @@ jobs:
         version: v0.3.16
 
     - name: Execute Goss tests (wazuh-odfe)
-      run: dgoss run wazuh/wazuh-odfe:dev-version
+      run: dgoss run wazuh/wazuh-manager:4.3.4
       env:
         GOSS_SLEEP: 30
-        GOSS_FILE: .goss.yaml
-
-    - name: Execute Goss tests (wazuh-kibana-odfe)
-      run: dgoss run wazuh/wazuh-kibana-odfe:dev-version
-      env:
-        GOSS_FILE: .goss.kibana.yaml
+        GOSS_FILE: .github/.goss.yaml

.gitignore

@@ -0,0 +1,4 @@
+single-node/config/wazuh_indexer_ssl_certs/*.pem
+single-node/config/wazuh_indexer_ssl_certs/*.key
+multi-node/config/wazuh_indexer_ssl_certs/*.pem
+multi-node/config/wazuh_indexer_ssl_certs/*.key

.goss.kibana.yaml

@@ -1,53 +0,0 @@
-file:
-  /usr/share/kibana/config/kibana.yml:
-    exists: true
-    mode: "0664"
-    owner: kibana
-    group: root
-    filetype: file
-    contains: []
-  /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css:
-    exists: true
-    mode: "0664"
-    owner: kibana
-    group: root
-    filetype: file
-    contains: []
-  /usr/share/kibana/src/core/server/core_app/assets/wazuh_logo_circle.svg:
-    exists: true
-    mode: "0644"
-    owner: kibana
-    group: root
-    filetype: file
-    contains: []
-  /usr/share/kibana/src/core/server/core_app/assets/wazuh_wazuh_bg.svg:
-    exists: true
-    mode: "0644"
-    owner: kibana
-    group: root
-    filetype: file
-    contains: []
-  /usr/share/kibana/data/wazuh/config/wazuh.yml:
-    exists: true
-    mode: "0644"
-    owner: kibana
-    group: kibana
-    filetype: file
-    contains: []
-  /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs:
-    exists: true
-    mode: "0664"
-    owner: kibana
-    group: root
-    filetype: file
-    contains: []
-user:
-  kibana:
-    exists: true
-    groups:
-    - kibana
-    home: /usr/share/kibana
-    shell: /bin/bash
-group:
-  kibana:
-    exists: true

CHANGELOG.md

@@ -1,6 +1,66 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v4.3.4
+### Added
+
+- Update Wazuh to version [4.3.4](https://github.com/wazuh/wazuh/blob/v4.3.4/CHANGELOG.md#v434)
+
+## Wazuh Docker v4.3.3
+### Added
+
+- Update Wazuh to version [4.3.3](https://github.com/wazuh/wazuh/blob/v4.3.3/CHANGELOG.md#v433)
+
+## Wazuh Docker v4.3.2
+### Added
+
+- Update Wazuh to version [4.3.2](https://github.com/wazuh/wazuh/blob/v4.3.2/CHANGELOG.md#v432)
+
+## Wazuh Docker v4.3.1
+### Added
+
+- Update Wazuh to version [4.3.1](https://github.com/wazuh/wazuh/blob/v4.3.1/CHANGELOG.md#v431)
+
+## Wazuh Docker v4.3.0
+### Added
+
+- Update Wazuh to version [4.3.0](https://github.com/wazuh/wazuh/blob/v4.3.0/CHANGELOG.md#v430)
+
+## Wazuh Docker v4.2.7
+### Added
+
+- Update Wazuh to version [4.2.7](https://github.com/wazuh/wazuh/blob/v4.2.7/CHANGELOG.md#v427)
+
+## Wazuh Docker v4.2.6
+### Added
+
+- Update Wazuh to version [4.2.6](https://github.com/wazuh/wazuh/blob/v4.2.6/CHANGELOG.md#v426)
+
+## Wazuh Docker v4.2.5
+### Added
+
+- Update Wazuh to version [4.2.5](https://github.com/wazuh/wazuh/blob/v4.2.5/CHANGELOG.md#v425)
+
+## Wazuh Docker v4.2.4
+### Added
+
+- Update Wazuh to version [4.2.4](https://github.com/wazuh/wazuh/blob/v4.2.4/CHANGELOG.md#v424)
+
+## Wazuh Docker v4.2.3
+### Added
+
+- Update Wazuh to version [4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
+
+## Wazuh Docker v4.2.2
+### Added
+
+- Update Wazuh to version [4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
+
+## Wazuh Docker v4.2.1
+### Added
+
+- Update Wazuh to version [4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
+
 ## Wazuh Docker v4.2.0
 ### Added
 

LICENSE

@@ -1,5 +1,5 @@
 
- Portions Copyright (C) 2021 Wazuh, Inc.
+ Portions Copyright (C) 2017, Wazuh Inc.
  Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 
  This program is a free software; you can redistribute it and/or modify

README.md

@@ -7,13 +7,14 @@
 
 In this repository you will find the containers to run:
 
-* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE)
-* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
-* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
+* Wazuh manager: it runs the Wazuh manager, Wazuh API and Filebeat OSS
+* Wazuh dashboard: provides a web user interface to browse through alerts data and allows you to visualize agents configuration and status.
+* Wazuh indexer: Wazuh indexer container (working as a single-node cluster or as a multi-node cluster). **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
 
-In addition, a docker-compose file is provided to launch the containers mentioned above.
-
-* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
+The folder `build-docker-images` contains a README explaining how to build the Wazuh images and the necessary assets.
+The folder `indexer-certs-creator` contains a README explaining how to create the certificates creator tool and the necessary assets.
+The folder `single-node` contains a README explaining how to run a Wazuh environment with one Wazuh manager, one Wazuh indexer, and one Wazuh dashboard.
+The folder `multi-node` contains a README explaining how to run a Wazuh environment with two Wazuh managers, three Wazuh indexer, and one Wazuh dashboard.
 
 ## Documentation
 
@@ -26,7 +27,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
 
-Documentation on how to provide these two can be found at [Wazuh Docer Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
+Documentation on how to provide these two can be found at [Wazuh Docker Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
 
 
 ## Environment Variables
@@ -39,16 +40,16 @@ API_USERNAME="wazuh"                                # Wazuh API username
 API_PASSWORD="wazuh"                                # Wazuh API password - Must comply with requirements
                                                     # (8+ length, uppercase, lowercase, specials chars)
 
-ELASTICSEARCH_URL=https://elasticsearch:9200        # Elasticsearch URL
-ELASTIC_USERNAME=admin                              # Elasticsearch Username
-ELASTIC_PASSWORD=admin                              # Elasticsearch Password
+INDEXER_URL=https://wazuh.indexer:9200              # Wazuh indexer URL
+INDEXER_USERNAME=admin                              # Wazuh indexer Username
+INDEXER_PASSWORD=admin                              # Wazuh indexer Password
 FILEBEAT_SSL_VERIFICATION_MODE=full                 # Filebeat SSL Verification mode (full or none)
 SSL_CERTIFICATE_AUTHORITIES=""                      # Path of Filebeat SSL CA
 SSL_CERTIFICATE=""                                  # Path of Filebeat SSL Certificate
 SSL_KEY=""                                          # Path of Filebeat SSL Key
 ```
 
-### Kibana
+### Dashboard
 ```
 PATTERN="wazuh-alerts-*"        # Default index pattern to use
 
@@ -81,66 +82,105 @@ WAZUH_MONITORING_ENABLED=true       # Custom settings to enable/disable wazuh-mo
 WAZUH_MONITORING_FREQUENCY=900      # Custom setting to set the frequency for wazuh-monitoring indices cron task
 WAZUH_MONITORING_SHARDS=2           # Configure wazuh-monitoring-* indices shards and replicas
 WAZUH_MONITORING_REPLICAS=0         #
-
-ADMIN_PRIVILEGES=true               # App privileges
 ```
 
 ## Directory structure
 
+    ├── build-docker-images
+    │   ├── docker-compose.yml
+    │   ├── wazuh-dashboard
+    │   │   ├── config
+    │   │   │   ├── config.sh
+    │   │   │   ├── config.yml
+    │   │   │   ├── entrypoint.sh
+    │   │   │   ├── opensearch_dashboards.yml
+    │   │   │   ├── wazuh_app_config.sh
+    │   │   │   └── wazuh.yml
+    │   │   └── Dockerfile
+    │   ├── wazuh-indexer
+    │   │   ├── config
+    │   │   │   ├── config.sh
+    │   │   │   ├── config.yml
+    │   │   │   ├── entrypoint.sh
+    │   │   │   ├── internal_users.yml
+    │   │   │   ├── opensearch.yml
+    │   │   │   ├── roles_mapping.yml
+    │   │   │   ├── roles.yml
+    │   │   │   └── securityadmin.sh
+    │   │   └── Dockerfile
+    │   └── wazuh-manager
+    │       ├── config
+    │       │   ├── create_user.py
+    │       │   ├── etc
+    │       │   │   ├── cont-init.d
+    │       │   │   │   ├── 0-wazuh-init
+    │       │   │   │   ├── 1-config-filebeat
+    │       │   │   │   └── 2-manager
+    │       │   │   └── services.d
+    │       │   │       ├── filebeat
+    │       │   │       │   ├── finish
+    │       │   │       │   └── run
+    │       │   │       └── ossec-logs
+    │       │   │           └── run
+    │       │   ├── filebeat.yml
+    │       │   ├── permanent_data.env
+    │       │   ├── permanent_data.sh
+    │       │   └── wazuh.repo
+    │       └── Dockerfile
     ├── CHANGELOG.md
-    ├── docker-compose.yml
-    ├── generate-opendistro-certs.yml
-    ├── kibana-odfe
+    ├── indexer-certs-creator
     │   ├── config
-    │   │   ├── custom_welcome
-    │   │   │   ├── light_theme.style.css
-    │   │   │   ├── template.js.hbs
-    │   │   │   ├── wazuh_logo_circle.svg
-    │   │   │   └── wazuh_wazuh_bg.svg
-    │   │   ├── entrypoint.sh
-    │   │   ├── kibana_settings.sh
-    │   │   ├── wazuh_app_config.sh
-    │   │   ├── wazuh.yml
-    │   │   └── welcome_wazuh.sh
+    │   │   └── entrypoint.sh
     │   └── Dockerfile
     ├── LICENSE
-    ├── production_cluster
-    │   ├── elastic_opendistro
-    │   │   ├── elasticsearch-node1.yml
-    │   │   ├── elasticsearch-node2.yml
-    │   │   ├── elasticsearch-node3.yml
-    │   │   └── internal_users.yml
-    │   ├── kibana_ssl
-    │   │   └── generate-self-signed-cert.sh
-    │   ├── nginx
-    │   │   ├── nginx.conf
-    │   │   └── ssl
-    │   │       └── generate-self-signed-cert.sh
-    │   ├── ssl_certs
-    │   │   └── certs.yml
-    │   └── wazuh_cluster
-    │       ├── wazuh_manager.conf
-    │       └── wazuh_worker.conf
-    ├── production-cluster.yml
+    ├── multi-node
+    │   ├── config
+    │   │   ├── nginx
+    │   │   │   └── nginx.conf
+    │   │   ├── wazuh_cluster
+    │   │   │   ├── wazuh_manager.conf
+    │   │   │   └── wazuh_worker.conf
+    │   │   ├── wazuh_dashboard
+    │   │   │   ├── opensearch_dashboards.yml
+    │   │   │   └── wazuh.yml
+    │   │   ├── wazuh_indexer
+    │   │   │   ├── internal_users.yml
+    │   │   │   ├── wazuh1.indexer.yml
+    │   │   │   ├── wazuh2.indexer.yml
+    │   │   │   └── wazuh3.indexer.yml
+    │   │   └── wazuh_indexer_ssl_certs
+    │   │       └── certs.yml
+    │   ├── docker-compose.yml
+    │   ├── generate-indexer-certs.yml
+    │   ├── Migration-to-Wazuh-4.3.md
+    │   └── volume-migrator.sh
     ├── README.md
-    ├── VERSION
-    └── wazuh-odfe
-        ├── config
-        │   ├── create_user.py
-        │   ├── etc
-        │   │   ├── cont-init.d
-        │   │   │   ├── 0-wazuh-init
-        │   │   │   ├── 1-config-filebeat
-        │   │   │   └── 2-manager
-        │   │   └── services.d
-        │   │       └── filebeat
-        │   │           ├── finish
-        │   │           └── run
-        │   ├── filebeat.yml
-        │   ├── permanent_data.env
-        │   ├── permanent_data.sh
-        │   └── wazuh.repo
-        └── Dockerfile
+    ├── single-node
+    │   ├── config
+    │   │   ├── wazuh_cluster
+    │   │   │   └── wazuh_manager.conf
+    │   │   ├── wazuh_dashboard
+    │   │   │   ├── opensearch_dashboards.yml
+    │   │   │   └── wazuh.yml
+    │   │   ├── wazuh_indexer
+    │   │   │   ├── internal_users.yml
+    │   │   │   └── wazuh.indexer.yml
+    │   │   └── wazuh_indexer_ssl_certs
+    │   │       ├── admin-key.pem
+    │   │       ├── admin.pem
+    │   │       ├── certs.yml
+    │   │       ├── root-ca.key
+    │   │       ├── root-ca.pem
+    │   │       ├── wazuh.dashboard-key.pem
+    │   │       ├── wazuh.dashboard.pem
+    │   │       ├── wazuh.indexer-key.pem
+    │   │       ├── wazuh.indexer.pem
+    │   │       ├── wazuh.manager-key.pem
+    │   │       └── wazuh.manager.pem
+    │   ├── docker-compose.yml
+    │   ├── generate-indexer-certs.yml
+    │   └── README.md
+    └── VERSION
 
 
 
@@ -149,11 +189,22 @@ ADMIN_PRIVILEGES=true               # App privileges
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
 * `stable` branch on correspond to the last Wazuh stable version.
 
-
 ## Compatibility Matrix
 
 | Wazuh version | ODFE    | XPACK  |
 |---------------|---------|--------|
+| v4.3.4        |         |        |
+| v4.3.3        |         |        |
+| v4.3.2        |         |        |
+| v4.3.1        |         |        |
+| v4.3.0        |         |        |
+| v4.2.7        | 1.13.2  | 7.11.2 |
+| v4.2.6        | 1.13.2  | 7.11.2 |
+| v4.2.5        | 1.13.2  | 7.11.2 |
+| v4.2.4        | 1.13.2  | 7.11.2 |
+| v4.2.3        | 1.13.2  | 7.11.2 |
+| v4.2.2        | 1.13.2  | 7.11.2 |
+| v4.2.1        | 1.13.2  | 7.11.2 |
 | v4.2.0        | 1.13.2  | 7.10.2 |
 | v4.1.5        | 1.13.2  | 7.10.2 |
 | v4.1.4        | 1.12.0  | 7.10.2 |
@@ -178,7 +229,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.2.0"
-REVISION="40212"
+WAZUH-DOCKER_VERSION="4.3.4"
+REVISION="40316"

build-docker-images/README.md

@@ -0,0 +1,7 @@
+# Wazuh Docker Image Builder
+
+This stack allows you to build the Wazuh manager, indexer, and dashboard images locally by running the command:
+
+```
+$ docker-compose build
+```

build-docker-images/docker-compose.yml

@@ -0,0 +1,79 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh.manager:
+    build:  wazuh-manager/
+    image: wazuh/wazuh-manager:4.3.4
+    hostname: wazuh.manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=admin
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+    volumes:
+      - wazuh_api_configuration:/var/ossec/api/configuration
+      - wazuh_etc:/var/ossec/etc
+      - wazuh_logs:/var/ossec/logs
+      - wazuh_queue:/var/ossec/queue
+      - wazuh_var_multigroups:/var/ossec/var/multigroups
+      - wazuh_integrations:/var/ossec/integrations
+      - wazuh_active_response:/var/ossec/active-response/bin
+      - wazuh_agentless:/var/ossec/agentless
+      - wazuh_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+
+  wazuh.indexer:
+    build: wazuh-indexer/
+    image: wazuh/wazuh-indexer:4.3.4
+    hostname: wazuh.indexer
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+
+  wazuh.dashboard:
+    build: wazuh-dashboard/
+    image: wazuh/wazuh-dashboard:4.3.4
+    hostname: wazuh.dashboard
+    restart: always
+    ports:
+      - 443:443
+    environment:
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=admin
+      - SERVER_SSL_ENABLED=false
+      - WAZUH_API_URL=https://wazuh.manager
+    depends_on:
+      - wazuh.indexer
+    links:
+      - wazuh.indexer:wazuh.indexer
+      - wazuh.manager:wazuh.manager
+
+volumes:
+  wazuh_api_configuration:
+  wazuh_etc:
+  wazuh_logs:
+  wazuh_queue:
+  wazuh_var_multigroups:
+  wazuh_integrations:
+  wazuh_active_response:
+  wazuh_agentless:
+  wazuh_wodles:
+  filebeat_etc:
+  filebeat_var:

build-docker-images/wazuh-dashboard/Dockerfile

@@ -0,0 +1,110 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+FROM ubuntu:focal AS builder
+
+ARG WAZUH_VERSION=4.3.4
+ARG WAZUH_UI_REVISION=1
+ARG INSTALL_DIR=/usr/share/wazuh-dashboard
+
+# Update and install dependencies
+RUN apt-get update && apt install curl libcap2-bin xz-utils -y
+
+# Create Install dir
+RUN mkdir -p $INSTALL_DIR
+
+# Download and extract Wazuh dashboard base
+RUN curl -o wazuh-dashboard-base.tar.xz https://packages.wazuh.com/stack/dashboard/base/wazuh-dashboard-base-${WAZUH_VERSION}-linux-x64.tar.xz && \
+    tar -xf wazuh-dashboard-base.tar.xz --directory  $INSTALL_DIR --strip-components=1
+
+# Generate certificates
+COPY config/config.sh .
+COPY config/config.yml /
+RUN bash config.sh
+
+# Install Wazuh App
+RUN $INSTALL_DIR/bin/opensearch-dashboards-plugin install https://packages.wazuh.com/4.x/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip --allow-root
+
+# Copy and set permissions to config files
+COPY config/opensearch_dashboards.yml $INSTALL_DIR/config/
+COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
+RUN chown 101:101 $INSTALL_DIR/config/opensearch_dashboards.yml && chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
+
+# Create and set permissions to data directories
+RUN mkdir -p $INSTALL_DIR/data/wazuh && chown -R 101:101 $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
+RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chown -R 101:101 $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
+RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chown -R 101:101 $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
+
+################################################################################
+# Build stage 1 (the current Wazuh dashboard image):
+#
+# Copy wazuh-dashboard from stage 0
+# Add entrypoint
+# Add wazuh_app_config
+################################################################################
+FROM ubuntu:focal
+
+# Set environment variables
+ENV USER="wazuh-dashboard" \
+    GROUP="wazuh-dashboard" \
+    NAME="wazuh-dashboard" \
+    INSTALL_DIR="/usr/share/wazuh-dashboard"
+
+# Set Wazuh app variables
+ENV PATTERN="" \
+    CHECKS_PATTERN="" \
+    CHECKS_TEMPLATE="" \
+    CHECKS_API="" \
+    CHECKS_SETUP="" \
+    EXTENSIONS_PCI="" \
+    EXTENSIONS_GDPR="" \
+    EXTENSIONS_HIPAA="" \
+    EXTENSIONS_NIST="" \
+    EXTENSIONS_TSC="" \
+    EXTENSIONS_AUDIT="" \
+    EXTENSIONS_OSCAP="" \
+    EXTENSIONS_CISCAT="" \
+    EXTENSIONS_AWS="" \
+    EXTENSIONS_GCP="" \
+    EXTENSIONS_VIRUSTOTAL="" \
+    EXTENSIONS_OSQUERY="" \
+    EXTENSIONS_DOCKER="" \
+    APP_TIMEOUT="" \
+    API_SELECTOR="" \
+    IP_SELECTOR="" \
+    IP_IGNORE="" \
+    WAZUH_MONITORING_ENABLED="" \
+    WAZUH_MONITORING_FREQUENCY="" \
+    WAZUH_MONITORING_SHARDS="" \
+    WAZUH_MONITORING_REPLICAS=""
+
+# Install dependencies
+RUN apt update && apt install -y libnss3-dev fonts-liberation libfontconfig1
+
+# Create wazuh-dashboard user and group
+RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+RUN useradd --system \
+            --uid 1000 \
+            --no-create-home \
+            --home-dir $INSTALL_DIR \
+            --gid $GROUP \
+            --shell /sbin/nologin \
+            --comment "$USER user" \
+            $USER
+
+# Copy and set permissions to scripts
+COPY config/entrypoint.sh /
+COPY config/wazuh_app_config.sh /
+RUN chmod 700 /entrypoint.sh
+RUN chmod 700 /wazuh_app_config.sh
+RUN chown 1000:1000 /*.sh
+
+# Copy Install dir from builder to current image
+COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
+
+# Set workdir and user
+WORKDIR $INSTALL_DIR
+USER wazuh-dashboard
+
+# Services ports
+EXPOSE 443
+
+ENTRYPOINT [ "/entrypoint.sh" ]

build-docker-images/wazuh-dashboard/config/config.sh

@@ -0,0 +1,42 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+export NAME=wazuh-dashboard
+export TARGET_DIR=${CURDIR}/debian/${NAME}
+export INSTALLATION_DIR=/usr/share/${NAME}
+export CONFIG_DIR=${INSTALLATION_DIR}/config
+
+## Variables
+CERT_TOOL=wazuh-certs-tool.sh
+PACKAGES_URL=https://packages.wazuh.com/4.3/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
+
+## Check if the cert tool exists in S3 buckets
+CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+
+## If cert tool exists in some bucket, download it, if not exit 1
+if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
+  echo "Cert tool exists in Packages bucket"
+elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
+  echo "Cert tool exists in Packages-dev bucket"
+else
+  echo "Cert tool does not exist in any bucket"
+  exit 1
+fi
+
+chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
+
+# Create certs directory
+mkdir -p ${CONFIG_DIR}/certs
+
+# Copy Wazuh dashboard certs to install config dir
+cp /wazuh-certificates/demo.dashboard.pem ${CONFIG_DIR}/certs/dashboard.pem
+cp /wazuh-certificates/demo.dashboard-key.pem ${CONFIG_DIR}/certs/dashboard-key.pem
+cp /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem
+
+chmod -R 500 ${CONFIG_DIR}/certs
+chmod -R 400 ${CONFIG_DIR}/certs/*

build-docker-images/wazuh-dashboard/config/config.yml

@@ -0,0 +1,5 @@
+nodes:
+  # Wazuh dashboard server nodes
+  dashboard:
+    - name: demo.dashboard
+      ip: demo.dashboard

build-docker-images/wazuh-dashboard/config/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+
+INSTALL_DIR=/usr/share/wazuh-dashboard
+DASHBOARD_USERNAME="${DASHBOARD_USERNAME:-kibanaserver}"
+DASHBOARD_PASSWORD="${DASHBOARD_PASSWORD:-kibanaserver}"
+
+# Create and configure Wazuh dashboard keystore
+
+$INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \
+echo $DASHBOARD_USERNAME | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
+echo $DASHBOARD_PASSWORD | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
+
+##############################################################################
+# Start Wazuh dashboard
+##############################################################################
+
+/wazuh_app_config.sh
+
+/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml

build-docker-images/wazuh-dashboard/config/opensearch_dashboards.yml

@@ -0,0 +1,13 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://wazuh.indexer:9200
+opensearch.ssl.verificationMode: none
+opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/wazuh-dashboard/config/certs/dashboard-key.pem"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/config/certs/dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/config/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh
+

build-docker-images/wazuh-dashboard/config/wazuh.yml

@@ -1,7 +1,7 @@
 ---
 #
 # Wazuh app - App configuration file
-# Copyright (C) 2015-2021 Wazuh, Inc.
+# Copyright (C) 2017, Wazuh Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -77,12 +77,6 @@
 # List of index patterns to be ignored
 #ip.ignore: []
 #
-# -------------------------------- X-Pack RBAC ---------------------------------
-#
-# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
-# Default: enabled
-#xpack.rbac.enabled: true
-#
 # ------------------------------ wazuh-monitoring ------------------------------
 #
 # Custom setting to enable/disable wazuh-monitoring indices.
@@ -159,4 +153,3 @@
 #     port: <port>
 #     username: <username>
 #     password: <password>
-

build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh

@@ -1,12 +1,13 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 
 wazuh_url="${WAZUH_API_URL:-https://wazuh}"
 wazuh_port="${API_PORT:-55000}"
 api_username="${API_USERNAME:-wazuh-wui}"
 api_password="${API_PASSWORD:-wazuh-wui}"
+api_run_as="${RUN_AS:-false}"
 
-kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
+dashboard_config_file="/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml"
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN
@@ -35,30 +36,30 @@ declare -A CONFIG_MAP=(
   [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
   [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
   [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
-  [admin]=$ADMIN_PRIVILEGES
 )
 
 for i in "${!CONFIG_MAP[@]}"
 do
     if [ "${CONFIG_MAP[$i]}" != "" ]; then
-        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $dashboard_config_file
     fi
 done
 
-CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
 
-grep -q 1513629884013 $kibana_config_file
+grep -q 1513629884013 $dashboard_config_file
 _config_exists=$?
 
-if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
-cat << EOF >> $kibana_config_file
+if [[ $_config_exists -ne 0 ]]; then
+cat << EOF >> $dashboard_config_file
 hosts:
   - 1513629884013:
       url: $wazuh_url
       port: $wazuh_port
       username: $api_username
       password: $api_password
+      run_as: $api_run_as
 EOF
 else
   echo "Wazuh APP already configured"
 fi
+

build-docker-images/wazuh-indexer/Dockerfile

@@ -0,0 +1,75 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+FROM ubuntu:focal AS builder
+
+RUN apt-get update -y && apt-get install curl openssl xz-utils -y
+
+COPY config/opensearch.yml /
+
+COPY config/config.sh .
+
+COPY config/config.yml /
+
+COPY config/internal_users.yml /
+
+COPY config/roles_mapping.yml /
+
+COPY config/roles.yml /
+
+RUN bash config.sh
+
+################################################################################
+# Build stage 1 (the actual Wazuh indexer image):
+#
+# Copy wazuh-indexer from stage 0
+# Add entrypoint
+################################################################################
+FROM ubuntu:focal
+
+ENV USER="wazuh-indexer" \
+    GROUP="wazuh-indexer" \
+    NAME="wazuh-indexer" \
+    INSTALL_DIR="/usr/share/wazuh-indexer"
+
+RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+
+RUN useradd --system \
+            --uid 1000 \
+            --no-create-home \
+            --home-dir $INSTALL_DIR \
+            --gid $GROUP \
+            --shell /sbin/nologin \
+            --comment "$USER user" \
+            $USER
+
+WORKDIR $INSTALL_DIR
+
+COPY config/entrypoint.sh /
+
+COPY config/securityadmin.sh /
+
+RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
+
+RUN chown 1000:1000 /*.sh
+
+COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
+COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
+COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
+COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
+
+
+RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
+    mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
+    mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
+    mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
+    chmod 700 /usr/share/wazuh-indexer/config && \
+    chmod 600 /usr/share/wazuh-indexer/config/jvm.options && \
+    chmod 600 /usr/share/wazuh-indexer/config/opensearch.yml
+
+USER wazuh-indexer
+
+# Services ports
+EXPOSE 9200
+
+ENTRYPOINT ["/entrypoint.sh"]
+# Dummy overridable parameter parsed by entrypoint
+CMD ["opensearchwrapper"]

build-docker-images/wazuh-indexer/config/config.sh

@@ -0,0 +1,110 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+export NAME=wazuh-indexer
+export TARGET_DIR=${CURDIR}/debian/${NAME}
+
+# Package build options
+export USER=${NAME}
+export GROUP=${NAME}
+export VERSION=4.3.4
+export LOG_DIR=/var/log/${NAME}
+export LIB_DIR=/var/lib/${NAME}
+export PID_DIR=/run/${NAME}
+export INSTALLATION_DIR=/usr/share/${NAME}
+export CONFIG_DIR=${INSTALLATION_DIR}/config
+export BASE_DIR=${NAME}-*
+export INDEXER_FILE=wazuh-indexer-base.tar.xz
+export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz
+export REPO_DIR=/unattended_installer
+
+
+rm -rf ${INSTALLATION_DIR}/
+
+curl -o ${INDEXER_FILE} https://packages.wazuh.com/stack/indexer/base/${BASE_FILE}
+tar -xf ${INDEXER_FILE}
+
+## TOOLS
+
+## Variables
+CERT_TOOL=wazuh-certs-tool.sh
+PASSWORD_TOOL=wazuh-passwords-tool.sh
+PACKAGES_URL=https://packages.wazuh.com/4.3/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
+
+## Check if the cert tool exists in S3 buckets
+CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+
+## If cert tool exists in some bucket, download it, if not exit 1
+if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
+  echo "Cert tool exists in Packages bucket"
+elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
+  echo "Cert tool exists in Packages-dev bucket"
+else
+  echo "Cert tool does not exist in any bucket"
+  exit 1
+fi
+
+
+## Check if the password tool exists in S3 buckets
+PASSWORD_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+PASSWORD_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+
+## If password tool exists in some bucket, download it, if not exit 1
+if [ "$PASSWORD_TOOL_PACKAGES" = "200" ]; then
+  curl -o $PASSWORD_TOOL $PACKAGES_URL$PASSWORD_TOOL
+  echo "Password tool exists in Packages bucket"
+elif [ "$PASSWORD_TOOL_PACKAGES_DEV" = "200" ]; then
+  curl -o $PASSWORD_TOOL $PACKAGES_DEV_URL$PASSWORD_TOOL
+  echo "Password tool exists in Packages-dev bucket"
+else
+  echo "Password tool does not exist in any bucket"
+  exit 1
+fi
+
+chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
+
+# copy to target
+mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
+mkdir -p ${TARGET_DIR}${CONFIG_DIR}
+mkdir -p ${TARGET_DIR}${LIB_DIR}
+mkdir -p ${TARGET_DIR}${LOG_DIR}
+mkdir -p ${TARGET_DIR}/etc/init.d
+mkdir -p ${TARGET_DIR}/etc/default
+mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d
+mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d
+mkdir -p ${TARGET_DIR}/usr/lib/systemd/system
+mkdir -p ${TARGET_DIR}${CONFIG_DIR}/certs
+# Move configuration files for wazuh-indexer
+mv -f ${BASE_DIR}/etc/init.d/${NAME} ${TARGET_DIR}/etc/init.d/${NAME}
+mv -f ${BASE_DIR}/etc/wazuh-indexer/* ${TARGET_DIR}${CONFIG_DIR}
+mv -f ${BASE_DIR}/etc/sysconfig/${NAME} ${TARGET_DIR}/etc/default/
+mv -f ${BASE_DIR}/usr/lib/tmpfiles.d/* ${TARGET_DIR}/usr/lib/tmpfiles.d/
+mv -f ${BASE_DIR}/usr/lib/sysctl.d/* ${TARGET_DIR}/usr/lib/sysctl.d/
+mv -f ${BASE_DIR}/usr/lib/systemd/system/* ${TARGET_DIR}/usr/lib/systemd/system/
+rm -rf ${BASE_DIR}/etc
+rm -rf ${BASE_DIR}/usr
+# Copy installation files to final location
+cp -pr ${BASE_DIR}/* ${TARGET_DIR}${INSTALLATION_DIR}
+# Copy the security tools
+cp /$CERT_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
+cp /$PASSWORD_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
+# Copy Wazuh's config files for the security plugin
+cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
+cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
+cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
+cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR}
+# Copy Wazuh indexer's certificates
+cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer.pem
+cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer-key.pem
+cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.key
+cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.pem
+cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem
+cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem
+
+chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
+chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*

build-docker-images/wazuh-indexer/config/config.yml

@@ -0,0 +1,5 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: demo.indexer
+      ip: demo.indexer

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+set -e
+
+umask 0002
+
+export USER=wazuh-indexer
+export INSTALLATION_DIR=/usr/share/wazuh-indexer
+export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
+export JAVA_HOME=${INSTALLATION_DIR}/jdk
+export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
+export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
+export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
+export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000:0 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+# Allow user specify custom CMD, maybe bin/opensearch itself
+# for example to directly specify `-E` style parameters for opensearch on k8s
+# or simply to run /bin/bash to check the image
+if [[ "$1" != "opensearchwrapper" ]]; then
+  if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then
+    # Rewrite CMD args to replace $1 with `opensearch` explicitly,
+    # Without this, user could specify `opensearch -E x.y=z` but
+    # `bin/opensearch -E x.y=z` would not work.
+    set -- "opensearch" "${@:2}"
+    # Use chroot to switch to UID 1000 / GID 0
+    exec chroot --userspec=1000:0 / "$@"
+  else
+    # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
+    exec "$@"
+  fi
+fi
+
+# Allow environment variables to be set by creating a file with the
+# contents, and setting an environment variable with the suffix _FILE to
+# point to it. This can be used to provide secrets to a container, without
+# the values being specified explicitly when running the container.
+#
+# This is also sourced in opensearch-env, and is only needed here
+# as well because we use INDEXER_PASSWORD below. Sourcing this script
+# is idempotent.
+source /usr/share/wazuh-indexer/bin/opensearch-env-from-file
+
+if [[ -f bin/opensearch-users ]]; then
+  # Check for the INDEXER_PASSWORD environment variable to set the
+  # bootstrap password for Security.
+  #
+  # This is only required for the first node in a cluster with Security
+  # enabled, but we have no way of knowing which node we are yet. We'll just
+  # honor the variable if it's present.
+  if [[ -n "$INDEXER_PASSWORD" ]]; then
+    [[ -f /usr/share/wazuh-indexer/config/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
+    if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
+      # keystore is unencrypted
+      if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
+        (run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
+      fi
+    else
+      # keystore requires password
+      if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
+          | opensearch-keystore list | grep -q '^bootstrap.password$') ; then
+        COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
+        (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
+      fi
+    fi
+  fi
+fi
+
+if [[ "$(id -u)" == "0" ]]; then
+  # If requested and running as root, mutate the ownership of bind-mounts
+  if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
+    chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
+  fi
+fi
+
+
+if [[ "$DISCOVERY" == "single-node" ]] && [[ ! -f "/var/lib/wazuh-indexer/.flag" ]]; then
+  # run securityadmin.sh for single node with CACERT, CERT and KEY parameter
+  nohup /securityadmin.sh &
+  touch "/var/lib/wazuh-indexer/.flag"
+fi
+
+run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

build-docker-images/wazuh-indexer/config/internal_users.yml

@@ -0,0 +1,74 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"
+
+wazuh_admin:
+  hash: "$2y$12$d2awHiOYvZjI88VfsDON.u6buoBol0gYPJEgdG1ArKVE0OMxViFfu"
+  reserved: true
+  hidden: false
+  backend_roles: []
+  attributes: {}
+  opendistro_security_roles: []
+  static: false
+  
+wazuh_user:
+  hash: "$2y$12$BQixeoQdRubZdVf/7sq1suHwiVRnSst1.lPI2M0.GPZms4bq2D9vO"
+  reserved: true
+  hidden: false
+  backend_roles: []
+  attributes: {}
+  opendistro_security_roles: []
+  static: false  

build-docker-images/wazuh-indexer/config/opensearch.yml

@@ -0,0 +1,26 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer-key.pem
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer-key.pem
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=demo.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

build-docker-images/wazuh-indexer/config/roles.yml

@@ -0,0 +1,163 @@
+_meta:
+  type: "roles"
+  config_version: 2
+
+# Restrict users so they can only view visualization and dashboards on kibana
+kibana_read_only:
+  reserved: true
+
+# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+security_rest_api_access:
+  reserved: true
+
+# Allows users to view monitors, destinations and alerts
+alerting_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/alerting/alerts/get'
+    - 'cluster:admin/opendistro/alerting/destination/get'
+    - 'cluster:admin/opendistro/alerting/monitor/get'
+    - 'cluster:admin/opendistro/alerting/monitor/search'
+
+# Allows users to view and acknowledge alerts
+alerting_ack_alerts:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/alerting/alerts/*'
+
+# Allows users to use all alerting functionality
+alerting_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster_monitor'
+    - 'cluster:admin/opendistro/alerting/*'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices_monitor'
+        - 'indices:admin/aliases/get'
+        - 'indices:admin/mappings/get'
+
+# Allow users to read Anomaly Detection detectors and results
+anomaly_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/ad/detector/info'
+    - 'cluster:admin/opendistro/ad/detector/search'
+    - 'cluster:admin/opendistro/ad/detectors/get'
+    - 'cluster:admin/opendistro/ad/result/search'
+    - 'cluster:admin/opendistro/ad/tasks/search'
+
+# Allows users to use all Anomaly Detection functionality
+anomaly_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster_monitor'
+    - 'cluster:admin/opendistro/ad/*'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices_monitor'
+        - 'indices:admin/aliases/get'
+        - 'indices:admin/mappings/get'
+
+# Allows users to read Notebooks
+notebooks_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/notebooks/list'
+    - 'cluster:admin/opendistro/notebooks/get'
+
+# Allows users to all Notebooks functionality
+notebooks_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/notebooks/create'
+    - 'cluster:admin/opendistro/notebooks/update'
+    - 'cluster:admin/opendistro/notebooks/delete'
+    - 'cluster:admin/opendistro/notebooks/get'
+    - 'cluster:admin/opendistro/notebooks/list'
+
+# Allows users to read and download Reports
+reports_instances_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/reports/instance/list'
+    - 'cluster:admin/opendistro/reports/instance/get'
+    - 'cluster:admin/opendistro/reports/menu/download'
+
+# Allows users to read and download Reports and Report-definitions
+reports_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/reports/definition/get'
+    - 'cluster:admin/opendistro/reports/definition/list'
+    - 'cluster:admin/opendistro/reports/instance/list'
+    - 'cluster:admin/opendistro/reports/instance/get'
+    - 'cluster:admin/opendistro/reports/menu/download'
+
+# Allows users to all Reports functionality
+reports_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/reports/definition/create'
+    - 'cluster:admin/opendistro/reports/definition/update'
+    - 'cluster:admin/opendistro/reports/definition/on_demand'
+    - 'cluster:admin/opendistro/reports/definition/delete'
+    - 'cluster:admin/opendistro/reports/definition/get'
+    - 'cluster:admin/opendistro/reports/definition/list'
+    - 'cluster:admin/opendistro/reports/instance/list'
+    - 'cluster:admin/opendistro/reports/instance/get'
+    - 'cluster:admin/opendistro/reports/menu/download'
+
+# Allows users to use all asynchronous-search functionality
+asynchronous_search_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/asynchronous_search/*'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices:data/read/search*'
+
+# Allows users to read stored asynchronous-search results
+asynchronous_search_read_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opendistro/asynchronous_search/get'
+
+wazuh_ui_user:
+  reserved: true
+  hidden: false
+  cluster_permissions: []
+  index_permissions:
+  - index_patterns:
+    - "wazuh-*"
+    dls: ""
+    fls: []
+    masked_fields: []
+    allowed_actions:
+    - "read"
+  tenant_permissions: []
+  static: false        
+
+wazuh_ui_admin:
+  reserved: true
+  hidden: false
+  cluster_permissions: []
+  index_permissions:
+  - index_patterns:
+    - "wazuh-*"
+    dls: ""
+    fls: []
+    masked_fields: []
+    allowed_actions:
+    - "read"
+    - "delete"
+    - "manage"
+    - "index"
+  tenant_permissions: []
+  static: false  

build-docker-images/wazuh-indexer/config/roles_mapping.yml

@@ -0,0 +1,71 @@
+---
+# In this file users, backendroles and hosts can be mapped to Wazuh indexer Security roles.
+# Permissions for Wazuh indexer roles are configured in roles.yml
+
+_meta:
+  type: "rolesmapping"
+  config_version: 2
+
+# Define your roles mapping here
+
+## Demo roles mapping
+
+all_access:
+  reserved: false
+  backend_roles:
+  - "admin"
+  description: "Maps admin to all_access"
+
+own_index:
+  reserved: false
+  users:
+  - "*"
+  description: "Allow full access to an index named like the username"
+
+logstash:
+  reserved: false
+  backend_roles:
+  - "logstash"
+
+kibana_user:
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  users:
+  - "wazuh_user"
+  - "wazuh_admin"    
+  description: "Maps kibanauser to kibana_user"
+
+readall:
+  reserved: false
+  backend_roles:
+  - "readall"
+
+manage_snapshots:
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+
+kibana_server:
+  reserved: true
+  users:
+  - "kibanaserver"
+
+wazuh_ui_admin:
+  reserved: true
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+  - "wazuh_admin"
+  - "kibanaserver"
+  and_backend_roles: []
+
+wazuh_ui_user:
+  reserved: true
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+  - "wazuh_user"
+  and_backend_roles: []

build-docker-images/wazuh-indexer/config/securityadmin.sh

@@ -0,0 +1,3 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+sleep 30
+bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9300 -icl

build-docker-images/wazuh-manager/Dockerfile

@@ -1,26 +1,22 @@
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-FROM centos:7
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+FROM ubuntu:focal
 
+ARG WAZUH_VERSION=4.3.4
+ARG TEMPLATE_VERSION=4.3
 ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.10.2
-ARG WAZUH_VERSION=4.2.0-1
-ARG TEMPLATE_VERSION="master"
-ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
+ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz"
 
-# Set repositories.
-RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
+RUN apt-get update && apt install curl apt-transport-https lsb-release gnupg -y
 
-COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
+RUN apt-key adv --fetch-keys https://packages.wazuh.com/key/GPG-KEY-WAZUH && \
+    echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list && \
+    apt-get update && \
+    apt-get install wazuh-manager=${WAZUH_VERSION}-1
 
-RUN yum --enablerepo=updates clean metadata && \
-  yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
-  sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
-  yum clean all && rm -rf /var/cache/yum
-
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
-  rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm
-
-RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
+    dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
+    curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
 
 RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
 
@@ -31,6 +27,9 @@ RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releas
     tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
     rm  /tmp/s6-overlay-amd64.tar.gz
 
+COPY config/etc/ /etc/
+COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
+
 COPY config/filebeat.yml /etc/filebeat/
 
 RUN chmod go-w /etc/filebeat/filebeat.yml
@@ -38,11 +37,9 @@ RUN chmod go-w /etc/filebeat/filebeat.yml
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
 RUN chmod go-w /etc/filebeat/wazuh-template.json
 
-COPY config/etc/ /etc/
-COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
-
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
+
 COPY config/permanent_data.env config/permanent_data.sh /
 RUN chmod 755 /permanent_data.sh && \
     sync && /permanent_data.sh && \
@@ -51,4 +48,4 @@ RUN chmod 755 /permanent_data.sh && \
 # Services ports
 EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
 
-ENTRYPOINT [ "/init" ]
+ENTRYPOINT [ "/init" ]

build-docker-images/wazuh-manager/config/create_user.py

@@ -13,6 +13,7 @@ SPECIAL_CHARS = "@$!%*?&-_"
 
 
 try:
+    from wazuh.rbac.orm import create_rbac_db
     from wazuh.security import (
         create_user,
         get_users,
@@ -66,6 +67,10 @@ if __name__ == "__main__":
         # abort if no user file detected
         sys.exit(0)
     username, password = read_user_file()
+
+    # create RBAC database
+    create_rbac_db()
+
     initial_users = db_users()
     if username not in initial_users:
         # create a new user

build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init

@@ -1,5 +1,5 @@
 #!/usr/bin/with-contenv bash
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env
@@ -41,12 +41,18 @@ exec_cmd_stdout() {
 
 mount_permanent_data() {
   for permanent_dir in "${PERMANENT_DATA[@]}"; do
+    data_tmp="${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/"
+    print ${data_tmp}
     # Check if the path is not empty
     if find ${permanent_dir} -mindepth 1 | read; then
       print "The path ${permanent_dir} is already mounted"
     else
-      print "Installing ${permanent_dir}"
-      exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. ${permanent_dir}"
+      if find ${data_tmp} -mindepth 1 | read; then
+        print "Installing ${permanent_dir}"
+        exec_cmd "cp -a ${data_tmp}. ${permanent_dir}"
+      else
+        print "The path ${permanent_dir} is empty, skiped"
+      fi
     fi
   done
 }
@@ -164,6 +170,15 @@ set_custom_cluster_key() {
   sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
 }
 
+##############################################################################
+# Modify /var/ossec/queue/rids directory owner on
+# container start.
+##############################################################################
+
+set_rids_owner() {
+  chown -R wazuh:wazuh /var/ossec/queue/rids
+}
+
 ##############################################################################
 # Main function
 ##############################################################################
@@ -202,6 +217,8 @@ main() {
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 
+  # Set rids directory owner
+  set_rids_owner
 }
 
 main

build-docker-images/wazuh-manager/config/etc/cont-init.d/1-config-filebeat

@@ -1,23 +1,23 @@
 #!/usr/bin/with-contenv bash
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 
 set -e
 
-if [ "$ELASTICSEARCH_URL" != "" ]; then
+if [ "$INDEXER_URL" != "" ]; then
   >&2 echo "Customize Elasticsearch ouput IP"
-  sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml
+  sed -i "s|hosts:.*|hosts: ['$INDEXER_URL']|g" /etc/filebeat/filebeat.yml
 fi
 
 # Configure filebeat.yml security settings
 
-if [ "$ELASTIC_USERNAME" != "" ]; then
+if [ "$INDEXER_USERNAME" != "" ]; then
   >&2 echo "Configuring username."
-  sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml
+  sed -i "s|#username:.*|username: '$INDEXER_USERNAME'|g" /etc/filebeat/filebeat.yml
 fi
 
-if [ "$ELASTIC_PASSWORD" != "" ]; then
+if [ "$INDEXER_PASSWORD" != "" ]; then
   >&2 echo "Configuring password."
-  sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml
+  sed -i "s|#password:.*|password: '$INDEXER_PASSWORD'|g" /etc/filebeat/filebeat.yml
 fi
 
 if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then

build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager

@@ -36,11 +36,11 @@ function_wazuh_migration(){
       fi
 
       \cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
-      chown root:ossec /var/ossec/etc/ossec.conf
+      chown root:wazuh /var/ossec/etc/ossec.conf
       chmod 640 /var/ossec/etc/ossec.conf
 
       \cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
-      chown ossec:ossec /var/ossec/etc/client.keys
+      chown wazuh:wazuh /var/ossec/etc/client.keys
       chmod 640 /var/ossec/etc/client.keys
 
       \cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
@@ -49,25 +49,25 @@ function_wazuh_migration(){
       chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
 
       \cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
-      chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
+      chown wazuh:wazuh /var/ossec/etc/shared/default/agent.conf
       chmod 660 /var/ossec/etc/shared/default/agent.conf
 
       \cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
-      chown ossec:ossec /var/ossec/etc/decoders/*
+      chown wazuh:wazuh /var/ossec/etc/decoders/*
       chmod 660 /var/ossec/etc/decoders/*
 
       \cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
-      chown ossec:ossec /var/ossec/etc/rules/*
+      chown wazuh:wazuh /var/ossec/etc/rules/*
       chmod 660 /var/ossec/etc/rules/*
 
       if [ -e /wazuh-migration/data/agentless/.passlist ]; then
         \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
-        chown root:ossec /var/ossec/agentless/.passlist
+        chown root:wazuh /var/ossec/agentless/.passlist
         chmod 640 /var/ossec/agentless/.passlist
       fi
 
       \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
-      chown ossec:ossec /var/ossec/queue/db/global.db
+      chown wazuh:wazuh /var/ossec/queue/db/global.db
       chmod 640 /var/ossec/queue/db/global.db
 
       # mark volume as migrated

build-docker-images/wazuh-manager/config/etc/services.d/ossec-logs/run

@@ -1,4 +1,4 @@
 #!/usr/bin/with-contenv sh
 
 # dumping ossec.log to standard output
-exec tail -f /var/ossec/logs/ossec.log
+exec tail -F /var/ossec/logs/ossec.log

build-docker-images/wazuh-manager/config/filebeat.yml

@@ -13,7 +13,7 @@ setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
 setup.ilm.enabled: false
 output.elasticsearch:
-  hosts: ['https://elasticsearch:9200']
+  hosts: ['https://wazuh.indexer:9200']
   #username:
   #password:
   #ssl.verification_mode:

build-docker-images/wazuh-manager/config/permanent_data.env

@@ -4,13 +4,13 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/queue/logcollector"
 PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
 PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
+
 export PERMANENT_DATA
 
 # Files mounted in a volume that should not be permanent
@@ -48,6 +48,7 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
@@ -68,4 +69,4 @@ export PERMANENT_DATA_DEL
 i=0
 PERMANENT_DATA_MOVE[((i++))]="/var/ossec/logs/ossec /var/ossec/logs/wazuh"
 PERMANENT_DATA_MOVE[((i++))]="/var/ossec/queue/ossec /var/ossec/queue/sockets"
-export PERMANENT_DATA_MOVE
+export PERMANENT_DATA_MOVE

build-docker-images/wazuh-manager/config/permanent_data.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env

build-from-sources.yml

@@ -1,84 +0,0 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh:
-    build:  wazuh-odfe/
-    image: wazuh/wazuh-odfe:dev-version
-    hostname: wazuh-manager
-    restart: always
-    ports:
-      - "1514:1514"
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=admin
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
-    volumes:
-      - ossec_api_configuration:/var/ossec/api/configuration
-      - ossec_etc:/var/ossec/etc
-      - ossec_logs:/var/ossec/logs
-      - ossec_queue:/var/ossec/queue
-      - ossec_var_multigroups:/var/ossec/var/multigroups
-      - ossec_integrations:/var/ossec/integrations
-      - ossec_active_response:/var/ossec/active-response/bin
-      - ossec_agentless:/var/ossec/agentless
-      - ossec_wodles:/var/ossec/wodles
-      - filebeat_etc:/etc/filebeat
-      - filebeat_var:/var/lib/filebeat
-
-  elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - discovery.type=single-node
-      - cluster.name=wazuh-cluster
-      - network.host=0.0.0.0
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-
-  kibana:
-    build: kibana-odfe/
-    image: wazuh/wazuh-kibana-odfe:dev-version
-    hostname: kibana
-    restart: always
-    ports:
-      - 443:5601
-    environment:
-      - ELASTICSEARCH_USERNAME=admin
-      - ELASTICSEARCH_PASSWORD=admin
-      - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
-      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
-
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-
-volumes:
-  ossec_api_configuration:
-  ossec_etc:
-  ossec_logs:
-  ossec_queue:
-  ossec_var_multigroups:
-  ossec_integrations:
-  ossec_active_response:
-  ossec_agentless:
-  ossec_wodles:
-  filebeat_etc:
-  filebeat_var:

docker-compose.yml

@@ -1,82 +0,0 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh:
-    image: wazuh/wazuh-odfe:4.2.0
-    hostname: wazuh-manager
-    restart: always
-    ports:
-      - "1514:1514"
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=admin
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
-    volumes:
-      - ossec_api_configuration:/var/ossec/api/configuration
-      - ossec_etc:/var/ossec/etc
-      - ossec_logs:/var/ossec/logs
-      - ossec_queue:/var/ossec/queue
-      - ossec_var_multigroups:/var/ossec/var/multigroups
-      - ossec_integrations:/var/ossec/integrations
-      - ossec_active_response:/var/ossec/active-response/bin
-      - ossec_agentless:/var/ossec/agentless
-      - ossec_wodles:/var/ossec/wodles
-      - filebeat_etc:/etc/filebeat
-      - filebeat_var:/var/lib/filebeat
-
-  elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - discovery.type=single-node
-      - cluster.name=wazuh-cluster
-      - network.host=0.0.0.0
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-
-  kibana:
-    image: wazuh/wazuh-kibana-odfe:4.2.0
-    hostname: kibana
-    restart: always
-    ports:
-      - 443:5601
-    environment:
-      - ELASTICSEARCH_USERNAME=admin
-      - ELASTICSEARCH_PASSWORD=admin
-      - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
-      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
-
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-
-volumes:
-  ossec_api_configuration:
-  ossec_etc:
-  ossec_logs:
-  ossec_queue:
-  ossec_var_multigroups:
-  ossec_integrations:
-  ossec_active_response:
-  ossec_agentless:
-  ossec_wodles:
-  filebeat_etc:
-  filebeat_var:

generate-elasticsearch-certs.yml

@@ -1,17 +0,0 @@
-version: '2.2'
-
-services:
-  generator:
-    container_name: generator
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    command: >
-      bash -c '
-        if [[ ! -f config/certificates/bundle.zip ]]; then
-          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out config/certificates/bundle.zip;
-          unzip config/certificates/bundle.zip -d config/certificates/;
-        fi;
-        chown -R 1000:0 /certs
-      '
-    user: "0"
-    working_dir: /usr/share/elasticsearch
-    volumes: ['./xpack:/usr/share/elasticsearch/config/certificates']

generate-opendistro-certs.yml

@@ -1,10 +0,0 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-version: '3'
-
-services:
-  generator:
-    image: wazuh/opendistro-certs-generator:0.1
-    hostname: opendistro-certs-generator
-    volumes:
-      - ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
-      - ./production_cluster/ssl_certs/:/usr/src/certs/out/ 

indexer-certs-creator/Dockerfile

@@ -0,0 +1,12 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+FROM ubuntu:focal
+
+RUN apt-get update && apt-get install openssl curl -y
+
+WORKDIR /
+
+COPY config/entrypoint.sh /
+
+RUN chmod 700 /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

indexer-certs-creator/README.md

@@ -0,0 +1,9 @@
+# Certificate creation image build
+
+The dockerfile hosted in this directory is used to build the image used to boot Wazuh's single node and multi node stacks.
+
+To create the image, the following command must be executed:
+
+```
+$ docker build -t wazuh/wazuh-certs-generator:0.0.1 .
+```

indexer-certs-creator/config/entrypoint.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+
+## Variables
+CERT_TOOL=wazuh-certs-tool.sh
+PASSWORD_TOOL=wazuh-passwords-tool.sh
+PACKAGES_URL=https://packages.wazuh.com/4.3/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
+
+## Check if the cert tool exists in S3 buckets
+CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+
+## If cert tool exists in some bucket, download it, if not exit 1
+if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
+  echo "Cert tool exists in Packages bucket"
+elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
+  curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
+  echo "Cert tool exists in Packages-dev bucket"
+else
+  echo "Cert tool does not exist in any bucket"
+  echo "ERROR: certificates were not created"
+  exit 1
+fi
+
+cp /config/certs.yml /config.yml
+
+chmod 700 /$CERT_TOOL
+
+##############################################################################
+# Creating Cluster certificates
+##############################################################################
+
+## Execute cert tool and parsin cert.yml to set UID permissions
+source /$CERT_TOOL -A
+nodes_server=$( cert_parseYaml /config.yml | grep nodes_server__name | sed 's/nodes_server__name=//' )
+node_names=($nodes_server)
+
+echo "Moving created certificates to destination directory"
+cp /wazuh-certificates/* /certificates/
+echo "changing certificate permissions"
+chmod -R 500 /certificates
+chmod -R 400 /certificates/*
+echo "Setting UID indexer and dashboard"
+chown 1000:1000 /certificates/*
+echo "Setting UID for wazuh manager and worker"
+cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
+cp /certificates/root-ca.key /certificates/root-ca-manager.key
+chown 999:997 /certificates/root-ca-manager.pem
+chown 999:997 /certificates/root-ca-manager.key
+
+for i in ${node_names[@]}; 
+do 
+  chown 999:997 "/certificates/${i}.pem"
+  chown 999:997 "/certificates/${i}-key.pem"
+done

kibana-odfe/Dockerfile

@@ -1,59 +0,0 @@
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2
-USER kibana
-ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.2.0
-ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
-
-WORKDIR /usr/share/kibana
-RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
-
-WORKDIR /
-USER root
-COPY config/entrypoint.sh ./entrypoint.sh
-RUN chmod 755 ./entrypoint.sh
-
-ENV PATTERN="" \
-    CHECKS_PATTERN="" \
-    CHECKS_TEMPLATE="" \
-    CHECKS_API="" \
-    CHECKS_SETUP="" \
-    EXTENSIONS_PCI="" \
-    EXTENSIONS_GDPR="" \
-    EXTENSIONS_HIPAA="" \
-    EXTENSIONS_NIST="" \
-    EXTENSIONS_TSC="" \
-    EXTENSIONS_AUDIT="" \
-    EXTENSIONS_OSCAP="" \
-    EXTENSIONS_CISCAT="" \
-    EXTENSIONS_AWS="" \
-    EXTENSIONS_GCP="" \
-    EXTENSIONS_VIRUSTOTAL="" \
-    EXTENSIONS_OSQUERY="" \
-    EXTENSIONS_DOCKER="" \
-    APP_TIMEOUT="" \
-    API_SELECTOR="" \
-    IP_SELECTOR="" \
-    IP_IGNORE="" \
-    WAZUH_MONITORING_ENABLED="" \
-    WAZUH_MONITORING_FREQUENCY="" \
-    WAZUH_MONITORING_SHARDS="" \
-    WAZUH_MONITORING_REPLICAS="" \
-    ADMIN_PRIVILEGES=""
-
-USER kibana
-
-COPY ./config/custom_welcome /tmp/custom_welcome
-COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
-RUN chmod +x ./welcome_wazuh.sh
-ARG CHANGE_WELCOME="true"
-RUN ./welcome_wazuh.sh
-
-COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
-COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
-RUN chmod +x ./wazuh_app_config.sh
-
-COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
-RUN chmod +x ./kibana_settings.sh
-
-ENTRYPOINT ./entrypoint.sh

kibana-odfe/config/custom_welcome/template.js.hbs

@@ -1,112 +0,0 @@
-var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
-window.__kbnStrictCsp__ = kbnCsp.strictCsp;
-window.__kbnThemeTag__ = "{{themeTag}}";
-window.__kbnPublicPath__ = {{publicPathMap}};
-window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
-
-if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
-  var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
-  legacyBrowserError.style.display = 'flex';
-} else {
-  if (!window.__kbnCspNotEnforced__ && window.console) {
-    window.console.log("^ A single error about an inline script not firing due to content security policy is expected!");
-  }
-  var loadingMessage = document.getElementById('kbn_loading_message');
-  loadingMessage.style.display = 'flex';
-
-  window.onload = function () {
-    //WAZUH 
-      var interval = setInterval(() => {  
-        var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
-        if (!!title) {
-          clearInterval(interval);
-	  var content = document.querySelector("#kibana-body > div");
-          content.classList.add("wz-login")
-          title.textContent = "Welcome to Wazuh";
-          var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
-          subtitle.textContent = "The Open Source Security Platform";
-          var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
-          logo.remove();
-          var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
-          $(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
-        } 
-      })  
-    //
-
-    function failure() {
-      // make subsequent calls to failure() noop
-      failure = function () {};
-
-      var err = document.createElement('h1');
-      err.style['color'] = 'white';
-      err.style['font-family'] = 'monospace';
-      err.style['text-align'] = 'center';
-      err.style['background'] = '#F44336';
-      err.style['padding'] = '25px';
-      err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage;
-
-      document.body.innerHTML = err.outerHTML;
-    }
-
-    var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
-    function loadStyleSheet(url, cb) {
-      var dom = document.createElement('link');
-      dom.rel = 'stylesheet';
-      dom.type = 'text/css';
-      dom.href = url;
-      dom.addEventListener('error', failure);
-      dom.addEventListener('load', cb);
-      document.head.insertBefore(dom, stylesheetTarget);
-    }
-
-    var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]')
-    function loadScript(url, cb) {
-      var dom = document.createElement('script');
-      {{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}}
-      dom.async = false;
-      dom.src = url;
-      dom.addEventListener('error', failure);
-      dom.addEventListener('load', cb);
-      document.head.insertBefore(dom, scriptsTarget);
-    }
-
-    function load(urls, cb) {
-      var pending = urls.length;
-      urls.forEach(function (url) {
-        var innerCb = function () {
-          pending = pending - 1;
-          if (pending === 0 && typeof cb === 'function') {
-            cb();
-          }
-        }
-
-        if (typeof url !== 'string') {
-          load(url, innerCb);
-        } else if (url.slice(-4) === '.css') {
-          loadStyleSheet(url, innerCb);
-        } else {
-          loadScript(url, innerCb);
-        }
-      });
-    }
-
-    load([
-      {{#each jsDependencyPaths}}
-        '{{this}}',
-      {{/each}}
-    ], function () {
-      {{#unless legacyBundlePath}}
-        __kbnBundles__.get('entry/core/public').__kbnBootstrap__();
-      {{/unless}}
-
-      load([
-        {{#if legacyBundlePath}}
-          '{{legacyBundlePath}}',
-        {{/if}}
-        {{#each styleSheetPaths}}
-          '{{this}}',
-        {{/each}}
-      ]);
-    });
-  }
-}

kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>

kibana-odfe/config/entrypoint.sh

@@ -1,65 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-set -e
-
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
-  if [[ ${ENABLED_SECURITY} == "false" ]]; then
-    export el_url="http://elasticsearch:9200"
-  else
-    export el_url="https://elasticsearch:9200"
-  fi
-else
-  export el_url="${ELASTICSEARCH_URL}"
-fi
-
-if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
-  auth=""
-  # remove security plugin from kibana if elasticsearch is not using it either
-  /usr/share/kibana/bin/kibana-plugin remove opendistro_security
-else
-  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
-fi
-
-until curl -XGET $el_url ${auth}; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-
-./wazuh_app_config.sh
-
-sleep 5
-
-./kibana_settings.sh &
-
-sleep 2
-
-/usr/local/bin/kibana-docker

kibana-odfe/config/kibana_settings.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-WAZUH_MAJOR=4
-
-##############################################################################
-# Wait for the Kibana API to start. It is necessary to do it in this container
-# because the others are running Elastic Stack and we can not interrupt them.
-#
-# The following actions are performed:
-#
-# Add the wazuh alerts index as default.
-# Set the Discover time interval to 24 hours instead of 15 minutes.
-# Do not ask user to help providing usage statistics to Elastic.
-##############################################################################
-
-##############################################################################
-# Customize elasticsearch ip
-##############################################################################
-sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
-
-# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
-if [ "$KIBANA_INDEX" != "" ]; then
-  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
-    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
-  fi
-    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
-fi
-
-while [[ "$(curl -XGET -I  -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
-  echo "Waiting for Kibana API. Sleeping 5 seconds"
-  sleep 5
-done
-
-# Prepare index selection.
-echo "Kibana API is running"
-
-default_index="/tmp/default_index.json"
-
-cat > ${default_index} << EOF
-{
-  "changes": {
-    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
-  }
-}
-EOF
-
-sleep 5
-# Add the wazuh alerts index as default.
-curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
-rm -f ${default_index}
-
-sleep 5
-# Configuring Kibana TimePicker.
-curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\"}"}}'
-
-echo "End settings"

kibana-odfe/config/wazuh_app_config.sh

@@ -1,64 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-wazuh_url="${WAZUH_API_URL:-https://wazuh}"
-wazuh_port="${API_PORT:-55000}"
-api_username="${API_USERNAME:-wazuh-wui}"
-api_password="${API_PASSWORD:-wazuh-wui}"
-
-kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
-
-declare -A CONFIG_MAP=(
-  [pattern]=$PATTERN
-  [checks.pattern]=$CHECKS_PATTERN
-  [checks.template]=$CHECKS_TEMPLATE
-  [checks.api]=$CHECKS_API
-  [checks.setup]=$CHECKS_SETUP
-  [extensions.pci]=$EXTENSIONS_PCI
-  [extensions.gdpr]=$EXTENSIONS_GDPR
-  [extensions.hipaa]=$EXTENSIONS_HIPAA
-  [extensions.nist]=$EXTENSIONS_NIST
-  [extensions.tsc]=$EXTENSIONS_TSC
-  [extensions.audit]=$EXTENSIONS_AUDIT
-  [extensions.oscap]=$EXTENSIONS_OSCAP
-  [extensions.ciscat]=$EXTENSIONS_CISCAT
-  [extensions.aws]=$EXTENSIONS_AWS
-  [extensions.gcp]=$EXTENSIONS_GCP
-  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
-  [extensions.osquery]=$EXTENSIONS_OSQUERY
-  [extensions.docker]=$EXTENSIONS_DOCKER
-  [timeout]=$APP_TIMEOUT
-  [api.selector]=$API_SELECTOR
-  [ip.selector]=$IP_SELECTOR
-  [ip.ignore]=$IP_IGNORE
-  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
-  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
-  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
-  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
-  [admin]=$ADMIN_PRIVILEGES
-)
-
-for i in "${!CONFIG_MAP[@]}"
-do
-    if [ "${CONFIG_MAP[$i]}" != "" ]; then
-        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
-    fi
-done
-
-CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
-
-grep -q 1513629884013 $kibana_config_file
-_config_exists=$?
-
-if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
-cat << EOF >> $kibana_config_file
-hosts:
-  - 1513629884013:
-      url: $wazuh_url
-      port: $wazuh_port
-      username: $api_username
-      password: $api_password
-EOF
-else
-  echo "Wazuh APP already configured"
-fi

kibana-odfe/config/welcome_wazuh.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-if [[ $CHANGE_WELCOME == "true" ]]
-then
-    echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh?security_tenant=global" >> /usr/share/kibana/config/kibana.yml
-
-    echo "Set custom welcome styles"
-    cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
-    cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css
-    cp -f /tmp/custom_welcome/*svg /usr/share/kibana/src/core/server/core_app/assets/
-fi
-

kibana/Dockerfile

@@ -1,64 +0,0 @@
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:7.10.2
-USER kibana
-ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.2.0
-ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
-
-WORKDIR /usr/share/kibana
-RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
-
-ENV PATTERN="" \
-    CHECKS_PATTERN="" \
-    CHECKS_TEMPLATE="" \
-    CHECKS_API="" \
-    CHECKS_SETUP="" \
-    EXTENSIONS_PCI="" \
-    EXTENSIONS_GDPR="" \
-    EXTENSIONS_HIPAA="" \
-    EXTENSIONS_NIST="" \
-    EXTENSIONS_TSC="" \
-    EXTENSIONS_AUDIT="" \
-    EXTENSIONS_OSCAP="" \
-    EXTENSIONS_CISCAT="" \
-    EXTENSIONS_AWS="" \
-    EXTENSIONS_GCP="" \
-    EXTENSIONS_VIRUSTOTAL="" \
-    EXTENSIONS_OSQUERY="" \
-    EXTENSIONS_DOCKER="" \
-    APP_TIMEOUT="" \
-    API_SELECTOR="" \
-    IP_SELECTOR="" \
-    IP_IGNORE="" \
-    WAZUH_MONITORING_ENABLED="" \
-    WAZUH_MONITORING_FREQUENCY="" \
-    WAZUH_MONITORING_SHARDS="" \
-    WAZUH_MONITORING_REPLICAS="" \
-    ADMIN_PRIVILEGES="" \
-    XPACK_CANVAS="true" \
-    XPACK_LOGS="true"   \
-    XPACK_INFRA="true"  \
-    XPACK_ML="true" \
-    XPACK_DEVTOOLS="true"   \
-    XPACK_MONITORING="true" \
-    XPACK_APM="true"
-
-WORKDIR /
-USER kibana
-
-COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh
-RUN chmod 755 ./entrypoint.sh
-
-RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml
-
-COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
-COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
-RUN chmod +x ./wazuh_app_config.sh
-
-COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
-RUN chmod +x ./kibana_settings.sh
-
-COPY --chown=kibana:kibana ./config/xpack_config.sh ./
-RUN chmod +x ./xpack_config.sh
-
-ENTRYPOINT ./entrypoint.sh

kibana/config/entrypoint.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-set -e
-
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  export el_url="http://elasticsearch:9200"
-else
-  export el_url="${ELASTICSEARCH_URL}"
-fi
-
-if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
-  export auth=""
-else
-  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
-fi
-
-until curl -XGET $el_url ${auth}; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-./xpack_config.sh
-
-./wazuh_app_config.sh
-
-sleep 5
-
-./kibana_settings.sh &
-
-sleep 2
-
-/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -1,79 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-WAZUH_MAJOR=4
-
-##############################################################################
-# Wait for the Kibana API to start. It is necessary to do it in this container
-# because the others are running Elastic Stack and we can not interrupt them.
-#
-# The following actions are performed:
-#
-# Add the wazuh alerts index as default.
-# Set the Discover time interval to 24 hours instead of 15 minutes.
-# Do not ask user to help providing usage statistics to Elastic.
-##############################################################################
-
-##############################################################################
-# Customize elasticsearch ip
-##############################################################################
-sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
-
-# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
-if [ "$KIBANA_INDEX" != "" ]; then
-  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
-    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
-  fi
-    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
-fi
-
-kibana_proto="http"
-
-if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
-  kibana_proto="https"
-  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
-    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
-  fi
-    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
-fi
-
-# Add auth headers if required
-if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
-    curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
-fi
-
-while [[ "$(curl $curl_auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' -k $kibana_proto://127.0.0.1:5601/status)" != "200" ]]; do
-  echo "Waiting for Kibana API. Sleeping 5 seconds"
-  sleep 5
-done
-
-
-
-# Prepare index selection.
-echo "Kibana API is running"
-
-default_index="/tmp/default_index.json"
-
-cat > ${default_index} << EOF
-{
-  "changes": {
-    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
-  }
-}
-EOF
-
-sleep 5
-# Add the wazuh alerts index as default.
-curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
-rm -f ${default_index}
-
-sleep 5
-# Configuring Kibana TimePicker.
-curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\"}"}}'
-
-sleep 5
-# Do not ask user to help providing usage statistics to Elastic
-curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
-
-echo "End settings"

kibana/config/wazuh.yml

@@ -1,162 +0,0 @@
----
-#
-# Wazuh app - App configuration file
-# Copyright (C) 2015-2021 Wazuh, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Find more information about this on the LICENSE file.
-#
-# ======================== Wazuh app configuration file ========================
-#
-# Please check the documentation for more information on configuration options:
-# https://documentation.wazuh.com/current/installation-guide/index.html
-#
-# Also, you can check our repository:
-# https://github.com/wazuh/wazuh-kibana-app
-#
-# ------------------------------- Index patterns -------------------------------
-#
-# Default index pattern to use.
-#pattern: wazuh-alerts-*
-#
-# ----------------------------------- Checks -----------------------------------
-#
-# Defines which checks must to be consider by the healthcheck
-# step once the Wazuh app starts. Values must to be true or false.
-#checks.pattern : true
-#checks.template: true
-#checks.api     : true
-#checks.setup   : true
-#checks.metaFields: true
-#
-# --------------------------------- Extensions ---------------------------------
-#
-# Defines which extensions should be activated when you add a new API entry.
-# You can change them after Wazuh app starts.
-# Values must to be true or false.
-#extensions.pci       : true
-#extensions.gdpr      : true
-#extensions.hipaa     : true
-#extensions.nist      : true
-#extensions.tsc       : true
-#extensions.audit     : true
-#extensions.oscap     : false
-#extensions.ciscat    : false
-#extensions.aws       : false
-#extensions.gcp       : false
-#extensions.virustotal: false
-#extensions.osquery   : false
-#extensions.docker    : false
-#
-# ---------------------------------- Time out ----------------------------------
-#
-# Defines maximum timeout to be used on the Wazuh app requests.
-# It will be ignored if it is bellow 1500.
-# It means milliseconds before we consider a request as failed.
-# Default: 20000
-#timeout: 20000
-#
-# -------------------------------- API selector --------------------------------
-#
-# Defines if the user is allowed to change the selected
-# API directly from the Wazuh app top menu.
-# Default: true
-#api.selector: true
-#
-# --------------------------- Index pattern selector ---------------------------
-#
-# Defines if the user is allowed to change the selected
-# index pattern directly from the Wazuh app top menu.
-# Default: true
-#ip.selector: true
-#
-# List of index patterns to be ignored
-#ip.ignore: []
-#
-# -------------------------------- X-Pack RBAC ---------------------------------
-#
-# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
-# Default: enabled
-#xpack.rbac.enabled: true
-#
-# ------------------------------ wazuh-monitoring ------------------------------
-#
-# Custom setting to enable/disable wazuh-monitoring indices.
-# Values: true, false, worker
-# If worker is given as value, the app will show the Agents status
-# visualization but won't insert data on wazuh-monitoring indices.
-# Default: true
-#wazuh.monitoring.enabled: true
-#
-# Custom setting to set the frequency for wazuh-monitoring indices cron task.
-# Default: 900 (s)
-#wazuh.monitoring.frequency: 900
-#
-# Configure wazuh-monitoring-* indices shards and replicas.
-#wazuh.monitoring.shards: 2
-#wazuh.monitoring.replicas: 0
-#
-# Configure wazuh-monitoring-* indices custom creation interval.
-# Values: h (hourly), d (daily), w (weekly), m (monthly)
-# Default: d
-#wazuh.monitoring.creation: d
-#
-# Default index pattern to use for Wazuh monitoring
-#wazuh.monitoring.pattern: wazuh-monitoring-*
-#
-# --------------------------------- wazuh-cron ----------------------------------
-#
-# Customize the index prefix of predefined jobs
-# This change is not retroactive, if you change it new indexes will be created
-# cron.prefix: test
-#
-# ------------------------------ wazuh-statistics -------------------------------
-#
-# Custom setting to enable/disable statistics tasks.
-#cron.statistics.status: true
-#
-# Enter the ID of the APIs you want to save data from, leave this empty to run
-# the task on all configured APIs
-#cron.statistics.apis: []
-#
-# Define the frequency of task execution using cron schedule expressions
-#cron.statistics.interval: 0 0 * * * *
-#
-# Define the name of the index in which the documents are to be saved.
-#cron.statistics.index.name: statistics
-#
-# Define the interval in which the index will be created
-#cron.statistics.index.creation: w
-#
-# ------------------------------- App privileges --------------------------------
-#admin: true
-#
-# ---------------------------- Hide manager alerts ------------------------------
-# Hide the alerts of the manager in all dashboards and discover
-#hideManagerAlerts: false
-#
-# ------------------------------- App logging level -----------------------------
-# Set the logging level for the Wazuh App log files.
-# Default value: info
-# Allowed values: info, debug
-#logs.level: info
-#
-# -------------------------------- Enrollment DNS -------------------------------
-# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
-# Default value: ''
-#enrollment.dns: ''
-#
-#-------------------------------- API entries -----------------------------------
-#The following configuration is the default structure to define an API entry.
-#
-#hosts:
-#  - <id>:
-#     url: http(s)://<url>
-#     port: <port>
-#     username: <username>
-#     password: <password>
-

kibana/config/xpack_config.sh

@@ -1,35 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-
-kibana_config_file="/usr/share/kibana/config/kibana.yml"
-if grep -Fq  "#xpack features" "$kibana_config_file";
-then
-  declare -A CONFIG_MAP=(
-    [xpack.apm.ui.enabled]=$XPACK_APM
-    [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
-    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
-    [xpack.ml.enabled]=$XPACK_ML
-    [xpack.canvas.enabled]=$XPACK_CANVAS
-    [xpack.infra.enabled]=$XPACK_INFRA
-    [xpack.monitoring.enabled]=$XPACK_MONITORING
-    [console.enabled]=$XPACK_DEVTOOLS
-  )
-  for i in "${!CONFIG_MAP[@]}"
-  do
-    if [ "${CONFIG_MAP[$i]}" != "" ]; then
-      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
-    fi
-  done
-else
-  echo "
-#xpack features
-xpack.apm.ui.enabled: $XPACK_APM
-xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
-xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
-xpack.ml.enabled: $XPACK_ML
-xpack.canvas.enabled: $XPACK_CANVAS
-xpack.infra.enabled: $XPACK_INFRA
-xpack.monitoring.enabled: $XPACK_MONITORING
-console.enabled: $XPACK_DEVTOOLS
-" >> $kibana_config_file
-fi

multi-node/Migration-to-Wazuh-4.3.md

@@ -0,0 +1,361 @@
+# Opendistro data migration to Wazuh indexer on docker.
+This procedure explains how to migrate Opendistro data from Opendistro to Wazuh indexer in docker production deployments.
+The example is migrating from v4.2 to v4.3.
+
+## Procedure
+Assuming that you have a v4.2 production deployment, perform the following steps.
+
+**1. Stop 4.2 environment**
+`docker-compose -f production-cluster.yml stop`
+
+**2. List elasticsearch volumes**
+`docker volume ls --filter name='wazuh-docker_elastic-data'`
+
+**3. Inspect elasticsearch volume**
+`docker volume inspect wazuh-docker_elastic-data-1`
+
+**4. Spin down the 4.2 environment.**
+`docker-compose -f production-cluster.yml down`
+
+**Steps 5 and 6 can be done with the volume-migrator.sh script, specifying Docker compose version and project name as parameters.**
+
+Ex: $ multi-node/volume-migrator.sh 1.25.0 multi-node
+
+**5. Run the volume create command:** create new indexer and Wazuh manager volumes using the `com.docker.compose.version` label value from the previous command.
+
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=wazuh-indexer-data-1 \
+           multi-node_wazuh-indexer-data-1
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=wazuh-indexer-data-2 \
+           multi-node_wazuh-indexer-data-2
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=wazuh-indexer-data-3 \
+           multi-node_wazuh-indexer-data-3
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master_wazuh_api_configuration \
+           multi-node_master_wazuh_api_configuration
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master_wazuh_etc \
+           multi-node_docker_wazuh_etc
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-logs \
+           multi-node_master-wazuh-logs
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-queue \
+           multi-node_master-wazuh-queue
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-var-multigroups \
+           multi-node_master-wazuh-var-multigroups
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-integrations \
+           multi-node_master-wazuh-integrations
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-active-response \
+           multi-node_master-wazuh-active-response
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-agentless \
+           multi-node_master-wazuh-agentless
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-wazuh-wodles \
+           multi-node_master-wazuh-wodles
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-filebeat-etc \
+           multi-node_master-filebeat-etc
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=master-filebeat-var \
+           multi-node_master-filebeat-var
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker_wazuh_api_configuration \
+           multi-node_worker_wazuh_api_configuration
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker_wazuh_etc \
+           multi-node_worker-wazuh-etc
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-logs \
+           multi-node_worker-wazuh-logs
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-queue \
+           multi-node_worker-wazuh-queue
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-var-multigroups \
+           multi-node_worker-wazuh-var-multigroups
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-integrations \
+           multi-node_worker-wazuh-integrations
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-active-response \
+           multi-node_worker-wazuh-active-response
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-agentless \
+           multi-node_worker-wazuh-agentless
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-wazuh-wodles \
+           multi-node_worker-wazuh-wodles
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-filebeat-etc \
+           multi-node_worker-filebeat-etc
+```
+```
+docker volume create \
+           --label com.docker.compose.project=multi-node \
+           --label com.docker.compose.version=1.25.0 \
+           --label com.docker.compose.volume=worker-filebeat-var \
+           multi-node_worker-filebeat-var
+```
+**6. Copy the volume content from elasticsearch to Wazuh indexer volumes and old Wazuh manager content to new volumes.**
+```
+docker container run --rm -it \
+           -v wazuh-docker_elastic-data-1:/from \
+           -v multi-node_wazuh-indexer-data-1:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_elastic-data-2:/from \
+           -v multi-node_wazuh-indexer-data-2:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_elastic-data-3:/from \
+           -v multi-node_wazuh-indexer-data-3:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-api-configuration:/from \
+           -v multi-node_master-wazuh-api-configuration:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-etc:/from \
+           -v multi-node_master-wazuh-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-logs:/from \
+           -v multi-node_master-wazuh-logs:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-queue:/from \
+           -v multi-node_master-wazuh-queue:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-var-multigroups:/from \
+           -v multi-node_master-wazuh-var-multigroups:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-integrations:/from \
+           -v multi-node_master-wazuh-integrations:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-active-response:/from \
+           -v multi-node_master-wazuh-active-response:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-agentless:/from \
+           -v multi-node_master-wazuh-agentless:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_ossec-wodles:/from \
+           -v multi-node_master-wazuh-wodles:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_filebeat-etc:/from \
+           -v multi-node_master-filebeat-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_filebeat-var:/from \
+           -v multi-node_master-filebeat-var:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-api-configuration:/from \
+           -v multi-node_worker-wazuh-api-configuration:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-etc:/from \
+           -v multi-node_worker-wazuh-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-logs:/from \
+           -v multi-node_worker-wazuh-logs:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-queue:/from \
+           -v multi-node_worker-wazuh-queue:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-var-multigroups:/from \
+           -v multi-node_worker-wazuh-var-multigroups:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-integrations:/from \
+           -v multi-node_worker-wazuh-integrations:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-active-response:/from \
+           -v multi-node_worker-wazuh-active-response:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-agentless:/from \
+           -v multi-node_worker-wazuh-agentless:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-wodles:/from \
+           -v multi-node_worker-wazuh-wodles:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-filebeat-etc:/from \
+           -v multi-node_worker-filebeat-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+```
+docker container run --rm -it \
+           -v wazuh-docker_worker-filebeat-var:/from \
+           -v multi-node_worker-filebeat-var:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+```
+
+**7. Start the 4.3 environment.**
+```
+git checkout 4.3
+cd multi-node
+docker-compose -f generate-indexer-certs.yml run --rm generator
+docker-compose up -d
+```
+
+**8. Check the access to Wazuh dashboard**: go to the Wazuh dashboard using the web browser and check the data.

multi-node/README.md

@@ -0,0 +1,26 @@
+# Deploy Wazuh Docker in multi node configuration
+
+This deployment is defined in the `docker-compose.yml` file with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps: 
+
+1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
+```
+$ sysctl -w vm.max_map_count=262144
+```
+2) Run the certificate creation script:
+```
+$ docker-compose -f generate-indexer-certs.yml run --rm generator
+```
+3) Start the environment with docker-compose:
+
+- In the foregroud:
+```
+$ docker-compose up
+```
+
+- In the background:
+```
+$ docker-compose up -d
+```
+
+
+The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

multi-node/config/certs.yml

@@ -0,0 +1,24 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: wazuh1.indexer
+      ip: wazuh1.indexer
+    - name: wazuh2.indexer
+      ip: wazuh2.indexer
+    - name: wazuh3.indexer
+      ip: wazuh3.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    - name: wazuh.master
+      ip: wazuh.master
+      node_type: master
+    - name: wazuh.worker
+      ip: wazuh.worker
+      node_type: worker
+
+  # Wazuh dashboard node
+  dashboard:
+    - name: wazuh.dashboard
+      ip: wazuh.dashboard

multi-node/config/nginx/nginx.conf

@@ -28,27 +28,6 @@ http {
     server_tokens off;
     gzip  on;
 
-    # kibana UI
-    server {
-        listen 80;
-        listen [::]:80;
-        return 301 https://$host:443$request_uri;
-    }
-
-    server {
-        listen 443 default_server ssl http2;
-        listen [::]:443 ssl http2;
-        ssl_certificate /etc/nginx/ssl/cert.pem;
-        ssl_certificate_key /etc/nginx/ssl/key.pem;
-        location / {
-            proxy_pass https://kibana:5601/;
-            proxy_ssl_verify off;
-            proxy_buffer_size          128k;
-            proxy_buffers              4 256k;
-            proxy_busy_buffers_size    256k;
-        }
-    }
-
 }
 
 
@@ -57,11 +36,11 @@ http {
 stream {
     upstream mycluster {
         hash $remote_addr consistent;
-        server wazuh-master:1514;
-        server wazuh-worker:1514;
+        server wazuh.master:1514;
+        server wazuh.worker:1514;
     }
     server {
         listen 1514;
         proxy_pass mycluster;
     }
-}
+}

multi-node/config/wazuh_cluster/wazuh_manager.conf

@@ -0,0 +1,372 @@
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>no</logall>
+    <logall_json>no</logall_json>
+    <email_notification>no</email_notification>
+    <smtp_server>smtp.example.wazuh.com</smtp_server>
+    <email_from>wazuh@example.wazuh.com</email_from>
+    <email_to>recipient@example.wazuh.com</email_to>
+    <email_maxperhour>12</email_maxperhour>
+    <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+  </global>
+
+  <alerts>
+    <log_alert_level>3</log_alert_level>
+    <email_alert_level>12</email_alert_level>
+  </alerts>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>tcp</protocol>
+    <queue_size>131072</queue_size>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <vulnerability-detector>
+    <enabled>no</enabled>
+    <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
+    <run_on_start>yes</run_on_start>
+
+    <!-- Ubuntu OS vulnerabilities -->
+    <provider name="canonical">
+      <enabled>no</enabled>
+      <os>trusty</os>
+      <os>xenial</os>
+      <os>bionic</os>
+      <os>focal</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Debian OS vulnerabilities -->
+    <provider name="debian">
+      <enabled>no</enabled>
+      <os>stretch</os>
+      <os>buster</os>
+      <os>bullseye</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- RedHat OS vulnerabilities -->
+    <provider name="redhat">
+      <enabled>no</enabled>
+      <os>5</os>
+      <os>6</os>
+      <os>7</os>
+      <os>8</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Windows OS vulnerabilities -->
+    <provider name="msu">
+      <enabled>yes</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Aggregate vulnerabilities -->
+    <provider name="nvd">
+      <enabled>yes</enabled>
+      <update_from_year>2010</update_from_year>
+      <update_interval>1h</update_interval>
+    </provider>
+
+  </vulnerability-detector>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh</name>
+    <executable>netsh.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!--
+  <active-response>
+    active-response options here
+  </active-response>
+  -->
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
+  <!-- Configuration for wazuh-authd -->
+  <auth>
+    <disabled>no</disabled>
+    <port>1515</port>
+    <use_source_ip>no</use_source_ip>
+    <purge>yes</purge>
+    <use_password>no</use_password>
+    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+    <!-- <ssl_agent_ca></ssl_agent_ca> -->
+    <ssl_verify_host>no</ssl_verify_host>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
+    <ssl_auto_negotiate>no</ssl_auto_negotiate>
+  </auth>
+
+  <cluster>
+    <name>wazuh</name>
+    <node_name>manager</node_name>
+    <node_type>master</node_type>
+    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>wazuh.master</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>no</disabled>
+  </cluster>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>

multi-node/config/wazuh_cluster/wazuh_worker.conf

@@ -6,10 +6,12 @@
     <logall_json>no</logall_json>
     <email_notification>no</email_notification>
     <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>ossecm@example.wazuh.com</email_from>
+    <email_from>wazuh@example.wazuh.com</email_from>
     <email_to>recipient@example.wazuh.com</email_to>
     <email_maxperhour>12</email_maxperhour>
     <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
   </global>
 
   <alerts>
@@ -43,8 +45,8 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -79,6 +81,11 @@
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
   </wodle>
 
   <sca>
@@ -91,7 +98,7 @@
   <vulnerability-detector>
     <enabled>no</enabled>
     <interval>5m</interval>
-    <ignore_time>6h</ignore_time>
+    <min_full_scan_interval>6h</min_full_scan_interval>
     <run_on_start>yes</run_on_start>
 
     <!-- Ubuntu OS vulnerabilities -->
@@ -109,6 +116,7 @@
       <enabled>no</enabled>
       <os>stretch</os>
       <os>buster</os>
+      <os>bullseye</os>
       <update_interval>1h</update_interval>
     </provider>
 
@@ -122,6 +130,20 @@
       <update_interval>1h</update_interval>
     </provider>
 
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
     <!-- Windows OS vulnerabilities -->
     <provider name="msu">
       <enabled>yes</enabled>
@@ -200,70 +222,46 @@
   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.2.2.1</white_list>
-    <white_list>4.2.2.2</white_list>
-    <white_list>208.67.220.220</white_list>
   </global>
 
   <command>
     <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
+    <executable>disable-account</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
   </command>
 
   <command>
     <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
+    <executable>firewall-drop</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
+    <executable>host-deny</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
+    <executable>route-null</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
+    <executable>route-null.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
+    <executable>netsh.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
@@ -307,21 +305,25 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
     <port>1515</port>
     <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
     <purge>yes</purge>
     <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
     <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
     <!-- <ssl_agent_ca></ssl_agent_ca> -->
     <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
     <ssl_auto_negotiate>no</ssl_auto_negotiate>
   </auth>
 
@@ -333,7 +335,7 @@
     <port>1516</port>
     <bind_addr>0.0.0.0</bind_addr>
     <nodes>
-        <node>wazuh-master</node>
+        <node>wazuh.master</node>
     </nodes>
     <hidden>no</hidden>
     <disabled>no</disabled>
@@ -346,4 +348,25 @@
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
-</ossec_config>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>

multi-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -0,0 +1,12 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://wazuh1.indexer:9200
+opensearch.ssl.verificationMode: certificate
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh

multi-node/config/wazuh_dashboard/wazuh.yml

@@ -0,0 +1,7 @@
+hosts:
+  - 1513629884013:
+      url: "https://wazuh.master"
+      port: 55000
+      username: wazuh-wui
+      password: MyS3cr37P450r.*-
+      run_as: false

multi-node/config/wazuh_indexer/wazuh1.indexer.yml

@@ -0,0 +1,38 @@
+network.host: wazuh1.indexer
+node.name: wazuh1.indexer
+cluster.initial_master_nodes:
+        - wazuh1.indexer
+        - wazuh2.indexer
+        - wazuh3.indexer
+cluster.name: "wazuh-cluster"
+discovery.seed_hosts:
+        - wazuh1.indexer
+        - wazuh2.indexer
+        - wazuh3.indexer
+node.max_local_storage_nodes: "3"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
+compatibility.override_main_response_version: true

multi-node/config/wazuh_indexer/wazuh2.indexer.yml

@@ -0,0 +1,38 @@
+network.host: wazuh2.indexer
+node.name: wazuh2.indexer
+cluster.initial_master_nodes:
+        - wazuh1.indexer
+        - wazuh2.indexer
+        - wazuh3.indexer
+cluster.name: "wazuh-cluster"
+discovery.seed_hosts:
+        - wazuh1.indexer
+        - wazuh2.indexer
+        - wazuh3.indexer
+node.max_local_storage_nodes: "3"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
+compatibility.override_main_response_version: true

multi-node/config/wazuh_indexer/wazuh3.indexer.yml

@@ -0,0 +1,38 @@
+network.host: wazuh3.indexer
+node.name: wazuh3.indexer
+cluster.initial_master_nodes:
+        - wazuh1.indexer
+        - wazuh2.indexer
+        - wazuh3.indexer
+cluster.name: "wazuh-cluster"
+discovery.seed_hosts:
+        - wazuh1.indexer
+        - wazuh2.indexer
+        - wazuh3.indexer
+node.max_local_storage_nodes: "3"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
+compatibility.override_main_response_version: true

multi-node/docker-compose.yml

@@ -0,0 +1,204 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh.master:
+    image: wazuh/wazuh-manager:4.3.4
+    hostname: wazuh.master
+    restart: always
+    ports:
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh1.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - master-wazuh-api-configuration:/var/ossec/api/configuration
+      - master-wazuh-etc:/var/ossec/etc
+      - master-wazuh-logs:/var/ossec/logs
+      - master-wazuh-queue:/var/ossec/queue
+      - master-wazuh-var-multigroups:/var/ossec/var/multigroups
+      - master-wazuh-integrations:/var/ossec/integrations
+      - master-wazuh-active-response:/var/ossec/active-response/bin
+      - master-wazuh-agentless:/var/ossec/agentless
+      - master-wazuh-wodles:/var/ossec/wodles
+      - master-filebeat-etc:/etc/filebeat
+      - master-filebeat-var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh.worker:
+    image: wazuh/wazuh-manager:4.3.4
+    hostname: wazuh.worker
+    restart: always
+    environment:
+      - INDEXER_URL=https://wazuh1.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+    volumes:
+      - worker-wazuh-api-configuration:/var/ossec/api/configuration
+      - worker-wazuh-etc:/var/ossec/etc
+      - worker-wazuh-logs:/var/ossec/logs
+      - worker-wazuh-queue:/var/ossec/queue
+      - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
+      - worker-wazuh-integrations:/var/ossec/integrations
+      - worker-wazuh-active-response:/var/ossec/active-response/bin
+      - worker-wazuh-agentless:/var/ossec/agentless
+      - worker-wazuh-wodles:/var/ossec/wodles
+      - worker-filebeat-etc:/etc/filebeat
+      - worker-filebeat-var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh1.indexer:
+    image: wazuh/wazuh-indexer:4.3.4
+    hostname: wazuh1.indexer
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data-1:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
+      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+
+  wazuh2.indexer:
+    image: wazuh/wazuh-indexer:4.3.4
+    hostname: wazuh2.indexer
+    restart: always
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data-2:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.pem
+      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+
+  wazuh3.indexer:
+    image: wazuh/wazuh-indexer:4.3.4
+    hostname: wazuh3.indexer
+    restart: always
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data-3:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.pem
+      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+
+  wazuh.dashboard:
+    image: wazuh/wazuh-dashboard:4.3.4
+    hostname: wazuh.dashboard
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
+      - WAZUH_API_URL="https://wazuh.master"
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+    depends_on:
+      - wazuh1.indexer
+    links:
+      - wazuh1.indexer:wazuh1.indexer
+      - wazuh.master:wazuh.master
+
+  nginx:
+    image: nginx:stable
+    hostname: nginx
+    restart: always
+    ports:
+      - "1514:1514"
+    depends_on:
+      - wazuh.master
+      - wazuh.worker
+      - wazuh.dashboard
+    links:
+      - wazuh.master:wazuh.master
+      - wazuh.worker:wazuh.worker
+      - wazuh.dashboard:wazuh.dashboard
+    volumes:
+      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+
+volumes:
+  master-wazuh-api-configuration:
+  master-wazuh-etc:
+  master-wazuh-logs:
+  master-wazuh-queue:
+  master-wazuh-var-multigroups:
+  master-wazuh-integrations:
+  master-wazuh-active-response:
+  master-wazuh-agentless:
+  master-wazuh-wodles:
+  master-filebeat-etc:
+  master-filebeat-var:
+  worker-wazuh-api-configuration:
+  worker-wazuh-etc:
+  worker-wazuh-logs:
+  worker-wazuh-queue:
+  worker-wazuh-var-multigroups:
+  worker-wazuh-integrations:
+  worker-wazuh-active-response:
+  worker-wazuh-agentless:
+  worker-wazuh-wodles:
+  worker-filebeat-etc:
+  worker-filebeat-var:
+  wazuh-indexer-data-1:
+  wazuh-indexer-data-2:
+  wazuh-indexer-data-3:

multi-node/generate-indexer-certs.yml

@@ -0,0 +1,10 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3'
+
+services:
+  generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml

multi-node/volume-migrator.sh

@@ -0,0 +1,279 @@
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=wazuh-indexer-data-1 \
+           $2_wazuh-indexer-data-1
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=wazuh-indexer-data-2 \
+           $2_wazuh-indexer-data-2
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=wazuh-indexer-data-3 \
+           $2_wazuh-indexer-data-3
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master_wazuh_api_configuration \
+           $2_master_wazuh_api_configuration
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master_wazuh_etc \
+           $2_docker_wazuh_etc
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-logs \
+           $2_master-wazuh-logs
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-queue \
+           $2_master-wazuh-queue
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-var-multigroups \
+           $2_master-wazuh-var-multigroups
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-integrations \
+           $2_master-wazuh-integrations
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-active-response \
+           $2_master-wazuh-active-response
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-agentless \
+           $2_master-wazuh-agentless
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-wazuh-wodles \
+           $2_master-wazuh-wodles
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-filebeat-etc \
+           $2_master-filebeat-etc
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=master-filebeat-var \
+           $2_master-filebeat-var
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker_wazuh_api_configuration \
+           $2_worker_wazuh_api_configuration
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker_wazuh_etc \
+           $2_worker-wazuh-etc
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-logs \
+           $2_worker-wazuh-logs
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-queue \
+           $2_worker-wazuh-queue
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-var-multigroups \
+           $2_worker-wazuh-var-multigroups
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-integrations \
+           $2_worker-wazuh-integrations
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-active-response \
+           $2_worker-wazuh-active-response
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-agentless \
+           $2_worker-wazuh-agentless
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-wazuh-wodles \
+           $2_worker-wazuh-wodles
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-filebeat-etc \
+           $2_worker-filebeat-etc
+
+docker volume create \
+           --label com.docker.compose.project=$2 \
+           --label com.docker.compose.version=$1 \
+           --label com.docker.compose.volume=worker-filebeat-var \
+           $2_worker-filebeat-var
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-filebeat-var:/from \
+           -v $2_worker-filebeat-var:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_elastic-data-1:/from \
+           -v $2_wazuh-indexer-data-1:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_elastic-data-2:/from \
+           -v $2_wazuh-indexer-data-2:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_elastic-data-3:/from \
+           -v $2_wazuh-indexer-data-3:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-api-configuration:/from \
+           -v $2_master-wazuh-api-configuration:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-etc:/from \
+           -v $2_master-wazuh-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-logs:/from \
+           -v $2_master-wazuh-logs:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-queue:/from \
+           -v $2_master-wazuh-queue:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-var-multigroups:/from \
+           -v $2_master-wazuh-var-multigroups:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-integrations:/from \
+           -v $2_master-wazuh-integrations:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-active-response:/from \
+           -v $2_master-wazuh-active-response:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-agentless:/from \
+           -v $2_master-wazuh-agentless:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_ossec-wodles:/from \
+           -v $2_master-wazuh-wodles:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_filebeat-etc:/from \
+           -v $2_master-filebeat-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_filebeat-var:/from \
+           -v $2_master-filebeat-var:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-api-configuration:/from \
+           -v $2_worker-wazuh-api-configuration:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-etc:/from \
+           -v $2_worker-wazuh-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-logs:/from \
+           -v $2_worker-wazuh-logs:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-queue:/from \
+           -v $2_worker-wazuh-queue:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-var-multigroups:/from \
+           -v $2_worker-wazuh-var-multigroups:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-integrations:/from \
+           -v $2_worker-wazuh-integrations:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-active-response:/from \
+           -v $2_worker-wazuh-active-response:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-agentless:/from \
+           -v $2_worker-wazuh-agentless:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-ossec-wodles:/from \
+           -v $2_worker-wazuh-wodles:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-filebeat-etc:/from \
+           -v $2_worker-filebeat-etc:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"
+
+docker container run --rm -it \
+           -v wazuh-docker_worker-filebeat-var:/from \
+           -v $2_worker-filebeat-var:/to \
+           alpine ash -c "cd /from ; cp -avp . /to"

production-cluster.yml

@@ -1,206 +0,0 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh-master:
-    image: wazuh/wazuh-odfe:4.2.0
-    hostname: wazuh-master
-    restart: always
-    ports:
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=SecretPassword
-      - FILEBEAT_SSL_VERIFICATION_MODE=full
-      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
-      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
-      - SSL_KEY=/etc/ssl/filebeat.key
-      - API_USERNAME=acme-user
-      - API_PASSWORD=MyS3cr37P450r.*-
-    volumes:
-      - ossec-api-configuration:/var/ossec/api/configuration
-      - ossec-etc:/var/ossec/etc
-      - ossec-logs:/var/ossec/logs
-      - ossec-queue:/var/ossec/queue
-      - ossec-var-multigroups:/var/ossec/var/multigroups
-      - ossec-integrations:/var/ossec/integrations
-      - ossec-active-response:/var/ossec/active-response/bin
-      - ossec-agentless:/var/ossec/agentless
-      - ossec-wodles:/var/ossec/wodles
-      - filebeat-etc:/etc/filebeat
-      - filebeat-var:/var/lib/filebeat
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
-      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
-
-  wazuh-worker:
-    image: wazuh/wazuh-odfe:4.2.0
-    hostname: wazuh-worker
-    restart: always
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=SecretPassword
-      - FILEBEAT_SSL_VERIFICATION_MODE=full
-      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
-      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
-      - SSL_KEY=/etc/ssl/filebeat.key
-    volumes:
-      - worker-ossec-api-configuration:/var/ossec/api/configuration
-      - worker-ossec-etc:/var/ossec/etc
-      - worker-ossec-logs:/var/ossec/logs
-      - worker-ossec-queue:/var/ossec/queue
-      - worker-ossec-var-multigroups:/var/ossec/var/multigroups
-      - worker-ossec-integrations:/var/ossec/integrations
-      - worker-ossec-active-response:/var/ossec/active-response/bin
-      - worker-ossec-agentless:/var/ossec/agentless
-      - worker-ossec-wodles:/var/ossec/wodles
-      - worker-filebeat-etc:/etc/filebeat
-      - worker-filebeat-var:/var/lib/filebeat
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
-      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
-
-  elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - elastic-data-1:/usr/share/elasticsearch/data
-      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
-      - ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
-      - ./production_cluster/ssl_certs/admin.pem:/usr/share/elasticsearch/config/admin.pem
-      - ./production_cluster/ssl_certs/admin.key:/usr/share/elasticsearch/config/admin.key
-      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
-
-  elasticsearch-2:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
-    hostname: elasticsearch-2
-    restart: always
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - elastic-data-2:/usr/share/elasticsearch/data
-      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
-      - ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
-
-  elasticsearch-3:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
-    hostname: elasticsearch-3
-    restart: always
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - elastic-data-3:/usr/share/elasticsearch/data
-      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
-      - ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
-
-  kibana:
-    image: wazuh/wazuh-kibana-odfe:4.2.0
-    hostname: kibana
-    restart: always
-    ports:
-      - 5601:5601
-    environment:
-      - ELASTICSEARCH_USERNAME=admin
-      - ELASTICSEARCH_PASSWORD=SecretPassword
-      - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
-      - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
-      - WAZUH_API_URL="https://wazuh-master"
-      - API_USERNAME=acme-user
-      - API_PASSWORD=MyS3cr37P450r.*-
-    volumes:
-      - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
-      - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
-
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh-master:wazuh-master
-
-  nginx:
-    image: nginx:stable
-    hostname: nginx
-    restart: always
-    ports:
-      - "80:80"
-      - "443:443"
-      - "1514:1514"
-    depends_on:
-      - wazuh-master
-      - wazuh-worker
-      - kibana
-    links:
-      - wazuh-master:wazuh-master
-      - wazuh-worker:wazuh-worker
-      - kibana:kibana
-    volumes:
-      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
-
-volumes:
-  ossec-api-configuration:
-  ossec-etc:
-  ossec-logs:
-  ossec-queue:
-  ossec-var-multigroups:
-  ossec-integrations:
-  ossec-active-response:
-  ossec-agentless:
-  ossec-wodles:
-  filebeat-etc:
-  filebeat-var:
-  worker-ossec-api-configuration:
-  worker-ossec-etc:
-  worker-ossec-logs:
-  worker-ossec-queue:
-  worker-ossec-var-multigroups:
-  worker-ossec-integrations:
-  worker-ossec-active-response:
-  worker-ossec-agentless:
-  worker-ossec-wodles:
-  worker-filebeat-etc:
-  worker-filebeat-var:
-  elastic-data-1:
-  elastic-data-2:
-  elastic-data-3:

production_cluster/elastic_opendistro/elasticsearch-node1.yml

@@ -1,31 +0,0 @@
-network.host: 0.0.0.0
-cluster.name: wazuh-cluster
-node.name: elasticsearch
-discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
-cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
-bootstrap.memory_lock: true
-
-opendistro_security.ssl.transport.pemcert_filepath: node1.pem
-opendistro_security.ssl.transport.pemkey_filepath: node1.key
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.transport.resolve_hostname: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node1.pem
-opendistro_security.ssl.http.pemkey_filepath: node1.key
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.nodes_dn:
-    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-#opendistro_security.audit.config.disabled_rest_categories: NONE
-#opendistro_security.audit.config.disabled_transport_categories: NONE
-opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/elasticsearch-node2.yml

@@ -1,31 +0,0 @@
-network.host: 0.0.0.0
-cluster.name: wazuh-cluster
-node.name: elasticsearch-2
-discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
-cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
-bootstrap.memory_lock: true
-
-opendistro_security.ssl.transport.pemcert_filepath: node2.pem
-opendistro_security.ssl.transport.pemkey_filepath: node2.key
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.transport.resolve_hostname: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node2.pem
-opendistro_security.ssl.http.pemkey_filepath: node2.key
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.nodes_dn:
-    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-#opendistro_security.audit.config.disabled_rest_categories: NONE
-#opendistro_security.audit.config.disabled_transport_categories: NONE
-opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/elasticsearch-node3.yml

@@ -1,31 +0,0 @@
-network.host: 0.0.0.0
-cluster.name: wazuh-cluster
-node.name: elasticsearch-3
-discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
-cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
-bootstrap.memory_lock: true
-
-opendistro_security.ssl.transport.pemcert_filepath: node3.pem
-opendistro_security.ssl.transport.pemkey_filepath: node3.key
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.transport.resolve_hostname: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node3.pem
-opendistro_security.ssl.http.pemkey_filepath: node3.key
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.nodes_dn:
-    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-#opendistro_security.audit.config.disabled_rest_categories: NONE
-#opendistro_security.audit.config.disabled_transport_categories: NONE
-opendistro_security.audit.log_request_body: false

production_cluster/kibana_ssl/generate-self-signed-cert.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-if [ -s key.pem ]
-then
-    echo "Certificate already exists"
-    exit
-else
-    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
-fi

production_cluster/nginx/ssl/generate-self-signed-cert.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-if [ -s key.pem ]
-then
-    echo "Certificate already exists"
-    exit
-else
-    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
-fi

production_cluster/ssl_certs/certs.yml

@@ -1,35 +0,0 @@
-ca:
-   root:
-      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
-      pkPassword: none
-      keysize: 2048
-      file: root-ca.pem 
-   intermediate:
-      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
-      keysize: 2048
-      validityDays: 3650  
-      pkPassword: intermediate-ca-password
-      file: intermediate-ca.pem
-
-nodes:
-  - name: node1
-    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - elasticsearch
-  - name: node2
-    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - elasticsearch-2
-  - name: node3
-    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - elasticsearch-3
-  - name: filebeat
-    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - wazuh
-
-clients:
-  - name: admin
-    dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    admin: true

single-node/README.md

@@ -0,0 +1,24 @@
+# Deploy Wazuh Docker in single node configuration
+
+This deployment is defined in the `docker-compose.yml` file with one Wazuh manager containers, one Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps: 
+
+1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
+```
+$ sysctl -w vm.max_map_count=262144
+```
+2) Run the certificate creation script:
+```
+$ docker-compose -f generate-indexer-certs.yml run --rm generator
+```
+3) Start the environment with docker-compose:
+
+- In the foregroud:
+```
+$ docker-compose up
+```
+- In the background:
+```
+$ docker-compose up -d
+```
+
+The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

single-node/config/certs.yml

@@ -0,0 +1,16 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: wazuh.indexer
+      ip: wazuh.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    - name: wazuh.manager
+      ip: wazuh.manager
+
+  # Wazuh dashboard node
+  dashboard:
+    - name: wazuh.dashboard
+      ip: wazuh.dashboard

single-node/config/wazuh_cluster/wazuh_manager.conf

@@ -6,10 +6,12 @@
     <logall_json>no</logall_json>
     <email_notification>no</email_notification>
     <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>ossecm@example.wazuh.com</email_from>
+    <email_from>wazuh@example.wazuh.com</email_from>
     <email_to>recipient@example.wazuh.com</email_to>
     <email_maxperhour>12</email_maxperhour>
     <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
   </global>
 
   <alerts>
@@ -43,8 +45,8 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -79,6 +81,11 @@
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
   </wodle>
 
   <sca>
@@ -91,7 +98,7 @@
   <vulnerability-detector>
     <enabled>no</enabled>
     <interval>5m</interval>
-    <ignore_time>6h</ignore_time>
+    <min_full_scan_interval>6h</min_full_scan_interval>
     <run_on_start>yes</run_on_start>
 
     <!-- Ubuntu OS vulnerabilities -->
@@ -109,6 +116,7 @@
       <enabled>no</enabled>
       <os>stretch</os>
       <os>buster</os>
+      <os>bullseye</os>
       <update_interval>1h</update_interval>
     </provider>
 
@@ -122,6 +130,20 @@
       <update_interval>1h</update_interval>
     </provider>
 
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
     <!-- Windows OS vulnerabilities -->
     <provider name="msu">
       <enabled>yes</enabled>
@@ -200,70 +222,46 @@
   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.2.2.1</white_list>
-    <white_list>4.2.2.2</white_list>
-    <white_list>208.67.220.220</white_list>
   </global>
 
   <command>
     <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
+    <executable>disable-account</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
   </command>
 
   <command>
     <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
+    <executable>firewall-drop</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
+    <executable>host-deny</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
+    <executable>route-null</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
+    <executable>route-null.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
+    <executable>netsh.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
@@ -307,36 +305,40 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
     <port>1515</port>
     <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
     <purge>yes</purge>
     <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
     <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
     <!-- <ssl_agent_ca></ssl_agent_ca> -->
     <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
     <ssl_auto_negotiate>no</ssl_auto_negotiate>
   </auth>
 
   <cluster>
     <name>wazuh</name>
-    <node_name>manager</node_name>
+    <node_name>node01</node_name>
     <node_type>master</node_type>
-    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
+    <key></key>
     <port>1516</port>
     <bind_addr>0.0.0.0</bind_addr>
     <nodes>
-        <node>wazuh-master</node>
+        <node>NODE_IP</node>
     </nodes>
     <hidden>no</hidden>
-    <disabled>no</disabled>
+    <disabled>yes</disabled>
   </cluster>
 
 </ossec_config>
@@ -346,4 +348,5 @@
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
+
 </ossec_config>

single-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -0,0 +1,12 @@
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: https://wazuh.indexer:9200
+opensearch.ssl.verificationMode: certificate
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh

single-node/config/wazuh_dashboard/wazuh.yml

@@ -0,0 +1,7 @@
+hosts:
+  - 1513629884013:
+      url: "https://wazuh.manager"
+      port: 55000
+      username: wazuh-wui
+      password: MyS3cr37P450r.*-
+      run_as: false

single-node/config/wazuh_indexer/internal_users.yml

@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"

single-node/config/wazuh_indexer/wazuh.indexer.yml

@@ -0,0 +1,28 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false

single-node/docker-compose.yml

@@ -0,0 +1,102 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh.manager:
+    image: wazuh/wazuh-manager:4.3.4
+    hostname: wazuh.manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - wazuh_api_configuration:/var/ossec/api/configuration
+      - wazuh_etc:/var/ossec/etc
+      - wazuh_logs:/var/ossec/logs
+      - wazuh_queue:/var/ossec/queue
+      - wazuh_var_multigroups:/var/ossec/var/multigroups
+      - wazuh_integrations:/var/ossec/integrations
+      - wazuh_active_response:/var/ossec/active-response/bin
+      - wazuh_agentless:/var/ossec/agentless
+      - wazuh_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh.indexer:
+    image: wazuh/wazuh-indexer:4.3.4
+    hostname: wazuh.indexer
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
+      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+
+  wazuh.dashboard:
+    image: wazuh/wazuh-dashboard:4.3.4
+    hostname: wazuh.dashboard
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - WAZUH_API_URL=https://wazuh.manager
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+    depends_on:
+      - wazuh.indexer
+    links:
+      - wazuh.indexer:wazuh.indexer
+      - wazuh.manager:wazuh.manager
+
+volumes:
+  wazuh_api_configuration:
+  wazuh_etc:
+  wazuh_logs:
+  wazuh_queue:
+  wazuh_var_multigroups:
+  wazuh_integrations:
+  wazuh_active_response:
+  wazuh_agentless:
+  wazuh_wodles:
+  filebeat_etc:
+  filebeat_var:
+  wazuh-indexer-data:

single-node/generate-indexer-certs.yml

@@ -0,0 +1,10 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3'
+
+services:
+  generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml

wazuh-odfe/config/wazuh.repo

@@ -1,7 +0,0 @@
-[wazuh_repo]
-gpgcheck=1
-gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
-enabled=1
-name=Wazuh repository
-baseurl=https://packages.wazuh.com/4.x/yum/
-protect=1

xpack-compose.yml

@@ -1,186 +0,0 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh:
-    image: wazuh/wazuh:4.2.0
-    hostname: wazuh-manager
-    restart: always
-    ports:
-      - "1514:1514"
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=elastic
-      - ELASTIC_PASSWORD=SecretPassword
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
-      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
-      - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
-      - SSL_KEY=/etc/ssl/wazuh.key
-    volumes:
-      - ossec_api_configuration:/var/ossec/api/configuration
-      - ossec_etc:/var/ossec/etc
-      - ossec_logs:/var/ossec/logs
-      - ossec_queue:/var/ossec/queue
-      - ossec_var_multigroups:/var/ossec/var/multigroups
-      - ossec_integrations:/var/ossec/integrations
-      - ossec_active_response:/var/ossec/active-response/bin
-      - ossec_agentless:/var/ossec/agentless
-      - ossec_wodles:/var/ossec/wodles
-      - filebeat_etc:/etc/filebeat
-      - filebeat_var:/var/lib/filebeat
-      - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
-      - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
-      - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
-
-
-  elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - cluster.name=wazuh-cluster
-      - node.name=elasticsearch
-      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
-      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
-      - ELASTIC_PASSWORD=SecretPassword
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-      - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
-      - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
-      - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
-
-  elasticsearch2:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    hostname: elasticsearch2
-    restart: always
-    environment:
-      - cluster.name=wazuh-cluster
-      - node.name=elasticsearch2
-      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
-      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
-      - ELASTIC_PASSWORD=SecretPassword
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-      - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
-      - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
-      - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
-
-  elasticsearch3:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    hostname: elasticsearch3
-    restart: always
-    environment:
-      - cluster.name=wazuh-cluster
-      - node.name=elasticsearch3
-      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
-      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
-      - ELASTIC_PASSWORD=SecretPassword
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-      - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
-      - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
-      - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
-
-
-
-  kibana:
-    image: wazuh/wazuh-kibana:4.2.0
-    hostname: kibana
-    restart: always
-    ports:
-      - 443:5601
-    environment:
-      - SERVERNAME=localhost
-      - ELASTICSEARCH_USERNAME=elastic
-      - ELASTICSEARCH_PASSWORD=SecretPassword
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
-      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
-      - SERVER_SSL_ENABLED=true
-      - XPACK_SECURITY_ENABLED=true
-      - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
-      - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
-      - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-
-volumes:
-  ossec_api_configuration:
-  ossec_etc:
-  ossec_logs:
-  ossec_queue:
-  ossec_var_multigroups:
-  ossec_integrations:
-  ossec_active_response:
-  ossec_agentless:
-  ossec_wodles:
-  filebeat_etc:
-  filebeat_var:

xpack-from-sources.yml

@@ -1,192 +0,0 @@
-# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh:
-    build:
-      context: wazuh-odfe/
-      args:
-        - FILEBEAT_CHANNEL=filebeat
-        - FILEBEAT_VERSION=7.10.2
-    image: wazuh/wazuh:4.2.0
-    hostname: wazuh-manager
-    restart: always
-    ports:
-      - "1514:1514"
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=elastic
-      - ELASTIC_PASSWORD=SecretPassword
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
-      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
-      - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
-      - SSL_KEY=/etc/ssl/wazuh.key
-    volumes:
-      - ossec_api_configuration:/var/ossec/api/configuration
-      - ossec_etc:/var/ossec/etc
-      - ossec_logs:/var/ossec/logs
-      - ossec_queue:/var/ossec/queue
-      - ossec_var_multigroups:/var/ossec/var/multigroups
-      - ossec_integrations:/var/ossec/integrations
-      - ossec_active_response:/var/ossec/active-response/bin
-      - ossec_agentless:/var/ossec/agentless
-      - ossec_wodles:/var/ossec/wodles
-      - filebeat_etc:/etc/filebeat
-      - filebeat_var:/var/lib/filebeat
-      - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
-      - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
-      - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
-
-
-  elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - cluster.name=wazuh-cluster
-      - node.name=elasticsearch
-      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
-      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
-      - ELASTIC_PASSWORD=SecretPassword
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-      - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
-      - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
-      - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
-
-  elasticsearch2:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    hostname: elasticsearch2
-    restart: always
-    environment:
-      - cluster.name=wazuh-cluster
-      - node.name=elasticsearch2
-      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
-      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
-      - ELASTIC_PASSWORD=SecretPassword
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-      - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
-      - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
-      - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
-
-  elasticsearch3:
-    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
-    hostname: elasticsearch3
-    restart: always
-    environment:
-      - cluster.name=wazuh-cluster
-      - node.name=elasticsearch3
-      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
-      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
-      - ELASTIC_PASSWORD=SecretPassword
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=true
-      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-      - xpack.security.transport.ssl.enabled=true
-      - xpack.security.transport.ssl.verification_mode=certificate
-      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
-      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
-      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
-      - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
-      - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
-
-
-
-  kibana:
-    build: kibana/
-    image: wazuh/wazuh-kibana:4.2.0
-    hostname: kibana
-    restart: always
-    ports:
-      - 443:5601
-    environment:
-      - SERVERNAME=localhost
-      - ELASTICSEARCH_USERNAME=elastic
-      - ELASTICSEARCH_PASSWORD=SecretPassword
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
-      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
-      - SERVER_SSL_ENABLED=true
-      - XPACK_SECURITY_ENABLED=true
-      - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
-    volumes:
-      - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
-      - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
-      - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-
-volumes:
-  ossec_api_configuration:
-  ossec_etc:
-  ossec_logs:
-  ossec_queue:
-  ossec_var_multigroups:
-  ossec_integrations:
-  ossec_active_response:
-  ossec_agentless:
-  ossec_wodles:
-  filebeat_etc:
-  filebeat_var:

xpack/instances.yml

@@ -1,35 +0,0 @@
-instances:
-  - name: elasticsearch
-    dns:
-      - elasticsearch
-      - localhost
-    ip:
-      - 127.0.0.1
-
-  - name: elasticsearch2
-    dns:
-      - elasticsearch2
-      - localhost
-    ip:
-      - 127.0.0.1
-
-  - name: elasticsearch3
-    dns:
-      - elasticsearch3
-      - localhost
-    ip:
-      - 127.0.0.1
-
-  - name: kibana
-    dns:
-      - kibana
-      - localhost
-    ip:
-      - 127.0.0.1
-
-  - name: wazuh
-    dns:
-      - wazuh
-      - localhost
-    ip:
-      - 127.0.0.1