Adapting filebeat to be used instead of logstash #492

Open
wants to merge 22 commits into
base: cloud-1.0
19 changes: 9 additions & 10 deletions wazuh/Dockerfile
Expand Up @@ -4,13 +4,12 @@ FROM waystonesystems/baseimage-centos:0.2.0
# Arguments
ARG FILEBEAT_VERSION=7.10.2
ARG WAZUH_VERSION=4.1.5-1

ARG FILEBEAT_CHANNEL=filebeat-oss
# Environment variables
ENV API_USER="foo" \
API_PASS="bar"

ARG TEMPLATE_VERSION="4.0"
ENV FILEBEAT_DESTINATION="elasticsearch"

RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

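Review bot: TEMPLATE_VERSION stays pinned at "4.0" while WAZUH_VERSION moves to 4.1.5-1, so the wazuh-template.json that the later ADD fetches from the wazuh/wazuh repository at $TEMPLATE_VERSION is taken from a branch one minor version behind the manager being installed; align it with WAZUH_VERSION (or derive it from that value) so template and manager move together. Also, with ENV FILEBEAT_DESTINATION removed, any compose file or README that still sets FILEBEAT_DESTINATION=logstash is silently ignored rather than rejected; the PR should document that the Logstash path is gone.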
Expand Down Expand Up @@ -42,8 +41,8 @@ RUN set -x && \
rm -f /var/ossec/logs/api/*/*/* && \
rm -f /var/ossec/logs/cluster/*/*/* && \
rm -f /var/ossec/logs/ossec/*/*/* && \
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \
rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# Services
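Review bot: the Filebeat RPM is still downloaded and installed with no integrity check: curl -L -O has no -f, so an HTTP error body would be saved under the .rpm name, and rpm -i runs without --checksig while the only signing key imported above is GPG-KEY-WAZUH, not Elastic's. Suggest curl -fsSL -O ..., an rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch, and rpm -K ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm before rpm -i (or a pinned sha512 compare if you prefer not to trust the key server). Dropping -v from rpm -i is fine but unrelated to the channel change and could be left out of this hunk.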
Expand All @@ -60,8 +59,7 @@ RUN chmod +x /etc/service/wazuh/run && \
chmod +x /etc/service/filebeat/run

# Copy configuration files from repository
COPY config/filebeat_to_elasticsearch.yml ./
COPY config/filebeat_to_logstash.yml ./
COPY config/filebeat.yml ./

# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
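Review bot: COPY config/filebeat.yml ./ puts the file in whatever WORKDIR is in effect, and the new 02-set_config_filebeat.sh later runs cp filebeat.yml /etc/filebeat/filebeat.yml with a relative path, so whether the config is found depends on the working directory the entrypoint happens to run in. Copy to an absolute location instead, for example the /usr/share/filebeat/config directory this PR creates, and reference that path from the script.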
Expand Down Expand Up @@ -100,17 +98,15 @@ COPY config/entrypoint.sh /entrypoint.sh
COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
COPY config/02-set_config_filebeat.sh /entrypoint-scripts/02-set_config_filebeat.sh
COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh
COPY config/35-remove_credentials_file.sh /entrypoint-scripts/35-remove_credentials_file.sh
COPY config/85-save_wazuh_version.sh /entrypoint-scripts/85-save_wazuh_version.sh
RUN chmod 755 /entrypoint.sh && \
chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
chmod 755 /entrypoint-scripts/01-wazuh.sh && \
chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
chmod 755 /entrypoint-scripts/02-set_config_filebeat.sh && \
chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \
chmod 755 /entrypoint-scripts/25-backups.sh && \
chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh && \
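Review bot: the COPY list and the chmod 755 list have to be kept in sync by hand (this rename had to touch both), which is how stale entries slip in; a single RUN chmod 755 /entrypoint-scripts/*.sh after the COPY lines, or COPY --chmod=755 where BuildKit is available, removes the duplication. Merging 02-set_filebeat_destination.sh and 03-config_filebeat.sh into one 02-set_config_filebeat.sh keeps the ordering before 20-ossec-configuration.sh, which is the only thing that matters here.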
Expand All @@ -120,5 +116,8 @@ RUN chmod 755 /entrypoint.sh && \
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json

# Create filebeat directories
RUN mkdir -p /usr/share/filebeat/module/
RUN mkdir /usr/share/filebeat/config
# Run all services
ENTRYPOINT ["/entrypoint.sh"]
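Review bot: mkdir /usr/share/filebeat/config has no -p, so the build breaks if the Filebeat RPM (now or in a later version) already ships that directory, while the line above does use -p; make both -p and fold them into one RUN to save a layer. Nothing else in this PR writes to /usr/share/filebeat/config, so either use it as the destination for config/filebeat.yml or drop it. The ADD of wazuh-template.json from raw.githubusercontent.com at $TEMPLATE_VERSION is unchanged context, but the same concern as the RPM download applies: a branch reference can change between builds and nothing verifies the file; a tag or commit SHA would make the image reproducible.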
26 changes: 26 additions & 0 deletions wazuh/config/02-set_config_filebeat.sh
@@ -0,0 +1,26 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

set -e

##############################################################################
# Set Filebeat config.

##############################################################################

WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz

echo "FILEBEAT - Copy Filebeat config file"
if ! [[ -L /etc/filebeat/filebeat.yml ]]; then
cp filebeat.yml /etc/filebeat/filebeat.yml
chmod go-w /etc/filebeat/filebeat.yml
else
echo "Not needed. File already exist."
fi
echo "FILEBEAT - Set permissions"

echo "FILEBEAT - Get Filebeat Wazuh module"

>&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
curl -s "https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
chmod 755 -R /usr/share/filebeat/module/wazuh
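Review bot: the module install pipes an unverified download straight into tar: curl -s hides errors, there is no -f, and with set -e but no pipefail only tar's exit status is checked, so a 404 or a truncated response can leave /usr/share/filebeat/module/wazuh missing or half-written while the script still exits 0. Use set -eo pipefail and curl -fsSL, download wazuh-filebeat-0.1.tar.gz to a temp file, and check it (a sha256 pinned in the script, or at minimum tar -tzf) before extracting. Two smaller points: [[ -L /etc/filebeat/filebeat.yml ]] tests for a symlink, not an existing file, so the check and the "File already exist." message disagree (use -e if the intent is to skip when a mounted config is present); the echo "FILEBEAT - Set permissions" is followed by no command; and cp filebeat.yml uses a relative path that depends on the caller's working directory.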
30 changes: 0 additions & 30 deletions wazuh/config/02-set_filebeat_destination.sh

This file was deleted.

23 changes: 0 additions & 23 deletions wazuh/config/03-config_filebeat.sh

This file was deleted.

19 changes: 19 additions & 0 deletions wazuh/config/filebeat.yml
@@ -0,0 +1,19 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)

# Wazuh - Filebeat configuration file
filebeat.inputs:
- type: log
paths:
- '/var/ossec/logs/alerts/alerts.json'

setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.overwrite: true


output.elasticsearch:
hosts: ['http://odfe:9200']
#pipeline: geoip
indices:
- index: 'wazuh-alerts-4.x-%{+yyyy.MM.dd}'
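Review bot: output.elasticsearch talks plain http to odfe:9200 with no username/password and no ssl settings, so the alert stream (alerts.json carries agent names and raw log content) leaves the container unencrypted and unauthenticated; if the Open Distro security plugin is enabled on odfe this output will also be refused. Switch to https, add ssl.certificate_authorities (or at least an explicit ssl.verification_mode), and take credentials from the environment, which Filebeat expands in its config, e.g. hosts: ['https://odfe:9200'], username: '${ELASTICSEARCH_USERNAME}', password: '${ELASTICSEARCH_PASSWORD}', rather than hard-coding them. The deleted filebeat_to_elasticsearch.yml was 55 lines against 19 here, so please state in the PR description which settings were dropped on purpose.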
55 changes: 0 additions & 55 deletions wazuh/config/filebeat_to_elasticsearch.yml

This file was deleted.

20 changes: 0 additions & 20 deletions wazuh/config/filebeat_to_logstash.yml

This file was deleted.