From 09735f04710b1a934c7ff2f47d4d85a0e54bc4a2 Mon Sep 17 00:00:00 2001
From: Federico Galland
Date: Wed, 10 Jul 2024 14:01:19 -0300
Subject: [PATCH] Using common logstash container for Security Lake integration

---
 .../logstash/pipeline/indexer-to-file.conf | 34 -------------------
 .../logstash/pipeline/indexer-to-s3.conf | 7 ++++
 .../amazon-security-lake/logstash/setup.sh | 10 ------
 .../docker/compose.amazon-security-lake.yml | 3 +-
 integrations/logstash/Dockerfile | 1 -
 5 files changed, 8 insertions(+), 47 deletions(-)
 delete mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf
 delete mode 100644 integrations/amazon-security-lake/logstash/setup.sh

diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf
deleted file mode 100644
index 1bee9afc62450..0000000000000
--- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-input {
-  opensearch {
-    hosts => ["wazuh.indexer:9200"]
-    user => "${INDEXER_USERNAME}"
-    password => "${INDEXER_PASSWORD}"
-    ssl => true
-    ca_file => "/usr/share/logstash/root-ca.pem"
-    index => "wazuh-alerts-4.x-*"
-    query => '{
-      "query": {
-        "range": {
-          "@timestamp": {
-            "gt": "now-1m"
-          }
-        }
-      }
-    }'
-    schedule => "* * * * *"
-  }
-}
-
-
-output {
-  stdout {
-    id => "output.stdout"
-    codec => json_lines
-  }
-  file {
-    id => "output.file"
-    path => "/var/log/logstash/indexer-to-file-%{+YYYY-MM-dd-HH}.log"
-    file_mode => 0644
-    codec => json_lines
-  }
-}
diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf
index a2446b4d9406e..ee8bd8146b34a 100644
--- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf
+++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf
@@ -42,4 +42,11 @@ output {
     }
     time_file => 5
   }
+  file {
+    id => "output.file"
+    path => "/usr/share/logstash/logs/indexer-to-file-%{+YYYY-MM-dd-HH}.log"
+    file_mode => 0644
+    codec => json_lines
+    flush_interval => 30
+  }
 }
diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh
deleted file mode 100644
index 9527f1fa58362..0000000000000
--- a/integrations/amazon-security-lake/logstash/setup.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/bash
-
-# This script creates and configures a keystore for Logstash to store
-# indexer's credentials. NOTE: works only for dockerized logstash.
-# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
-
-# Create keystore
-/usr/share/logstash/bin/logstash-keystore create --path.settings /etc/logstash
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME --path.settings /etc/logstash
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash
diff --git a/integrations/docker/compose.amazon-security-lake.yml b/integrations/docker/compose.amazon-security-lake.yml
index 16ee907668a0d..180a8cecc2bd4 100644
--- a/integrations/docker/compose.amazon-security-lake.yml
+++ b/integrations/docker/compose.amazon-security-lake.yml
@@ -80,7 +80,7 @@ services:
   wazuh.integration.security.lake:
     image: wazuh/indexer-security-lake-integration
     build:
-      context: ../amazon-security-lake
+      context: ../logstash
     container_name: wazuh.integration.security.lake
     depends_on:
       - wazuh.indexer
@@ -104,7 +104,6 @@ services:
       - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
       - ../amazon-security-lake/src:/usr/share/logstash/amazon-security-lake # TODO use dedicated folder
       # - ./credentials:/usr/share/logstash/.aws/credentials # TODO credentials are not commited (missing)
-    command: tail -f /var/log/logstash/logstash-plain.log
 
   s3.ninja:
     image: scireum/s3-ninja:latest
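Review bot: The new `file` output writes a full json_lines copy of every alert to `/usr/share/logstash/logs/indexer-to-file-%{+YYYY-MM-dd-HH}.log` with `file_mode => 0644`, so the on-disk alert copy is readable by every user in the container, and a fresh file is opened each hour with nothing in this pipeline that removes older ones. If the local copy is needed (presumably as a debugging aid next to the s3 output), tighten it to `file_mode => 0600` and state the purpose above the block, e.g. `# Local hourly copy of what is sent to S3; debugging aid only, never rotated or cleaned up by Logstash`. Otherwise consider dropping it, since the s3 output above already carries the same events. The enclosing `output { … }` block starts before this hunk.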
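Review bot: With `context: ../logstash` the service is now built from the generic Logstash Dockerfile, which (per the last hunk of this patch) no longer copies any pipeline into the image, so everything Security-Lake-specific must arrive through this service's bind mounts; only the tail of the `volumes` list is visible in the next hunk, so confirm it still mounts the integration's pipeline directory onto `/usr/share/logstash/pipeline`, otherwise the stock `logstash.conf` shipped by the official image is what runs. A comment above `build:` would make that dependency explicit, e.g. `# Generic Logstash image from ../logstash/Dockerfile; the Security Lake pipeline, src and certs are bind-mounted below`. The `image:` tag still reads `indexer-security-lake-integration` although the built image no longer contains anything integration-specific, which is worth a note or a rename.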
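Review bot: Removing `command: tail -f …` means the container now runs the image's Logstash entrypoint, but the `file` output added to indexer-to-s3.conf in this same patch writes under `/usr/share/logstash/logs/`, and no entry in the visible `volumes` list maps that path, so the hourly alert copies land in the container's writable layer and are lost on recreate (or keep growing while the container lives). Either mount that directory or, if the local copy is only a debugging aid, say so here, e.g. `# Alert copies written by the pipeline's file output stay inside the container (debug only)`. Since Logstash now actually starts, the still-commented `.aws/credentials` mount leaves the s3 output without a credential source declared in this file; presumably it comes from the environment, but that is not visible in the hunk.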
diff --git a/integrations/logstash/Dockerfile b/integrations/logstash/Dockerfile index a47ad9f804483..3848c8b757d9a 100644 --- a/integrations/logstash/Dockerfile +++ b/integrations/logstash/Dockerfile @@ -8,7 +8,6 @@ USER logstash # Install plugin RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch -COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline # Copy and run the setup.sh script to create and configure a keystore for Logstash. COPY --chown=logstash:logstash ./setup.sh /usr/share/logstash/bin/setup.sh RUN bash /usr/share/logstash/bin/setup.sh
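Review bot: After dropping the `COPY … logstash/pipeline` line the image bakes in no pipeline at all, yet nothing in the Dockerfile says so; the official Logstash base image ships a default `logstash.conf` under `/usr/share/logstash/pipeline`, which is what will run if a consumer forgets the bind mount. Add a comment where the COPY used to be, e.g. `# No pipeline is baked in: mount the integration's pipeline directory at /usr/share/logstash/pipeline`. The retained `RUN bash /usr/share/logstash/bin/setup.sh` still builds the keystore at image-build time, so whatever ../logstash/setup.sh writes ends up in an image layer; that script is not part of this patch, so a short comment stating whether the keystore holds placeholders to be replaced at runtime would help the next reader.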