* Add Splunk integration Draft * Fix certificate errors * Add cfssl container to generate and sign splunk certs * Add cfssl configuration files * Update Splunk integration --------- Signed-off-by: Álex Ruiz <[email protected]> Co-authored-by: Fede Tux <[email protected]>
Showing
17 changed files
with
1,592 additions
and
3 deletions.
@@ -1,4 +1,2 @@ | ||
splunk | ||
common | ||
config | ||
external | ||
docker/certs |
@@ -0,0 +1,143 @@ | ||
name: "splunk-integration" | ||
|
||
services: | ||
events-generator: | ||
image: wazuh/indexer-events-generator | ||
build: | ||
context: ../tools/events-generator | ||
depends_on: | ||
wazuh.indexer: | ||
condition: service_healthy | ||
command: bash -c "python run.py -a wazuh.indexer" | ||
|
||
wazuh.indexer: | ||
image: opensearchproject/opensearch:2.12.0 | ||
depends_on: | ||
wazuh-certs-generator: | ||
condition: service_completed_successfully | ||
hostname: wazuh.indexer | ||
ports: | ||
- 9200:9200 | ||
environment: | ||
- node.name=wazuh.indexer | ||
- discovery.type=single-node | ||
- bootstrap.memory_lock=true | ||
- "DISABLE_INSTALL_DEMO_CONFIG=true" | ||
- plugins.security.ssl.http.enabled=true | ||
- plugins.security.allow_default_init_securityindex=true | ||
- plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem | ||
- plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem | ||
- plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem | ||
- plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem | ||
- plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem | ||
- plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem | ||
- plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" | ||
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" | ||
ulimits: | ||
memlock: | ||
soft: -1 | ||
hard: -1 | ||
nofile: | ||
soft: 65536 | ||
hard: 65536 | ||
healthcheck: | ||
test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster | ||
start_period: 10s | ||
start_interval: 3s | ||
volumes: | ||
- data:/usr/share/opensearch/data | ||
- ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem | ||
- ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem | ||
- ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem | ||
|
||
wazuh.dashboard: | ||
image: opensearchproject/opensearch-dashboards:2.12.0 | ||
depends_on: | ||
- wazuh.indexer | ||
hostname: wazuh.dashboard | ||
ports: | ||
- 5601:5601 # Map host port 5601 to container port 5601 | ||
expose: | ||
- "5601" # Expose port 5601 for web access to OpenSearch Dashboards | ||
environment: | ||
OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query | ||
|
||
wazuh-certs-generator: | ||
image: wazuh/wazuh-certs-generator:0.0.1 | ||
hostname: wazuh-certs-generator | ||
entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" | ||
volumes: | ||
- ./certs/:/certificates/ | ||
- ./config/certs.yml:/config/certs.yml | ||
|
||
|
||
# ================================= | ||
# Splunk and Logstash | ||
# ================================= | ||
|
||
generator: | ||
image: cfssl/cfssl | ||
depends_on: | ||
wazuh-certs-generator: | ||
condition: service_completed_successfully | ||
volumes: | ||
- ./certs/:/certs/ | ||
- ../splunk/cfssl/:/conf/ | ||
entrypoint: /bin/bash | ||
command: > | ||
-c ' | ||
cd /certs | ||
cat /conf/host.json | \ | ||
cfssl gencert \ | ||
-ca root-ca.pem \ | ||
-ca-key root-ca.key \ | ||
-config /conf/cfssl.json \ | ||
-profile=server - | \ | ||
cfssljson -bare splunk | ||
openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key | ||
rm splunk.csr | ||
cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem | ||
chown -R 1000:1000 /certs/splunk* | ||
' | ||
splunk: | ||
image: splunk/splunk:9.0.4 | ||
volumes: | ||
- ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key | ||
- ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem | ||
- ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem | ||
- ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf | ||
- ../splunk/config/default.yml:/tmp/defaults/default.yml | ||
depends_on: | ||
wazuh-certs-generator: | ||
condition: service_completed_successfully | ||
generator: | ||
condition: service_completed_successfully | ||
ports: | ||
- '8000:8000' | ||
- '8088:8088' | ||
environment: | ||
SPLUNK_HEC_TOKEN: "abcd1234" | ||
SPLUNK_HOSTNAME: splunk | ||
SPLUNK_HTTP_ENABLESSL: 'true' | ||
SPLUNK_PASSWORD: Password.1234 | ||
SPLUNK_STANDALONE_URL: https://splunk:8080 | ||
SPLUNK_START_ARGS: --accept-license | ||
|
||
logstash: | ||
depends_on: | ||
splunk: | ||
condition: service_healthy | ||
image: logstash-oss:8.6.2 | ||
build: | ||
context: ../splunk | ||
environment: | ||
LOG_LEVEL: info | ||
MONITORING_ENABLED: false | ||
volumes: | ||
- ../splunk/logstash/pipeline:/usr/share/logstash/pipeline | ||
- ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem | ||
command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf | ||
|
||
volumes: | ||
data: |
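Review bot: The cfssl generator's script leaves private-key material readable by everyone in the container: `splunk.key` (written by openssl) and the `splunkhec.pem` bundle (shell redirection, and it contains `splunk-key.pem`) are created with the default umask, typically 0644, and the only follow-up is `chown -R 1000:1000 /certs/splunk*`, whereas the wazuh-certs-generator entrypoint above tightens its output with `chmod 440`. Appending `chmod 440 /certs/splunk*` after the chown keeps the two generators consistent, provided uid 1000 is the user the Splunk container reads the files as, which is worth confirming. The HEC token `abcd1234` and `Password.1234` are literals here and the same token is repeated in the Splunk default.yml and the Logstash pipeline of this commit; since the README already points to `docker/.env` for environment variables, a `${SPLUNK_HEC_TOKEN}` substitution would keep the value in one place. `SPLUNK_STANDALONE_URL: https://splunk:8080` names a port this service neither publishes (8000, 8088) nor matches Splunk's default management port 8089, so confirm it is intended. The folded `>` scalar for the cfssl script only preserves its line breaks if the script lines are indented deeper than `-c '`, which the rendered view does not show; a literal `|` block scalar would make that unambiguous.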
@@ -0,0 +1,49 @@ | ||
# Wazuh to Splunk Integration Developer Guide | ||
|
||
This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html). | ||
|
||
## Requirements | ||
|
||
- Docker and Docker Compose installed. | ||
|
||
## Usage | ||
|
||
1. Clone the Wazuh repository and navigate to the `integrations/` folder. | ||
2. Run the following command to start the environment: | ||
```bash | ||
docker compose -f ./docker/splunk.yml up -d | ||
``` | ||
|
||
The Docker Compose project will bring up the following services: | ||
|
||
- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). | ||
- 1x Wazuh Indexer (OpenSearch). | ||
- 1x Wazuh Dashboards (OpenSearch Dashboards). | ||
- 1x Logstash | ||
- 1x Splunk | ||
|
||
For custom configurations, you may need to modify these files: | ||
|
||
- [docker/splunk.yml](../docker/splunk.yml): Docker Compose file. | ||
- [docker/.env](../docker/.env): Environment variables file. | ||
- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file. | ||
|
||
Check the files above for **credentials**, ports, and other configurations. | ||
|
||
| Service | Address | Credentials | | ||
| ---------------- | ---------------------- | ------------------- | | ||
| Wazuh Indexer | https://localhost:9200 | admin:admin | | ||
| Wazuh Dashboards | https://localhost:5601 | admin:admin | | ||
| Splunk | https://localhost:8000 | admin:Password.1234 | | ||
|
||
## Importing the dashboards | ||
|
||
The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following: | ||
|
||
- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index. | ||
- Open a dashboard file and copy all its content. | ||
- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`. | ||
- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`. | ||
- Repeat the steps for all the desired dashboards. | ||
|
||
Imported dashboards will appear under `Search & Reporting` > `Dashboards`. |
@@ -0,0 +1,15 @@ | ||
{ | ||
"CN": "Wazuh", | ||
"key": { | ||
"algo": "rsa", | ||
"size": 2048 | ||
}, | ||
"names": [ | ||
{ | ||
"C": "US", | ||
"L": "San Francisco", | ||
"O": "Wazuh", | ||
"OU": "Wazuh Root CA" | ||
} | ||
] | ||
} |
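Review bot: As far as this commit shows, this root-CA CSR request is not used anywhere: the generator service in the compose file signs the Splunk certificate with the `root-ca.pem`/`root-ca.key` produced by wazuh-certs-generator rather than a cfssl-generated CA, and no `cfssl gencert -initca` step references this file. If it is kept for manual use, say so in the README (strict JSON has no comment syntax), otherwise drop it to avoid a second, unused CA definition living next to the real one.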
@@ -0,0 +1,58 @@ | ||
{ | ||
"signing": { | ||
"default": { | ||
"expiry": "8760h" | ||
}, | ||
"profiles": { | ||
"intermediate_ca": { | ||
"usages": [ | ||
"signing", | ||
"digital signature", | ||
"key encipherment", | ||
"cert sign", | ||
"crl sign", | ||
"server auth", | ||
"client auth" | ||
], | ||
"expiry": "8760h", | ||
"ca_constraint": { | ||
"is_ca": true, | ||
"max_path_len": 0, | ||
"max_path_len_zero": true | ||
} | ||
}, | ||
"peer": { | ||
"usages": [ | ||
"signing", | ||
"digital signature", | ||
"key encipherment", | ||
"data encipherment", | ||
"client auth", | ||
"server auth" | ||
], | ||
"expiry": "8760h" | ||
}, | ||
"server": { | ||
"usages": [ | ||
"signing", | ||
"digital signing", | ||
"key encipherment", | ||
"data encipherment", | ||
"server auth" | ||
], | ||
"expiry": "8760h" | ||
}, | ||
"client": { | ||
"usages": [ | ||
"signing", | ||
"digital signature", | ||
"key encipherment", | ||
"data encipherment", | ||
"client auth" | ||
], | ||
"expiry": "8760h" | ||
} | ||
} | ||
} | ||
} | ||
|
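Review bot: The `server` profile lists `"digital signing"` where the other three profiles use `"digital signature"`; cfssl does not know the former name, and this is the profile the compose generator selects with `-profile=server`, so the entry either contributes nothing or trips validation depending on how cfssl treats unknown usages. Change it to `"digital signature"`. The `intermediate_ca`, `peer` and `client` profiles are not selected by anything in this commit; if they are kept for manual use a note in the README would help, since JSON cannot carry a comment.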
@@ -0,0 +1,19 @@ | ||
{ | ||
"CN": "splunk", | ||
"key": { | ||
"algo": "rsa", | ||
"size": 2048 | ||
}, | ||
"names": [ | ||
{ | ||
"C": "US", | ||
"L": "California", | ||
"O": "Wazuh", | ||
"OU": "Wazuh" | ||
} | ||
], | ||
"hosts": [ | ||
"splunk", | ||
"localhost" | ||
] | ||
} |
@@ -0,0 +1,25 @@ | ||
splunk: | ||
conf: | ||
- key: web | ||
value: | ||
directory: /opt/splunk/etc/system/local | ||
content: | ||
settings: | ||
enablesSplunkWebSSL: true | ||
privKeyPath: /opt/splunk/etc/auth/custom/splunk.key | ||
serverCert: /opt/splunk/etc/auth/custom/splunk.pem | ||
- key: server | ||
value: | ||
directory: /opt/splunk/etc/system/local | ||
content: | ||
general: | ||
serverName: splunk | ||
pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw== | ||
sslConfig: | ||
serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem | ||
hec: | ||
enable: True | ||
ssl: True | ||
port: 8088 | ||
# hec.token is used only for ingestion (receiving Splunk events) | ||
token: abcd1234 |
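Review bot: `enablesSplunkWebSSL` in the web stanza looks like a typo of `enableSplunkWebSSL`, the web.conf setting name; as written Splunk receives an unknown key, and web SSL is only on because the compose file also sets `SPLUNK_HTTP_ENABLESSL`. Proposed: `enableSplunkWebSSL: true`. The hec stanza's `enable: True` and `ssl: True` mix capitalised YAML 1.1 booleans with the lowercase `true` used a few lines above; use `true` throughout so a 1.2 parser reads them the same way. `pass4SymmKey` is a committed plaintext secret; since the file is a test fixture, a comment like the existing one on `token` stating it is a throwaway development value would make that explicit for anyone copying the file.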
@@ -0,0 +1,11 @@ | ||
[default] | ||
[wazuh-alerts] | ||
coldPath = $SPLUNK_DB/wazuh/colddb | ||
enableDataIntegrityControl = 1 | ||
enableTsidxReduction = 1 | ||
homePath = $SPLUNK_DB/wazuh/db | ||
maxTotalDataSizeMB = 512000 | ||
thawedPath = $SPLUNK_DB/wazuh/thaweddb | ||
timePeriodInSecBeforeTsidxReduction = 15552000 | ||
tsidxReductionCheckPeriodInSec = | ||
|
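Review bot: `tsidxReductionCheckPeriodInSec =` is left without a value, so whether Splunk rejects the stanza or silently falls back to its default depends on how it handles an empty setting; with `enableTsidxReduction = 1` above, this period is what drives the reduction, so either set an explicit number of seconds or remove the line. The empty `[default]` stanza above does nothing and can be dropped or given a comment explaining why it is there.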
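--- a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
+++ b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
@@ -0,0 +1,31 @@
+input {
+opensearch {
+hosts => ["wazuh.indexer:9200"]
+user => "${INDEXER_USERNAME}"
+password => "${INDEXER_PASSWORD}"
+ssl => true
+ca_file => "/usr/share/logstash/root-ca.pem"
+index => "wazuh-alerts-4.x-*"
+query => '{
+"query": {
+"range": {
+"@timestamp": {
+"gt": "now-1m"
+}
+}
+}
+}'
+schedule => "* * * * *"
+}
+}
+
+
+output {
+http {
+format => "json"
+http_method => "post"
+url => "https://splunk:8088/services/collector/raw"
+headers => ["Authorization", "Splunk abcd1234"]
+cacert => "/usr/share/logstash/root-ca.pem"
+}
+}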
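Review bot: The HEC token is a literal in the `headers` line (`"Splunk abcd1234"`) while the indexer credentials in the input block come from the keystore via `${INDEXER_USERNAME}` and `${INDEXER_PASSWORD}`; reading it the same way, `headers => ["Authorization", "Splunk ${SPLUNK_HEC_TOKEN}"]` with a matching keystore entry, keeps the secret out of the pipeline file and in one place (the compose file and default.yml in this commit carry the same literal). Separately, the input runs every minute and asks for `@timestamp` greater than `now-1m`, so an event landing on the boundary of two consecutive runs can be sent twice and, if a run is delayed, missed; a comment stating that this is acceptable for a test environment, or a small overlap with deduplication downstream, would document the choice.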
@@ -0,0 +1,10 @@ | ||
#!/usr/bin/bash | ||
|
||
# This script creates and configures a keystore for Logstash to store | ||
# indexer's credentials. NOTE: works only for dockerized logstash. | ||
# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html | ||
|
||
# Create keystore | ||
/usr/share/logstash/bin/logstash-keystore create | ||
echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME | ||
echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD |
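Review bot: Both keystore entries are fed the literal `admin` and the script has no error handling, so if `logstash-keystore create` fails or stops to ask whether to overwrite an existing keystore, the two `add` lines still run against whatever is there. Suggest `set -euo pipefail` after the shebang and reading the values from the environment, e.g. `echo "${INDEXER_USERNAME:-admin}" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME`, so real credentials never have to be edited into the script. It is also worth a comment that without `LOGSTASH_KEYSTORE_PASS` the keystore is stored unencrypted and relies on file permissions alone, which the Elastic page cited in the header describes.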