Init. Amazon Security Lake integration
Showing
2 changed files
with
83 additions
and
0 deletions.
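--- /dev/null
+++ b/PATH-NOT-SHOWN-file-1
@@ -0,0 +1,49 @@
+### Amazon Security Lake integration - Logstash
+
+Follow the [Wazuh indexer integration using Logstash](https://documentation.wazuh.com/current/integrations-guide/opensearch/index.html#wazuh-indexer-integration-using-logstash)
+to install `Logstash` and the `logstash-input-opensearch` plugin.
+
+> RPM: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html#_yum
+```markdown
+
+# Install plugins (logstash-output-s3 is already installed)
+sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
+
+# Copy certificates
+mkdir -p /etc/logstash/wi-certs/
+cp /etc/wazuh-indexer/certs/root-ca.pem /etc/logstash/wi-certs/root-ca.pem
+chown logstash:logstash /etc/logstash/wi-certs/root-ca.pem
+
+# Configuring new indexes
+SKIP
+
+# Configuring a pipeline
+
+# Keystore
+## Prepare keystore
+set +o history
+echo 'LOGSTASH_KEYSTORE_PASS="123456"'| sudo tee /etc/sysconfig/logstash
+export LOGSTASH_KEYSTORE_PASS=123456
+set -o history
+sudo chown root /etc/sysconfig/logstash
+sudo chmod 600 /etc/sysconfig/logstash
+sudo systemctl start logstash
+
+## Create keystore
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
+
+## Store Wazuh indexer credentials (admin user)
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD
+
+# Pipeline
+sudo touch /etc/logstash/conf.d/wazuh-s3.conf
+# Replace with cp /vagrant/wazuh-s3.conf /etc/logstash/conf.d/wazuh-s3.conf
+sudo systemctl stop logstash
+sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-s3.conf --path.settings /etc/logstash/
+|- Success: `[INFO ][logstash.agent ] Pipelines running ...`
+
+# Start Logstash
+sudo systemctl enable logstash
+sudo systemctl start logstash
+```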
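--- /dev/null
+++ b/PATH-NOT-SHOWN-file-2
@@ -0,0 +1,34 @@
+input {
+opensearch {
+hosts => ["localhost:9200"]
+user => "${WAZUH_INDEXER_USERNAME}"
+password => "${WAZUH_INDEXER_PASSWORD}"
+index => "wazuh-alerts-4.x-*"
+ssl => true
+ca_file => "/etc/wazuh-indexer/certs/root-ca.pem"
+query => '{
+"query": {
+"range": {
+"@timestamp": {
+"gt": "now-1m"
+}
+}
+}
+}'
+schedule => "* * * * *"
+}
+}
+
+output {
+stdout { codec => rubydebug }
+s3 {
+access_key_id => "<aws-access-key>"
+secret_access_key => "<aws-secret-key>"
+region => "<your-region>"
+server_side_encryption => true
+server_side_encryption_algorithm => "AES256"
+bucket => "wazuh-indexer-amazon-security-lake-bucket"
+canned_acl => "bucket-owner-full-control"
+codec => "json"
+}
+}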
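Review bot: The s3 output expects a long-lived AWS key pair to be pasted as literals at `access_key_id => "<aws-access-key>"` and `secret_access_key => "<aws-secret-key>"`, while the opensearch input in the same file already takes its credentials from the Logstash keystore via `${WAZUH_INDEXER_USERNAME}` / `${WAZUH_INDEXER_PASSWORD}`; the AWS pair should use the same mechanism, e.g. `access_key_id => "${AWS_ACCESS_KEY_ID}"` and `secret_access_key => "${AWS_SECRET_ACCESS_KEY}"` with both added to the keystore as the README does for the indexer credentials (entry names constructed here), or be omitted where the host can use an instance or role credential. A literal secret in the pipeline file is readable by anyone who can read /etc/logstash/conf.d and is likely to be committed along with this template. Separately, `stdout { codec => rubydebug }` echoes every forwarded alert to Logstash's stdout, which under the systemd unit is presumably captured by the journal; it is useful for the `logstash -f` smoke test described in the README but should be removed before `systemctl enable`, since it copies alert content into a second store with different access controls. A one-line comment above the s3 block, `# AWS credentials come from the keystore; do not put literals here`, would make the intent clear to the next reader.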