From d596683cb604625c8df189c87d0abc2f0b81df5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 14 Jun 2024 12:00:29 +0200 Subject: [PATCH] Add Manager to OpenSearch integration (#267) * Add Manager to OpenSearch integreation Also fixes small issues on other integrations * Add changes to README --- integrations/docker/elastic.yml | 4 - integrations/docker/manager-elastic.yml | 2 - integrations/docker/manager-opensearch.yml | 181 ++++++++++++++++++ integrations/docker/opensearch.yml | 7 - integrations/elastic/README.md | 2 - integrations/opensearch/README.md | 11 +- .../pipeline/manager-to-opensearch.conf | 30 +++ 7 files changed, 220 insertions(+), 17 deletions(-) create mode 100644 integrations/docker/manager-opensearch.yml create mode 100644 integrations/opensearch/logstash/pipeline/manager-to-opensearch.conf diff --git a/integrations/docker/elastic.yml b/integrations/docker/elastic.yml index b3a931dcf8418..e30cda48306ab 100644 --- a/integrations/docker/elastic.yml +++ b/integrations/docker/elastic.yml @@ -5,7 +5,6 @@ services: image: wazuh/indexer-events-generator build: context: ../tools/events-generator - container_name: events-generator depends_on: wazuh.indexer: condition: service_healthy @@ -13,7 +12,6 @@ services: wazuh.indexer: image: opensearchproject/opensearch:2.12.0 - container_name: wazuh.indexer depends_on: wazuh-certs-generator: condition: service_completed_successfully @@ -54,7 +52,6 @@ services: wazuh.dashboard: image: opensearchproject/opensearch-dashboards:2.12.0 - container_name: wazuh.dashboard depends_on: - wazuh.indexer hostname: wazuh.dashboard @@ -68,7 +65,6 @@ services: wazuh-certs-generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator - container_name: wazuh-certs-generator entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" volumes: - ./certs/:/certificates/ 
diff --git a/integrations/docker/manager-elastic.yml b/integrations/docker/manager-elastic.yml index 05ebde988ddc7..e98a2871dff8b 100644 --- a/integrations/docker/manager-elastic.yml +++ b/integrations/docker/manager-elastic.yml @@ -45,8 +45,6 @@ services: - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline - - es_certs:/etc/certs/elastic - alerts:/var/ossec/logs/alerts/ wazuh.indexer: diff --git a/integrations/docker/manager-opensearch.yml b/integrations/docker/manager-opensearch.yml new file mode 100644 index 0000000000000..b7f1c64bb239e --- /dev/null +++ b/integrations/docker/manager-opensearch.yml 
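Review bot: After the pipeline and `es_certs` mounts are dropped, the manager's volume list still carries `./certs/root-ca.pem:/usr/share/logstash/root-ca.pem`, a Logstash container path rather than anything the Wazuh manager image reads, so it looks like the same copy-paste as the two removed lines; the identical line is added to the new `manager-opensearch.yml` in this commit. If the manager only needs the CA at the `/etc/ssl/root-ca.pem` mount just above it, the Logstash-path line can go from both files. The `wazuh.manager` service starts before this hunk, so the environment it is paired with is not visible here.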
@@ -0,0 +1,181 @@
+name: "manager-opensearch-integration"
+
+services:
+ events-generator:
+ image: wazuh/indexer-events-generator
+ build:
+ context: ../tools/events-generator
+ depends_on:
+ wazuh.indexer:
+ condition: service_healthy
+ command: bash -c "python run.py -o filebeat"
+ volumes:
+ - alerts:/var/ossec/logs/alerts/
+
+ wazuh.manager:
+ image: wazuh/wazuh-manager:${WAZUH_VERSION}
+ hostname: wazuh.manager
+ restart: always
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 655360
+ hard: 655360
+ ports:
+ - "1514:1514"
+ - "1515:1515"
+ - "514:514/udp"
+ - "55000:55000"
+ environment:
+ - INDEXER_URL=https://wazuh.indexer:9200
+ - INDEXER_USERNAME=admin
+ - INDEXER_PASSWORD=admin
+ - FILEBEAT_SSL_VERIFICATION_MODE=full
+ - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+ - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+ - SSL_KEY=/etc/ssl/filebeat.key
+ - API_USERNAME=wazuh-wui
+ - API_PASSWORD=MyS3cr37P450r.*-
+ - LOG_LEVEL=info
+ - MONITORING_ENABLED=false
+ volumes:
+ - ./certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+ - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+ - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+ - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+ - alerts:/var/ossec/logs/alerts/
+
+ wazuh.indexer:
+ image: opensearchproject/opensearch:2.12.0
+ depends_on:
+ wazuh-certs-generator:
+ condition: service_completed_successfully
+ hostname: wazuh.indexer
+ ports:
+ - 9200:9200
+ environment:
+ - node.name=wazuh.indexer
+ - discovery.type=single-node
+ - bootstrap.memory_lock=true
+ - "DISABLE_INSTALL_DEMO_CONFIG=true"
+ - plugins.security.ssl.http.enabled=true
+ - plugins.security.allow_default_init_securityindex=true
+ - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+ - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+ - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+ - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+ - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+ - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+ - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+ - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+ - compatibility.override_main_response_version=true
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ healthcheck:
+ test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+ start_period: 10s
+ start_interval: 3s
+ volumes:
+ - data:/usr/share/opensearch/data
+ - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+ - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+ - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+ wazuh-certs-generator:
+ image: wazuh/wazuh-certs-generator:0.0.1
+ hostname: wazuh-certs-generator
+ entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+ volumes:
+ - ./certs/:/certificates/
+ - ./config/certs.yml:/config/certs.yml
+
+ logstash:
+ depends_on:
+ opensearch.node:
+ condition: service_healthy
+ wazuh-certs-generator:
+ condition: service_completed_successfully
+ image: logstash-oss:8.6.2
+ build:
+ dockerfile: ../elastic/Dockerfile
+ context: ../opensearch
+ environment:
+ LOG_LEVEL: info
+ MONITORING_ENABLED: false
+ volumes:
+ - ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline
+ - ./certs/root-ca.pem:/etc/ssl/root-ca.pem
+ - alerts:/var/ossec/logs/alerts/
+ command: logstash -f /usr/share/logstash/pipeline/manager-to-opensearch.conf
+
+ # ================================================
+ # OpenSearch and OpenSearch Dashboards
+ # ================================================
+
+ opensearch.node:
+ image: opensearchproject/opensearch:${OS_VERSION}
+ depends_on:
+ wazuh-certs-generator:
+ condition: service_completed_successfully
+ environment:
+ - cluster.name=opensearch-cluster
+ - node.name=opensearch.node
+ - discovery.type=single-node
+ - bootstrap.memory_lock=true
+ - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+ - "DISABLE_INSTALL_DEMO_CONFIG=true"
+ volumes:
+ - ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+ - ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key
+ - ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem
+ - ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ ports:
+ - 9201:9200
+ - 9600:9600
+ healthcheck:
+ test:
+ [
+ "CMD-SHELL",
+ "curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'",
+ ]
+ interval: 1s
+ timeout: 5s
+ retries: 120
+
+ opensearch-dashboards:
+ image: opensearchproject/opensearch-dashboards:${OS_VERSION}
+ depends_on:
+ opensearch.node:
+ condition: service_healthy
+ ports:
+ - 5602:5601
+ expose:
+ - "5602"
+ volumes:
+ - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+ - ./certs/:/usr/share/opensearch-dashboards/config/certs/
+ - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key
+ - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem
+ - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem
+
+ environment:
+ - 'OPENSEARCH_HOSTS="https://opensearch.node:9200"'
+
+volumes:
+ data:
+ es_certs:
+ alerts:
diff --git a/integrations/docker/opensearch.yml b/integrations/docker/opensearch.yml
index 1c43a38909562..2cfa537cbcc50 100644
--- a/integrations/docker/opensearch.yml
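Review bot: The `opensearch-dashboards` volume list mounts the whole `./certs/` directory into `/usr/share/opensearch-dashboards/config/certs/`, which hands that container every private key the generator produced (manager, indexer and OpenSearch node keys included), while the three file mounts directly below it already provide the key, certificate and CA it uses; dropping the directory mount keeps each service to its own key material. `es_certs:` is declared under the top-level `volumes:` but no service in this file references it, and this same commit removes its last use from manager-elastic.yml, so it looks like a leftover. In the logstash service `MONITORING_ENABLED: false` is an unquoted YAML boolean, whereas the manager passes the same setting as the string `MONITORING_ENABLED=false`; `MONITORING_ENABLED: "false"` keeps the two consistent and stops the parser from retyping it. The logstash build uses `dockerfile: ../elastic/Dockerfile` with `context: ../opensearch`, while opensearch.yml in this commit builds logstash from `context: ../opensearch` with no dockerfile override, so it is worth confirming the elastic Dockerfile is the intended one here.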
+++ b/integrations/docker/opensearch.yml @@ -5,7 +5,6 @@ services: image: wazuh/indexer-events-generator build: context: ../tools/events-generator - container_name: events-generator depends_on: wazuh.indexer: condition: service_healthy @@ -13,7 +12,6 @@ services: wazuh.indexer: image: opensearchproject/opensearch:2.12.0 - container_name: wazuh.indexer depends_on: wazuh-certs-generator: condition: service_completed_successfully @@ -54,7 +52,6 @@ services: wazuh.dashboard: image: opensearchproject/opensearch-dashboards:2.12.0 - container_name: wazuh.dashboard depends_on: - wazuh.indexer hostname: wazuh.dashboard @@ -79,7 +76,6 @@ services: wazuh-certs-generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator - container_name: wazuh-certs-generator entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" volumes: - ./certs/:/certificates/ @@ -95,7 +91,6 @@ services: depends_on: wazuh-certs-generator: condition: service_completed_successfully - container_name: opensearch.node environment: - cluster.name=opensearch-cluster - node.name=opensearch.node @@ -133,7 +128,6 @@ services: depends_on: opensearch.node: condition: service_healthy - container_name: opensearch-dashboards ports: - 5602:5601 expose: @@ -153,7 +147,6 @@ services: depends_on: opensearch.node: condition: service_healthy - container_name: logstash build: context: ../opensearch environment: diff --git a/integrations/elastic/README.md b/integrations/elastic/README.md index 077f03cd407d7..27b5cdd7cd209 100644 --- a/integrations/elastic/README.md +++ b/integrations/elastic/README.md @@ -22,7 +22,6 @@ The Docker Compose project will bring up the following services: - 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). - 1x Wazuh Indexer (OpenSearch). -- 1x Wazuh Dashboards (OpenSearch Dashboards). - 1x Logstash - 1x Elastic - 1x Kibana 
@@ -43,7 +42,6 @@ Check the files above for **credentials**, ports, and other configurations. | Service | Address | Credentials | | ---------------- | ---------------------- | --------------- | | Wazuh Indexer | https://localhost:9200 | admin:admin | -| Wazuh Dashboards | https://localhost:5601 | admin:admin | | Elastic | https://localhost:9201 | elastic:elastic | | Kibana | https://localhost:5602 | elastic:elastic | diff --git a/integrations/opensearch/README.md b/integrations/opensearch/README.md index 1afa0dad5fb93..7547473579299 100644 --- a/integrations/opensearch/README.md +++ b/integrations/opensearch/README.md @@ -13,15 +13,19 @@ This document describes how to prepare a Docker Compose environment to test the ```bash docker compose -f ./docker/opensearch.yml up -d ``` +3. If you prefer, you can start the integration with the Wazuh Manager as data source: + ```bash + docker compose -f ./docker/manager-opensearch.yml up -d + ``` The Docker Compose project will bring up the following services: - 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). - 1x Wazuh Indexer (OpenSearch). -- 1x Wazuh Dashboards (OpenSearch Dashboards). - 1x Logstash - 1x OpenSearch - 1x OpenSearch Dashboards +- 1x Wazuh Manager (optional). For custom configurations, you may need to modify these files: 
@@ -29,12 +33,15 @@ For custom configurations, you may need to modify these files: - [docker/.env](../docker/.env): Environment variables file. - [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file. +If you opted to start the integration with the Wazuh Manager, you can modify the following files: +- [docker/manager-opensearch.yml](../docker/manager-opensearch.yml): Docker Compose file. +- [opensearch/logstash/pipeline/manager-to-opensearch.conf](./logstash/pipeline/manager-to-opensearch.conf): Logstash Pipeline configuration file. + Check the files above for **credentials**, ports, and other configurations. | Service | Address | Credentials | | --------------------- | ---------------------- | ----------- | | Wazuh Indexer | https://localhost:9200 | admin:admin | -| Wazuh Dashboard | https://localhost:5601 | admin:admin | | OpenSearch | https://localhost:9201 | admin:admin | | OpenSearch Dashboards | https://localhost:5602 | admin:admin |
diff --git a/integrations/opensearch/logstash/pipeline/manager-to-opensearch.conf b/integrations/opensearch/logstash/pipeline/manager-to-opensearch.conf
new file mode 100644
index 0000000000000..2a631e634efae
--- /dev/null
+++ b/integrations/opensearch/logstash/pipeline/manager-to-opensearch.conf
@@ -0,0 +1,30 @@
+input {
+ file {
+ id => "wazuh_alerts"
+ codec => "json"
+ start_position => "beginning"
+ stat_interval => "1 second"
+ path => "/var/ossec/logs/alerts/alerts.json"
+ mode => "tail"
+ ecs_compatibility => "disabled"
+ }
+}
+
+output {
+ opensearch {
+ hosts => ["opensearch.node:9200"]
+ auth_type => {
+ type => 'basic'
+ user => 'admin'
+ password => 'admin'
+ }
+ index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+ ssl => true
+ cacert => "/etc/ssl/root-ca.pem"
+ template => '/usr/share/logstash/pipeline/os_template.json'
+ template_name => 'wazuh'
+ template_overwrite => true
+ legacy_template => false
+ }
+ stdout{}
+}
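Review bot: The `file` input sets `start_position => "beginning"` but no `sincedb_path`, and the compose file that runs this pipeline mounts only the pipeline directory, the CA file and the alerts volume into the logstash container, so the default sincedb under Logstash's data directory is lost whenever the container is recreated and `alerts.json` is re-read from the start; since the `opensearch` output sets no `document_id`, each re-read indexes the same alerts again under fresh IDs. Persisting the data directory, or pointing `sincedb_path` at a persisted location, avoids the duplicates. `template => '/usr/share/logstash/pipeline/os_template.json'` relies on a file in the mounted pipeline directory that this commit does not add — presumably the one the existing indexer-to-opensearch.conf already uses, worth confirming. The basic-auth credentials are literal `'admin'`/`'admin'` here while the compose file already sources versions from `.env`; Logstash accepts `${VAR}` substitution in pipeline settings, which would keep the pipeline in step with the compose healthchecks if the password is ever changed.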