forked from opensearch-project/OpenSearch
-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch '4.9.0' into 253-add-splunk-indexer-integration
Signed-off-by: Álex Ruiz <[email protected]>
- Loading branch information
Showing
12 changed files
with
2,416 additions
and
81 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
opensearch | ||
external | ||
common | ||
config | ||
docker/certs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,20 @@ | ||
nodes: | ||
# Wazuh indexer server nodes | ||
# Wazuh indexer and OpenSearch server nodes | ||
indexer: | ||
- name: wazuh.indexer | ||
ip: wazuh.indexer | ||
- name: opensearch.node | ||
ip: opensearch.node | ||
|
||
# Wazuh server nodes | ||
# Use node_type only with more than one Wazuh manager | ||
server: | ||
- name: wazuh.manager | ||
ip: wazuh.manager | ||
|
||
# Wazuh dashboard node | ||
# Wazuh dashboard and OpenSearch Dashboards nodes | ||
dashboard: | ||
- name: wazuh.dashboard | ||
ip: wazuh.dashboard | ||
- name: opensearch.dashboards | ||
ip: opensearch.dashboards |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,169 @@ | ||
name: "opensearch-integration" | ||
|
||
services: | ||
events-generator: | ||
image: wazuh/indexer-events-generator | ||
build: | ||
context: ../tools/events-generator | ||
container_name: events-generator | ||
depends_on: | ||
wazuh.indexer: | ||
condition: service_healthy | ||
command: bash -c "python run.py -a wazuh.indexer" | ||
|
||
wazuh.indexer: | ||
image: opensearchproject/opensearch:2.12.0 | ||
container_name: wazuh.indexer | ||
depends_on: | ||
wazuh-certs-generator: | ||
condition: service_completed_successfully | ||
hostname: wazuh.indexer | ||
ports: | ||
- 9200:9200 | ||
environment: | ||
- node.name=wazuh.indexer | ||
- discovery.type=single-node | ||
- bootstrap.memory_lock=true | ||
- "DISABLE_INSTALL_DEMO_CONFIG=true" | ||
- plugins.security.ssl.http.enabled=true | ||
- plugins.security.allow_default_init_securityindex=true | ||
- plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem | ||
- plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem | ||
- plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem | ||
- plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem | ||
- plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem | ||
- plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem | ||
- plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" | ||
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" | ||
ulimits: | ||
memlock: | ||
soft: -1 | ||
hard: -1 | ||
nofile: | ||
soft: 65536 | ||
hard: 65536 | ||
healthcheck: | ||
test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster | ||
start_period: 10s | ||
start_interval: 3s | ||
volumes: | ||
- data:/usr/share/opensearch/data | ||
- ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem | ||
- ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem | ||
- ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem | ||
|
||
wazuh.dashboard: | ||
image: opensearchproject/opensearch-dashboards:2.12.0 | ||
container_name: wazuh.dashboard | ||
depends_on: | ||
- wazuh.indexer | ||
hostname: wazuh.dashboard | ||
ports: | ||
- 5601:5601 | ||
expose: | ||
- "5601" | ||
volumes: | ||
- ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml | ||
- ./certs/:/usr/share/opensearch-dashboards/config/certs/ | ||
- ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key | ||
- ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem | ||
- ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem | ||
environment: | ||
OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' | ||
SERVER_SSL_ENABLED: 'true' | ||
SERVER_SSL_KEY: '/usr/share/opensearch-dashboards/config/certs/opensearch.key' | ||
SERVER.SSL_CERTIFICATE: '/usr/share/opensearch-dashboards/config/certs/opensearch.pem' | ||
OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: '/usr/share/opensearch-dashboards/config/certs/root-ca.pem' | ||
|
||
|
||
wazuh-certs-generator: | ||
image: wazuh/wazuh-certs-generator:0.0.1 | ||
hostname: wazuh-certs-generator | ||
container_name: wazuh-certs-generator | ||
entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" | ||
volumes: | ||
- ./certs/:/certificates/ | ||
- ./config/certs.yml:/config/certs.yml | ||
|
||
|
||
# ================================================ | ||
# OpenSearch, OpenSearch Dashboards and Logstash | ||
# ================================================ | ||
|
||
opensearch.node: | ||
image: opensearchproject/opensearch:${OS_VERSION} | ||
depends_on: | ||
wazuh-certs-generator: | ||
condition: service_completed_successfully | ||
container_name: opensearch.node | ||
environment: | ||
- cluster.name=opensearch-cluster | ||
- node.name=opensearch.node | ||
- discovery.type=single-node | ||
- bootstrap.memory_lock=true | ||
- 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m' | ||
- "DISABLE_INSTALL_DEMO_CONFIG=true" | ||
volumes: | ||
- ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml | ||
- ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key | ||
- ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem | ||
- ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem | ||
ulimits: | ||
memlock: | ||
soft: -1 | ||
hard: -1 | ||
nofile: | ||
soft: 65536 | ||
hard: 65536 | ||
ports: | ||
- 9201:9200 | ||
- 9600:9600 | ||
healthcheck: | ||
test: | ||
[ | ||
'CMD-SHELL', | ||
"curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'", | ||
] | ||
interval: 1s | ||
timeout: 5s | ||
retries: 120 | ||
|
||
opensearch-dashboards: | ||
image: opensearchproject/opensearch-dashboards:${OS_VERSION} | ||
depends_on: | ||
opensearch.node: | ||
condition: service_healthy | ||
container_name: opensearch-dashboards | ||
ports: | ||
- 5602:5601 | ||
expose: | ||
- '5602' | ||
volumes: | ||
- ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml | ||
- ./certs/:/usr/share/opensearch-dashboards/config/certs/ | ||
- ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key | ||
- ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem | ||
- ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem | ||
|
||
environment: | ||
- 'OPENSEARCH_HOSTS="https://opensearch.node:9200"' | ||
|
||
logstash: | ||
image: logstash-oss:8.6.2 | ||
depends_on: | ||
opensearch.node: | ||
condition: service_healthy | ||
container_name: logstash | ||
build: | ||
context: ../opensearch | ||
environment: | ||
LOG_LEVEL: info | ||
MONITORING_ENABLED: false | ||
volumes: | ||
- ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline | ||
- ./certs/root-ca.pem:/etc/ssl/root-ca.pem | ||
command: logstash -f /usr/share/logstash/pipeline/indexer-to-opensearch.conf | ||
|
||
volumes: | ||
data: | ||
os_config: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# Wazuh to OpenSearch Integration Developer Guide | ||
|
||
This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the OpenSearch Stack. For a detailed guide on how to integrate Wazuh with OpenSearch Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/OpenSearch-stack/index.html). | ||
|
||
## Requirements | ||
|
||
- Docker and Docker Compose installed. | ||
|
||
## Usage | ||
|
||
1. Clone the Wazuh repository and navigate to the `integrations/` folder. | ||
2. Run the following command to start the environment: | ||
```bash | ||
docker compose -f ./docker/opensearch.yml up -d | ||
``` | ||
|
||
The Docker Compose project will bring up the following services: | ||
|
||
- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). | ||
- 1x Wazuh Indexer (OpenSearch). | ||
- 1x Wazuh Dashboards (OpenSearch Dashboards). | ||
- 1x Logstash | ||
- 1x OpenSearch | ||
- 1x OpenSearch Dashboards | ||
|
||
For custom configurations, you may need to modify these files: | ||
|
||
- [docker/opensearch.yml](../docker/opensearch.yml): Docker Compose file. | ||
- [docker/.env](../docker/.env): Environment variables file. | ||
- [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file. | ||
|
||
Check the files above for **credentials**, ports, and other configurations. | ||
|
||
| Service | Address | Credentials | | ||
| --------------------- | ---------------------- | ----------- | | ||
| Wazuh Indexer | https://localhost:9200 | admin:admin | | ||
| Wazuh Dashboard | https://localhost:5601 | admin:admin | | ||
| OpenSearch | https://localhost:9201 | admin:admin | | ||
| OpenSearch Dashboards | https://localhost:5602 | admin:admin | | ||
|
||
## Importing the dashboards | ||
|
||
The dashboards for OpenSearch are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to OpenSearch are the following: | ||
|
||
- On OpenSearch Dashboards, expand the left menu, and go to `Dashboards Management`. | ||
- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. | ||
- Click on Import and complete the process. | ||
|
||
Imported dashboards will appear in the `Dashboards` app on the left menu. |
Large diffs are not rendered by default.
Oops, something went wrong.
Oops, something went wrong.