Filebeat recipes updated. Filebeat template updated.

wazuh · May 28, 2019 · 190a8f7 · 190a8f7
1 parent 15cf987
commit 190a8f7
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 49 deletions.
diff --git a/cookbooks/wazuh_filebeat/recipes/filebeat.rb b/cookbooks/wazuh_filebeat/recipes/filebeat.rb
@@ -9,34 +9,18 @@
     version node['filebeat']['elastic_stack_version']
 end
 
+bash 'Elasticsearch_template' do
+  code <<-EOH
+  curl -so /etc/filebeat/wazuh-template.json "https://raw.githubusercontent.com/wazuh/wazuh/#{node['filebeat']['extensions_version']}/extensions/elasticsearch/7.x/wazuh-template.json"
+  EOH
+end
+
 template node['filebeat']['config_path'] do
   source 'filebeat.yml.erb'
   owner 'root'
   group 'root'
   mode '0640'
-  variables(:logstash_servers => node['filebeat']['logstash_servers'])
-end
-
-begin
-  ssl = Chef::EncryptedDataBagItem.load('wazuh_secrets', 'logstash_certificate')
-  log "Logstash certificate found, writing... (Note: Disabled by default) " do
-    message "-----LOGSTASH CERTIFICATE FOUND-----"
-    level :info
-  end
-rescue ArgumentError, Net::HTTPServerException
-  ssl = {'logstash_certificate' => "", 'logstash_certificate_key' => ""}
-  log "No logstash certificate found...Installation will continue with empty certificate (Note: Disabled by default)" do
-    message "-----LOGSTASH CERTIFICATE NOT FOUND-----"
-    level :info
-  end
-end
-
-file '/etc/filebeat/logstash.crt' do
-  mode '0644'
-  owner 'root'
-  group 'root'
-  content ssl['logstash_certificate'].to_s
-  action :create
+  variables(elasticsearch_server_ip: "  hosts: ['#{node['filebeat']['elasticsearch_server_ip']}:9200']")
 end
 
 service node['filebeat']['service_name'] do

diff --git a/cookbooks/wazuh_filebeat/recipes/repository.rb b/cookbooks/wazuh_filebeat/recipes/repository.rb
@@ -14,13 +14,13 @@
     subscribes :reload, 'package[lsb-release]', :immediately
   end
 
-  apt_repository 'elastic-6.x' do
-    uri 'https://artifacts.elastic.co/packages/6.x/apt'
+ apt_repository "elastic-7.x" do
+    uri 'https://artifacts.elastic.co/packages/7.x/apt'
     key 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
     distribution "stable"
     components ["main"]
     not_if do
-      File.exists?("/etc/apt/sources.list.d/elastic-6.x.list")
+      File.exists?("/etc/apt/sources.list.d/elastic-7.x.list")
     end
   end
 when 'ubuntu'
@@ -32,20 +32,22 @@
     subscribes :reload, 'package[lsb-release]', :immediately
   end
 
-  apt_repository 'elastic-6.x' do
-    uri 'https://artifacts.elastic.co/packages/6.x/apt'
+  apt_repository "elastic-7.x" do
+    uri 'https://artifacts.elastic.co/packages/7.x/apt'
     key 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
     distribution "stable"
     components ["main"]
     not_if do
-      File.exists?("/etc/apt/sources.list.d/elastic-6.x.list")
+      File.exists?("/etc/apt/sources.list.d/elastic-7.x.list")
     end
   end
+
 when 'rhel'
-  yum_repository 'elastic-6.x' do
-    description 'Elastic repository for 6.x packages'
-    baseurl 'https://artifacts.elastic.co/packages/6.x/yum'
-    gpgkey 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+  yum_repository "elastic-7.x" do
+    description "Elastic repository for 7.x packages"
+    baseurl "https://artifacts.elastic.co/packages/7.x/yum"
+    gpgkey "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
     action :create
   end
-end
+end
+
diff --git a/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb b/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb
@@ -1,15 +1,58 @@
-filebeat:
-  prospectors:
-    - type: log
-      paths:
-        - "/var/ossec/logs/alerts/alerts.json"
-      document_type: json
-      json.message_key: log
-      json.keys_under_root: true
-      json.overwrite_keys: true
-
-output:
-  logstash:
-    # The Logstash hosts
-    hosts: [<%= @logstash_servers.to_json %>]
-#   ssl.certificate_authorities: <%= node['filebeat']['certificate_authorities'] %>
+# Wazuh - Filebeat configuration file
+
+filebeat.inputs:
+  - type: log
+    paths:
+      - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+# Send events directly to Elasticsearch
+output.elasticsearch:
+<%= @elasticsearch_server_ip %>
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+
+# Optional. Send events to Logstash instead of Elasticsearch
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]