
Filebeat recipes updated. Filebeat template updated.
Jose M committed May 28, 2019
1 parent 15cf987 commit 190a8f7
Showing 3 changed files with 78 additions and 49 deletions.
30 changes: 7 additions & 23 deletions cookbooks/wazuh_filebeat/recipes/filebeat.rb
Expand Up @@ -9,34 +9,18 @@
version node['filebeat']['elastic_stack_version']
end

bash 'Elasticsearch_template' do
code <<-EOH
curl -so /etc/filebeat/wazuh-template.json "https://raw.githubusercontent.com/wazuh/wazuh/#{node['filebeat']['extensions_version']}/extensions/elasticsearch/7.x/wazuh-template.json"
EOH
end

template node['filebeat']['config_path'] do
source 'filebeat.yml.erb'
owner 'root'
group 'root'
mode '0640'
variables(:logstash_servers => node['filebeat']['logstash_servers'])
end

begin
ssl = Chef::EncryptedDataBagItem.load('wazuh_secrets', 'logstash_certificate')
log "Logstash certificate found, writing... (Note: Disabled by default) " do
message "-----LOGSTASH CERTIFICATE FOUND-----"
level :info
end
rescue ArgumentError, Net::HTTPServerException
ssl = {'logstash_certificate' => "", 'logstash_certificate_key' => ""}
log "No logstash certificate found...Installation will continue with empty certificate (Note: Disabled by default)" do
message "-----LOGSTASH CERTIFICATE NOT FOUND-----"
level :info
end
end

file '/etc/filebeat/logstash.crt' do
mode '0644'
owner 'root'
group 'root'
content ssl['logstash_certificate'].to_s
action :create
variables(elasticsearch_server_ip: " hosts: ['#{node['filebeat']['elasticsearch_server_ip']}:9200']")
end

service node['filebeat']['service_name'] do
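Review bot: The new `variables(elasticsearch_server_ip: " hosts: ['#{node['filebeat']['elasticsearch_server_ip']}:9200']")` builds a YAML fragment inside the recipe and the template in this commit (filebeat.yml.erb) emits it with a bare `<%= @elasticsearch_server_ip %>`, so the attribute value reaches the config unescaped and the port is fixed at 9200. Pass the plain value, `variables(elasticsearch_server_ip: node['filebeat']['elasticsearch_server_ip'])`, and let the template own the YAML, e.g. `hosts: [<%= "#{@elasticsearch_server_ip}:9200".to_json %>]`, as the previous template did with `@logstash_servers.to_json`. With the Logstash certificate handling deleted, the rendered `output.elasticsearch` carries only `hosts` and `indices`, so alerts leave the host over plain HTTP with no credentials unless something outside this commit supplies `protocol`, `ssl.*` or `username`/`password` settings; that expectation should at least be documented next to the `elasticsearch_server_ip` attribute. If the `curl -so ... wazuh-template.json` block is on the new side (the rendering does not mark sides), it should also pass `-f` so an HTTP error does not leave a non-JSON body at the path `setup.template.json.path` points to. The `end` on the hunk's second line closes a resource that starts above the hunk, and the `service` resource at the bottom continues past it.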
24 changes: 13 additions & 11 deletions cookbooks/wazuh_filebeat/recipes/repository.rb
Expand Up @@ -14,13 +14,13 @@
subscribes :reload, 'package[lsb-release]', :immediately
end

apt_repository 'elastic-6.x' do
uri 'https://artifacts.elastic.co/packages/6.x/apt'
apt_repository "elastic-7.x" do
uri 'https://artifacts.elastic.co/packages/7.x/apt'
key 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
distribution "stable"
components ["main"]
not_if do
File.exists?("/etc/apt/sources.list.d/elastic-6.x.list")
File.exists?("/etc/apt/sources.list.d/elastic-7.x.list")
end
end
when 'ubuntu'
Expand All @@ -32,20 +32,22 @@
subscribes :reload, 'package[lsb-release]', :immediately
end

apt_repository 'elastic-6.x' do
uri 'https://artifacts.elastic.co/packages/6.x/apt'
apt_repository "elastic-7.x" do
uri 'https://artifacts.elastic.co/packages/7.x/apt'
key 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
distribution "stable"
components ["main"]
not_if do
File.exists?("/etc/apt/sources.list.d/elastic-6.x.list")
File.exists?("/etc/apt/sources.list.d/elastic-7.x.list")
end
end

when 'rhel'
yum_repository 'elastic-6.x' do
description 'Elastic repository for 6.x packages'
baseurl 'https://artifacts.elastic.co/packages/6.x/yum'
gpgkey 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
yum_repository "elastic-7.x" do
description "Elastic repository for 7.x packages"
baseurl "https://artifacts.elastic.co/packages/7.x/yum"
gpgkey "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
action :create
end
end
end
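Review bot: The rewritten `not_if` guards on both the debian and ubuntu branches still call `File.exists?`, which Ruby deprecates in favour of `File.exist?`; use `File.exist?("/etc/apt/sources.list.d/elastic-7.x.list")`. The guard also turns the resource into a no-op once the list file exists, so a later change to `uri` or `key` is never applied, and `apt_repository` is idempotent without it. Nothing in this section removes the `elastic-6.x` repository on hosts converged with the previous recipe, so those hosts presumably keep both Elastic repositories enabled and rely on the pinned `version` in the package resource to select 7.x packages; confirm that is intended, or add an `apt_repository 'elastic-6.x'` / `yum_repository 'elastic-6.x'` with `action :remove`.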

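--- a/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb
+++ b/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb
@@ -1,15 +1,58 @@
-filebeat:
-prospectors:
-- type: log
-paths:
-- "/var/ossec/logs/alerts/alerts.json"
-document_type: json
-json.message_key: log
-json.keys_under_root: true
-json.overwrite_keys: true
-
-output:
-logstash:
-# The Logstash hosts
-hosts: [<%= @logstash_servers.to_json %>]
-# ssl.certificate_authorities: <%= node['filebeat']['certificate_authorities'] %>
+# Wazuh - Filebeat configuration file
+
+filebeat.inputs:
+- type: log
+paths:
+- '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+- decode_json_fields:
+fields: ['message']
+process_array: true
+max_depth: 200
+target: ''
+overwrite_keys: true
+- drop_fields:
+fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+- rename:
+fields:
+- from: "data.aws.sourceIPAddress"
+to: "@src_ip"
+ignore_missing: true
+fail_on_error: false
+when:
+regexp:
+data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+- rename:
+fields:
+- from: "data.srcip"
+to: "@src_ip"
+ignore_missing: true
+fail_on_error: false
+when:
+regexp:
+data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+- rename:
+fields:
+- from: "data.win.eventdata.ipAddress"
+to: "@src_ip"
+ignore_missing: true
+fail_on_error: false
+when:
+regexp:
+data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+# Send events directly to Elasticsearch
+output.elasticsearch:
+<%= @elasticsearch_server_ip %>
+#pipeline: geoip
+indices:
+- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+
+# Optional. Send events to Logstash instead of Elasticsearch
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]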
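Review bot: The three `rename` processors promote a value to `@src_ip` only when the `when.regexp` matches a dotted-quad IPv4 pattern, so IPv6 values in `data.srcip`, `data.aws.sourceIPAddress` and `data.win.eventdata.ipAddress` are never copied, and anything downstream keyed on `@src_ip` (the commented `#pipeline: geoip`, for instance) silently misses those events. The same pattern is repeated three times with no explanation; a comment above the first processor, `# Only IPv4 sources are promoted to @src_ip; IPv6 values stay in their original field`, would record the limitation until the regexp is widened. Note that `\d{1,3}` also accepts octets above 255, which is harmless for a rename but should not be read as address validation.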
