From 025677db01d04f9ad1ca657c02e4360174ae2628 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 14 Jun 2024 12:00:18 +0200 Subject: [PATCH] Add Manager to Splunk integration (#268) --- integrations/docker/manager-splunk.yml | 172 ++++++++++++++++++ integrations/splunk/README.md | 11 +- .../logstash/pipeline/manager-to-splunk.conf | 24 +++ 3 files changed, 205 insertions(+), 2 deletions(-) create mode 100644 integrations/docker/manager-splunk.yml create mode 100644 integrations/splunk/logstash/pipeline/manager-to-splunk.conf diff --git a/integrations/docker/manager-splunk.yml b/integrations/docker/manager-splunk.yml new file mode 100644 index 0000000000000..532eb73374b7f --- /dev/null +++ b/integrations/docker/manager-splunk.yml @@ -0,0 +1,172 @@ +name: "manager-splunk-integration" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -o filebeat" + volumes: + - alerts:/var/ossec/logs/alerts/ + + wazuh.manager: + image: wazuh/wazuh-manager:${WAZUH_VERSION} + hostname: wazuh.manager + restart: always + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 655360 + hard: 655360 + ports: + - "1514:1514" + - "1515:1515" + - "514:514/udp" + - "55000:55000" + environment: + - INDEXER_URL=https://wazuh.indexer:9200 + - INDEXER_USERNAME=admin + - INDEXER_PASSWORD=admin + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem + - SSL_CERTIFICATE=/etc/ssl/filebeat.pem + - SSL_KEY=/etc/ssl/filebeat.key + - API_USERNAME=wazuh-wui + - API_PASSWORD=MyS3cr37P450r.*- + - LOG_LEVEL=info + - MONITORING_ENABLED=false + volumes: + - ./certs/root-ca-manager.pem:/etc/ssl/root-ca.pem + - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem + - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + - alerts:/var/ossec/logs/alerts/ + + wazuh.indexer: + image: opensearchproject/opensearch:2.12.0 + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + - node.name=wazuh.indexer + - discovery.type=single-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + - compatibility.override_main_response_version=true + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + + logstash: + depends_on: + splunk: + condition: service_healthy + wazuh-certs-generator: + condition: service_completed_successfully + image: logstash-oss:8.6.2 + build: + dockerfile: ../elastic/Dockerfile + context: ../splunk + environment: + LOG_LEVEL: info + MONITORING_ENABLED: false + volumes: + - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline + - ./certs/root-ca.pem:/etc/ssl/root-ca.pem + - alerts:/var/ossec/logs/alerts/ + command: logstash -f /usr/share/logstash/pipeline/manager-to-splunk.conf + + # ================================================ + # Splunk + # ================================================ + + generator: + image: cfssl/cfssl + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + volumes: + - ./certs/:/certs/ + - ../splunk/cfssl/:/conf/ + entrypoint: /bin/bash + command: > + -c ' + cd /certs + cat /conf/host.json | \ + cfssl gencert \ + -ca root-ca.pem \ + -ca-key root-ca.key \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare splunk + openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key + rm splunk.csr + cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem + chown -R 1000:1000 /certs/splunk* + ' + + splunk: + image: splunk/splunk:9.0.4 + volumes: + - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key + - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem + - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem + - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf + - ../splunk/config/default.yml:/tmp/defaults/default.yml + depends_on: + generator: + condition: service_completed_successfully + ports: + - '8000:8000' + - '8088:8088' + environment: + SPLUNK_HEC_TOKEN: "abcd1234" + SPLUNK_HOSTNAME: splunk + SPLUNK_HTTP_ENABLESSL: 'true' + SPLUNK_PASSWORD: Password.1234 + SPLUNK_STANDALONE_URL: https://splunk:8080 + SPLUNK_START_ARGS: --accept-license + +volumes: + data: + es_certs: + alerts: \ No newline at end of file diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md index 203ea83457114..5e1bdbdccfb5b 100644 --- a/integrations/splunk/README.md +++ b/integrations/splunk/README.md @@ -13,14 +13,18 @@ This document describes how to prepare a Docker Compose environment to test the ```bash docker compose -f ./docker/splunk.yml up -d ``` +3. If you prefer, you can start the integration with the Wazuh Manager as data source: + ```bash + docker compose -f ./docker/manager-splunk.yml up -d + ``` The Docker Compose project will bring up the following services: - 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). - 1x Wazuh Indexer (OpenSearch). -- 1x Wazuh Dashboards (OpenSearch Dashboards). - 1x Logstash - 1x Splunk +- 1x Wazuh Manager (optional). For custom configurations, you may need to modify these files: @@ -28,12 +32,15 @@ For custom configurations, you may need to modify these files: - [docker/.env](../docker/.env): Environment variables file. - [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file. +If you opted to start the integration with the Wazuh Manager, you can modify the following files: +- [docker/manager-splunk.yml](../docker/manager-splunk.yml): Docker Compose file. +- [splunk/logstash/pipeline/manager-to-splunk.conf](./logstash/pipeline/manager-to-splunk.conf): Logstash Pipeline configuration file. + Check the files above for **credentials**, ports, and other configurations. | Service | Address | Credentials | | ---------------- | ---------------------- | ------------------- | | Wazuh Indexer | https://localhost:9200 | admin:admin | -| Wazuh Dashboards | https://localhost:5601 | admin:admin | | Splunk | https://localhost:8000 | admin:Password.1234 | ## Importing the dashboards diff --git a/integrations/splunk/logstash/pipeline/manager-to-splunk.conf b/integrations/splunk/logstash/pipeline/manager-to-splunk.conf new file mode 100644 index 0000000000000..8953866646b7a --- /dev/null +++ b/integrations/splunk/logstash/pipeline/manager-to-splunk.conf @@ -0,0 +1,24 @@ +input { + file { + id => "wazuh_alerts" + codec => "json" + start_position => "beginning" + stat_interval => "1 second" + path => "/var/ossec/logs/alerts/alerts.json" + mode => "tail" + ecs_compatibility => "disabled" + } +} + + +output { + http { + format => "json" + http_method => "post" + url => "https://splunk:8088/services/collector/raw" + headers => ["Authorization", "Splunk abcd1234"] + cacert => "/etc/ssl/root-ca.pem" + } + stdout{} +} +