Skip to content

Commit

Permalink
Add Splunk integration (#257)
Browse files Browse the repository at this point in the history
* Add Splunk integration

Draft

* Fix certificate errors

* Add cfssl container to generate and sign splunk certs

* Add cfssl configuration fiels

* Update Splunk integration

---------

Signed-off-by: Álex Ruiz <[email protected]>
Co-authored-by: Fede Tux <[email protected]>
  • Loading branch information
AlexRuiz7 and f-galland committed Jun 28, 2024
1 parent 9f378ce commit 46516aa
Show file tree
Hide file tree
Showing 17 changed files with 1,592 additions and 3 deletions.
4 changes: 1 addition & 3 deletions integrations/.gitignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,2 @@
splunk
common
config
external
docker/certs
143 changes: 143 additions & 0 deletions integrations/docker/splunk.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
name: "splunk-integration"

services:
events-generator:
image: wazuh/indexer-events-generator
build:
context: ../tools/events-generator
depends_on:
wazuh.indexer:
condition: service_healthy
command: bash -c "python run.py -a wazuh.indexer"

wazuh.indexer:
image: opensearchproject/opensearch:2.12.0
depends_on:
wazuh-certs-generator:
condition: service_completed_successfully
hostname: wazuh.indexer
ports:
- 9200:9200
environment:
- node.name=wazuh.indexer
- discovery.type=single-node
- bootstrap.memory_lock=true
- "DISABLE_INSTALL_DEMO_CONFIG=true"
- plugins.security.ssl.http.enabled=true
- plugins.security.allow_default_init_securityindex=true
- plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
- plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
- plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
- plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
- plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
- plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
- plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
healthcheck:
test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
start_period: 10s
start_interval: 3s
volumes:
- data:/usr/share/opensearch/data
- ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
- ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
- ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem

wazuh.dashboard:
image: opensearchproject/opensearch-dashboards:2.12.0
depends_on:
- wazuh.indexer
hostname: wazuh.dashboard
ports:
- 5601:5601 # Map host port 5601 to container port 5601
expose:
- "5601" # Expose port 5601 for web access to OpenSearch Dashboards
environment:
OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query

wazuh-certs-generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
volumes:
- ./certs/:/certificates/
- ./config/certs.yml:/config/certs.yml


# =================================
# Splunk and Logstash
# =================================

generator:
image: cfssl/cfssl
depends_on:
wazuh-certs-generator:
condition: service_completed_successfully
volumes:
- ./certs/:/certs/
- ../splunk/cfssl/:/conf/
entrypoint: /bin/bash
command: >
-c '
cd /certs
cat /conf/host.json | \
cfssl gencert \
-ca root-ca.pem \
-ca-key root-ca.key \
-config /conf/cfssl.json \
-profile=server - | \
cfssljson -bare splunk
openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key
rm splunk.csr
cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem
chown -R 1000:1000 /certs/splunk*
'
splunk:
image: splunk/splunk:9.0.4
volumes:
- ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key
- ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem
- ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem
- ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
- ../splunk/config/default.yml:/tmp/defaults/default.yml
depends_on:
wazuh-certs-generator:
condition: service_completed_successfully
generator:
condition: service_completed_successfully
ports:
- '8000:8000'
- '8088:8088'
environment:
SPLUNK_HEC_TOKEN: "abcd1234"
SPLUNK_HOSTNAME: splunk
SPLUNK_HTTP_ENABLESSL: 'true'
SPLUNK_PASSWORD: Password.1234
SPLUNK_STANDALONE_URL: https://splunk:8080
SPLUNK_START_ARGS: --accept-license

logstash:
depends_on:
splunk:
condition: service_healthy
image: logstash-oss:8.6.2
build:
context: ../splunk
environment:
LOG_LEVEL: info
MONITORING_ENABLED: false
volumes:
- ../splunk/logstash/pipeline:/usr/share/logstash/pipeline
- ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf

volumes:
data:
49 changes: 49 additions & 0 deletions integrations/splunk/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Wazuh to Splunk Integration Developer Guide

This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html).

## Requirements

- Docker and Docker Compose installed.

## Usage

1. Clone the Wazuh repository and navigate to the `integrations/` folder.
2. Run the following command to start the environment:
```bash
docker compose -f ./docker/splunk.yml up -d
```

The Docker Compose project will bring up the following services:

- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
- 1x Wazuh Indexer (OpenSearch).
- 1x Wazuh Dashboards (OpenSearch Dashboards).
- 1x Logstash
- 1x Splunk

For custom configurations, you may need to modify these files:

- [docker/splunk.yml](../docker/splunk.yml): Docker Compose file.
- [docker/.env](../docker/.env): Environment variables file.
- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file.

Check the files above for **credentials**, ports, and other configurations.

| Service | Address | Credentials |
| ---------------- | ---------------------- | ------------------- |
| Wazuh Indexer | https://localhost:9200 | admin:admin |
| Wazuh Dashboards | https://localhost:5601 | admin:admin |
| Splunk | https://localhost:8000 | admin:Password.1234 |

## Importing the dashboards

The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following:

- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index.
- Open a dashboard file and copy all its content.
- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`.
- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`.
- Repeat the steps for all the desired dashboards.

Imported dashboards will appear under `Search & Reporting` > `Dashboards`.
15 changes: 15 additions & 0 deletions integrations/splunk/cfssl/ca.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"CN": "Wazuh",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Wazuh",
"OU": "Wazuh Root CA"
}
]
}
58 changes: 58 additions & 0 deletions integrations/splunk/cfssl/cfssl.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"intermediate_ca": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign",
"server auth",
"client auth"
],
"expiry": "8760h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0,
"max_path_len_zero": true
}
},
"peer": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"data encipherment",
"client auth",
"server auth"
],
"expiry": "8760h"
},
"server": {
"usages": [
"signing",
"digital signing",
"key encipherment",
"data encipherment",
"server auth"
],
"expiry": "8760h"
},
"client": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"data encipherment",
"client auth"
],
"expiry": "8760h"
}
}
}
}

19 changes: 19 additions & 0 deletions integrations/splunk/cfssl/host.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"CN": "splunk",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "California",
"O": "Wazuh",
"OU": "Wazuh"
}
],
"hosts": [
"splunk",
"localhost"
]
}
25 changes: 25 additions & 0 deletions integrations/splunk/config/default.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
splunk:
conf:
- key: web
value:
directory: /opt/splunk/etc/system/local
content:
settings:
enablesSplunkWebSSL: true
privKeyPath: /opt/splunk/etc/auth/custom/splunk.key
serverCert: /opt/splunk/etc/auth/custom/splunk.pem
- key: server
value:
directory: /opt/splunk/etc/system/local
content:
general:
serverName: splunk
pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw==
sslConfig:
serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem
hec:
enable: True
ssl: True
port: 8088
# hec.token is used only for ingestion (receiving Splunk events)
token: abcd1234
11 changes: 11 additions & 0 deletions integrations/splunk/config/indexes.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
[default]
[wazuh-alerts]
coldPath = $SPLUNK_DB/wazuh/colddb
enableDataIntegrityControl = 1
enableTsidxReduction = 1
homePath = $SPLUNK_DB/wazuh/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wazuh/thaweddb
timePeriodInSecBeforeTsidxReduction = 15552000
tsidxReductionCheckPeriodInSec =

31 changes: 31 additions & 0 deletions integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
input {
opensearch {
hosts => ["wazuh.indexer:9200"]
user => "${INDEXER_USERNAME}"
password => "${INDEXER_PASSWORD}"
ssl => true
ca_file => "/usr/share/logstash/root-ca.pem"
index => "wazuh-alerts-4.x-*"
query => '{
"query": {
"range": {
"@timestamp": {
"gt": "now-1m"
}
}
}
}'
schedule => "* * * * *"
}
}


output {
http {
format => "json"
http_method => "post"
url => "https://splunk:8088/services/collector/raw"
headers => ["Authorization", "Splunk abcd1234"]
cacert => "/usr/share/logstash/root-ca.pem"
}
}
10 changes: 10 additions & 0 deletions integrations/splunk/logstash/setup.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#!/usr/bin/bash

# This script creates and configures a keystore for Logstash to store
# indexer's credentials. NOTE: works only for dockerized logstash.
# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html

# Create keystore
/usr/share/logstash/bin/logstash-keystore create
echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
Loading

0 comments on commit 46516aa

Please sign in to comment.