Add Splunk integration (#257)

* Add Splunk integration

Draft

* Fix certificate errors

* Add cfssl container to generate and sign splunk certs

* Add cfssl configuration fiels

* Update Splunk integration

---------

Signed-off-by: Álex Ruiz <[email protected]>
Co-authored-by: Fede Tux <[email protected]>

integrations/.gitignore

@@ -1,4 +1,2 @@
-splunk
-common
-config
+external
 docker/certs

integrations/docker/splunk.yml

@@ -0,0 +1,143 @@
+name: "splunk-integration"
+
+services:
+  events-generator:
+    image: wazuh/indexer-events-generator
+    build:
+      context: ../tools/events-generator
+    depends_on:
+      wazuh.indexer:
+        condition: service_healthy
+    command: bash -c "python run.py -a wazuh.indexer"
+
+  wazuh.indexer:
+    image: opensearchproject/opensearch:2.12.0
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    hostname: wazuh.indexer
+    ports:
+      - 9200:9200
+    environment:
+      - node.name=wazuh.indexer
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - plugins.security.ssl.http.enabled=true
+      - plugins.security.allow_default_init_securityindex=true
+      - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    healthcheck:
+      test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+      start_period: 10s
+      start_interval: 3s
+    volumes:
+      - data:/usr/share/opensearch/data
+      - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+      - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+  wazuh.dashboard:
+    image: opensearchproject/opensearch-dashboards:2.12.0
+    depends_on:
+      - wazuh.indexer
+    hostname: wazuh.dashboard
+    ports:
+      - 5601:5601 # Map host port 5601 to container port 5601
+    expose:
+      - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
+    environment:
+      OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
+
+  wazuh-certs-generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+    volumes:
+      - ./certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml
+
+
+  # =================================
+  # Splunk and Logstash
+  # =================================
+
+  generator:
+    image: cfssl/cfssl
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    volumes:
+      - ./certs/:/certs/
+      - ../splunk/cfssl/:/conf/
+    entrypoint: /bin/bash
+    command: >
+      -c '
+        cd /certs
+      	cat /conf/host.json | \
+      	cfssl gencert \
+      		-ca root-ca.pem \
+      		-ca-key root-ca.key \
+      		-config /conf/cfssl.json \
+      		-profile=server - | \
+      	cfssljson -bare splunk
+      	openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key
+        rm splunk.csr
+        cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem
+        chown -R 1000:1000 /certs/splunk*
+      '
+
+  splunk:
+    image: splunk/splunk:9.0.4
+    volumes:
+      - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key
+      - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem
+      - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem
+      - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
+      - ../splunk/config/default.yml:/tmp/defaults/default.yml
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+      generator:
+        condition: service_completed_successfully
+    ports:
+      - '8000:8000'
+      - '8088:8088'
+    environment:
+      SPLUNK_HEC_TOKEN: "abcd1234"
+      SPLUNK_HOSTNAME: splunk
+      SPLUNK_HTTP_ENABLESSL: 'true'
+      SPLUNK_PASSWORD: Password.1234
+      SPLUNK_STANDALONE_URL: https://splunk:8080
+      SPLUNK_START_ARGS: --accept-license
+
+  logstash:
+    depends_on:
+      splunk:
+        condition: service_healthy
+    image: logstash-oss:8.6.2
+    build:
+      context: ../splunk
+    environment:
+      LOG_LEVEL: info
+      MONITORING_ENABLED: false
+    volumes:
+      - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline
+      - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+    command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf
+
+volumes:
+  data:

integrations/splunk/README.md

@@ -0,0 +1,49 @@
+# Wazuh to Splunk Integration Developer Guide
+
+This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html).
+
+## Requirements
+
+- Docker and Docker Compose installed.
+
+## Usage
+
+1. Clone the Wazuh repository and navigate to the `integrations/` folder.
+2. Run the following command to start the environment:
+   ```bash
+   docker compose -f ./docker/splunk.yml up -d
+   ```
+
+The Docker Compose project will bring up the following services:
+
+- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
+- 1x Wazuh Indexer (OpenSearch).
+- 1x Wazuh Dashboards (OpenSearch Dashboards).
+- 1x Logstash
+- 1x Splunk
+
+For custom configurations, you may need to modify these files:
+
+- [docker/splunk.yml](../docker/splunk.yml): Docker Compose file.
+- [docker/.env](../docker/.env): Environment variables file.
+- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file.
+
+Check the files above for **credentials**, ports, and other configurations.
+
+| Service          | Address                | Credentials         |
+| ---------------- | ---------------------- | ------------------- |
+| Wazuh Indexer    | https://localhost:9200 | admin:admin         |
+| Wazuh Dashboards | https://localhost:5601 | admin:admin         |
+| Splunk           | https://localhost:8000 | admin:Password.1234 |
+
+## Importing the dashboards
+
+The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following:
+
+- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index. 
+- Open a dashboard file and copy all its content.
+- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`.
+- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`.
+- Repeat the steps for all the desired dashboards.
+
+Imported dashboards will appear under `Search & Reporting` > `Dashboards`.

integrations/splunk/cfssl/ca.json

@@ -0,0 +1,15 @@
+{
+  "CN": "Wazuh",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "L": "San Francisco",
+    "O": "Wazuh",
+    "OU": "Wazuh Root CA"
+  }
+ ]
+}

integrations/splunk/cfssl/cfssl.json

@@ -0,0 +1,58 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "intermediate_ca": {
+        "usages": [
+            "signing",
+            "digital signature",
+            "key encipherment",
+            "cert sign",
+            "crl sign",
+            "server auth",
+            "client auth"
+        ],
+        "expiry": "8760h",
+        "ca_constraint": {
+            "is_ca": true,
+            "max_path_len": 0, 
+            "max_path_len_zero": true
+        }
+      },
+      "peer": {
+        "usages": [
+            "signing",
+            "digital signature",
+            "key encipherment", 
+            "data encipherment",
+            "client auth",
+            "server auth"
+        ],
+        "expiry": "8760h"
+      },
+      "server": {
+        "usages": [
+          "signing",
+          "digital signing",
+          "key encipherment",
+          "data encipherment",
+          "server auth"
+        ],
+        "expiry": "8760h"
+      },
+      "client": {
+        "usages": [
+          "signing",
+          "digital signature",
+          "key encipherment", 
+          "data encipherment",
+          "client auth"
+        ],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+

integrations/splunk/cfssl/host.json

@@ -0,0 +1,19 @@
+{
+  "CN": "splunk",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "L": "California",
+    "O": "Wazuh",
+    "OU": "Wazuh"
+  }
+  ],
+  "hosts": [
+    "splunk",
+    "localhost"
+  ]
+}

integrations/splunk/config/default.yml

@@ -0,0 +1,25 @@
+splunk:
+  conf:
+    - key: web
+      value:
+        directory: /opt/splunk/etc/system/local
+        content:
+          settings:
+            enablesSplunkWebSSL: true
+            privKeyPath: /opt/splunk/etc/auth/custom/splunk.key
+            serverCert: /opt/splunk/etc/auth/custom/splunk.pem
+    - key: server
+      value:
+        directory: /opt/splunk/etc/system/local
+        content:
+          general:
+            serverName: splunk
+            pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw==
+          sslConfig:
+            serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem
+  hec:
+    enable: True
+    ssl: True
+    port: 8088
+    # hec.token is used only for ingestion (receiving Splunk events)
+    token: abcd1234

integrations/splunk/config/indexes.conf

@@ -0,0 +1,11 @@
+[default]
+[wazuh-alerts]
+coldPath = $SPLUNK_DB/wazuh/colddb
+enableDataIntegrityControl = 1
+enableTsidxReduction = 1
+homePath = $SPLUNK_DB/wazuh/db
+maxTotalDataSizeMB = 512000
+thawedPath = $SPLUNK_DB/wazuh/thaweddb
+timePeriodInSecBeforeTsidxReduction = 15552000
+tsidxReductionCheckPeriodInSec = 
+

integrations/splunk/logstash/pipeline/indexer-to-splunk.conf

@@ -0,0 +1,31 @@
+input {
+   opensearch {
+      hosts =>  ["wazuh.indexer:9200"]
+      user  =>  "${INDEXER_USERNAME}"
+      password  =>  "${INDEXER_PASSWORD}"
+      ssl => true
+      ca_file => "/usr/share/logstash/root-ca.pem"
+      index =>  "wazuh-alerts-4.x-*"
+      query =>  '{
+            "query": {
+               "range": {
+                  "@timestamp": {
+                     "gt": "now-1m"
+                  }
+               }
+            }
+      }'
+      schedule => "* * * * *"
+   }
+}
+
+
+output {
+  http {
+  	   format => "json"
+      http_method => "post"
+      url => "https://splunk:8088/services/collector/raw"
+      headers => ["Authorization", "Splunk abcd1234"]
+      cacert => "/usr/share/logstash/root-ca.pem"
+  }
+}

integrations/splunk/logstash/setup.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/bash
+
+# This script creates and configures a keystore for Logstash to store
+# indexer's credentials. NOTE: works only for dockerized logstash.
+#   Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
+
+# Create keystore
+/usr/share/logstash/bin/logstash-keystore create
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD