Skip to content

Commit

Permalink
Init. Amazon Security Lake integration (#143)
Browse files Browse the repository at this point in the history
* Init. Amazon Security Lake integration

Signed-off-by: Álex Ruiz <[email protected]>
  • Loading branch information
AlexRuiz7 committed Aug 20, 2024
1 parent 9766f14 commit 5b16e70
Show file tree
Hide file tree
Showing 2 changed files with 83 additions and 0 deletions.
49 changes: 49 additions & 0 deletions integrations/amazon-security-lake/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
### Amazon Security Lake integration - Logstash

Follow the [Wazuh indexer integration using Logstash](https://documentation.wazuh.com/current/integrations-guide/opensearch/index.html#wazuh-indexer-integration-using-logstash)
to install `Logstash` and the `logstash-input-opensearch` plugin.

> RPM: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html#_yum
```markdown

# Install plugins (logstash-output-s3 is already installed)
sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch

# Copy certificates
mkdir -p /etc/logstash/wi-certs/
cp /etc/wazuh-indexer/certs/root-ca.pem /etc/logstash/wi-certs/root-ca.pem
chown logstash:logstash /etc/logstash/wi-certs/root-ca.pem

# Configuring new indexes
SKIP

# Configuring a pipeline

# Keystore
## Prepare keystore
set +o history
echo 'LOGSTASH_KEYSTORE_PASS="123456"'| sudo tee /etc/sysconfig/logstash
export LOGSTASH_KEYSTORE_PASS=123456
set -o history
sudo chown root /etc/sysconfig/logstash
sudo chmod 600 /etc/sysconfig/logstash
sudo systemctl start logstash

## Create keystore
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create

## Store Wazuh indexer credentials (admin user)
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD

# Pipeline
sudo touch /etc/logstash/conf.d/wazuh-s3.conf
# Replace with cp /vagrant/wazuh-s3.conf /etc/logstash/conf.d/wazuh-s3.conf
sudo systemctl stop logstash
sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-s3.conf --path.settings /etc/logstash/
|- Success: `[INFO ][logstash.agent ] Pipelines running ...`

# Start Logstash
sudo systemctl enable logstash
sudo systemctl start logstash
```
34 changes: 34 additions & 0 deletions integrations/amazon-security-lake/wazuh-s3.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
input {
opensearch {
hosts => ["localhost:9200"]
user => "${WAZUH_INDEXER_USERNAME}"
password => "${WAZUH_INDEXER_PASSWORD}"
index => "wazuh-alerts-4.x-*"
ssl => true
ca_file => "/etc/logstash/wi-certs/root-ca.pem"
query => '{
"query": {
"range": {
"@timestamp": {
"gt": "now-1m"
}
}
}
}'
schedule => "* * * * *"
}
}

output {
stdout { codec => rubydebug }
s3 {
access_key_id => "<aws-access-key>"
secret_access_key => "<aws-secret-key>"
region => "<your-region>"
server_side_encryption => true
server_side_encryption_algorithm => "AES256"
bucket => "wazuh-indexer-amazon-security-lake-bucket"
canned_acl => "bucket-owner-full-control"
codec => "json"
}
}

0 comments on commit 5b16e70

Please sign in to comment.