From 5b16e700371d92b4b85984ff8535ef19c6c7efe8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz?=
Date: Wed, 31 Jan 2024 13:14:44 +0100
Subject: [PATCH] Init. Amazon Security Lake integration (#143)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Init. Amazon Security Lake integration

Signed-off-by: Álex Ruiz
---
 integrations/amazon-security-lake/README.md | 49 +++++++++++++++++++
 .../amazon-security-lake/wazuh-s3.conf | 34 +++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 integrations/amazon-security-lake/README.md
 create mode 100644 integrations/amazon-security-lake/wazuh-s3.conf

diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md
new file mode 100644
index 0000000000000..46eee1b92a4b0
--- /dev/null
+++ b/integrations/amazon-security-lake/README.md
@@ -0,0 +1,49 @@
+### Amazon Security Lake integration - Logstash
+
+Follow the [Wazuh indexer integration using Logstash](https://documentation.wazuh.com/current/integrations-guide/opensearch/index.html#wazuh-indexer-integration-using-logstash)
+to install `Logstash` and the `logstash-input-opensearch` plugin.
+
+> RPM: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html#_yum
+```markdown
+
+# Install plugins (logstash-output-s3 is already installed)
+sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
+
+# Copy certificates
+mkdir -p /etc/logstash/wi-certs/
+cp /etc/wazuh-indexer/certs/root-ca.pem /etc/logstash/wi-certs/root-ca.pem
+chown logstash:logstash /etc/logstash/wi-certs/root-ca.pem
+
+# Configuring new indexes
+SKIP
+
+# Configuring a pipeline
+
+# Keystore
+## Prepare keystore
+set +o history
+echo 'LOGSTASH_KEYSTORE_PASS="123456"'| sudo tee /etc/sysconfig/logstash
+export LOGSTASH_KEYSTORE_PASS=123456
+set -o history
+sudo chown root /etc/sysconfig/logstash
+sudo chmod 600 /etc/sysconfig/logstash
+sudo systemctl start logstash
+
+## Create keystore
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
+
+## Store Wazuh indexer credentials (admin user)
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD
+
+# Pipeline
+sudo touch /etc/logstash/conf.d/wazuh-s3.conf
+# Replace with cp /vagrant/wazuh-s3.conf /etc/logstash/conf.d/wazuh-s3.conf
+sudo systemctl stop logstash
+sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-s3.conf --path.settings /etc/logstash/
+ |- Success: `[INFO ][logstash.agent ] Pipelines running ...`
+
+# Start Logstash
+sudo systemctl enable logstash
+sudo systemctl start logstash
+```
\ No newline at end of file
diff --git a/integrations/amazon-security-lake/wazuh-s3.conf b/integrations/amazon-security-lake/wazuh-s3.conf
new file mode 100644
index 0000000000000..108423afd3193
--- /dev/null
+++ b/integrations/amazon-security-lake/wazuh-s3.conf
@@ -0,0 +1,34 @@
+input {
+ opensearch {
+ hosts => ["localhost:9200"]
+ user => "${WAZUH_INDEXER_USERNAME}"
+ password => "${WAZUH_INDEXER_PASSWORD}"
+ index => "wazuh-alerts-4.x-*"
+ ssl => true
+ ca_file => "/etc/logstash/wi-certs/root-ca.pem"
+ query => '{
+ "query": {
+ "range": {
+ "@timestamp": {
+ "gt": "now-1m"
+ }
+ }
+ }
+ }'
+ schedule => "* * * * *"
+ }
+}
+
+output {
+ stdout { codec => rubydebug }
+ s3 {
+ access_key_id => ""
+ secret_access_key => ""
+ region => ""
+ server_side_encryption => true
+ server_side_encryption_algorithm => "AES256"
+ bucket => "wazuh-indexer-amazon-security-lake-bucket"
+ canned_acl => "bucket-owner-full-control"
+ codec => "json"
+ }
+}
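Review bot: The `access_key_id => ""` and `secret_access_key => ""` entries in the s3 output block are literal placeholders that invite operators to paste AWS keys in plaintext into a file that sits in `/etc/logstash/conf.d/`, while the opensearch input in the same file already reads its credentials from the Logstash keystore; the s3 block should follow the same pattern, `access_key_id => "${AWS_ACCESS_KEY_ID}"` and `secret_access_key => "${AWS_SECRET_ACCESS_KEY}"`, or leave both out so the plugin falls back to an instance role / the default AWS credential chain, if the plugin version in use supports that. `region => ""` is likewise left empty, and an empty region is presumably rejected at pipeline start rather than defaulted, so a comment naming the expected value (the Security Lake region) would save a failed first run. `stdout { codec => rubydebug }` copies every alert into Logstash's own log, which duplicates alert content into a second location on disk; it is fine while testing but should be removed or commented out for the deployed pipeline. Lastly, the `"gt": "now-1m"` window paired with a per-minute `schedule` can skip alerts when a run is late or the indexer lags, and re-send them when it runs early, which is worth a comment or a wider window with deduplication downstream.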