Skip to content

Commit

Permalink
Add Manager to Splunk integration (#268)
Browse files Browse the repository at this point in the history
  • Loading branch information
AlexRuiz7 committed Jun 28, 2024
1 parent a472f66 commit 7db1b04
Show file tree
Hide file tree
Showing 3 changed files with 205 additions and 2 deletions.
172 changes: 172 additions & 0 deletions integrations/docker/manager-splunk.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
name: "manager-splunk-integration"

services:
events-generator:
image: wazuh/indexer-events-generator
build:
context: ../tools/events-generator
depends_on:
wazuh.indexer:
condition: service_healthy
command: bash -c "python run.py -o filebeat"
volumes:
- alerts:/var/ossec/logs/alerts/

wazuh.manager:
image: wazuh/wazuh-manager:${WAZUH_VERSION}
hostname: wazuh.manager
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
- LOG_LEVEL=info
- MONITORING_ENABLED=false
volumes:
- ./certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
- alerts:/var/ossec/logs/alerts/

wazuh.indexer:
image: opensearchproject/opensearch:2.12.0
depends_on:
wazuh-certs-generator:
condition: service_completed_successfully
hostname: wazuh.indexer
ports:
- 9200:9200
environment:
- node.name=wazuh.indexer
- discovery.type=single-node
- bootstrap.memory_lock=true
- "DISABLE_INSTALL_DEMO_CONFIG=true"
- plugins.security.ssl.http.enabled=true
- plugins.security.allow_default_init_securityindex=true
- plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
- plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
- plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
- plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
- plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
- plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
- plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
- compatibility.override_main_response_version=true
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
healthcheck:
test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
start_period: 10s
start_interval: 3s
volumes:
- data:/usr/share/opensearch/data
- ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
- ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
- ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem

wazuh-certs-generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
volumes:
- ./certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

logstash:
depends_on:
splunk:
condition: service_healthy
wazuh-certs-generator:
condition: service_completed_successfully
image: logstash-oss:8.6.2
build:
dockerfile: ../elastic/Dockerfile
context: ../splunk
environment:
LOG_LEVEL: info
MONITORING_ENABLED: false
volumes:
- ../splunk/logstash/pipeline:/usr/share/logstash/pipeline
- ./certs/root-ca.pem:/etc/ssl/root-ca.pem
- alerts:/var/ossec/logs/alerts/
command: logstash -f /usr/share/logstash/pipeline/manager-to-splunk.conf

# ================================================
# Splunk
# ================================================

generator:
image: cfssl/cfssl
depends_on:
wazuh-certs-generator:
condition: service_completed_successfully
volumes:
- ./certs/:/certs/
- ../splunk/cfssl/:/conf/
entrypoint: /bin/bash
command: >
-c '
cd /certs
cat /conf/host.json | \
cfssl gencert \
-ca root-ca.pem \
-ca-key root-ca.key \
-config /conf/cfssl.json \
-profile=server - | \
cfssljson -bare splunk
openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key
rm splunk.csr
cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem
chown -R 1000:1000 /certs/splunk*
'
splunk:
image: splunk/splunk:9.0.4
volumes:
- ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key
- ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem
- ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem
- ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
- ../splunk/config/default.yml:/tmp/defaults/default.yml
depends_on:
generator:
condition: service_completed_successfully
ports:
- '8000:8000'
- '8088:8088'
environment:
SPLUNK_HEC_TOKEN: "abcd1234"
SPLUNK_HOSTNAME: splunk
SPLUNK_HTTP_ENABLESSL: 'true'
SPLUNK_PASSWORD: Password.1234
SPLUNK_STANDALONE_URL: https://splunk:8080
SPLUNK_START_ARGS: --accept-license

volumes:
data:
es_certs:
alerts:
11 changes: 9 additions & 2 deletions integrations/splunk/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,27 +13,34 @@ This document describes how to prepare a Docker Compose environment to test the
```bash
docker compose -f ./docker/splunk.yml up -d
```
3. If you prefer, you can start the integration with the Wazuh Manager as data source:
```bash
docker compose -f ./docker/manager-splunk.yml up -d
```

The Docker Compose project will bring up the following services:

- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
- 1x Wazuh Indexer (OpenSearch).
- 1x Wazuh Dashboards (OpenSearch Dashboards).
- 1x Logstash
- 1x Splunk
- 1x Wazuh Manager (optional).

For custom configurations, you may need to modify these files:

- [docker/splunk.yml](../docker/splunk.yml): Docker Compose file.
- [docker/.env](../docker/.env): Environment variables file.
- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file.

If you opted to start the integration with the Wazuh Manager, you can modify the following files:
- [docker/manager-splunk.yml](../docker/manager-splunk.yml): Docker Compose file.
- [splunk/logstash/pipeline/manager-to-splunk.conf](./logstash/pipeline/manager-to-splunk.conf): Logstash Pipeline configuration file.

Check the files above for **credentials**, ports, and other configurations.

| Service | Address | Credentials |
| ---------------- | ---------------------- | ------------------- |
| Wazuh Indexer | https://localhost:9200 | admin:admin |
| Wazuh Dashboards | https://localhost:5601 | admin:admin |
| Splunk | https://localhost:8000 | admin:Password.1234 |

## Importing the dashboards
Expand Down
24 changes: 24 additions & 0 deletions integrations/splunk/logstash/pipeline/manager-to-splunk.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
input {
file {
id => "wazuh_alerts"
codec => "json"
start_position => "beginning"
stat_interval => "1 second"
path => "/var/ossec/logs/alerts/alerts.json"
mode => "tail"
ecs_compatibility => "disabled"
}
}


output {
http {
format => "json"
http_method => "post"
url => "https://splunk:8088/services/collector/raw"
headers => ["Authorization", "Splunk abcd1234"]
cacert => "/etc/ssl/root-ca.pem"
}
stdout{}
}

0 comments on commit 7db1b04

Please sign in to comment.