Add Manager to Elastic integration (#266)

* Init commit

[DRAFT] Adds a Compose environment

* Mount alerts as shared volume instead of file

* Update documentation and clean up files

---------

Co-authored-by: Fede Tux <[email protected]>

integrations/README.md

@@ -20,4 +20,8 @@ Refer to these documents for more information about this integration:
 
 ### Other integrations
 
-TBD
+We host development environments to support the following integrations:
+
+* [Splunk](./splunk/README.md).
+* [Elasticsearch](./elastic/README.md).
+* [OpenSearch](./opensearch/README.md).

integrations/docker/.env

@@ -24,3 +24,6 @@ MEM_LIMIT=1073741824
 
 # OpenSearch destination cluster version
 OS_VERSION=2.14.0
+
+# Wazuh version
+WAZUH_VERSION=4.7.5

integrations/docker/manager-elastic.yml

@@ -0,0 +1,245 @@
+name: "manager-elastic-integration"
+
+services:
+  events-generator:
+    image: wazuh/indexer-events-generator
+    build:
+      context: ../tools/events-generator
+    depends_on:
+      wazuh.indexer:
+        condition: service_healthy
+    command: bash -c "python run.py -o filebeat"
+    volumes:
+      - alerts:/var/ossec/logs/alerts/
+
+  wazuh.manager:
+    image: wazuh/wazuh-manager:${WAZUH_VERSION}
+    hostname: wazuh.manager
+    restart: always
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 655360
+        hard: 655360
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=admin
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+      - LOG_LEVEL=info
+      - MONITORING_ENABLED=false
+    volumes:
+      - ./certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+      - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+      - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+      - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline
+      - es_certs:/etc/certs/elastic
+      - alerts:/var/ossec/logs/alerts/
+
+  wazuh.indexer:
+    image: opensearchproject/opensearch:2.12.0
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    hostname: wazuh.indexer
+    ports:
+      - 9200:9200
+    environment:
+      - node.name=wazuh.indexer
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - plugins.security.ssl.http.enabled=true
+      - plugins.security.allow_default_init_securityindex=true
+      - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+      - compatibility.override_main_response_version=true
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    healthcheck:
+      test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+      start_period: 10s
+      start_interval: 3s
+    volumes:
+      - data:/usr/share/opensearch/data
+      - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+      - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+  wazuh-certs-generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+    volumes:
+      - ./certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml
+
+  logstash:
+    depends_on:
+      es01:
+        condition: service_healthy
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    image: logstash-oss:8.6.2
+    build:
+      context: ../elastic
+    environment:
+      LOG_LEVEL: info
+      MONITORING_ENABLED: false
+    volumes:
+      - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline
+      - es_certs:/usr/share/logstash/es_certs
+      - alerts:/var/ossec/logs/alerts/
+    command: logstash -f /usr/share/logstash/pipeline/manager-to-elastic.conf
+
+
+
+  # =================================
+  # Elasticsearch and Kibana
+  # =================================
+  # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html
+
+  setup:
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    volumes:
+      - es_certs:/usr/share/elasticsearch/config/certs
+    user: '0'
+    command: >
+      bash -c '
+        if [ x${ELASTIC_PASSWORD} == x ]; then
+          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
+          exit 1;
+        elif [ x${KIBANA_PASSWORD} == x ]; then
+          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
+          exit 1;
+        fi;
+        if [ ! -f config/certs/ca.zip ]; then
+          echo "Creating CA";
+          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
+          unzip config/certs/ca.zip -d config/certs;
+        fi;
+        if [ ! -f config/certs/certs.zip ]; then
+          echo "Creating certs";
+          echo -ne \
+          "instances:\n"\
+          "  - name: es01\n"\
+          "    dns:\n"\
+          "      - es01\n"\
+          "      - localhost\n"\
+          "    ip:\n"\
+          "      - 127.0.0.1\n"\
+          > config/certs/instances.yml;
+          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
+          unzip config/certs/certs.zip -d config/certs;
+        fi;
+        echo "Setting file permissions"
+        chown -R 1000:1000 config/certs;
+        find . -type d -exec chmod 750 \{\} \;;
+        find . -type f -exec chmod 640 \{\} \;;
+        echo "Waiting for Elasticsearch availability";
+        until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
+        echo "Setting kibana_system password";
+        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
+        echo "All done!";
+      '
+    healthcheck:
+      test: ['CMD-SHELL', '[ -f config/certs/es01/es01.crt ]']
+      interval: 1s
+      timeout: 5s
+      retries: 120
+
+  es01:
+    depends_on:
+      setup:
+        condition: service_healthy
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    volumes:
+      - es_certs:/usr/share/elasticsearch/config/certs
+    ports:
+      - ${ES_PORT}:9200
+    environment:
+      - node.name=es01
+      - cluster.name=${CLUSTER_NAME}
+      - cluster.initial_master_nodes=es01
+      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
+      - bootstrap.memory_lock=true
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=certs/es01/es01.key
+      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
+      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.key=certs/es01/es01.key
+      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
+      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.license.self_generated.type=${LICENSE}
+    mem_limit: ${MEM_LIMIT}
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    healthcheck:
+      test:
+        [
+          'CMD-SHELL',
+          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+  kibana:
+    depends_on:
+      es01:
+        condition: service_healthy
+    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
+    volumes:
+      - es_certs:/usr/share/kibana/config/certs
+    ports:
+      - ${KIBANA_PORT}:5601
+    environment:
+      - SERVERNAME=kibana
+      - ELASTICSEARCH_HOSTS=https://es01:9200
+      - ELASTICSEARCH_USERNAME=kibana_system
+      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
+    mem_limit: ${MEM_LIMIT}
+    healthcheck:
+      test:
+        [
+          'CMD-SHELL',
+          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+volumes:
+  data:
+  es_certs:
+  alerts:

integrations/elastic/README.md

@@ -13,6 +13,10 @@ This document describes how to prepare a Docker Compose environment to test the
    ```bash
    docker compose -f ./docker/elastic.yml up -d
    ```
+3. If you prefer, you can start the integration with the Wazuh Manager as data source:
+   ```bash
+   docker compose -f ./docker/manager-elastic.yml up -d
+   ```
 
 The Docker Compose project will bring up the following services:
 
@@ -22,13 +26,18 @@ The Docker Compose project will bring up the following services:
 - 1x Logstash
 - 1x Elastic
 - 1x Kibana
+- 1x Wazuh Manager (optional).
 
 For custom configurations, you may need to modify these files:
 
 - [docker/elastic.yml](../docker/elastic.yml): Docker Compose file.
 - [docker/.env](../docker/.env): Environment variables file.
 - [elastic/logstash/pipeline/indexer-to-elastic.conf](./logstash/pipeline/indexer-to-elastic.conf): Logstash Pipeline configuration file.
 
+If you opted to start the integration with the Wazuh Manager, you can modify the following files:
+- [docker/manager-elastic.yml](../docker/manager-elastic.yml): Docker Compose file.
+- [elastic/logstash/pipeline/manager-to-elastic.conf](./logstash/pipeline/manager-to-elastic.conf): Logstash Pipeline configuration file.
+
 Check the files above for **credentials**, ports, and other configurations.
 
 | Service          | Address                | Credentials     |

integrations/elastic/logstash/pipeline/manager-to-elastic.conf

@@ -0,0 +1,26 @@
+input {
+  file {
+      id => "wazuh_alerts"
+      codec => "json"
+      start_position => "beginning"
+      stat_interval => "1 second"
+      path => "/var/ossec/logs/alerts/alerts.json"
+      mode => "tail"
+      ecs_compatibility => "disabled"
+  }
+}
+
+output {
+	elasticsearch {
+      hosts => "es01:9200"
+      index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+      user => "elastic"
+      password => "elastic"
+      ssl => true
+      cacert => '/usr/share/logstash/es_certs/ca/ca.crt'
+      template => '/usr/share/logstash/pipeline/es_template.json'
+      template_name => 'wazuh'
+      template_overwrite => true
+  }
+  stdout{}
+}