Add Manager to OpenSearch integration (#267)

* Add Manager to OpenSearch integreation Also fixes small issues on other integrations * Add changes to README
wazuh · Jun 14, 2024 · f327a41 · f327a41
1 parent a80eed2
commit f327a41
Show file tree

Hide file tree

Showing 7 changed files with 220 additions and 17 deletions.
diff --git a/integrations/docker/elastic.yml b/integrations/docker/elastic.yml
@@ -5,15 +5,13 @@ services:
     image: wazuh/indexer-events-generator
     build:
       context: ../tools/events-generator
-    container_name: events-generator
     depends_on:
       wazuh.indexer:
         condition: service_healthy
     command: bash -c "python run.py -a wazuh.indexer"
 
   wazuh.indexer:
     image: opensearchproject/opensearch:2.12.0
-    container_name: wazuh.indexer
     depends_on:
       wazuh-certs-generator:
         condition: service_completed_successfully
@@ -54,7 +52,6 @@ services:
 
   wazuh.dashboard:
     image: opensearchproject/opensearch-dashboards:2.12.0
-    container_name: wazuh.dashboard
     depends_on:
       - wazuh.indexer
     hostname: wazuh.dashboard
@@ -68,7 +65,6 @@ services:
   wazuh-certs-generator:
     image: wazuh/wazuh-certs-generator:0.0.1
     hostname: wazuh-certs-generator
-    container_name: wazuh-certs-generator
     entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
     volumes:
       - ./certs/:/certificates/

diff --git a/integrations/docker/manager-elastic.yml b/integrations/docker/manager-elastic.yml
@@ -45,8 +45,6 @@ services:
       - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
       - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
       - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
-      - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline
-      - es_certs:/etc/certs/elastic
       - alerts:/var/ossec/logs/alerts/
 
   wazuh.indexer:

diff --git a/integrations/docker/manager-opensearch.yml b/integrations/docker/manager-opensearch.yml
@@ -0,0 +1,181 @@
+name: "manager-opensearch-integration"
+
+services:
+  events-generator:
+    image: wazuh/indexer-events-generator
+    build:
+      context: ../tools/events-generator
+    depends_on:
+      wazuh.indexer:
+        condition: service_healthy
+    command: bash -c "python run.py -o filebeat"
+    volumes:
+      - alerts:/var/ossec/logs/alerts/
+
+  wazuh.manager:
+    image: wazuh/wazuh-manager:${WAZUH_VERSION}
+    hostname: wazuh.manager
+    restart: always
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 655360
+        hard: 655360
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=admin
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+      - LOG_LEVEL=info
+      - MONITORING_ENABLED=false
+    volumes:
+      - ./certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+      - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+      - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+      - alerts:/var/ossec/logs/alerts/
+
+  wazuh.indexer:
+    image: opensearchproject/opensearch:2.12.0
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    hostname: wazuh.indexer
+    ports:
+      - 9200:9200
+    environment:
+      - node.name=wazuh.indexer
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - plugins.security.ssl.http.enabled=true
+      - plugins.security.allow_default_init_securityindex=true
+      - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+      - compatibility.override_main_response_version=true
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    healthcheck:
+      test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+      start_period: 10s
+      start_interval: 3s
+    volumes:
+      - data:/usr/share/opensearch/data
+      - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+      - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+  wazuh-certs-generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+    volumes:
+      - ./certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml
+
+  logstash:
+    depends_on:
+      opensearch.node:
+        condition: service_healthy
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    image: logstash-oss:8.6.2
+    build:
+      dockerfile: ../elastic/Dockerfile
+      context: ../opensearch
+    environment:
+      LOG_LEVEL: info
+      MONITORING_ENABLED: false
+    volumes:
+      - ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline
+      - ./certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - alerts:/var/ossec/logs/alerts/
+    command: logstash -f /usr/share/logstash/pipeline/manager-to-opensearch.conf
+
+  # ================================================
+  # OpenSearch and OpenSearch Dashboards
+  # ================================================
+
+  opensearch.node:
+    image: opensearchproject/opensearch:${OS_VERSION}
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    environment:
+      - cluster.name=opensearch-cluster
+      - node.name=opensearch.node
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+    volumes:
+      - ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+      - ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key
+      - ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    ports:
+      - 9201:9200
+      - 9600:9600
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'",
+        ]
+      interval: 1s
+      timeout: 5s
+      retries: 120
+
+  opensearch-dashboards:
+    image: opensearchproject/opensearch-dashboards:${OS_VERSION}
+    depends_on:
+      opensearch.node:
+        condition: service_healthy
+    ports:
+      - 5602:5601
+    expose:
+      - "5602"
+    volumes:
+      - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+      - ./certs/:/usr/share/opensearch-dashboards/config/certs/
+      - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key
+      - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem
+
+    environment:
+      - 'OPENSEARCH_HOSTS="https://opensearch.node:9200"'
+
+volumes:
+  data:
+  es_certs:
+  alerts:
diff --git a/integrations/docker/opensearch.yml b/integrations/docker/opensearch.yml
@@ -5,15 +5,13 @@ services:
     image: wazuh/indexer-events-generator
     build:
       context: ../tools/events-generator
-    container_name: events-generator
     depends_on:
       wazuh.indexer:
         condition: service_healthy
     command: bash -c "python run.py -a wazuh.indexer"
 
   wazuh.indexer:
     image: opensearchproject/opensearch:2.12.0
-    container_name: wazuh.indexer
     depends_on:
       wazuh-certs-generator:
         condition: service_completed_successfully
@@ -54,7 +52,6 @@ services:
 
   wazuh.dashboard:
     image: opensearchproject/opensearch-dashboards:2.12.0
-    container_name: wazuh.dashboard
     depends_on:
       - wazuh.indexer
     hostname: wazuh.dashboard
@@ -79,7 +76,6 @@ services:
   wazuh-certs-generator:
     image: wazuh/wazuh-certs-generator:0.0.1
     hostname: wazuh-certs-generator
-    container_name: wazuh-certs-generator
     entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
     volumes:
       - ./certs/:/certificates/
@@ -95,7 +91,6 @@ services:
     depends_on:
       wazuh-certs-generator:
         condition: service_completed_successfully
-    container_name: opensearch.node
     environment:
       - cluster.name=opensearch-cluster
       - node.name=opensearch.node
@@ -133,7 +128,6 @@ services:
     depends_on:
       opensearch.node:
         condition: service_healthy
-    container_name: opensearch-dashboards
     ports:
       - 5602:5601
     expose:
@@ -153,7 +147,6 @@ services:
     depends_on:
       opensearch.node:
         condition: service_healthy
-    container_name: logstash
     build:
       context: ../opensearch
     environment:

diff --git a/integrations/elastic/README.md b/integrations/elastic/README.md
@@ -22,7 +22,6 @@ The Docker Compose project will bring up the following services:
 
 - 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
 - 1x Wazuh Indexer (OpenSearch).
-- 1x Wazuh Dashboards (OpenSearch Dashboards).
 - 1x Logstash
 - 1x Elastic
 - 1x Kibana
@@ -43,7 +42,6 @@ Check the files above for **credentials**, ports, and other configurations.
 | Service          | Address                | Credentials     |
 | ---------------- | ---------------------- | --------------- |
 | Wazuh Indexer    | https://localhost:9200 | admin:admin     |
-| Wazuh Dashboards | https://localhost:5601 | admin:admin     |
 | Elastic          | https://localhost:9201 | elastic:elastic |
 | Kibana           | https://localhost:5602 | elastic:elastic |
 

diff --git a/integrations/opensearch/README.md b/integrations/opensearch/README.md
@@ -13,28 +13,35 @@ This document describes how to prepare a Docker Compose environment to test the
    ```bash
    docker compose -f ./docker/opensearch.yml up -d
    ```
+3. If you prefer, you can start the integration with the Wazuh Manager as data source:
+   ```bash
+   docker compose -f ./docker/manager-opensearch.yml up -d
+   ```
 
 The Docker Compose project will bring up the following services:
 
 - 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
 - 1x Wazuh Indexer (OpenSearch).
-- 1x Wazuh Dashboards (OpenSearch Dashboards).
 - 1x Logstash
 - 1x OpenSearch
 - 1x OpenSearch Dashboards
+- 1x Wazuh Manager (optional).
 
 For custom configurations, you may need to modify these files:
 
 - [docker/opensearch.yml](../docker/opensearch.yml): Docker Compose file.
 - [docker/.env](../docker/.env): Environment variables file.
 - [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file.
 
+If you opted to start the integration with the Wazuh Manager, you can modify the following files:
+- [docker/manager-opensearch.yml](../docker/manager-opensearch.yml): Docker Compose file.
+- [opensearch/logstash/pipeline/manager-to-opensearch.conf](./logstash/pipeline/manager-to-opensearch.conf): Logstash Pipeline configuration file.
+
 Check the files above for **credentials**, ports, and other configurations.
 
 | Service               | Address                | Credentials |
 | --------------------- | ---------------------- | ----------- |
 | Wazuh Indexer         | https://localhost:9200 | admin:admin |
-| Wazuh Dashboard       | https://localhost:5601 | admin:admin |
 | OpenSearch            | https://localhost:9201 | admin:admin |
 | OpenSearch Dashboards | https://localhost:5602 | admin:admin |
 

diff --git a/integrations/opensearch/logstash/pipeline/manager-to-opensearch.conf b/integrations/opensearch/logstash/pipeline/manager-to-opensearch.conf
@@ -0,0 +1,30 @@
+input {
+  file {
+    id => "wazuh_alerts"
+    codec => "json"
+    start_position => "beginning"
+    stat_interval => "1 second"
+    path => "/var/ossec/logs/alerts/alerts.json"
+    mode => "tail"
+    ecs_compatibility => "disabled"
+  }
+}
+
+output {
+  opensearch {
+    hosts => ["opensearch.node:9200"]
+    auth_type => {
+      type => 'basic'
+      user => 'admin'
+      password => 'admin'
+    }
+    index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+    ssl => true
+    cacert => "/etc/ssl/root-ca.pem"
+    template => '/usr/share/logstash/pipeline/os_template.json'
+    template_name => 'wazuh'
+    template_overwrite => true
+    legacy_template => false
+  }
+  stdout{}
+}