From 06441c5f1782490d345d68225abd74af5a18f78a Mon Sep 17 00:00:00 2001 From: zenidd Date: Tue, 6 Oct 2020 12:43:12 +0200 Subject: [PATCH 01/17] Update directory structure --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 257d15cc..5eaa6b17 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,14 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ ├── elastic-stack │ │ │ ├── ansible-elasticsearch │ │ │ ├── ansible-kibana - │ │ + │ │ + │ │ ├── opendistro + │ │ │ ├── opendistro-elasticsearch + │ │ │ ├── opendistro-kibana + │ │ │ │ ├── wazuh │ │ │ ├── ansible-filebeat + │ │ │ ├── ansible-filebeat-oss │ │ │ ├── ansible-wazuh-manager │ │ │ ├── ansible-wazuh-agent │ │ @@ -35,6 +40,9 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ ├── wazuh-elastic_stack-single.yml │ │ ├── wazuh-kibana.yml │ │ ├── wazuh-manager.yml + │ │ ├── wazuh-manager-oss.yml + │ │ ├── wazuh-opendistro.yml + │ │ ├── wazuh-opendistro-kibana.yml │ │ ├── README.md │ ├── VERSION From 898e7ad3b87c35b6ffa0fa2bc68a4577e5029610 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 9 Oct 2020 18:44:32 +0200 Subject: [PATCH 02/17] Update README.md --- README.md | 291 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 291 insertions(+) diff --git a/README.md b/README.md index 5eaa6b17..f591ca1a 100644 --- a/README.md +++ b/README.md 
@@ -48,6 +48,297 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ ├── VERSION │ ├── CHANGELOG.md +## Example custom deploy: Wazuh cluster, ODFE cluster, Kibana + +### Playbook +The hereunder example playbook deploys a complete Wazuh distributed architecture with two Wazuh nodes (master+worker), 3 ODFE nodes and a mixed ODFE and Kibana node. + +```yaml +--- +# Certificates generation + - hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + perform_installation: false + become: yes + become_user: root + vars: + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + elasticsearch_node_master: true + elasticsearch_cluster_name: wazuh + opendistro_version: 1.10.1 + opendistro_admin_password: T3stP4ssw0rd + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + tags: + - generate-certs + +#ODFE Cluster + - hosts: odfe_cluster + strategy: free + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + become: yes + become_user: root + vars: + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + elasticsearch_node_master: true + elasticsearch_cluster_name: wazuh + opendistro_version: 1.10.1 + opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user_role: admin + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + +#Wazuh cluster + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-4 + become: yes + become_user: root + vars: + ansible_ssh_user: "centos" + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_manager_version: 3.13.2 + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + port: "55000" + https: 'yes' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'master' + node_type: 'master' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + filebeat_version: 7.9.1 + filebeat_security: true + elasticsearch_security_user: wazuh + elasticsearch_security_password: T3stP4ssw0rd + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + - hosts: worker + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-5 + become: yes + become_user: root + vars: + wazuh_manager_config: + authd: + enable: false + port: 1515 + use_source_ip: 'no' + force_insert: 'yes' + force_time: 0 + purge: 'yes' + use_password: 'no' + limit_maxagents: 'yes' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' + ssl_agent_ca: null + ssl_verify_host: 'no' + ssl_manager_cert: 'sslmanager.cert' + ssl_manager_key: 'sslmanager.key' + ssl_auto_negotiate: 'no' + connection: + - type: 
'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + port: "55000" + https: 'yes' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_manager_version: 3.13.2 + filebeat_version: 7.9.1 + filebeat_security: true + elasticsearch_security_user: wazuh + elasticsearch_security_password: T3stP4ssw0rd + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + +#ODFE+Kibana node + - hosts: kibana + roles: + - role: "../roles/opendistro/opendistro-elasticsearch" + - role: "../roles/opendistro/opendistro-kibana" + become: yes + become_user: root + vars: + elasticsearch_jvm_xms: 2560 + elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" + elasticsearch_node_name: node-6 + opendistro_kibana_user: wazuh + opendistro_kibana_password: T3stP4ssw0rd + elasticsearch_node_master: false + elasticsearch_node_ingest: false + elasticsearch_node_data: false + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + kibana_node_name: node-6 + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_version: 3.13.2 + elastic_stack_version: 7.9.1 + opendistro_version: 1.10.1 + kibana_opendistro_version: -1.10.1-1 + elasticsearch_cluster_name: wazuh + kibana_opendistro_security: true + 
opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user: wazuh + opendistro_custom_user_role: admin + node_options: "--max-old-space-size=2048" + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + user: foo + password: bar + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" +``` + + +### Example inventory file + + +```ini +es1 ansible_host= private_ip= elasticsearch_node_name=node-1 +es2 ansible_host= private_ip= elasticsearch_node_name=node-2 +es3 ansible_host= private_ip= elasticsearch_node_name=node-3 opendistro_custom_user=wazuh +kibana ansible_host= private_ip= +manager ansible_host= private_ip= +worker ansible_host= private_ip= + + +[odfe_cluster] +es1 +es2 +es3 +[wui] +kibana +[managers] +manager +worker +``` + ## Branches From 5e09f85c21b7ebf06fa3413642794d004f896995 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 9 Oct 2020 18:44:54 +0200 Subject: [PATCH 03/17] Example ODFE-production-ready playbook --- playbooks/wazuh-odfe-production-ready.yml | 259 ++++++++++++++++++++++ 1 file changed, 259 insertions(+) create mode 100644 playbooks/wazuh-odfe-production-ready.yml diff --git a/playbooks/wazuh-odfe-production-ready.yml b/playbooks/wazuh-odfe-production-ready.yml new file mode 100644 index 00000000..588e3187 --- /dev/null +++ b/playbooks/wazuh-odfe-production-ready.yml 
@@ -0,0 +1,259 @@ +--- + # Certificates generation + - hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + perform_installation: false + become: yes + become_user: root + vars: + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + elasticsearch_node_master: true + elasticsearch_cluster_name: wazuh + opendistro_version: 1.10.1 + opendistro_admin_password: T3stP4ssw0rd + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + tags: + - generate-certs + + #ODFE Cluster + - hosts: odfe_cluster + strategy: free + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + become: yes + become_user: root + vars: + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + elasticsearch_node_master: true + elasticsearch_cluster_name: wazuh + opendistro_version: 1.10.1 + opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user_role: admin + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + + #Wazuh cluster + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-4 + become: yes + become_user: root + vars: + ansible_ssh_user: "centos" + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_manager_version: 3.13.2 + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + port: "55000" + https: 'yes' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'master' + node_type: 'master' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + filebeat_version: 7.9.1 + filebeat_security: true + elasticsearch_security_user: wazuh + elasticsearch_security_password: T3stP4ssw0rd + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + - hosts: worker + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-5 + become: yes + become_user: root + vars: + wazuh_manager_config: + authd: + enable: false + port: 1515 + use_source_ip: 'no' + force_insert: 'yes' + force_time: 0 + purge: 'yes' + use_password: 'no' + limit_maxagents: 'yes' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' + ssl_agent_ca: null + ssl_verify_host: 'no' + ssl_manager_cert: 'sslmanager.cert' + ssl_manager_key: 'sslmanager.key' + ssl_auto_negotiate: 'no' + connection: + - type: 
'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + port: "55000" + https: 'yes' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_manager_version: 3.13.2 + filebeat_version: 7.9.1 + filebeat_security: true + elasticsearch_security_user: wazuh + elasticsearch_security_password: T3stP4ssw0rd + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + #ODFE+Kibana node + - hosts: kibana + roles: + - role: "../roles/opendistro/opendistro-elasticsearch" + - role: "../roles/opendistro/opendistro-kibana" + become: yes + become_user: root + vars: + elasticsearch_jvm_xms: 2560 + elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" + elasticsearch_node_name: node-6 + opendistro_kibana_user: wazuh + opendistro_kibana_password: T3stP4ssw0rd + elasticsearch_node_master: false + elasticsearch_node_ingest: false + elasticsearch_node_data: false + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + kibana_node_name: node-6 + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_version: 3.13.2 + elastic_stack_version: 7.9.1 + opendistro_version: 1.10.1 + kibana_opendistro_version: -1.10.1-1 + elasticsearch_cluster_name: wazuh + kibana_opendistro_security: true 
+ opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user: wazuh + opendistro_custom_user_role: admin + node_options: "--max-old-space-size=2048" + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + user: foo + password: bar + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" \ No newline at end of file From 25b2a8a946ae69f5111f17a6b8c0455ffa3b76fb Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 16:44:54 +0200 Subject: [PATCH 04/17] Updat README --- README.md | 491 +++++++++++++++++++++++------------------------------- 1 file changed, 207 insertions(+), 284 deletions(-) diff --git a/README.md b/README.md index f591ca1a..b6755343 100644 --- a/README.md +++ b/README.md 
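Review bot: Every play in the new playbooks/wazuh-odfe-production-ready.yml carries a developer-specific SSH setup and real-looking secrets in `vars`: `ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem`, `ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'`, `opendistro_admin_password: T3stP4ssw0rd`, the cluster `key: 'c98b62a9b6169ac5f67dae55ae4a9088'` and `wazuh_api_credentials` with `user: foo` / `password: bar`. The connection settings belong in the inventory (`[all:vars]`) and the passwords and cluster key in an Ansible Vault-encrypted group_vars file, referenced as e.g. `opendistro_admin_password: "{{ vault_opendistro_admin_password }}"`, so the playbook can be committed and shared without leaking credentials or forcing a rotation once they sit in git history. Disabling StrictHostKeyChecking switches off host-key verification for every run, which a production-ready playbook should not do by default; leave that to the operator's ssh config or inventory. Smaller points: `become: yes` should be `become: true` (yamllint `truthy`), and the file ends with `\ No newline at end of file`.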
@@ -48,18 +48,63 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ ├── VERSION │ ├── CHANGELOG.md -## Example custom deploy: Wazuh cluster, ODFE cluster, Kibana + +## Example: production-ready distributed environment ### Playbook -The hereunder example playbook deploys a complete Wazuh distributed architecture with two Wazuh nodes (master+worker), 3 ODFE nodes and a mixed ODFE and Kibana node. +The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 ODFE nodes and a mixed ODFE-Kibana node. ```yaml --- # Certificates generation - - hosts: es1 - roles: - - role: ../roles/opendistro/opendistro-elasticsearch - elasticsearch_network_host: "{{ private_ip }}" + - hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + perform_installation: false + become: yes + become_user: root + vars: + elasticsearch_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + tags: + - generate-certs + +#ODFE Cluster + - hosts: odfe_cluster + strategy: free + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + become: yes + become_user: root + vars: elasticsearch_cluster_nodes: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" 
@@ -68,305 +113,183 @@ The hereunder example playbook deploys a complete Wazuh distributed architecture - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" - perform_installation: false - become: yes - become_user: root - vars: - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. - node2: - name: node-2 - ip: "{{ hostvars.es2.private_ip }}" - node3: - name: node-3 - ip: "{{ hostvars.es3.private_ip }}" - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - node6: - name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" - tags: - - generate-certs + elasticsearch_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" -#ODFE Cluster - - hosts: odfe_cluster - strategy: free - roles: - - role: ../roles/opendistro/opendistro-elasticsearch - elasticsearch_network_host: "{{ private_ip }}" - become: yes - become_user: root - vars: - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user_role: admin - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
- node2: - name: node-2 - ip: "{{ hostvars.es2.private_ip }}" - node3: - name: node-3 - ip: "{{ hostvars.es3.private_ip }}" - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - node6: - name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" - -#Wazuh cluster - - hosts: manager - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - filebeat_node_name: node-4 - become: yes - become_user: root - vars: - ansible_ssh_user: "centos" - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 - wazuh_manager_config: + #Wazuh cluster + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-4 + become: yes + become_user: root + vars: + wazuh_manager_config: connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 api: - port: "55000" - https: 'yes' + https: 'yes' cluster: - disable: 'no' - name: 'wazuh' - node_name: 'master' - node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - '"{{ hostvars.manager.private_ip }}"' - hidden: 'no' - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd - filebeat_output_elasticsearch_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - - - hosts: worker - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - filebeat_node_name: node-5 - become: yes - become_user: root - vars: - wazuh_manager_config: - authd: - enable: false - port: 1515 - use_source_ip: 'no' - force_insert: 
'yes' - force_time: 0 - purge: 'yes' - use_password: 'no' - limit_maxagents: 'yes' - ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' - ssl_agent_ca: null - ssl_verify_host: 'no' - ssl_manager_cert: 'sslmanager.cert' - ssl_manager_key: 'sslmanager.key' - ssl_auto_negotiate: 'no' - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - port: "55000" - https: 'yes' - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'worker_01' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - '"{{ hostvars.manager.private_ip }}"' - hidden: 'no' - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd - filebeat_output_elasticsearch_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - -#ODFE+Kibana node - - hosts: kibana - roles: - - role: "../roles/opendistro/opendistro-elasticsearch" - - role: "../roles/opendistro/opendistro-kibana" - become: yes - become_user: root - vars: - elasticsearch_jvm_xms: 2560 - elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" - elasticsearch_node_name: node-6 - opendistro_kibana_user: wazuh - opendistro_kibana_password: T3stP4ssw0rd - elasticsearch_node_master: false - elasticsearch_node_ingest: false - elasticsearch_node_data: false - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - kibana_node_name: node-6 - opendistro_standalone_installation: false - ansible_ssh_user: centos 
- ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_version: 3.13.2 - elastic_stack_version: 7.9.1 - opendistro_version: 1.10.1 - kibana_opendistro_version: -1.10.1-1 - elasticsearch_cluster_name: wazuh - kibana_opendistro_security: true - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user: wazuh - opendistro_custom_user_role: admin - node_options: "--max-old-space-size=2048" - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip - wazuh_api_credentials: - - id: default - url: https://{{ hostvars.manager.private_ip }} - port: 55000 - user: foo - password: bar - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. - node2: - name: node-2 - ip: "{{ hostvars.es2.private_ip }}" - node3: - name: node-3 - ip: "{{ hostvars.es3.private_ip }}" - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - node6: - name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + disable: 'no' + node_name: 'master' + node_type: 'master' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + - hosts: worker + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-5 + become: yes + become_user: root + vars: + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + https: 'yes' + cluster: + disable: 'no' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - '"{{ hostvars.manager.private_ip }}"' 
+ hidden: 'no' + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + #ODFE+Kibana node + - hosts: kibana + roles: + - role: "../roles/opendistro/opendistro-elasticsearch" + - role: "../roles/opendistro/opendistro-kibana" + become: yes + become_user: root + vars: + elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" + elasticsearch_node_name: node-6 + elasticsearch_node_master: false + elasticsearch_node_ingest: false + elasticsearch_node_data: false + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + kibana_node_name: node-6 + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + user: foo + password: bar + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" ``` +### Inventory file -### Example inventory file +The inventory file sets the public and private address of each node. The public addresses are used to gather facts and provision the instances while the private addresses are used for the cluster communications. +The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. 
```ini es1 ansible_host= private_ip= elasticsearch_node_name=node-1 es2 ansible_host= private_ip= elasticsearch_node_name=node-2 -es3 ansible_host= private_ip= elasticsearch_node_name=node-3 opendistro_custom_user=wazuh -kibana ansible_host= private_ip= +es3 ansible_host= private_ip= elasticsearch_node_name=node-3 +kibana ansible_host= private_ip= manager ansible_host= private_ip= -worker ansible_host= private_ip= - +worker ansible_host= private_ip= [odfe_cluster] es1 es2 es3 -[wui] -kibana -[managers] -manager -worker + +[all:vars] +ansible_ssh_user=vagrant +ansible_ssh_private_key_file=/path/to/ssh/key.pem +ansible_ssh_extra_args='-o StrictHostKeyChecking=no' +``` + +### Launching playbook + +```bash +ansible-playbook wazuh-odfe-production-ready.yml -i inventory +``` + +## Example: single-host environment + +### Playbook +The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and ODFE components in a single node. + +```yaml + +``` + +### Launching playbook + +```bash +ansible-playbook wazuh-odfe-single.yml -i inventory ``` ## Branches - -* `stable` branch on correspond to the last Wazuh-Ansible stable version. -* `master` branch contains the latest code, be aware of possible bugs on this branch. - -## Testing - -1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible). - -``` -git clone https://github.com/wazuh/wazuh-qa -``` - -2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory: - -``` -cp wazuh-qa/ansible/wazuh-ansible/* . -R -``` - -3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios: - -``` -pip install pipenv -sudo pipenv install -pipenv run test -pipenv run agent -``` +* `master` branch on correspond to the last Wazuh-Ansible stable version. ## Contribute 
@@ -387,7 +310,7 @@ https://github.com/dj-wasabi/ansible-ossec-server ## License and copyright WAZUH -Copyright (C) 2016-2018 Wazuh Inc. (License GPLv2) +Copyright (C) 2016-2020 Wazuh Inc. (License GPLv2) ## Web references From 5d1f55c42477372f819b9e81a0eed9638d5d0153 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:44:47 +0200 Subject: [PATCH 05/17] Wazuh and ODFE production ready playbook --- playbooks/wazuh-odfe-production-ready.yml | 93 +++-------------------- 1 file changed, 9 insertions(+), 84 deletions(-) diff --git a/playbooks/wazuh-odfe-production-ready.yml b/playbooks/wazuh-odfe-production-ready.yml index 588e3187..b2675834 100644 --- a/playbooks/wazuh-odfe-production-ready.yml +++ b/playbooks/wazuh-odfe-production-ready.yml @@ -1,5 +1,5 @@ --- - # Certificates generation +# Certificates generation - hosts: es1 roles: - role: ../roles/opendistro/opendistro-elasticsearch @@ -16,15 +16,7 @@ become: yes become_user: root vars: - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. @@ -47,7 +39,7 @@ tags: - generate-certs - #ODFE Cluster +#ODFE Cluster - hosts: odfe_cluster strategy: free roles: 
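Review bot: Nothing in this patch replaces the `opendistro_admin_password: T3stP4ssw0rd` that the `@@ -16,15 +16,7 @@` hunk drops from the certs-generation play, so the ODFE admin credential now silently falls back to whatever the role's defaults carry, which is not visible here. A playbook labelled production-ready should make the operator supply it rather than inherit a default: e.g. `opendistro_admin_password: "{{ lookup('env', 'ODFE_ADMIN_PASSWORD') }}"` or a `vars_files:` entry pointing at an Ansible Vault file, plus a comment such as `# Supply opendistro_admin_password via Vault or --extra-vars; never commit it.` Removing the personal SSH key path and `-o StrictHostKeyChecking=no` from the play is the right move; note that the same option is still recommended in the README inventory of this series, so host-key verification stays disabled for users who follow it.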
@@ -64,16 +56,7 @@ - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user_role: admin - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. @@ -103,34 +86,21 @@ become: yes become_user: root vars: - ansible_ssh_user: "centos" - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - port: "55000" + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: https: 'yes' - cluster: + cluster: disable: 'no' - name: 'wazuh' node_name: 'master' node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' nodes: - '"{{ hostvars.manager.private_ip }}"' hidden: 'no' - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd filebeat_output_elasticsearch_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" 
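Review bot: The `@@ -103,34 +86,21 @@` hunk re-indents `connection:`, `api:` and `cluster:` under `wazuh_manager_config` but leaves `https: 'yes'`, `disable: 'no'` and `node_name: 'master'` as unchanged context lines; the collapsed view here hides columns, so confirm those children still sit one level deeper than their re-indented parents, otherwise `https` and `disable` become siblings of `api` and `cluster` and are silently ignored. The same hunk drops `key: 'c98b62a9…'` from the master play while the worker play in the next hunk keeps it, so unless the role default for `cluster.key` happens to equal that value the two nodes will try to join with different keys. A single variable used on both plays, `key: "{{ wazuh_cluster_key }}"`, avoids the drift.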
@@ -145,48 +115,21 @@ become_user: root vars: wazuh_manager_config: - authd: - enable: false - port: 1515 - use_source_ip: 'no' - force_insert: 'yes' - force_time: 0 - purge: 'yes' - use_password: 'no' - limit_maxagents: 'yes' - ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' - ssl_agent_ca: null - ssl_verify_host: 'no' - ssl_manager_cert: 'sslmanager.cert' - ssl_manager_key: 'sslmanager.key' - ssl_auto_negotiate: 'no' connection: - type: 'secure' port: '1514' protocol: 'tcp' queue_size: 131072 api: - port: "55000" https: 'yes' cluster: disable: 'no' - name: 'wazuh' node_name: 'worker_01' node_type: 'worker' key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' nodes: - '"{{ hostvars.manager.private_ip }}"' hidden: 'no' - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd filebeat_output_elasticsearch_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" @@ -200,11 +143,8 @@ become: yes become_user: root vars: - elasticsearch_jvm_xms: 2560 elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" elasticsearch_node_name: node-6 - opendistro_kibana_user: wazuh - opendistro_kibana_password: T3stP4ssw0rd elasticsearch_node_master: false elasticsearch_node_ingest: false elasticsearch_node_data: false 
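Review bot: `key: 'c98b62a9b6169ac5f67dae55ae4a9088'` survives on the new side of the worker play in the `@@ -145,48 +115,21 @@` hunk even though every other credential is being stripped from this file; the Wazuh cluster key is the shared secret that authenticates nodes to each other, and a fixed value committed to a production-ready playbook is shared by every deployment built from it. Replace it with `key: "{{ wazuh_cluster_key }}"` and have the operator supply a fresh 32-hex-character value via Vault or `--extra-vars`. The removed `authd` block (including `ssl_verify_host: 'no'`) now falls back to the role defaults, which are outside this diff; if they also disable verification, a comment saying so here would help the reader.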
@@ -217,21 +157,6 @@ - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" kibana_node_name: node-6 - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_version: 3.13.2 - elastic_stack_version: 7.9.1 - opendistro_version: 1.10.1 - kibana_opendistro_version: -1.10.1-1 - elasticsearch_cluster_name: wazuh - kibana_opendistro_security: true - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user: wazuh - opendistro_custom_user_role: admin - node_options: "--max-old-space-size=2048" - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip wazuh_api_credentials: - id: default url: https://{{ hostvars.manager.private_ip }} From bc6e4264761e1f0162bb19392c690ea4dc6970aa Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:45:00 +0200 Subject: [PATCH 06/17] Wazuh and ODFE single node playbook --- playbooks/wazuh-odfe-single.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 playbooks/wazuh-odfe-single.yml diff --git a/playbooks/wazuh-odfe-single.yml b/playbooks/wazuh-odfe-single.yml new file mode 100644 index 00000000..ce98cfaf --- /dev/null +++ b/playbooks/wazuh-odfe-single.yml @@ -0,0 +1,21 @@ +--- +# Single node + - hosts: + become: yes + become_user: root + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + - role: ../roles/opendistro/opendistro-kibana + vars: + single_node: true + minimum_master_nodes: 1 + elasticsearch_node_master: true + elasticsearch_network_host: + filebeat_node_name: node-1 + filebeat_output_elasticsearch_hosts: + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: \ No newline at end of file 
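Review bot: The `wazuh_api_credentials` entry that closes the `@@ -217,21 +157,6 @@` hunk is kept as-is, and the README copy of this play earlier in the series continues it with `user: foo` / `password: bar`; those lines fall outside this hunk, but they are placeholder API credentials left in a playbook now presented as production-ready. Parameterize them, e.g. `user: "{{ wazuh_api_user }}"` / `password: "{{ wazuh_api_password }}"`, sourced from Vault or extra-vars. Dropping `kibana_opendistro_security: true` here also means the setting is now the role default, which this patch does not show; a comment is warranted if that default is not `true`.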
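Review bot: `playbooks/wazuh-odfe-single.yml` is committed with `hosts:`, `elasticsearch_network_host:`, `filebeat_output_elasticsearch_hosts:` and `ip:` left empty, so each parses as `null`; Ansible should refuse a play whose `hosts` is null, and a null `filebeat_output_elasticsearch_hosts` is not an empty list, so a role that loops over it will fail before any placeholder is noticed. Either make the file runnable like the README example (`- hosts: server`) with each address as an explicit template such as `elasticsearch_network_host: "{{ private_ip }}"`, or at least mark the blanks, e.g. `elasticsearch_network_host:  # REQUIRED: this host's address`. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags.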
From 5696a0835496ccad39e6fb2e43a207224905e3a8 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:46:05 +0200 Subject: [PATCH 07/17] Updating README with single node example --- README.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/README.md b/README.md index b6755343..c0f02bde 100644 --- a/README.md +++ b/README.md @@ -278,7 +278,42 @@ ansible-playbook wazuh-odfe-production-ready.yml -i inventory The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and ODFE components in a single node. ```yaml +--- +# Single node + - hosts: server + become: yes + become_user: root + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + - role: "../roles/opendistro/opendistro-kibana" + vars: + single_node: true + minimum_master_nodes: 1 + elasticsearch_node_master: true + elasticsearch_network_host: + filebeat_node_name: node-1 + filebeat_output_elasticsearch_hosts: + ansible_ssh_user: vagrant + ansible_ssh_private_key_file: /path/to/ssh/key.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: +``` +### Inventory file + +```ini +[server] + + +[all:vars] +ansible_ssh_user=vagrant +ansible_ssh_private_key_file=/path/to/ssh/key.pem +ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ``` ### Launching playbook @@ -287,6 +322,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a sing ansible-playbook wazuh-odfe-single.yml -i inventory ``` +After the playbooks execution ## Branches * `master` branch on correspond to the last Wazuh-Ansible stable version. From 672470344a7a81699edb0a4403c6018bd39dc5c8 Mon Sep 17 00:00:00 2001 
From: zenidd Date: Thu, 15 Oct 2020 18:46:55 +0200 Subject: [PATCH 08/17] Update certs generation tool URL. Bump versions. Set variables to correct value --- .../opendistro/opendistro-elasticsearch/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 1ece22c7..bd0d1e46 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -3,10 +3,10 @@ es_version: "7.8.0" es_major_version: "7.x" -opendistro_version: 1.9.0 +opendistro_version: 1.10.1 -elasticsearch_cluster_name: wazuh-cluster -single_node: true +single_node: false +elasticsearch_node_name: node-1 opendistro_cluster_name: wazuh elasticsearch_node_data: true elasticsearch_node_ingest: true @@ -56,7 +56,7 @@ opendistro_http_port: 9200 certs_gen_tool_version: 1.7 # Url of Search Guard certificates generator tool -certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" +certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' From 6de730bf9762687ffe21e10b2f3392055f338521 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:47:31 +0200 Subject: [PATCH 09/17] Avoid checking for green status on single node --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 7c5b3262..b429af26 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
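Review bot: Removing the `elasticsearch_cluster_name` default in the `@@ -3,10 +3,10 @@` hunk is a silent breaking change for any existing playbook that still sets it (the README example in this repository did, as `elasticsearch_cluster_name: wazuh`): the override is now ignored and the node is named after `opendistro_cluster_name` instead, which only surfaces as a cluster that fails to form. A one-line compatibility default keeps both spellings working: `opendistro_cluster_name: "{{ elasticsearch_cluster_name | default('wazuh') }}"`. A short comment marking the old name as deprecated would help too.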
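Review bot: The `certs_gen_tool_url` in the `@@ -56,7 +56,7 @@` hunk now fetches the Search Guard TLS tool from `search.maven.org/remotecontent`, and nothing in this patch pins a checksum, so the tool that generates every cluster certificate is trusted solely on TLS to a redirecting mirror; if the role downloads it with `get_url` (that task is outside this diff), add a `certs_gen_tool_checksum` default here and pass it as `checksum: "sha256:<digest>"`. Separately, `certs_gen_tool_version: 1.7` is an unquoted float — `1.7` renders correctly, but a future `1.10` would become `1.1` in the URL — so quote it: `certs_gen_tool_version: "1.7"`.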
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -70,6 +70,7 @@ tags: debug when: - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] + - single_node == false - name: Wait for Elasticsearch API (Private IP) uri: @@ -86,7 +87,8 @@ delay: 5 tags: debug when: - - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] + - single_node == false - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" From 1e6e389ff431c57474d5dc9e51405a697bc9fa3a Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:48:05 +0200 Subject: [PATCH 10/17] Add single node option to ODFE configuration template --- .../opendistro-elasticsearch/templates/elasticsearch.yml.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index fa98feea..96e585e2 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -1,4 +1,4 @@ -cluster.name: {{ elasticsearch_cluster_name }} +cluster.name: {{ opendistro_cluster_name }} node.name: {{ elasticsearch_node_name }} path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch @@ -6,6 +6,9 @@ network.host: {{ elasticsearch_network_host }} node.master: {{ elasticsearch_node_master|lower }} +{% if single_node == true %} +discovery.type: single-node +{% else %} cluster.initial_master_nodes: {% for item in elasticsearch_cluster_nodes %} - {{ item }} @@ -15,6 +18,7 @@ discovery.seed_hosts: {% for item in elasticsearch_discovery_nodes %} - {{ item }} {% endfor %} +{% endif %} {% if elasticsearch_node_data|lower == 'false' %} node.data: false 
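Review bot: `- single_node == false` in both `when:` lists of tasks/main.yml compares against a literal boolean, so a user who passes `single_node=false` from an inventory or `-e` (a string) makes the condition false and the wait runs anyway; the idiomatic form is `- not (single_node | bool)`. Skipping the "Wait for Elasticsearch API" tasks outright also leaves nothing that confirms Elasticsearch is up before the tasks that follow on a single node; if, as the subject suggests, the wait only fails because it asks for `green`, waiting for `yellow` on single nodes (the `uri` arguments are outside this hunk) keeps the readiness check without the false negative.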
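Review bot: `{% if single_node == true %}` in elasticsearch.yml.j2 has the same string-versus-boolean fragility as the `when:` checks in this series — use `{% if single_node | bool %}` so `"true"` from an inventory or extra-vars also selects `discovery.type: single-node`. Inside that branch `node.master: {{ elasticsearch_node_master|lower }}` is still rendered from a variable, and a single node that is not master-eligible cannot elect itself; a `# single_node requires elasticsearch_node_master: true` comment, or forcing `node.master: true` within the branch, would prevent a non-obvious bootstrap failure.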
From 0201da6f0f9c8939663b6f38604567865dbf7dfb Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:48:18 +0200 Subject: [PATCH 11/17] Bump versions --- roles/opendistro/opendistro-kibana/defaults/main.yml | 5 ++--- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 2c285c8d..8bf679f0 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -6,7 +6,6 @@ elasticsearch_nodes: |- {% for item in groups['es_cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {%- endfor %} -elasticsearch_network_host: 172.16.0.161 elastic_api_protocol: https kibana_conf_path: /etc/kibana kibana_node_name: node-1 @@ -14,12 +13,12 @@ kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -elastic_stack_version: 7.8.0 +elastic_stack_version: 7.9.1 wazuh_version: 3.13.2 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # The OpenDistro package repository -kibana_opendistro_version: -1.9.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +kibana_opendistro_version: -1.10.1-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts package_repos: yum: diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 110cc9d7..d31b6057 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -1,5 +1,5 @@ --- -filebeat_version: 7.8.0 +filebeat_version: 7.9.1 wazuh_template_branch: v3.13.2 From dff5798a7fa8796a08c745a5f22aec6674c14c32 Mon Sep 17 00:00:00 2001 
From: zenidd Date: Thu, 15 Oct 2020 18:50:50 +0200 Subject: [PATCH 12/17] Minor readme fix --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c0f02bde..557b288d 100644 --- a/README.md +++ b/README.md @@ -272,6 +272,8 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-production-ready.yml -i inventory ``` +After the playbook execution, Wazuh UI should be reachable through `https://:5601` + ## Example: single-host environment ### Playbook @@ -322,7 +324,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-single.yml -i inventory ``` -After the playbooks execution +After the playbook execution, Wazuh UI should be reachable through `https://:5601` ## Branches * `master` branch on correspond to the last Wazuh-Ansible stable version. From f7d191fd31c13840ff1150332b79987f8eb75886 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20S=C3=A1ez=20Guti=C3=A9rrez?= Date: Fri, 16 Oct 2020 12:32:05 +0200 Subject: [PATCH 13/17] Update README.md Minor syntax fixes Co-authored-by: Manuel J. Bernal --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 557b288d..cb79b246 100644 --- a/README.md +++ b/README.md @@ -245,7 +245,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod The inventory file sets the public and private address of each node. The public addresses are used to gather facts and provision the instances while the private addresses are used for the cluster communications. -The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. +The SSH credentials used by Ansible during the provision can be specified in this file too. Another option is to include them directly in the playbook. ```ini es1 ansible_host= private_ip= elasticsearch_node_name=node-1 
From 8990e2864d1e070dea74ef4e899ccac1e88d67dc Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:12:14 +0200 Subject: [PATCH 14/17] Clearer inventory file description --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 557b288d..01f2533f 100644 --- a/README.md +++ b/README.md @@ -243,9 +243,10 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod ### Inventory file -The inventory file sets the public and private address of each node. The public addresses are used to gather facts and provision the instances while the private addresses are used for the cluster communications. - -The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. +- The `ansible_host` variable should contain the `address/FQDN` used to gather facts and provision each node. +- The `private_ip` variable should contain the `address/FQDN` used for the internal cluster communications. +- Whether the environment is located in a local subnet, `ansible_host` and `private_ip` variables should match. +- The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. ```ini es1 ansible_host= private_ip= elasticsearch_node_name=node-1 From 653eecca1b6b91d9a95f90af08d05f3df909e6a5 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:12:56 +0200 Subject: [PATCH 15/17] minor syntax fix --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 01f2533f..44e834f7 100644 --- a/README.md +++ b/README.md @@ -267,7 +267,7 @@ ansible_ssh_private_key_file=/path/to/ssh/key.pem ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ``` -### Launching playbook +### Launching the playbook ```bash ansible-playbook wazuh-odfe-production-ready.yml -i inventory 
@@ -319,7 +319,7 @@ ansible_ssh_private_key_file=/path/to/ssh/key.pem ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ``` -### Launching playbook +### Launching the playbook ```bash ansible-playbook wazuh-odfe-single.yml -i inventory From c265a6db4be4ad5a6ddffd3b7b767ad0c2a0a656 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:13:35 +0200 Subject: [PATCH 16/17] minor syntax fix2 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 44e834f7..4fb71fa9 100644 --- a/README.md +++ b/README.md @@ -273,7 +273,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-production-ready.yml -i inventory ``` -After the playbook execution, Wazuh UI should be reachable through `https://:5601` +After the playbook execution, the Wazuh UI should be reachable through `https://:5601` ## Example: single-host environment @@ -325,7 +325,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-single.yml -i inventory ``` -After the playbook execution, Wazuh UI should be reachable through `https://:5601` +After the playbook execution, the Wazuh UI should be reachable through `https://:5601` ## Branches * `master` branch on correspond to the last Wazuh-Ansible stable version. From 58eb10c6dc74a0a03fc3f5b30ce3eeb996ddd8e3 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:19:05 +0200 Subject: [PATCH 17/17] Fix branches description --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4fb71fa9..c9f54929 100644 --- a/README.md +++ b/README.md 
@@ -7,6 +7,10 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. +## Branches +* `master` branch corresponds to the latest Wazuh Ansible changes. It might be unstable. +* `3.13` branch on correspond to the last Wazuh Ansible stable version. + ## Documentation * [Wazuh Ansible documentation](https://documentation.wazuh.com/current/deploying-with-ansible/index.html) @@ -327,9 +331,6 @@ ansible-playbook wazuh-odfe-single.yml -i inventory After the playbook execution, the Wazuh UI should be reachable through `https://:5601` -## Branches -* `master` branch on correspond to the last Wazuh-Ansible stable version. - ## Contribute If you want to contribute to our repository, please fork our Github repository and submit a pull request.