diff --git a/.gitignore b/.gitignore
index a8b42eb6..1d151e26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
*.retry
+wazuh-manager.yml
+wazuh-agent.yml
+elk.yml
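Review bot: Listing wazuh-manager.yml and wazuh-agent.yml in .gitignore has no effect, because both files are already tracked (this same diff modifies them further down) and git only ignores untracked paths. If the goal is to keep site-specific values such as `ossec_server_ip` out of the repository, move them into inventory `group_vars`/`host_vars` (or a vaulted vars file) and keep the playbooks generic rather than hiding the playbooks. `elk.yml` is not touched anywhere else in this change, so it looks like a leftover from the removed ansible-role-elk.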
diff --git a/1 b/1
new file mode 100644
index 00000000..d8d8c881
--- /dev/null
+++ b/1
@@ -0,0 +1,3 @@
+- hosts: kibana
+ roles:
+ - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' }
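Review bot: A file literally named `1` is being added, byte-identical to the new wazuh-kibana.yml (both carry blob id d8d8c881); this is almost certainly an accidental commit of a stray file and should be dropped from the change. Left in place it is still a valid playbook, so `ansible-playbook 1` would run the Kibana role against the `kibana` group, which is confusing for the next operator.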
diff --git a/ansible-role-elasticsearch/README.md b/ansible-role-elasticsearch/README.md
new file mode 100644
index 00000000..f1f156e5
--- /dev/null
+++ b/ansible-role-elasticsearch/README.md
@@ -0,0 +1,45 @@
+# Ansible Role: Elasticsearch
+
+
+An Ansible Role that installs Elasticsearch RedHat/CentOS.
+
+## Requirements
+
+Requires at least Java 8 (Java 8+ preferred).
+
+## Role Variables
+Available variables are listed below, along with default values (see `vars/main.yml`):
+
+ elasticsearch_cluster_name: wazuh
+ elasticsearch_node_name: node-1
+ elasticsearch_http_port: 9200
+ elasticsearch_network_host: 192.168.33.182
+ elasticsearch_jvm_xms: 1g
+
+
+Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+
+ elasticsearch_http_port: 9200
+
+Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+
+
+
+## Example Playbook
+
+ - hosts: search
+ roles:
+ - geerlingguy.java
+ - geerlingguy.elasticsearch
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
+
+## Modified
+
+The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/ansible-role-elasticsearch/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible-role-elasticsearch/handlers/main.yml b/ansible-role-elasticsearch/handlers/main.yml
new file mode 100644
index 00000000..a4c1162a
--- /dev/null
+++ b/ansible-role-elasticsearch/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart elasticsearch
+ service: name=elasticsearch state=restarted
diff --git a/ansible-role-elasticsearch/meta/main.yml b/ansible-role-elasticsearch/meta/main.yml
new file mode 100644
index 00000000..eebb284f
--- /dev/null
+++ b/ansible-role-elasticsearch/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Jose Luis Ruiz
+ description: Elasticsearch for Linux.
+ company: "Wazuh"
+ license: "license (BSD, MIT)"
+ min_ansible_version: 1.8
+ platforms:
+ - name: EL
+ versions:
+ - all
+ galaxy_tags:
+ - web
+ - system
+ - monitoring
diff --git a/ansible-role-elasticsearch/tasks/RMRedHat.yml b/ansible-role-elasticsearch/tasks/RMRedHat.yml
new file mode 100644
index 00000000..7465026b
--- /dev/null
+++ b/ansible-role-elasticsearch/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+# Remove logstash repository
+- name: Remove Elasticsearch repository (and clean up left-over metadata)
+ yum_repository:
+ name: logstash
+ state: absent
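Review bot: The repository id removed here, `logstash`, does not match the id this role creates in tasks/RedHat.yml (`name: elk_repo`), so the task is a no-op and the Elastic repo definition stays on the host after the run. The comment and the task name are also copy-pasted from the logstash role. Use the same id in both places, e.g. `name: elk_repo`, or better give the install task a role-specific id such as `elasticsearch` and remove that one here.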
diff --git a/ansible-role-elk/tasks/RedHat.yml b/ansible-role-elasticsearch/tasks/RedHat.yml
similarity index 84%
rename from ansible-role-elk/tasks/RedHat.yml
rename to ansible-role-elasticsearch/tasks/RedHat.yml
index 51910946..b8dc89ef 100644
--- a/ansible-role-elk/tasks/RedHat.yml
+++ b/ansible-role-elasticsearch/tasks/RedHat.yml
@@ -21,7 +21,7 @@
key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
state: present
-- name: RedHat | Install ELK repo
+- name: RedHat | Install Elasticsearch repo
yum_repository:
name: elk_repo
description: Elastic repository for 5.x packages
@@ -29,12 +29,8 @@
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes
-- name: RedHat | Install ELK
- yum: pkg={{ item }}
+- name: RedHat | Install Elasticsarch
+ yum: pkg=elasticsearch-5.3.0
state=present
- with_items:
- - logstash-5.2.2
- - elasticsearch-5.2.2
- - kibana-5.2.2
tags:
- init
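Review bot: The new task name misspells the product (`Install Elasticsarch`), and the pin `5.3.0` is now hard-coded separately in three roles plus the Wazuh app URL (`wazuhapp-2.0_5.3.0.zip`), which is how a partial bump leaves Kibana and Elasticsearch on different versions. Lift it into one variable, e.g. `yum: name=elasticsearch-{{ elastic_version }} state=present` with `elastic_version: "5.3.0"` in defaults, so the pin stays but has a single place to change. `pkg=` is a deprecated alias for `name=`. The task list continues above this hunk.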
diff --git a/ansible-role-elasticsearch/tasks/main.yml b/ansible-role-elasticsearch/tasks/main.yml
new file mode 100644
index 00000000..d15e6d4c
--- /dev/null
+++ b/ansible-role-elasticsearch/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- include: RedHat.yml
+ when: ansible_os_family == 'RedHat'
+
+- name: 'check parm is null or invalid'
+ fail: msg="This playbook is not compatible with Debian/Ubuntu"
+ when: ansible_os_family == 'Debian'
+
+- name: Configure Elasticsearch.
+ template:
+ src: elasticsearch.yml.j2
+ dest: /etc/elasticsearch/elasticsearch.yml
+ owner: root
+ group: elasticsearch
+ mode: 0660
+ notify: restart elasticsearch
+
+- name: Configure Elasticsearch JVM memmory.
+ template:
+ src: jvm.options.j2
+ dest: /etc/elasticsearch/jvm.options
+ owner: root
+ group: elasticsearch
+ mode: 0660
+ notify: restart elasticsearch
+
+- name: Start Elasticsearch.
+ service: name=elasticsearch state=started enabled=yes
+
+- name: Ensure Elasticsearch started and enabled
+ service:
+ name: elasticsearch
+ enabled: yes
+ state: started
+
+- name: Remove the correct repository
+ include: "RMRedHat.yml"
+ when: ansible_os_family == "RedHat"
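Review bot: `Start Elasticsearch.` and `Ensure Elasticsearch started and enabled` are the same `service` call twice (name elasticsearch, state started, enabled yes); drop the first, key=value form and keep the block-style task. The two `template` tasks give the `elasticsearch` group write access to the service's own configuration (`mode: 0660`); unless something in this deployment needs the service account to edit elasticsearch.yml or jvm.options, `mode: "0640"` is the least-privilege choice, and quoting the mode stops YAML reading the leading-zero octal as an integer. The task named `check parm is null or invalid` actually aborts on Debian hosts; rename it to say so, e.g. `Fail on unsupported OS family`.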
diff --git a/ansible-role-elk/templates/elasticsearch.yml.j2 b/ansible-role-elasticsearch/templates/elasticsearch.yml.j2
similarity index 98%
rename from ansible-role-elk/templates/elasticsearch.yml.j2
rename to ansible-role-elasticsearch/templates/elasticsearch.yml.j2
index 0939da3a..e9429686 100644
--- a/ansible-role-elk/templates/elasticsearch.yml.j2
+++ b/ansible-role-elasticsearch/templates/elasticsearch.yml.j2
@@ -53,7 +53,7 @@ node.name: {{ elasticsearch_node_name }}
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
-#network.host: 192.168.0.1
+network.host: {{ elasticsearch_network_host }}
#
# Set a custom port for HTTP:
#
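Review bot: Setting `network.host` to a routable address exposes the Elasticsearch HTTP API on port 9200 to the network, and nothing in this role adds authentication or TLS, so any host that can reach the node can read, alter or delete the `wazuh-alerts-*` indices. The templating itself is fine, but the role should state this in its README and the playbooks should pair it with a host firewall or network ACL admitting only the Logstash and Kibana hosts, or keep `localhost` and front the API with an authenticating reverse proxy. Consider keeping the original `#network.host: 192.168.0.1` example as a comment so the rendered file still documents the setting.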
diff --git a/ansible-role-elk/templates/jvm.options.j2 b/ansible-role-elasticsearch/templates/jvm.options.j2
similarity index 100%
rename from ansible-role-elk/templates/jvm.options.j2
rename to ansible-role-elasticsearch/templates/jvm.options.j2
diff --git a/ansible-role-elk/defaults/main.yml b/ansible-role-elasticsearch/vars/main.yml
similarity index 64%
rename from ansible-role-elk/defaults/main.yml
rename to ansible-role-elasticsearch/vars/main.yml
index 9ad375fd..2e988791 100644
--- a/ansible-role-elk/defaults/main.yml
+++ b/ansible-role-elasticsearch/vars/main.yml
@@ -2,8 +2,5 @@
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
-elasticsearch_network_host: localhost
+elasticsearch_network_host: 192.168.33.182
elasticsearch_jvm_xms: 1g
-
-
-kibana_server_host: "0.0.0.0"
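Review bot: A site-specific address, `192.168.33.182`, is now baked into `vars/main.yml`, which in Ansible's precedence order overrides inventory `group_vars`/`host_vars`; consumers of the role cannot change the bind address from their inventory, only via a play-level var or the role parameter used in wazuh-elastic.yml. The previous default `localhost` belongs in `defaults/main.yml` (added empty in this commit), e.g. `elasticsearch_network_host: localhost`, with the real address supplied from inventory. The README added alongside still says the default is the loopback interface, so documentation and variable now disagree.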
diff --git a/ansible-role-elk/handlers/main.yml b/ansible-role-elk/handlers/main.yml
deleted file mode 100644
index 1b2400b8..00000000
--- a/ansible-role-elk/handlers/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: restart elasticsearch
- service: name=elasticsearch state=restarted
-
-- name: restart logstash
- service: name=logstash state=restarted
-
-- name: restart kibana
- service: name=kibana state=restarted
diff --git a/ansible-role-elk/tasks/main.yml b/ansible-role-elk/tasks/main.yml
deleted file mode 100644
index 0a2962b4..00000000
--- a/ansible-role-elk/tasks/main.yml
+++ /dev/null
@@ -1,71 +0,0 @@
----
-- include: RedHat.yml
- when: ansible_os_family == 'RedHat'
-
-- name: Configure Elasticsearch.
- template:
- src: elasticsearch.yml.j2
- dest: /etc/elasticsearch/elasticsearch.yml
- owner: root
- group: elasticsearch
- mode: 0660
- notify: restart elasticsearch
-
-- name: Configure Elasticsearch JVM memmory.
- template:
- src: jvm.options.j2
- dest: /etc/elasticsearch/jvm.options
- owner: root
- group: elasticsearch
- mode: 0660
- notify: restart elasticsearch
-
-- name: Start Elasticsearch.
- service: name=elasticsearch state=started enabled=yes
-
-- name: Make sure Elasticsearch is running before proceeding.
- wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
-
-- name: Logstash configuration
- template:
- src: 01-wazuh.conf.j2
- dest: /etc/logstash/conf.d/01-wazuh.conf
- owner: root
- group: root
- notify: restart logstash
-
-- name: Logstash template
- template:
- src: wazuh-elastic5-template.json.j2
- dest: /etc/logstash/wazuh-elastic5-template.json
- owner: root
- group: root
- notify: restart logstash
-
-- name: Kibana configuration
- template:
- src: kibana.yml.j2
- dest: /etc/kibana/kibana.yml
- owner: root
- group: root
- mode: 0664
- notify: restart kibana
-
-
-- name: Verify if Wazuh-APP is installed
- command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
- register: kibanainstalled
-
-- name: Install Wazuh-APP (can take a while)
- shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.2.2.zip && service kibana restart
- when: kibanainstalled.stdout.find('wazuh') == -1
-
-- name: Ensure Logstash, Kibana and Elasticsearch started and enabled
- service:
- name: "{{ item }}"
- enabled: yes
- state: started
- with_items:
- - logstash
- - elasticsearch
- - kibana
diff --git a/ansible-role-elk/tests/requirements.yml b/ansible-role-elk/tests/requirements.yml
deleted file mode 100644
index 8fbe7cb6..00000000
--- a/ansible-role-elk/tests/requirements.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- src: geerlingguy.java
diff --git a/ansible-role-elk/tests/test.yml b/ansible-role-elk/tests/test.yml
deleted file mode 100644
index 7e775aea..00000000
--- a/ansible-role-elk/tests/test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- hosts: all
-
- pre_tasks:
- - name: Update apt cache.
- apt: update_cache=yes cache_valid_time=600
- when: ansible_os_family == 'Debian'
- changed_when: false
-
- - name: Ensure build dependencies are installed.
- package: name=curl state=present
-
- roles:
- - geerlingguy.java
- - role_under_test
diff --git a/ansible-role-filebeat/tasks/RMDebian.yml b/ansible-role-filebeat/tasks/RMDebian.yml
new file mode 100644
index 00000000..cff461bc
--- /dev/null
+++ b/ansible-role-filebeat/tasks/RMDebian.yml
@@ -0,0 +1,6 @@
+---
+# Remove ELK REPOSITORY and Wazuh repositories from sources list.
+- name: Remove Filebeat repository (and clean up left-over metadata)
+ apt_repository:
+ repo: ddeb https://artifacts.elastic.co/packages/5.x/apt stable main
+ state: absent
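Review bot: The repo line reads `ddeb https://...`; the extra `d` means it never matches the `deb ...` entry the install step wrote, so `state: absent` removes nothing, and apt_repository may reject the string as an invalid source. It should be `repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main`. The comment above it still mentions Wazuh repositories, which this file does not touch.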
diff --git a/ansible-role-filebeat/tasks/RMRedHat.yml b/ansible-role-filebeat/tasks/RMRedHat.yml
new file mode 100644
index 00000000..3d16c46e
--- /dev/null
+++ b/ansible-role-filebeat/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+# Remove repositories
+- name: Remove Filebeat repository (and clean up left-over metadata)
+ yum_repository:
+ name: filebeat
+ state: absent
diff --git a/ansible-role-filebeat/tasks/main.yml b/ansible-role-filebeat/tasks/main.yml
index e6886b46..0fd216ee 100644
--- a/ansible-role-filebeat/tasks/main.yml
+++ b/ansible-role-filebeat/tasks/main.yml
@@ -16,3 +16,11 @@
name: filebeat
state: started
enabled: yes
+
+- name: Remove the correct repository
+ include: "RMRedHat.yml"
+ when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+ include: "RMDebian.yml"
+ when: ansible_os_family == "Debian"
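Review bot: Removing the Elastic repository immediately after installing from it means the host's regular `yum update`/`apt upgrade` can no longer pull Filebeat security fixes, and each subsequent run re-adds and re-removes the repo, so the role never converges to an all-`ok` run. If the intent is to prevent unattended upgrades to an untested version, keep the repo and pin the package (yum versionlock / apt preferences) rather than deleting the source. The two tasks also share the name `Remove the correct repository`; name them by OS family, e.g. `Remove Filebeat repository (RedHat)`, so play output is unambiguous.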
diff --git a/ansible-role-filebeat/tasks/setup-RedHat.yml b/ansible-role-filebeat/tasks/setup-RedHat.yml
index d52e10e3..c4b87e87 100644
--- a/ansible-role-filebeat/tasks/setup-RedHat.yml
+++ b/ansible-role-filebeat/tasks/setup-RedHat.yml
@@ -6,7 +6,7 @@
- name: RedHat | Install Filebeats repo
yum_repository:
- name: elk_repo
+ name: filebeat
description: Elastic repository for 5.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
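Review bot: Renaming the repo id from `elk_repo` to `filebeat` changes the file written under /etc/yum.repos.d, so hosts provisioned by the previous revision keep a stale `elk_repo.repo` that no task removes; the new RMRedHat.yml only deletes `filebeat`. If such hosts exist, add a one-off `yum_repository: name=elk_repo state=absent` or document the manual cleanup. The task continues past the end of the hunk.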
diff --git a/ansible-role-elk/README.md b/ansible-role-kibana/README.md
similarity index 91%
rename from ansible-role-elk/README.md
rename to ansible-role-kibana/README.md
index 68c54514..69609ed3 100644
--- a/ansible-role-elk/README.md
+++ b/ansible-role-kibana/README.md
@@ -1,14 +1,14 @@
# Ansible Role: Elasticsearch
-An Ansible Role that installs Elasticsearch, Logstash, Kibana and WazuhAPP on RedHat/CentOS.
+An Ansible Role that installs Kibana and WazuhAPP on RedHat/CentOS.
## Requirements
Requires at least Java 8 (Java 8+ preferred).
## Role Variables
-Available variables are listed below, along with default values (see `defaults/main.yml`):
+Available variables are listed below, along with default values (see `vars/main.yml`):
elasticsearch_network_host: localhost
diff --git a/ansible-role-kibana/defaults/main.yml b/ansible-role-kibana/defaults/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/ansible-role-kibana/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible-role-kibana/handlers/main.yml b/ansible-role-kibana/handlers/main.yml
new file mode 100644
index 00000000..55ea3d3c
--- /dev/null
+++ b/ansible-role-kibana/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart kibana
+ service: name=kibana state=restarted
diff --git a/ansible-role-elk/meta/main.yml b/ansible-role-kibana/meta/main.yml
similarity index 100%
rename from ansible-role-elk/meta/main.yml
rename to ansible-role-kibana/meta/main.yml
diff --git a/ansible-role-kibana/tasks/RMRedHat.yml b/ansible-role-kibana/tasks/RMRedHat.yml
new file mode 100644
index 00000000..7465026b
--- /dev/null
+++ b/ansible-role-kibana/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+# Remove logstash repository
+- name: Remove Elasticsearch repository (and clean up left-over metadata)
+ yum_repository:
+ name: logstash
+ state: absent
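Review bot: This removes a repo id `logstash` that the Kibana role never creates; tasks/RedHat.yml installs the Elastic repo as `name: elk_repo`, so the task is a no-op and the repo stays configured. Both the comment (`Remove logstash repository`) and the task name (`Remove Elasticsearch repository`) are copy-paste leftovers. Use one id in both places, e.g. `name: elk_repo`, or better a role-specific id such as `kibana` set in the install task.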
diff --git a/ansible-role-kibana/tasks/RedHat.yml b/ansible-role-kibana/tasks/RedHat.yml
new file mode 100644
index 00000000..e3fbcf98
--- /dev/null
+++ b/ansible-role-kibana/tasks/RedHat.yml
@@ -0,0 +1,23 @@
+---
+- name: Add Elasticsearch GPG key.
+ rpm_key:
+ key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+ state: present
+
+- name: RedHat | Install Kibana repo
+ yum_repository:
+ name: elk_repo
+ description: Elastic repository for 5.x packages
+ baseurl: https://artifacts.elastic.co/packages/5.x/yum
+ gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+ gpgcheck: yes
+
+- name: RedHat | Install Kibana
+ yum: pkg=kibana-5.3.0
+ state=present
+ tags:
+ - init
+
+- name: Remove the correct repository
+ include: "RMRedHat.yml"
+ when: ansible_os_family == "RedHat"
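Review bot: The trailing `include: RMRedHat.yml` sits inside a file that main.yml already includes only when `ansible_os_family == 'RedHat'`, so its `when` is redundant, and it puts the repository removal in a different file than the sibling elasticsearch and logstash roles, which run it as the last task of main.yml. Move it to the end of tasks/main.yml so the three roles read the same way. `pkg=kibana-5.3.0` uses the deprecated `pkg` alias; `name=` is the documented form.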
diff --git a/ansible-role-kibana/tasks/main.yml b/ansible-role-kibana/tasks/main.yml
new file mode 100644
index 00000000..21afed28
--- /dev/null
+++ b/ansible-role-kibana/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- include: RedHat.yml
+ when: ansible_os_family == 'RedHat'
+
+- name: 'check parm is null or invalid'
+ fail: msg="This playbook is not compatible with Debian/Ubuntu"
+ when: ansible_os_family == 'Debian'
+
+- name: Make sure Elasticsearch is running before proceeding.
+ wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
+
+- name: Kibana configuration
+ template:
+ src: kibana.yml.j2
+ dest: /etc/kibana/kibana.yml
+ owner: root
+ group: root
+ mode: 0664
+ notify: restart kibana
+
+
+- name: Verify if Wazuh-APP is installed
+ command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
+ register: kibanainstalled
+
+- name: Install Wazuh-APP (can take a while)
+ shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip && service kibana restart
+ when: kibanainstalled.stdout.find('wazuh') == -1
+
+- name: Ensure Logstash, Kibana and Elasticsearch started and enabled
+ service:
+ name: kibana
+ enabled: yes
+ state: started
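Review bot: `kibana-plugin install https://packages.wazuh.com/...zip` fetches and unpacks code into /usr/share/kibana with no integrity check beyond TLS, and the restart is an ad-hoc `service kibana restart` inside the shell string instead of the `restart kibana` handler this role defines. Download the archive with `get_url` and a pinned `checksum:` (take the digest from the Wazuh release you deploy), install from the local file, and notify the handler, as sketched below. The `Verify if Wazuh-APP is installed` command is read-only and should carry `changed_when: false` so it does not report a change on every run. The last task is still named `Ensure Logstash, Kibana and Elasticsearch started and enabled` although it now manages only Kibana.

```yaml
- name: Verify if Wazuh-APP is installed
  command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
  register: kibanainstalled
  changed_when: false

- name: Download Wazuh-APP plugin archive (pinned checksum)
  get_url:
    url: https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip
    dest: /tmp/wazuhapp-2.0_5.3.0.zip
    checksum: "sha256:<digest published for this release>"
  when: kibanainstalled.stdout.find('wazuh') == -1

- name: Install Wazuh-APP (can take a while)
  command: /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-2.0_5.3.0.zip
  when: kibanainstalled.stdout.find('wazuh') == -1
  notify: restart kibana

# … unchanged: Ensure Kibana started and enabled …
```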
diff --git a/ansible-role-elk/templates/kibana.yml.j2 b/ansible-role-kibana/templates/kibana.yml.j2
similarity index 97%
rename from ansible-role-elk/templates/kibana.yml.j2
rename to ansible-role-kibana/templates/kibana.yml.j2
index 90cf2e84..4631d2f1 100644
--- a/ansible-role-elk/templates/kibana.yml.j2
+++ b/ansible-role-kibana/templates/kibana.yml.j2
@@ -19,7 +19,7 @@ server.host: {{ kibana_server_host }}
#server.name: "your-hostname"
# The URL of the Elasticsearch instance to use for all your queries.
-#elasticsearch.url: "http://localhost:9200"
+elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
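Review bot: `elasticsearch.url` now hard-codes the `http://` scheme, so Kibana talks to Elasticsearch in cleartext across the network, and a deployment that terminates TLS in front of Elasticsearch cannot use this template without editing it. Make the scheme a variable, e.g. `elasticsearch.url: "{{ elasticsearch_url_scheme | default('http') }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"`, and note in the README that with the 5.x packages installed here there is no authentication on this link. The kibana.yml content continues outside the hunk.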
diff --git a/ansible-role-kibana/vars/main.yml b/ansible-role-kibana/vars/main.yml
new file mode 100644
index 00000000..408eb898
--- /dev/null
+++ b/ansible-role-kibana/vars/main.yml
@@ -0,0 +1,5 @@
+---
+elasticsearch_http_port: "9200"
+elasticsearch_network_host: "192.168.33.182"
+
+kibana_server_host: "0.0.0.0"
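Review bot: `kibana_server_host: "0.0.0.0"` binds the Kibana UI on every interface and, with the plain 5.x packages this role installs, there is no login in front of it; anyone who can reach port 5601 gets the Wazuh alert data and, through Kibana's proxy, the Elasticsearch API. Either default to `localhost` behind an authenticating reverse proxy, or keep `0.0.0.0` and document the firewall/ACL requirement in the README. As in the other roles, these are deployment values and belong in `defaults/main.yml` (added empty in this commit) so inventory vars can override them; in `vars/` they are effectively fixed.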
diff --git a/ansible-role-logstash/README.md b/ansible-role-logstash/README.md
new file mode 100644
index 00000000..766ed4a2
--- /dev/null
+++ b/ansible-role-logstash/README.md
@@ -0,0 +1,40 @@
+# Ansible Role: Logstash
+
+
+An Ansible Role that installs Logstash on RedHat/CentOS.
+
+## Requirements
+
+Requires at least Java 8 (Java 8+ preferred).
+
+## Role Variables
+Available variables are listed below, along with default values (see `vars/main.yml`):
+
+ elasticsearch_network_host: localhost
+
+Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+
+ elasticsearch_http_port: 9200
+
+Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+
+
+
+## Example Playbook
+
+ - hosts: search
+ roles:
+ - geerlingguy.java
+ - geerlingguy.elasticsearch
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
+
+## Modified
+
+The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
diff --git a/ansible-role-logstash/defaults/main.yml b/ansible-role-logstash/defaults/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/ansible-role-logstash/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible-role-logstash/handlers/main.yml b/ansible-role-logstash/handlers/main.yml
new file mode 100644
index 00000000..56f376c8
--- /dev/null
+++ b/ansible-role-logstash/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart logstash
+ service: name=logstash state=restarted
diff --git a/ansible-role-logstash/meta/main.yml b/ansible-role-logstash/meta/main.yml
new file mode 100644
index 00000000..49cebc4c
--- /dev/null
+++ b/ansible-role-logstash/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Jose Luis Ruiz
+ description: Logstash for Linux.
+ company: "Wazuh"
+ license: "license (BSD, MIT)"
+ min_ansible_version: 1.8
+ platforms:
+ - name: EL
+ versions:
+ - all
+ galaxy_tags:
+ - web
+ - system
+ - monitoring
diff --git a/ansible-role-logstash/tasks/RMRedHat.yml b/ansible-role-logstash/tasks/RMRedHat.yml
new file mode 100644
index 00000000..9d6f51a2
--- /dev/null
+++ b/ansible-role-logstash/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+# Remove logstash repository
+- name: Remove logstash repository (and clean up left-over metadata)
+ yum_repository:
+ name: logstash
+ state: absent
diff --git a/ansible-role-logstash/tasks/RedHat.yml b/ansible-role-logstash/tasks/RedHat.yml
new file mode 100644
index 00000000..5cff11b3
--- /dev/null
+++ b/ansible-role-logstash/tasks/RedHat.yml
@@ -0,0 +1,36 @@
+---
+- name: download Java RPM
+ shell:
+ "curl -L -H 'Cookie:oraclelicense=accept-securebackup-cookie' -o /tmp/jdk-8-linux-x64.rpm http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm"
+ args:
+ creates: "/tmp/jdk-8-linux-x64.rpm"
+ register: oracle_java_task_rpm_download
+ become: yes
+ tags:
+ - installation
+
+- name: install RPM
+ action: "yum name=/tmp/jdk-8-linux-x64.rpm state=present"
+ when: not oracle_java_task_rpm_download|skipped
+ become: yes
+ tags:
+ - installation
+
+- name: Add Elasticsearch GPG key.
+ rpm_key:
+ key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+ state: present
+
+- name: RedHat | Install Logstash repo
+ yum_repository:
+ name: logstash
+ description: Elastic repository for 5.x packages
+ baseurl: https://artifacts.elastic.co/packages/5.x/yum
+ gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+ gpgcheck: yes
+
+- name: RedHat | Install Logstash
+ yum: pkg=logstash-5.3.0
+ state=present
+ tags:
+ - init
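Review bot: The Oracle JDK is downloaded over plain `http://` with `curl`, without any checksum, and then installed as root from /tmp; an attacker on the network path can substitute the RPM, and yum's `gpgcheck` does not apply to local files unless `localpkg_gpgcheck` is enabled. Use the `https://` URL, fetch with `get_url` and a pinned `checksum:` (Oracle publishes digests per build), and install from the verified file as below; note `get_url`'s `headers` needs Ansible 2.0+, above the `min_ansible_version: 1.8` declared in meta. The build `8u111-b14` is hard-coded in the URL and will silently go stale, so lift it into a variable. `when: not oracle_java_task_rpm_download|skipped` only guards against a skipped task, not a failed download.

```yaml
- name: download Java RPM (verified)
  get_url:
    url: https://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm
    dest: /tmp/jdk-8-linux-x64.rpm
    headers: "Cookie:oraclelicense=accept-securebackup-cookie"
    checksum: "sha256:<digest published by Oracle for 8u111-b14>"
  register: oracle_java_task_rpm_download
  become: yes
  tags:
    - installation

- name: install RPM
  yum:
    name: /tmp/jdk-8-linux-x64.rpm
    state: present
  become: yes
  tags:
    - installation

# … unchanged: Elastic GPG key, Logstash repo and package install …
```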
diff --git a/ansible-role-logstash/tasks/main.yml b/ansible-role-logstash/tasks/main.yml
new file mode 100644
index 00000000..7f5660f3
--- /dev/null
+++ b/ansible-role-logstash/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- include: RedHat.yml
+ when: ansible_os_family == 'RedHat'
+
+- name: 'check parm is null or invalid'
+ fail: msg="This playbook is not compatible with Debian/Ubuntu"
+ when: ansible_os_family == 'Debian'
+
+- name: Logstash configuration
+ template:
+ src: 01-wazuh.conf.j2
+ dest: /etc/logstash/conf.d/01-wazuh.conf
+ owner: root
+ group: root
+ notify: restart logstash
+
+- name: Logstash template
+ template:
+ src: wazuh-elastic5-template.json.j2
+ dest: /etc/logstash/wazuh-elastic5-template.json
+ owner: root
+ group: root
+ notify: restart logstash
+
+
+- name: Ensure Logstash started and enabled
+ service:
+ name: logstash
+ enabled: yes
+ state: started
+
+- name: Remove the correct repository
+ include: "RMRedHat.yml"
+ when: ansible_os_family == "RedHat"
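Review bot: The guard `fail ... when: ansible_os_family == 'Debian'` stops only Debian-family hosts; any other family (SUSE, for instance) skips the RedHat include and then templates into /etc/logstash, which does not exist, failing with a confusing error. Invert it to the supported set, `when: ansible_os_family != 'RedHat'`, and name the task for what it does (`Fail on unsupported OS family`) instead of `check parm is null or invalid`. The two `template` tasks set owner/group but no `mode`, so the permissions of 01-wazuh.conf depend on the remote umask; set `mode: "0640"` explicitly, as the wazuh-server role now does for its rules files.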
diff --git a/ansible-role-elk/templates/01-wazuh.conf.j2 b/ansible-role-logstash/templates/01-wazuh.conf.j2
similarity index 93%
rename from ansible-role-elk/templates/01-wazuh.conf.j2
rename to ansible-role-logstash/templates/01-wazuh.conf.j2
index 3684738c..1de99ec5 100644
--- a/ansible-role-elk/templates/01-wazuh.conf.j2
+++ b/ansible-role-logstash/templates/01-wazuh.conf.j2
@@ -35,7 +35,7 @@ filter {
output {
#stdout { codec => rubydebug }
elasticsearch {
- hosts => ["localhost:9200"]
+ hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]
index => "wazuh-alerts-%{+YYYY.MM.dd}"
document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
diff --git a/ansible-role-elk/templates/wazuh-elastic5-template.json.j2 b/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2
similarity index 100%
rename from ansible-role-elk/templates/wazuh-elastic5-template.json.j2
rename to ansible-role-logstash/templates/wazuh-elastic5-template.json.j2
diff --git a/ansible-role-logstash/vars/main.yml b/ansible-role-logstash/vars/main.yml
new file mode 100644
index 00000000..afab9e7e
--- /dev/null
+++ b/ansible-role-logstash/vars/main.yml
@@ -0,0 +1,3 @@
+---
+elasticsearch_network_host: "192.168.33.182"
+elasticsearch_http_port: "9200"
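Review bot: These are deployment-specific values (a 192.168.33.x address) placed in `vars/main.yml`, where they override inventory `group_vars`/`host_vars`; put them in `defaults/main.yml` (added empty in this commit) so an inventory can set the real Elasticsearch endpoint. `elasticsearch_http_port` is quoted here (`"9200"`) but unquoted (`9200`) in the elasticsearch role's vars; both are only interpolated into strings so it works, but pick one form for consistency.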
diff --git a/ansible-wazuh-agent/tasks/RMDebian.yml b/ansible-wazuh-agent/tasks/RMDebian.yml
new file mode 100644
index 00000000..3c56a9db
--- /dev/null
+++ b/ansible-wazuh-agent/tasks/RMDebian.yml
@@ -0,0 +1,5 @@
+---
+# Remove Nodejs and Wazuh repositories from sources list.
+- apt_repository:
+ repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+ state: absent
diff --git a/ansible-wazuh-agent/tasks/RMRedHat.yml b/ansible-wazuh-agent/tasks/RMRedHat.yml
new file mode 100644
index 00000000..fe04a176
--- /dev/null
+++ b/ansible-wazuh-agent/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+# Remove repositories
+- name: Remove Wazuh repository (and clean up left-over metadata)
+ yum_repository:
+ name: wazuh_repo
+ state: absent
diff --git a/ansible-wazuh-agent/tasks/RedHat.yml b/ansible-wazuh-agent/tasks/RedHat.yml
index 9d60d9e8..0498480c 100644
--- a/ansible-wazuh-agent/tasks/RedHat.yml
+++ b/ansible-wazuh-agent/tasks/RedHat.yml
@@ -30,6 +30,13 @@
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
+- name: RedHat | Install openscap
+ yum: pkg=openscap-scanner
+ state=present
+ when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= 6
+ tags:
+ - init
+
- name: RedHat | Install Wazuh Agent
yum: pkg={{ item }}
state=present
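Review bot: `ansible_distribution_major_version >= 6` compares a string fact with an integer; under Python 2 that comparison is decided by type and is always true, and under Python 3 Jinja raises a TypeError, so the condition does not do what it says either way. Cast it: `when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int >= 6`. The `Install Wazuh Agent` task below is cut by the hunk.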
diff --git a/ansible-wazuh-agent/tasks/main.yml b/ansible-wazuh-agent/tasks/main.yml
index 2c96ca86..b5af50a1 100644
--- a/ansible-wazuh-agent/tasks/main.yml
+++ b/ansible-wazuh-agent/tasks/main.yml
@@ -39,3 +39,12 @@
state: started
with_items:
- wazuh-agent
+
+
+- name: Remove the correct repository
+ include: "RMRedHat.yml"
+ when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+ include: "RMDebian.yml"
+ when: ansible_os_family == "Debian"
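Review bot: Removing the Wazuh repository after installing the agent means the host's normal `yum update`/`apt upgrade` will never pick up a patched wazuh-agent, which is the opposite of what a security agent's packaging should do, and the add-then-remove pair makes every run report changes. If the concern is unexpected upgrades, keep the repo and pin the version (versionlock / apt preferences) instead. The two tasks also share the name `Remove the correct repository`; name them by OS family so play output stays readable.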
diff --git a/ansible-wazuh-server/tasks/RMDebian.yml b/ansible-wazuh-server/tasks/RMDebian.yml
new file mode 100644
index 00000000..ab243091
--- /dev/null
+++ b/ansible-wazuh-server/tasks/RMDebian.yml
@@ -0,0 +1,19 @@
+---
+# Remove Nodejs and Wazuh repositories from sources list.
+- name: Remove Wazuh repository.
+ apt_repository:
+ repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+ state: absent
+
+- name: Remove Nodejs repository.
+ apt_repository:
+ repo: deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
+ - deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
+ - deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
+ - deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+ state: absent
+
+- name: Remove Nodejs repository.
+ apt_repository:
+ repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+ state: absent
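Review bot: The second task is not valid module input: `repo:` is given a scalar followed by three `- deb...` lines at deeper indentation, which YAML folds into one long string (or rejects, depending on the parser), so apt_repository either errors or searches for a source line that does not exist; the Wazuh repo is then removed again by the third task, which duplicates the first. Replace the second and third tasks with one loop over the NodeSource lines, as below. After that the header comment about removing Nodejs and Wazuh repositories is accurate.

```yaml
# … unchanged: Remove Wazuh repository. …

- name: Remove Nodejs repositories.
  apt_repository:
    repo: "{{ item }}"
    state: absent
  with_items:
    - "deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main"
    - "deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main"
```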
diff --git a/ansible-wazuh-server/tasks/RMRedHat.yml b/ansible-wazuh-server/tasks/RMRedHat.yml
new file mode 100644
index 00000000..52577c31
--- /dev/null
+++ b/ansible-wazuh-server/tasks/RMRedHat.yml
@@ -0,0 +1,12 @@
+---
+# Remove repositories
+- name: Remove NodeJS repository (and clean up left-over metadata)
+ yum_repository:
+ name: NodeJS
+ state: absent
+
+
+- name: Remove Wazuh repository (and clean up left-over metadata)
+ yum_repository:
+ name: wazuh_repo
+ state: absent
diff --git a/ansible-wazuh-server/tasks/RedHat.yml b/ansible-wazuh-server/tasks/RedHat.yml
index efa0496c..e7e55b34 100644
--- a/ansible-wazuh-server/tasks/RedHat.yml
+++ b/ansible-wazuh-server/tasks/RedHat.yml
@@ -6,7 +6,7 @@
ansible_distribution: centos
when: ansible_distribution == "RedHat"
-- name: RedHat | Install Wazuh repo
+- name: RedHat | Install Nodejs repo
yum_repository:
name: NodeJS
description: NodeJS-$releasever
@@ -14,7 +14,7 @@
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes
-- name: RedHat | Install NodeJS repo
+- name: RedHat | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
@@ -41,22 +41,22 @@
tags:
- init
-- name: Set Distribution CIS filename for RHEL5
+- name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5"
-- name: Set Distribution CIS filename for RHEL6
+- name: Set Distribution CIS filename for RHEL6/CentOS-6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
-- name: Set Distribution CIS filename for RHEL7
+- name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
-- name: Set ossec deploy facts for RedHat
+- name: Set ossec deploy facts for RedHat/CentOS
set_fact:
ossec_server_config_filename: ossec-server.conf
ossec_init_name: wazuh-manager
diff --git a/ansible-wazuh-server/tasks/main.yml b/ansible-wazuh-server/tasks/main.yml
index 00791964..c6c7028c 100644
--- a/ansible-wazuh-server/tasks/main.yml
+++ b/ansible-wazuh-server/tasks/main.yml
@@ -1,6 +1,5 @@
---
-# tasks file for ossec-server
-
+# tasks file for wazuh-manager
- name: Install the correct repository
include: "RedHat.yml"
when: ansible_os_family == "RedHat"
@@ -18,44 +17,31 @@
tags:
- config
-- name: Configure the shared-agent.conf
- template: src=var-ossec-etc-shared-agent.conf.j2
- dest=/var/ossec/etc/shared/agent.conf
- owner=ossec
- group=ossec
- mode=0644
- notify: restart wazuh-manager
- tags:
- - init
- - config
-
-- name: Installing custom local_rules.xml
- template:
- src: "{{ playbook_dir }}/{{ ossec_server_config.local_rules_template }}"
- dest: /var/ossec/rules/local_rules.xml
- owner: root
- group: root
- mode: 0644
- when: ossec_server_config.local_rules_template is defined
- notify: restart wazuh-manager
- tags:
- - init
- - config
- - rules
-
- name: Installing the local_rules.xml (default local_rules.xml)
template: src=var-ossec-rules-local_rules.xml.j2
dest=/var/ossec/etc/rules/local_rules.xml
owner=root
- group=root
- mode=0644
- when: ossec_server_config.local_rules_template is not defined
+ group=ossec
+ mode=0640
notify: restart wazuh-manager
tags:
- init
- config
- rules
+- name: Installing the local_decoder.xml
+ template: src=var-ossec-rules-local_decoder.xml.j2
+ dest=/var/ossec/etc/decoders/local_decoder.xml
+ owner=root
+ group=ossec
+ mode=0640
+ notify: restart wazuh-manager
+ tags:
+ - init
+ - config
+ - rules
+
+
- name: Check if client-syslog is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
register: csyslog_running
@@ -115,3 +101,11 @@
- wazuh-manager
- wazuh-api
- ossec-authd
+
+- name: Remove the correct repository
+ include: "RMRedHat.yml"
+ when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+ include: "RMDebian.yml"
+ when: ansible_os_family == "Debian"
diff --git a/ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2
deleted file mode 100644
index ac5a4d65..00000000
--- a/ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2
+++ /dev/null
@@ -1,42 +0,0 @@
-{% for item in ossec_agent_configs %}
-
-
-
-{% for directory in item.directories %}
- {{ directory.dirs }}
-{% endfor %}
-
- {{ item.frequency_check }}
- {% for ignore_file in item.ignore_files %}
- {{ ignore_file }}
- {% endfor %}
-
-
-
-{% for localfile in item.localfiles %}
-
- {{ localfile.format }}
- {% if localfile.command is defined %}
- {{ localfile.command }}
- {% else %}
- {{ localfile.location }}
- {% endif %}
-
-{% endfor %}
-
-
- /var/ossec/etc/shared/rootkit_files.txt
- /var/ossec/etc/shared/rootkit_trojans.txt
- /var/ossec/etc/shared/system_audit_rcl.txt
- {% if item.cis_distribution_filename is defined %}
- /var/ossec/etc/shared/{{ item.cis_distribution_filename }}
- {% else %}
- {# none specified so install all #}
- /var/ossec/etc/shared/cis_debian_linux_rcl.txt
- /var/ossec/etc/shared/cis_rhel_linux_rcl.txt
- /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
- {% endif %}
-
-
-
-{% endfor %}
diff --git a/ansible-wazuh-server/templates/var-ossec-rules-local_decoder.xml.j2 b/ansible-wazuh-server/templates/var-ossec-rules-local_decoder.xml.j2
new file mode 100644
index 00000000..653167f8
--- /dev/null
+++ b/ansible-wazuh-server/templates/var-ossec-rules-local_decoder.xml.j2
@@ -0,0 +1,25 @@
+
+
+
+
+
+
+
+ local_decoder_example
+
diff --git a/ansible-wazuh-server/vars/main.yml b/ansible-wazuh-server/vars/main.yml
index 95c8cf27..f7dbcd1d 100644
--- a/ansible-wazuh-server/vars/main.yml
+++ b/ansible-wazuh-server/vars/main.yml
@@ -79,32 +79,3 @@ ossec_server_config:
location: 'local'
level: 6
timeout: 600
-
-ossec_agent_configs:
- - type: os
- type_value: linux
- frequency_check: 79200
- ignore_files:
- - /etc/mtab
- - /etc/mnttab
- - /etc/hosts.deny
- - /etc/mail/statistics
- - /etc/svc/volatile
- directories:
- - check_all: yes
- dirs: /etc,/usr/bin,/usr/sbin
- - check_all: yes
- dirs: /bin,/sbin
- localfiles:
- - format: 'syslog'
- location: '/var/log/messages'
- - format: 'syslog'
- location: '/var/log/secure'
- - format: 'syslog'
- location: '/var/log/maillog'
- - format: 'apache'
- location: '/var/log/httpd/error_log'
- - format: 'apache'
- location: '/var/log/httpd/access_log'
- - format: 'apache'
- location: '/var/ossec/logs/active-responses.log'
diff --git a/wazuh-agent.yml b/wazuh-agent.yml
index db13438f..da3fbd71 100644
--- a/wazuh-agent.yml
+++ b/wazuh-agent.yml
@@ -1,3 +1,3 @@
- hosts: all:!wazuh-manager
roles:
- - { role: ansible-wazuh-agent, ossec_server_ip: 192.168.33.169 }
+ - { role: ansible-wazuh-agent, ossec_server_ip: 192.168.33.183 }
diff --git a/wazuh-elastic.yml b/wazuh-elastic.yml
new file mode 100644
index 00000000..34179cf3
--- /dev/null
+++ b/wazuh-elastic.yml
@@ -0,0 +1,3 @@
+- hosts: elasticsearch
+ roles:
+ - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' }
diff --git a/wazuh-kibana.yml b/wazuh-kibana.yml
new file mode 100644
index 00000000..d8d8c881
--- /dev/null
+++ b/wazuh-kibana.yml
@@ -0,0 +1,3 @@
+- hosts: kibana
+ roles:
+ - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' }
diff --git a/wazuh-logstash.yml b/wazuh-logstash.yml
new file mode 100644
index 00000000..73049220
--- /dev/null
+++ b/wazuh-logstash.yml
@@ -0,0 +1,3 @@
+- hosts: logstash
+ roles:
+ - { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' }
diff --git a/wazuh-manager.yml b/wazuh-manager.yml
index 22139ecf..e7ed4e83 100644
--- a/wazuh-manager.yml
+++ b/wazuh-manager.yml
@@ -1,4 +1,4 @@
- hosts: wazuh-manager
roles:
- role: ansible-wazuh-server
- - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.177:5000' }
+ - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.169:5000' }