split and update formulas

.gitignore

@@ -1 +1,4 @@
 *.retry
+wazuh-manager.yml
+wazuh-agent.yml
+elk.yml

1

@@ -0,0 +1,3 @@
+- hosts: kibana
+  roles:
+    - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' } 

ansible-role-elasticsearch/README.md

@@ -0,0 +1,45 @@
+# Ansible Role: Elasticsearch
+
+
+An Ansible Role that installs Elasticsearch RedHat/CentOS.
+
+## Requirements
+
+Requires at least Java 8 (Java 8+ preferred).
+
+## Role Variables
+Available variables are listed below, along with default values (see `vars/main.yml`):
+
+    elasticsearch_cluster_name: wazuh
+    elasticsearch_node_name: node-1
+    elasticsearch_http_port: 9200
+    elasticsearch_network_host: 192.168.33.182
+    elasticsearch_jvm_xms: 1g
+
+
+Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+
+    elasticsearch_http_port: 9200
+
+Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+
+
+
+## Example Playbook
+
+    - hosts: search
+      roles:
+        - geerlingguy.java
+        - geerlingguy.elasticsearch
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
+
+## Modified
+
+The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.

ansible-role-elasticsearch/defaults/main.yml

@@ -0,0 +1 @@
+---

ansible-role-elasticsearch/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart elasticsearch
+  service: name=elasticsearch state=restarted

ansible-role-elasticsearch/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Jose Luis Ruiz
+  description: Elasticsearch for Linux.
+  company: "Wazuh"
+  license: "license (BSD, MIT)"
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - all
+  galaxy_tags:
+    - web
+    - system
+    - monitoring

ansible-role-elasticsearch/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+# Remove logstash repository
+- name: Remove Elasticsearch repository (and clean up left-over metadata)
+  yum_repository:
+    name: logstash
+    state: absent

ansible-role-elasticsearch/tasks/RedHat.yml

@@ -21,7 +21,7 @@
     key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     state: present
 
-- name: RedHat | Install ELK repo
+- name: RedHat | Install Elasticsearch repo
   yum_repository:
     name: elk_repo
     description: Elastic repository for 5.x packages
@@ -29,12 +29,8 @@
     gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     gpgcheck: yes
 
-- name: RedHat | Install ELK
-  yum: pkg={{ item }}
+- name: RedHat | Install Elasticsarch
+  yum: pkg=elasticsearch-5.3.0
        state=present
-  with_items:
-    - logstash-5.2.2
-    - elasticsearch-5.2.2
-    - kibana-5.2.2
   tags:
     - init

ansible-role-elasticsearch/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- include: RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: 'check parm is null or invalid'
+  fail: msg="This playbook is not compatible with Debian/Ubuntu"
+  when: ansible_os_family == 'Debian'
+
+- name: Configure Elasticsearch.
+  template:
+    src: elasticsearch.yml.j2
+    dest: /etc/elasticsearch/elasticsearch.yml
+    owner: root
+    group: elasticsearch
+    mode: 0660
+  notify: restart elasticsearch
+
+- name: Configure Elasticsearch JVM memmory.
+  template:
+    src: jvm.options.j2
+    dest: /etc/elasticsearch/jvm.options
+    owner: root
+    group: elasticsearch
+    mode: 0660
+  notify: restart elasticsearch
+
+- name: Start Elasticsearch.
+  service: name=elasticsearch state=started enabled=yes
+
+- name: Ensure Elasticsearch started and enabled
+  service:
+    name: elasticsearch
+    enabled: yes
+    state: started
+
+- name: Remove the correct repository
+  include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"

ansible-role-elasticsearch/templates/elasticsearch.yml.j2

@@ -53,7 +53,7 @@ node.name: {{ elasticsearch_node_name }}
 #
 # Set the bind address to a specific IP (IPv4 or IPv6):
 #
-#network.host: 192.168.0.1
+network.host: {{ elasticsearch_network_host }}
 #
 # Set a custom port for HTTP:
 #

ansible-role-elasticsearch/vars/main.yml

@@ -2,8 +2,5 @@
 elasticsearch_cluster_name: wazuh
 elasticsearch_node_name: node-1
 elasticsearch_http_port: 9200
-elasticsearch_network_host: localhost
+elasticsearch_network_host: 192.168.33.182
 elasticsearch_jvm_xms: 1g
-
-
-kibana_server_host: "0.0.0.0"

ansible-role-elk/handlers/main.yml

@@ -1,9 +0,0 @@
----
-- name: restart elasticsearch
-  service: name=elasticsearch state=restarted
-
-- name: restart logstash
-  service: name=logstash state=restarted
-
-- name: restart kibana
-  service: name=kibana state=restarted

ansible-role-elk/tasks/main.yml

@@ -1,71 +0,0 @@
----
-- include: RedHat.yml
-  when: ansible_os_family == 'RedHat'
-
-- name: Configure Elasticsearch.
-  template:
-    src: elasticsearch.yml.j2
-    dest: /etc/elasticsearch/elasticsearch.yml
-    owner: root
-    group: elasticsearch
-    mode: 0660
-  notify: restart elasticsearch
-
-- name: Configure Elasticsearch JVM memmory.
-  template:
-    src: jvm.options.j2
-    dest: /etc/elasticsearch/jvm.options
-    owner: root
-    group: elasticsearch
-    mode: 0660
-  notify: restart elasticsearch
-
-- name: Start Elasticsearch.
-  service: name=elasticsearch state=started enabled=yes
-
-- name: Make sure Elasticsearch is running before proceeding.
-  wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
-
-- name: Logstash configuration
-  template:
-    src: 01-wazuh.conf.j2
-    dest: /etc/logstash/conf.d/01-wazuh.conf
-    owner: root
-    group: root
-  notify: restart logstash
-
-- name: Logstash template
-  template:
-    src: wazuh-elastic5-template.json.j2
-    dest: /etc/logstash/wazuh-elastic5-template.json
-    owner: root
-    group: root
-  notify: restart logstash
-
-- name: Kibana configuration
-  template:
-    src: kibana.yml.j2
-    dest: /etc/kibana/kibana.yml
-    owner: root
-    group: root
-    mode: 0664
-  notify: restart kibana
-
-
-- name: Verify if Wazuh-APP is installed
-  command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
-  register: kibanainstalled
-
-- name: Install Wazuh-APP (can take a while)
-  shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.2.2.zip && service kibana restart
-  when: kibanainstalled.stdout.find('wazuh') == -1
-
-- name: Ensure Logstash, Kibana and Elasticsearch started and enabled
-  service:
-    name: "{{ item }}"
-    enabled: yes
-    state: started
-  with_items:
-    - logstash
-    - elasticsearch
-    - kibana

ansible-role-elk/tests/requirements.yml

@@ -1,2 +0,0 @@
----
-- src: geerlingguy.java

ansible-role-elk/tests/test.yml

@@ -1,15 +0,0 @@
----
-- hosts: all
-
-  pre_tasks:
-    - name: Update apt cache.
-      apt: update_cache=yes cache_valid_time=600
-      when: ansible_os_family == 'Debian'
-      changed_when: false
-
-    - name: Ensure build dependencies are installed.
-      package: name=curl state=present
-
-  roles:
-    - geerlingguy.java
-    - role_under_test

ansible-role-filebeat/tasks/RMDebian.yml

@@ -0,0 +1,6 @@
+---
+# Remove ELK REPOSITORY and Wazuh repositories from sources list.
+- name: Remove Filebeat repository (and clean up left-over metadata)
+  apt_repository:
+    repo: ddeb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: absent

ansible-role-filebeat/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+# Remove repositories
+- name: Remove Filebeat repository (and clean up left-over metadata)
+  yum_repository:
+    name: filebeat
+    state: absent

ansible-role-filebeat/tasks/main.yml

@@ -16,3 +16,11 @@
     name: filebeat
     state: started
     enabled: yes
+
+- name: Remove the correct repository
+  include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+  include: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

ansible-role-filebeat/tasks/setup-RedHat.yml

@@ -6,7 +6,7 @@
 
 - name: RedHat | Install Filebeats repo
   yum_repository:
-    name: elk_repo
+    name: filebeat
     description: Elastic repository for 5.x packages
     baseurl: https://artifacts.elastic.co/packages/5.x/yum
     gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch

ansible-role-kibana/README.md

@@ -1,14 +1,14 @@
 # Ansible Role: Elasticsearch
 
 
-An Ansible Role that installs Elasticsearch, Logstash, Kibana and WazuhAPP  on RedHat/CentOS.
+An Ansible Role that installs Kibana and WazuhAPP  on RedHat/CentOS.
 
 ## Requirements
 
 Requires at least Java 8 (Java 8+ preferred).
 
 ## Role Variables
-Available variables are listed below, along with default values (see `defaults/main.yml`):
+Available variables are listed below, along with default values (see `vars/main.yml`):
 
     elasticsearch_network_host: localhost
 

ansible-role-kibana/defaults/main.yml

@@ -0,0 +1 @@
+---

ansible-role-kibana/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart kibana
+  service: name=kibana state=restarted

ansible-role-kibana/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+# Remove logstash repository
+- name: Remove Elasticsearch repository (and clean up left-over metadata)
+  yum_repository:
+    name: logstash
+    state: absent

ansible-role-kibana/tasks/RedHat.yml

@@ -0,0 +1,23 @@
+---
+- name: Add Elasticsearch GPG key.
+  rpm_key:
+    key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    state: present
+
+- name: RedHat | Install Kibana repo
+  yum_repository:
+    name: elk_repo
+    description: Elastic repository for 5.x packages
+    baseurl: https://artifacts.elastic.co/packages/5.x/yum
+    gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    gpgcheck: yes
+
+- name: RedHat | Install Kibana
+  yum: pkg=kibana-5.3.0
+       state=present
+  tags:
+    - init
+
+- name: Remove the correct repository
+  include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"

ansible-role-kibana/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- include: RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: 'check parm is null or invalid'
+  fail: msg="This playbook is not compatible with Debian/Ubuntu"
+  when: ansible_os_family == 'Debian'
+
+- name: Make sure Elasticsearch is running before proceeding.
+  wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
+
+- name: Kibana configuration
+  template:
+    src: kibana.yml.j2
+    dest: /etc/kibana/kibana.yml
+    owner: root
+    group: root
+    mode: 0664
+  notify: restart kibana
+
+
+- name: Verify if Wazuh-APP is installed
+  command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
+  register: kibanainstalled
+
+- name: Install Wazuh-APP (can take a while)
+  shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip && service kibana restart
+  when: kibanainstalled.stdout.find('wazuh') == -1
+
+- name: Ensure Logstash, Kibana and Elasticsearch started and enabled
+  service:
+    name: kibana
+    enabled: yes
+    state: started

ansible-role-kibana/templates/kibana.yml.j2

@@ -19,7 +19,7 @@ server.host: {{ kibana_server_host }}
 #server.name: "your-hostname"
 
 # The URL of the Elasticsearch instance to use for all your queries.
-#elasticsearch.url: "http://localhost:9200"
+elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
 
 # When this setting's value is true Kibana uses the hostname specified in the server.host
 # setting. When the value of this setting is false, Kibana uses the hostname of the host

ansible-role-kibana/vars/main.yml

@@ -0,0 +1,5 @@
+---
+elasticsearch_http_port: "9200"
+elasticsearch_network_host: "192.168.33.182"
+
+kibana_server_host: "0.0.0.0"

ansible-role-logstash/README.md

@@ -0,0 +1,40 @@
+# Ansible Role: Logstash
+
+
+An Ansible Role that installs Logstash  on RedHat/CentOS.
+
+## Requirements
+
+Requires at least Java 8 (Java 8+ preferred).
+
+## Role Variables
+Available variables are listed below, along with default values (see `vars/main.yml`):
+
+    elasticsearch_network_host: localhost
+
+Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+
+    elasticsearch_http_port: 9200
+
+Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+
+
+
+## Example Playbook
+
+    - hosts: search
+      roles:
+        - geerlingguy.java
+        - geerlingguy.elasticsearch
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
+
+## Modified
+
+The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.

ansible-role-logstash/defaults/main.yml

@@ -0,0 +1 @@
+---

ansible-role-logstash/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart logstash
+  service: name=logstash state=restarted

ansible-role-logstash/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Jose Luis Ruiz
+  description: Logstash for Linux.
+  company: "Wazuh"
+  license: "license (BSD, MIT)"
+  min_ansible_version: 1.8
+  platforms:
+  - name: EL
+    versions:
+    - all
+  galaxy_tags:
+    - web
+    - system
+    - monitoring

ansible-role-logstash/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+# Remove logstash repository
+- name: Remove logstash repository (and clean up left-over metadata)
+  yum_repository:
+    name: logstash
+    state: absent

ansible-role-logstash/tasks/RedHat.yml

@@ -0,0 +1,36 @@
+---
+- name: download Java RPM
+  shell:
+    "curl -L  -H 'Cookie:oraclelicense=accept-securebackup-cookie' -o /tmp/jdk-8-linux-x64.rpm http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm"
+  args:
+    creates: "/tmp/jdk-8-linux-x64.rpm"
+  register: oracle_java_task_rpm_download
+  become: yes
+  tags:
+    - installation
+
+- name: install RPM
+  action: "yum name=/tmp/jdk-8-linux-x64.rpm state=present"
+  when: not oracle_java_task_rpm_download|skipped
+  become: yes
+  tags:
+    - installation
+
+- name: Add Elasticsearch GPG key.
+  rpm_key:
+    key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    state: present
+
+- name: RedHat | Install Logstash repo
+  yum_repository:
+    name: logstash
+    description: Elastic repository for 5.x packages
+    baseurl: https://artifacts.elastic.co/packages/5.x/yum
+    gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    gpgcheck: yes
+
+- name: RedHat | Install Logstash
+  yum: pkg=logstash-5.3.0
+       state=present
+  tags:
+    - init

ansible-role-logstash/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- include: RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: 'check parm is null or invalid'
+  fail: msg="This playbook is not compatible with Debian/Ubuntu"
+  when: ansible_os_family == 'Debian'
+
+- name: Logstash configuration
+  template:
+    src: 01-wazuh.conf.j2
+    dest: /etc/logstash/conf.d/01-wazuh.conf
+    owner: root
+    group: root
+  notify: restart logstash
+
+- name: Logstash template
+  template:
+    src: wazuh-elastic5-template.json.j2
+    dest: /etc/logstash/wazuh-elastic5-template.json
+    owner: root
+    group: root
+  notify: restart logstash
+
+
+- name: Ensure Logstash started and enabled
+  service:
+    name: logstash
+    enabled: yes
+    state: started
+
+- name: Remove the correct repository
+  include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"

ansible-role-logstash/templates/01-wazuh.conf.j2

@@ -35,7 +35,7 @@ filter {
 output {
     #stdout { codec => rubydebug }
     elasticsearch {
-        hosts => ["localhost:9200"]
+        hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]
         index => "wazuh-alerts-%{+YYYY.MM.dd}"
         document_type => "wazuh"
         template => "/etc/logstash/wazuh-elastic5-template.json"

ansible-role-logstash/vars/main.yml

@@ -0,0 +1,3 @@
+---
+elasticsearch_network_host: "192.168.33.182"
+elasticsearch_http_port: "9200"

ansible-wazuh-agent/tasks/RMDebian.yml

@@ -0,0 +1,5 @@
+---
+# Remove Nodejs and Wazuh repositories from sources list.
+- apt_repository:
+    repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+    state: absent

ansible-wazuh-agent/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+# Remove repositories
+- name: Remove Wazuh repository (and clean up left-over metadata)
+  yum_repository:
+    name: wazuh_repo
+    state: absent

ansible-wazuh-agent/tasks/RedHat.yml

@@ -30,6 +30,13 @@
     cis_distribution_filename: cis_rhel7_linux_rcl.txt
   when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
 
+- name: RedHat | Install openscap
+  yum: pkg=openscap-scanner
+       state=present
+  when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= 6
+  tags:
+    - init
+
 - name: RedHat | Install Wazuh Agent
   yum: pkg={{ item }}
        state=present

ansible-wazuh-agent/tasks/main.yml

@@ -39,3 +39,12 @@
     state: started
   with_items:
     - wazuh-agent
+
+
+- name: Remove the correct repository
+  include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+  include: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

ansible-wazuh-server/tasks/RMDebian.yml

@@ -0,0 +1,19 @@
+---
+# Remove Nodejs and Wazuh repositories from sources list.
+- name: Remove Wazuh repository.
+  apt_repository:
+    repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+    state: absent
+
+- name: Remove Nodejs repository.
+  apt_repository:
+    repo: deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
+      - deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
+      - deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
+      - deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+    state: absent
+
+- name: Remove Nodejs repository.
+  apt_repository:
+    repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+    state: absent

ansible-wazuh-server/tasks/RMRedHat.yml

@@ -0,0 +1,12 @@
+---
+# Remove repositories
+- name: Remove NodeJS repository (and clean up left-over metadata)
+  yum_repository:
+    name: NodeJS
+    state: absent
+
+
+- name: Remove Wazuh repository (and clean up left-over metadata)
+  yum_repository:
+    name: wazuh_repo
+    state: absent

ansible-wazuh-server/tasks/RedHat.yml

@@ -6,7 +6,7 @@
     ansible_distribution: centos
   when: ansible_distribution == "RedHat"
 
-- name: RedHat | Install Wazuh repo
+- name: RedHat | Install Nodejs repo
   yum_repository:
     name: NodeJS
     description: NodeJS-$releasever
@@ -14,7 +14,7 @@
     gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
     gpgcheck: yes
 
-- name: RedHat | Install NodeJS repo
+- name: RedHat | Install Wazuh repo
   yum_repository:
     name: wazuh_repo
     description: CentOS-$releasever - Wazuh
@@ -41,22 +41,22 @@
   tags:
     - init
 
-- name: Set Distribution CIS filename for RHEL5
+- name: Set Distribution CIS filename for RHEL5/CentOS-5
   set_fact:
     cis_distribution_filename: cis_rhel5_linux_rcl.txt
   when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5"
 
-- name: Set Distribution CIS filename for RHEL6
+- name: Set Distribution CIS filename for RHEL6/CentOS-6
   set_fact:
     cis_distribution_filename: cis_rhel6_linux_rcl.txt
   when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
 
-- name: Set Distribution CIS filename for RHEL7
+- name: Set Distribution CIS filename for RHEL7/CentOS-7
   set_fact:
     cis_distribution_filename: cis_rhel7_linux_rcl.txt
   when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
 
-- name: Set ossec deploy facts for RedHat
+- name: Set ossec deploy facts for RedHat/CentOS
   set_fact:
     ossec_server_config_filename: ossec-server.conf
     ossec_init_name: wazuh-manager

ansible-wazuh-server/tasks/main.yml

@@ -1,6 +1,5 @@
 ---
-# tasks file for ossec-server
-
+# tasks file for wazuh-manager
 - name: Install the correct repository
   include: "RedHat.yml"
   when: ansible_os_family == "RedHat"
@@ -18,44 +17,31 @@
   tags:
       - config
 
-- name: Configure the shared-agent.conf
-  template: src=var-ossec-etc-shared-agent.conf.j2
-            dest=/var/ossec/etc/shared/agent.conf
-            owner=ossec
-            group=ossec
-            mode=0644
-  notify: restart wazuh-manager
-  tags:
-    - init
-    - config
-
-- name: Installing custom local_rules.xml
-  template:
-    src: "{{ playbook_dir }}/{{ ossec_server_config.local_rules_template }}"
-    dest: /var/ossec/rules/local_rules.xml
-    owner: root
-    group: root
-    mode: 0644
-  when: ossec_server_config.local_rules_template is defined
-  notify: restart wazuh-manager
-  tags:
-    - init
-    - config
-    - rules
-
 - name: Installing the local_rules.xml (default local_rules.xml)
   template: src=var-ossec-rules-local_rules.xml.j2
             dest=/var/ossec/etc/rules/local_rules.xml
             owner=root
-            group=root
-            mode=0644
-  when: ossec_server_config.local_rules_template is not defined
+            group=ossec
+            mode=0640
   notify: restart wazuh-manager
   tags:
     - init
     - config
     - rules
 
+- name: Installing the local_decoder.xml
+  template: src=var-ossec-rules-local_decoder.xml.j2
+            dest=/var/ossec/etc/decoders/local_decoder.xml
+            owner=root
+            group=ossec
+            mode=0640
+  notify: restart wazuh-manager
+  tags:
+    - init
+    - config
+    - rules
+
+
 - name: Check if client-syslog is enabled
   shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
   register: csyslog_running
@@ -115,3 +101,11 @@
     - wazuh-manager
     - wazuh-api
     - ossec-authd
+
+- name: Remove the correct repository
+  include: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+  include: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

ansible-wazuh-server/templates/var-ossec-etc-shared-agent.conf.j2

@@ -1,42 +0,0 @@
-{% for item in ossec_agent_configs %}
-<agent_config {{ item.type }}="{{ item.type_value }}">
-  <syscheck>
-  <!-- Directories to check (perform all possible verifications) -->
-{% for directory in item.directories %}
-  <directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories>
-{% endfor %}
-    <!-- files we don't watch/ignore -->
-    <frequency>{{ item.frequency_check }}</frequency>
-    {% for ignore_file in item.ignore_files %}
-    <ignore>{{ ignore_file }}</ignore>
-    {% endfor %}
-  </syscheck>
-
-  <!-- Files to monitor (localfiles) -->
-{% for localfile in item.localfiles %}
-  <localfile>
-     <log_format>{{ localfile.format }}</log_format>
-     {% if localfile.command is defined %}
-     <command>{{ localfile.command }}</command>
-     {% else %}
-     <location>{{ localfile.location }}</location>
-     {% endif %}
-  </localfile>
-{% endfor %}
-
-  <rootcheck>
-    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
-    {% if item.cis_distribution_filename is defined %}
-    <system_audit>/var/ossec/etc/shared/{{ item.cis_distribution_filename }}</system_audit>
-    {% else %}
-    {# none specified so install all #}
-    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
-    {% endif %}
-  </rootcheck>
-
-</agent_config>
-{% endfor %}

ansible-wazuh-server/templates/var-ossec-rules-local_decoder.xml.j2

@@ -0,0 +1,25 @@
+<!-- Local Decoders -->
+
+<!-- Modify it at your will. -->
+
+<!--
+  - Allowed static fields:
+  - location   - where the log came from (only on FTS)
+  - srcuser    - extracts the source username
+  - dstuser    - extracts the destination (target) username
+  - user       - an alias to dstuser (only one of the two can be used)
+  - srcip      - source ip
+  - dstip      - dst ip
+  - srcport    - source port
+  - dstport    - destination port
+  - protocol   - protocol
+  - id         - event id
+  - url        - url of the event
+  - action     - event action (deny, drop, accept, etc)
+  - status     - event status (success, failure, etc)
+  - extra_data - Any extra data
+-->
+
+<decoder name="local_decoder_example">
+    <program_name>local_decoder_example</program_name>
+</decoder>

ansible-wazuh-server/vars/main.yml

@@ -79,32 +79,3 @@ ossec_server_config:
       location: 'local'
       level: 6
       timeout: 600
-
-ossec_agent_configs:
-  - type: os
-    type_value: linux
-    frequency_check: 79200
-    ignore_files:
-      - /etc/mtab
-      - /etc/mnttab
-      - /etc/hosts.deny
-      - /etc/mail/statistics
-      - /etc/svc/volatile
-    directories:
-      - check_all: yes
-        dirs: /etc,/usr/bin,/usr/sbin
-      - check_all: yes
-        dirs: /bin,/sbin
-    localfiles:
-      - format: 'syslog'
-        location: '/var/log/messages'
-      - format: 'syslog'
-        location: '/var/log/secure'
-      - format: 'syslog'
-        location: '/var/log/maillog'
-      - format: 'apache'
-        location: '/var/log/httpd/error_log'
-      - format: 'apache'
-        location: '/var/log/httpd/access_log'
-      - format: 'apache'
-        location: '/var/ossec/logs/active-responses.log'

wazuh-agent.yml

@@ -1,3 +1,3 @@
 - hosts: all:!wazuh-manager
   roles:
-     - { role: ansible-wazuh-agent, ossec_server_ip: 192.168.33.169 }
+     - { role: ansible-wazuh-agent, ossec_server_ip: 192.168.33.183 }

wazuh-elastic.yml

@@ -0,0 +1,3 @@
+- hosts: elasticsearch
+  roles:
+    - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' } 

wazuh-kibana.yml

@@ -0,0 +1,3 @@
+- hosts: kibana
+  roles:
+    - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' } 

wazuh-logstash.yml

@@ -0,0 +1,3 @@
+- hosts: logstash
+  roles:
+    - { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' } 

wazuh-manager.yml

@@ -1,4 +1,4 @@
 - hosts: wazuh-manager
   roles:
     - role: ansible-wazuh-server
-    - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.177:5000' } 
+    - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.169:5000' }