diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml index c4d59a7b..c8063a38 100644 --- a/ansible-role-elasticsearch/defaults/main.yml +++ b/ansible-role-elasticsearch/defaults/main.yml @@ -5,3 +5,5 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_jvm_xms: null elastic_stack_version: 5.5.2 +elasticsearch_shards: 5 +elasticsearch_replicas: 1 diff --git a/ansible-role-elasticsearch/tasks/main.yml b/ansible-role-elasticsearch/tasks/main.yml index 59c02bbb..262806e8 100644 --- a/ansible-role-elasticsearch/tasks/main.yml +++ b/ansible-role-elasticsearch/tasks/main.yml @@ -31,6 +31,30 @@ enabled: yes state: started +- name: Make sure Elasticsearch is running before proceeding + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 + tags: + - configure + - init + +- name: Installing Wazuh template + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" + method: PUT + status_code: 200 + body_format: json + body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}" + tags: init + +- name: Injecting sample alert + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" + method: PUT + status_code: 201 + body_format: json + body: "{{ lookup('template','alert_sample.json.j2') }}" + tags: init + - include: "RMRedHat.yml" when: ansible_os_family == "RedHat" diff --git a/ansible-role-elasticsearch/templates/alert_sample.json.j2 b/ansible-role-elasticsearch/templates/alert_sample.json.j2 new file mode 100644 index 00000000..68cf86d7 --- /dev/null +++ b/ansible-role-elasticsearch/templates/alert_sample.json.j2 @@ -0,0 +1,72 @@ +{ + "@timestamp": "2015-03-18T15:55:55.000Z", + "AlertsFile": "sample", + "title": "sample", + "full_log": "sample", + "id": "sample", + "srcuser": "sample", + "srcip": "sample", + "location": "sample", + "GeoLocation": { + "country_name": "sample", + "location": [0.0,0.0] + }, + "agent": { + "name": "sample" + }, + "audit": { + "command": "sample", + "type": "sample", + "egid": "sample", + "euid": "sample", + "exe": "sample", + "gid": "sample", + "uid": "sample", + "directory": { + "name": "sample" + }, + "file": { + "mode": "sample", + "name": "sample" + } + }, + "oscap": { + "check": { + "result": "sample", + "severity": "sample", + "title": "sample" + }, + "scan": { + "id": "sample", + "content": "sample", + "score": 1.55, + "profile": { + "title": "sample" + } + } + }, + "rule": { + "cis": ["sample"], + "description": "sample", + "groups": ["sample"], + "id": "sample", + "level": 0, + "pci_dss": ["sample"] + }, + "syscheck": { + "gname_after": "sample", + "gname_before": "sample", + "guid_after": "sample", + "guid_before": "sample", + "md5_after": "sample", + "md5_before": "sample", + "path": "sample", + "perm_after": "sample", + "perm_before": "sample", + "uid_after": "sample", + "uid_before": "sample", + "uname_after": "sample", + "uname_before": "sample", + "event": "sample" + } +} diff --git a/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 b/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 new file mode 100644 index 00000000..10107191 --- /dev/null +++ b/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 @@ -0,0 +1,622 @@ +{ + "order": 0, + "template": "wazuh*", + "settings": { + "index.refresh_interval": "5s", + "number_of_shards": {{ elasticsearch_shards }}, + "number_of_replicas": {{ elasticsearch_replicas }} + }, + "mappings": { + "wazuh": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "AlertsFile": { + "type": "keyword", + "doc_values": "true" + }, + "full_log": { + "type": "text" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword", + "doc_values": "true" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword", + "doc_values": "true" + }, + "region_name": { + "type": "keyword", + "doc_values": "true" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword", + "doc_values": "true" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_before": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_after": { + "type": "keyword", + "doc_values": "true" + }, + "uid_before": { + "type": "keyword", + "doc_values": "true" + }, + "uid_after": { + "type": "keyword", + "doc_values": "true" + }, + "gid_before": { + "type": "keyword", + "doc_values": "true" + }, + "gid_after": { + "type": "keyword", + "doc_values": "true" + }, + "perm_before": { + "type": "keyword", + "doc_values": "true" + }, + "perm_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_before": { + "type": "keyword", + "doc_values": "true" + }, + "gname_after": { + "type": "keyword", + "doc_values": "true" + }, + "gname_before": { + "type": "keyword", + "doc_values": "true" + }, + "inode_after": { + "type": "keyword", + "doc_values": "true" + }, + "inode_before": { + "type": "keyword", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "uname_after": { + "type": "keyword", + "doc_values": "true" + }, + "uname_before": { + "type": "keyword", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "doc_values": "true" + }, + "diff": { + "type": "keyword", + "doc_values": "true" + }, + "event": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "location": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword", + "doc_values": "true" + }, + "groups": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "cve": { + "type": "keyword", + "doc_values": "true" + }, + "info": { + "type": "keyword", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "ftscomment": { + "type": "keyword", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + "type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" + }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + "type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + }, + "agent": { + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "status": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + } + } + } + } +}