afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Inject Wazuh template and sample alert.

Browse Source
This commit is contained in:
Miguelangel Freitas 2017-08-21 23:31:39 -04:00
parent 90dacea946
commit 66ca4e3fd0
4 changed files with 720 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible-role-elasticsearch/defaults/main.yml
View File

@ -5,3 +5,5 @@ elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 5.5.2 elastic_stack_version: 5.5.2
elasticsearch_shards: 5
elasticsearch_replicas: 1

24
ansible-role-elasticsearch/tasks/main.yml
View File

@ -31,6 +31,30 @@
enabled: yes enabled: yes
state: started state: started
- name: Make sure Elasticsearch is running before proceeding
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags:
- configure
- init
- name: Installing Wazuh template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}"
tags: init
- name: Injecting sample alert
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
method: PUT
status_code: 201
body_format: json
body: "{{ lookup('template','alert_sample.json.j2') }}"
tags: init
- include: "RMRedHat.yml" - include: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"

72
ansible-role-elasticsearch/templates/alert_sample.json.j2 Normal file
View File

@ -0,0 +1,72 @@
{
"@timestamp": "2015-03-18T15:55:55.000Z",
"AlertsFile": "sample",
"title": "sample",
"full_log": "sample",
"id": "sample",
"srcuser": "sample",
"srcip": "sample",
"location": "sample",
"GeoLocation": {
"country_name": "sample",
"location": [0.0,0.0]
},
"agent": {
"name": "sample"
},
"audit": {
"command": "sample",
"type": "sample",
"egid": "sample",
"euid": "sample",
"exe": "sample",
"gid": "sample",
"uid": "sample",
"directory": {
"name": "sample"
},
"file": {
"mode": "sample",
"name": "sample"
}
},
"oscap": {
"check": {
"result": "sample",
"severity": "sample",
"title": "sample"
},
"scan": {
"id": "sample",
"content": "sample",
"score": 1.55,
"profile": {
"title": "sample"
}
}
},
"rule": {
"cis": ["sample"],
"description": "sample",
"groups": ["sample"],
"id": "sample",
"level": 0,
"pci_dss": ["sample"]
},
"syscheck": {
"gname_after": "sample",
"gname_before": "sample",
"guid_after": "sample",
"guid_before": "sample",
"md5_after": "sample",
"md5_before": "sample",
"path": "sample",
"perm_after": "sample",
"perm_before": "sample",
"uid_after": "sample",
"uid_before": "sample",
"uname_after": "sample",
"uname_before": "sample",
"event": "sample"
}
}

622
ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 Normal file
View File

@ -0,0 +1,622 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}