Added changes for ELK 7

playbooks/wazuh-elastic_stack-single.yml

@@ -1,7 +1,6 @@
 ---
-- hosts: <your single server host>
+- hosts: <your server host>
   roles:
-      - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager}
+      - {role: ../roles/wazuh/ansible-wazuh-manager}
-      - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'}
+      - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true}
-      - { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: 'localhost' }
+      - { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' }
-      - { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' }

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -5,6 +5,8 @@ elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_jvm_xms: null
 elastic_stack_version: 7.1.1
-elasticsearch_shards: 5
+single_node: false
-elasticsearch_replicas: 1
+elasticsearch_bootstrap_node: false
-elasticsearch_install_java: true
+elasticsearch_master_candidate: false
+elasticsearch_cluster_nodes:
+  - 127.0.0.1

roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml

@@ -4,12 +4,6 @@
     name: ['apt-transport-https', 'ca-certificates']
     state: present
 
-- when: elasticsearch_install_java
-  block:
-    - name: Debian/Ubuntu | Install OpenJDK 1.8
-      apt: name=openjdk-8-jre state=present cache_valid_time=3600
-      tags: install
-
 - name: Debian/Ubuntu | Add Elasticsearch GPG key.
   apt_key:
     url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"

roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml

@@ -1,5 +1,5 @@
 ---
 - name: Debian/Ubuntu | Removing Elasticsearch repository
   apt_repository:
-    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
     state: absent

roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml

@@ -1,10 +1,4 @@
 ---
-- when: elasticsearch_install_java
-  block:
-    - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
-      yum: name=java-1.8.0-openjdk state=present
-      register: oracle_java_task_rpm_installed
-      tags: install
 
 - name: RedHat/CentOS/Fedora | Install Elastic repo
   yum_repository:
@@ -16,5 +10,4 @@
 
 - name: RedHat/CentOS/Fedora | Install Elasticsarch
   package: name=elasticsearch-{{ elastic_stack_version }} state=present
-  when: not elasticsearch_install_java or oracle_java_task_rpm_installed is defined
   tags: install

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -4,4 +4,4 @@ elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
 elastic_stack_version: 7.1.1
-wazuh_version: 3.9.1
+wazuh_version: 3.9.1

roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml

@@ -1,5 +1,5 @@
 ---
 - name: Debian/Ubuntu | Removing Elasticsearch repository
   apt_repository:
-    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
     state: absent

roles/wazuh/ansible-filebeat/tasks/Debian.yml

@@ -12,6 +12,6 @@
 
 - name: Debian/Ubuntu | Add Filebeat repository.
   apt_repository:
-    repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
+    repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
     state: present
     update_cache: true

roles/wazuh/ansible-filebeat/tasks/RMDebian.yml

@@ -1,5 +1,5 @@
 ---
 - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
   apt_repository:
-    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
     state: absent

roles/wazuh/ansible-filebeat/tasks/RedHat.yml

@@ -3,6 +3,6 @@
   yum_repository:
     name: elastic_repo
     description: Elastic repository for 6.x packages
-    baseurl: https://artifacts.elastic.co/packages/6.x/yum
+    baseurl: https://artifacts.elastic.co/packages/7.x/yum
     gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     gpgcheck: true

roles/wazuh/ansible-filebeat/tasks/config.yml

@@ -9,6 +9,16 @@
   notify: restart filebeat
   tags: configure
 
+- name: Copy Elasticsearch template.
+  template:
+    src: elasticsearch.yml.j2
+    dest: "/etc/filebeat/wazuh-template.json"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart filebeat
+  tags: configure
+
 - name: Ensure Filebeat SSL key pair directory exists.
   file:
     path: "{{ filebeat_ssl_dir }}"

roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2

@@ -1,6 +1,7 @@
 <!-- Local rules -->
 
 <!-- Modify it at your will. -->
+<!-- Copyright (C) 2015-2019, Wazuh Inc. -->
 
 <!-- Example -->
 <group name="local,syslog,sshd,">
@@ -15,21 +16,4 @@
     <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>
 
-</group>
+</group>
-
-<!--
-Used with active-response to restart an agent when agent.conf file
-is successfully retrieved.
--->
-<group name="local,ossec,">
-  <rule id="100002" level="1">
-    <if_group>syscheck</if_group>
-    <match>/var/ossec/etc/shared/agent.conf</match>
-    <description>Linux | agent.conf was modified</description>
-  </rule>
-  <rule id="100003" level="1">
-    <if_group>syscheck</if_group>
-    <match>C:\wazuh-agent/shared/agent.conf</match>
-    <description>Windows | agent.conf was modified</description>
-  </rule>
-</group>