Merge pull request #199 from wazuh/elk-sercurity-dev

Elastic xpack security support

playbooks/wazuh-elastic_stack-distributed.yml

@@ -1,9 +1,87 @@
 ---
-- hosts: <your wazuh server host>
+
+- hosts: <node-1 IP>
   roles:
-    - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager
+    - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
-    - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your elastic stack server IP'}
+      elasticsearch_network_host: <node-1 IP>
-- hosts: <your elastic stack server host>
+      node_name: node-1
+      elasticsearch_bootstrap_node: true
+      elasticsearch_cluster_nodes: 
+        - <node-1 IP>
+        - <node-2 IP>
+        - <node-3 IP>
+      elasticsearch_discovery_nodes:
+        - <node-1 IP>
+        - <node-2 IP>
+        - <node-3 IP>
+      elasticsearch_xpack_security: true
+      node_certs_generator: true
+      elasticsearch_xpack_security_password: elastic_pass
+
+  vars:
+    instances:
+      - name: node-1       # Important: must be equal to elasticsearch_node_name.                    
+        ip: <node-1 IP>   # When unzipping, the node will search for its node name folder to get the cert.
+
+      - name: node-2
+        ip: <node-2 IP>
+
+      - name: node-3
+        ip: <node-3 IP>
+
+- hosts: <node-2 IP>
   roles:
-    - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'}
+    - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
-    - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost'}
+      elasticsearch_network_host: <node-2 IP>
+      elasticsearch_node_name: node-2
+      elasticsearch_xpack_security: true
+      elasticsearch_master_candidate: true
+      elasticsearch_discovery_nodes:
+        - <node-1 IP>
+        - <node-2 IP>
+        - <node-3 IP>
+  
+- hosts: <node-3 IP>
+  roles:
+    - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch 
+      elasticsearch_network_host: <node-3 IP>
+      elasticsearch_node_name: node-3
+      elasticsearch_xpack_security: true
+      elasticsearch_master_candidate: true
+      elasticsearch_discovery_nodes:
+        - <node-1 IP>
+        - <node-2 IP>
+        - <node-3 IP>
+
+
+# - hosts: 172.16.0.162
+#   roles:
+#     - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager
+
+#     - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat
+#       filebeat_output_elasticsearch_hosts: 172.16.0.161:9200
+#       filebeat_xpack_security: true
+#       filebeat_node_name: node-2
+#       node_certs_generator: false
+#       elasticsearch_xpack_security_password: elastic_pass
+
+#     - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
+#       elasticsearch_network_host: 172.16.0.162
+#       node_name: node-2
+#       elasticsearch_bootstrap_node: false
+#       elasticsearch_master_candidate: true
+#       elasticsearch_discovery_nodes: 
+#         - 172.16.0.161
+#         - 172.16.0.162
+#       elasticsearch_xpack_security: true
+#       node_certs_generator: false
+
+
+# - hosts: 172.16.0.163
+#   roles:
+#     - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana
+#       kibana_xpack_security: true
+#       kibana_node_name: node-3
+#       elasticsearch_network_host: 172.16.0.161
+#       node_certs_generator: false
+#       elasticsearch_xpack_security_password: elastic_pass

playbooks/wazuh-kibana.yml

@@ -1,4 +1,10 @@
 ---
-- hosts: <your kibana host>
+- hosts: 172.16.0.162
   roles:
-    - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'your elasticsearch IP'}
+    - role: ../roles/elastic-stack/ansible-kibana
+      kibana_xpack_security: true
+      kibana_user: elastic
+      kibana_password: elastic_pass
+      kibana_node_name: node-2
+      elasticsearch_network_host: 172.16.0.161
+      node_certs_generator: false

playbooks/wazuh-manager.yml

@@ -1,5 +1,10 @@
 ---
-- hosts: <your wazuh server host>
+- hosts: 172.16.0.161
   roles:
-    - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager
+    - role: ../roles/wazuh/ansible-wazuh-manager
-    - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'your elasticsearch IP'}
+    - role: ../roles/wazuh/ansible-filebeat
+      filebeat_output_elasticsearch_hosts: 172.16.0.161:9200
+      filebeat_xpack_security: true
+      filebeat_node_name: node-1
+      node_certs_generator: true
+

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -10,3 +10,25 @@ elasticsearch_bootstrap_node: false
 elasticsearch_master_candidate: false
 elasticsearch_cluster_nodes:
   - 127.0.0.1
+elasticsearch_discovery_nodes:
+  - 127.0.0.1
+
+# X-Pack Security 
+elasticsearch_xpack_security: false
+elasticsearch_xpack_security_user: elastic
+elasticsearch_xpack_security_password: elastic_pass
+
+node_certs_generator: false
+node_certs_generator_ip: 172.16.0.161
+node_certs_source: /usr/share/elasticsearch
+node_certs_destination: /etc/elasticsearch/certs
+
+# Rsync
+rsync_path: /usr/bin/rsync
+rsync_user: vagrant
+rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync'
+
+
+
+
+

roles/elastic-stack/ansible-elasticsearch/tasks/main.yml

@@ -48,16 +48,6 @@
     - ansible_service_mgr != "systemd"
     - ansible_os_family == "RedHat"
 
-- name: Configure Elasticsearch.
-  template:
-    src: elasticsearch.yml.j2
-    dest: /etc/elasticsearch/elasticsearch.yml
-    owner: root
-    group: elasticsearch
-    mode: 0660
-  notify: restart elasticsearch
-  tags: configure
-
 - name: Configure Elasticsearch JVM memmory.
   template:
     src: jvm.options.j2
@@ -69,6 +59,144 @@
   tags: configure
 
 # fix in new PR (ignore_errors)
+
+- import_tasks: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- name: Check if certificate exists locally
+  stat:
+    path: "{{node_certs_destination}}/{{ elasticsearch_node_name }}.crt"
+  register: certificate_file_exists
+  when:
+    - elasticsearch_xpack_security
+
+- name: Write the instances.yml file in the selected node (force = no)
+  template:
+    src: instances.yml.j2
+    dest: "{{node_certs_source}}/instances.yml"
+    force: no
+  register: instances_file_exists
+  tags:
+    - config
+    - xpack-security
+  when:
+    - node_certs_generator
+    - elasticsearch_xpack_security
+    - not certificate_file_exists.stat.exists
+
+- name: Update instances.yml status after generation
+  stat:
+    path: "{{node_certs_source}}/instances.yml"
+  register: instances_file_exists
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+
+- name: Check if the certificates ZIP file exists
+  stat:
+    path: "{{node_certs_source}}/certs.zip"
+  register: xpack_certs_zip
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+
+- name: Generating certificates for Elasticsearch security
+  shell: "/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in {{node_certs_source}}/instances.yml --out {{node_certs_source}}/certs.zip"
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+    - not xpack_certs_zip.stat.exists
+    - not certificate_file_exists.stat.exists
+  register: certs_file_generated
+  tags: xpack-security
+
+- name: Unzip generated certs.zip
+  unarchive:
+    src: "{{node_certs_source}}/certs.zip"
+    dest: "{{node_certs_source}}/"
+    remote_src: yes
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+    - certs_file_generated is defined
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+
+- name: Copy key & certificate files in generator node (locally)
+  synchronize:
+    src: "{{node_certs_source}}/{{elasticsearch_node_name}}/"
+    dest: "{{node_certs_destination}}/"
+  delegate_to: "{{ node_certs_generator_ip }}"
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+  tags: xpack-security
+
+- name: Copy ca certificate file in generator node (locally)
+  synchronize:
+    src: "{{node_certs_source}}/ca/"
+    dest: "{{node_certs_destination}}/"
+  delegate_to: "{{ node_certs_generator_ip }}"
+  register: check_certs_permissions
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+  tags: xpack-security
+
+- name: Importing key & certificate files from generator node
+  shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/{{elasticsearch_node_name}}/ {{node_certs_destination}}/"
+  when:
+    - not node_certs_generator
+    - elasticsearch_xpack_security
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+
+- name: Importing ca certificate file from generator node 
+  shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/ca/ {{node_certs_destination}}/"
+  when:
+    - not node_certs_generator
+    - elasticsearch_xpack_security
+    - not certificate_file_exists.stat.exists
+  register: check_certs_permissions
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  shell: "chown -R elasticsearch: {{node_certs_destination}}/"
+  when:
+    - check_certs_permissions is defined
+    - elasticsearch_xpack_security
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  shell: "chmod -R 770 {{node_certs_destination}}/"
+  when:
+    - check_certs_permissions is defined
+    - elasticsearch_xpack_security
+  tags: xpack-security
+  
+
+- name: Remove generated certs file
+  shell: /bin/rm -f {{node_certs_source}}/certs.zip*
+  when: 
+    - node_certs_generator
+    - elasticsearch_xpack_security
+  tags: xpack-security
+
+- name: Configure Elasticsearch.
+  template:
+    src: elasticsearch.yml.j2
+    dest: /etc/elasticsearch/elasticsearch.yml
+    owner: root
+    group: elasticsearch
+    mode: 0660
+  notify: restart elasticsearch
+  tags: configure
+
+- name: Set elasticsearch bootstrap password
+  shell: "echo '{{elasticsearch_xpack_security_password}}' | {{node_certs_source}}/bin/elasticsearch-keystore add -xf 'bootstrap.password'"
+  when:
+    - elasticsearch_xpack_security
+  
 - name: Reload systemd
   systemd: daemon_reload=true
   ignore_errors: true
@@ -90,17 +218,19 @@
     - configure
     - init
 
-- name: Check for Wazuh Alerts template
+- name: Check for Wazuh Alerts template (http)
   uri:
     url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
     method: GET
     status_code: 200, 404
-  when: not elasticsearch_bootstrap_node or single_node
+  when: 
+    - elasticsearch_bootstrap_node or single_node
+    - not elasticsearch_xpack_security
   poll: 30
   register: wazuh_alerts_template_exits
   tags: init
 
-- name: Installing Wazuh Alerts template
+- name: Installing Wazuh Alerts template (http)
   uri:
     url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
     method: PUT
@@ -110,10 +240,12 @@
   when: 
     - wazuh_alerts_template_exits.status is defined
     - wazuh_alerts_template_exits.status != 200
+    - not elasticsearch_xpack_security
   tags: init
 
 - import_tasks: "RMRedHat.yml"
   when: ansible_os_family == "RedHat"
 
+
 - import_tasks: "RMDebian.yml"
   when: ansible_os_family == "Debian"

roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2

@@ -15,10 +15,31 @@ cluster.initial_master_nodes:
 {% for item in elasticsearch_cluster_nodes %}
   - {{ item }}
 {% endfor %}
-{% elif elasticsearch_master_candidate %}
-node.master: true
 discovery.seed_hosts:
-{% for item in elasticsearch_cluster_nodes %}
+{% for item in elasticsearch_discovery_nodes %}
+  - {{ item }}
+{% endfor %}
+{% else %}
+node.master: {{ elasticsearch_master_candidate|lower }}
+discovery.seed_hosts:
+{% for item in elasticsearch_discovery_nodes %}
   - {{ item }}
 {% endfor %}
 {% endif %}
+
+# XPACK Security
+
+{% if elasticsearch_xpack_security %}
+xpack.security.enabled: true
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: certificate 
+xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key 
+xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt 
+xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ]
+
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.verification_mode: certificate
+xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key 
+xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt 
+xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ]
+{% endif %}

roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2

@@ -0,0 +1,13 @@
+
+# {{ ansible_managed }}
+# TO-DO
+
+{% if node_certs_generator %}
+instances:
+{% for node in instances %}
+- name: "{{ node.name }}"
+  ip:
+   - "{{ node.ip }}"
+{% endfor %}
+
+{% endif %}

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -1,7 +1,25 @@
 ---
+kibana_node_name: node-1
+
 elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
 elastic_stack_version: 7.1.1
 wazuh_version: 3.9.2
+
+# Xpack Security
+kibana_xpack_security: false
+
+elasticsearch_xpack_security_user: elastic
+elasticsearch_xpack_security_password: elastic_pass
+
+node_certs_generator: false
+node_certs_generator_ip: 172.16.0.161
+node_certs_source: /usr/share/elasticsearch
+node_certs_destination: /etc/kibana/certs
+
+# Rsync
+rsync_path: /usr/bin/rsync
+rsync_user: vagrant
+rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync'

roles/elastic-stack/ansible-kibana/tasks/main.yml

@@ -5,11 +5,6 @@
 - import_tasks: Debian.yml
   when: ansible_os_family == 'Debian'
 
-- name: Make sure Elasticsearch is running before proceeding.
-  wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
-  tags: configure
-  ignore_errors: true
-
 - name: Reload systemd
   systemd: daemon_reload=true
   ignore_errors: true
@@ -18,6 +13,66 @@
     - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
     - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
 
+- name: Check if certificate exists locally
+  stat:
+    path: "{{node_certs_destination}}/{{ kibana_node_name }}.crt"
+  register: certificate_file_exists
+  when:
+    - kibana_xpack_security 
+
+- name: Copy key & certificate files in generator node (locally)
+  synchronize:
+    src: "{{node_certs_source}}/{{kibana_node_name}}/"
+    dest: "{{node_certs_destination}}/"
+  delegate_to: "{{ node_certs_generator_ip }}"
+  when: 
+    - node_certs_generator
+    - kibana_xpack_security
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+
+- name: Copy ca certificate file in generator node (locally)
+  synchronize:
+    src: "{{node_certs_source}}/ca/"
+    dest: "{{node_certs_destination}}/"
+  delegate_to: "{{ node_certs_generator_ip }}"
+  when: 
+    - node_certs_generator
+    - kibana_xpack_security
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+  
+- name: Importing key & certificate files from generator node
+  shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/{{kibana_node_name}}/ {{node_certs_destination}}/"
+  when:
+    - not node_certs_generator
+    - kibana_xpack_security
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+
+- name: Importing ca certificate file from generator node 
+  shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/ca/ {{node_certs_destination}}/"
+  when:
+    - not node_certs_generator
+    - kibana_xpack_security
+    - not certificate_file_exists.stat.exists
+  register: check_certs_permissions
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  shell: "chown -R kibana: {{node_certs_destination}}/"
+  when:
+    - check_certs_permissions is defined
+    - kibana_xpack_security
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  shell: "chmod -R 770 {{node_certs_destination}}/"
+  when:
+    - check_certs_permissions is defined
+    - kibana_xpack_security
+  tags: xpack-security
+
 - name: Kibana configuration
   template:
     src: kibana.yml.j2

roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2

@@ -19,7 +19,11 @@ server.host: {{ kibana_server_host }}
 #server.name: "your-hostname"
 
 # The URL of the Elasticsearch instance to use for all your queries.
+{% if kibana_xpack_security %}
+elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+{% else %}
 elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+{% endif %}
 
 # When this setting's value is true Kibana uses the hostname specified in the server.host
 # setting. When the value of this setting is false, Kibana uses the hostname of the host
@@ -98,3 +102,13 @@ elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_h
 # Set the interval in milliseconds to sample system and process performance
 # metrics. Minimum is 100ms. Defaults to 5000.
 #ops.interval: 5000
+
+# Xpack Security
+{% if kibana_xpack_security %}
+elasticsearch.username: "{{ elasticsearch_xpack_security_user }}"
+elasticsearch.password: "{{ elasticsearch_xpack_security_password }}"
+server.ssl.enabled: true
+server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key"
+server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" 
+elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"]
+{% endif %}

roles/wazuh/ansible-filebeat/defaults/main.yml

@@ -10,6 +10,8 @@ filebeat_prospectors:
     json.keys_under_root: true
     json.overwrite_keys: true
 
+filebeat_node_name: node-1
+
 filebeat_output_elasticsearch_enabled: false
 filebeat_output_elasticsearch_hosts:
   - "localhost:9200"
@@ -23,3 +25,19 @@ filebeat_ssl_dir: /etc/pki/filebeat
 filebeat_ssl_certificate_file: ""
 filebeat_ssl_key_file: ""
 filebeat_ssl_insecure: "false"
+
+# Xpack Security
+filebeat_xpack_security: false
+
+elasticsearch_xpack_security_user: elastic
+elasticsearch_xpack_security_password: elastic_pass
+
+node_certs_generator : false
+node_certs_generator_ip: 172.16.0.161
+node_certs_source: /usr/share/elasticsearch
+node_certs_destination: /etc/filebeat/certs
+
+# Rsync
+rsync_path: /usr/bin/rsync
+rsync_user: vagrant
+rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync'

roles/wazuh/ansible-filebeat/tasks/main.yml

@@ -10,8 +10,63 @@
   tags:
     - install
 
+- name: Check if certificate exists locally
+  stat:
+    path: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
+  register: certificate_file_exists
+  when:
+    - filebeat_xpack_security
+
+- name: Copy key & certificate files in generator node (locally)
+  synchronize:
+    src: "{{node_certs_source}}/{{filebeat_node_name}}/"
+    dest: "{{node_certs_destination}}/"
+  delegate_to: "{{ node_certs_generator_ip }}"
+  when: 
+    - node_certs_generator
+    - filebeat_xpack_security
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+
+- name: Copy ca certificate file in generator node (locally)
+  synchronize:
+    src: "{{node_certs_source}}/ca/"
+    dest: "{{node_certs_destination}}/"
+  delegate_to: "{{ node_certs_generator_ip }}"
+  when: 
+    - node_certs_generator
+    - filebeat_xpack_security
+    - not certificate_file_exists.stat.exists
+  register: check_certs_permissions
+  tags: xpack-security
+  
+- name: Importing key & certificate files from generator node
+  shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/{{filebeat_node_name}}/ {{node_certs_destination}}/"
+  when:
+    - not node_certs_generator
+    - filebeat_xpack_security
+    - not certificate_file_exists.stat.exists
+  tags: xpack-security
+
+- name: Importing ca certificate file from generator node 
+  shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/ca/ {{node_certs_destination}}/"
+  when:
+    - not node_certs_generator
+    - filebeat_xpack_security
+    - not certificate_file_exists.stat.exists
+  register: check_certs_permissions
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  shell: "chmod -R 770 {{node_certs_destination}}/"
+  when:
+    - check_certs_permissions is defined
+    - filebeat_xpack_security
+  tags: xpack-security
+
 - import_tasks: config.yml
   when: filebeat_create_config
+  notify: restart filebeat
 
 - name: Reload systemd
   systemd: daemon_reload=yes

roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2

@@ -53,6 +53,15 @@ output.elasticsearch:
   #pipeline: geoip
   indices:
     - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+{% if filebeat_xpack_security %}
+  username: {{ elasticsearch_xpack_security_user }}
+  password: {{ elasticsearch_xpack_security_password }}
+  protocol: https
+  ssl.certificate_authorities: 
+    - {{node_certs_destination}}/ca.crt
+  ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" 
+  ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
+{% endif %}
 
 # Optional. Send events to Logstash instead of Elasticsearch
 #output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]