From 874a05b3ca14403bf7ad3cb7e60471dd8cf4f979 Mon Sep 17 00:00:00 2001
From: Okynos
Date: Mon, 3 Jun 2019 18:53:25 -0700
Subject: [PATCH] Added a testing purposes workaround

---
 .../ansible-elasticsearch/defaults/main.yml | 2 +-
 .../ansible-elasticsearch/tasks/Debian.yml | 2 +-
 .../ansible-elasticsearch/tasks/RedHat.yml | 4 +-
 .../ansible-elasticsearch/tasks/main.yml | 2 +-
 .../wazuh-elastic7-template-alerts.json.j2 | 1456 +++++++++++++++++
 .../ansible-kibana/defaults/main.yml | 2 +-
 .../ansible-kibana/tasks/Debian.yml | 2 +-
 .../ansible-kibana/tasks/RedHat.yml | 4 +-
 .../ansible-kibana/templates/kibana.yml.j2 | 2 +-
 .../ansible-logstash/defaults/main.yml | 2 +-
 .../ansible-logstash/tasks/Debian.yml | 2 +-
 .../ansible-logstash/tasks/RedHat.yml | 4 +-
 12 files changed, 1470 insertions(+), 14 deletions(-)
 create mode 100644 roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2
diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
index e03f7557..3328165a 100644
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
@@ -4,7 +4,7 @@ elasticsearch_node_name: node-1
 elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_jvm_xms: null
-elastic_stack_version: 6.8.0
+elastic_stack_version: 7.1.1
 elasticsearch_shards: 5
 elasticsearch_replicas: 1
 elasticsearch_install_java: true
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
index f786d2a3..d5315805 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
@@ -17,7 +17,7 @@ - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' state: present filename: 'elastic_repo' update_cache: true diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml index 79632b31..64cc0820 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml @@ -9,8 +9,8 @@ - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum + description: Elastic repository for 7.x packages + baseurl: https://artifacts.elastic.co/packages/7.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: true diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index a1f44f88..8d48441e 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -104,7 +104,7 @@ method: PUT status_code: 200 body_format: json - body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}" + body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" when: wazuh_alerts_template_exits.status != 200 tags: init diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 new file mode 100644 index 00000000..836b2cb2 --- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 
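Review bot: The repository major version `7.x` is now a literal in the apt_repository `repo` string, independent of the `elastic_stack_version: 7.1.1` pinned in defaults/main.yml, so the repo and the package version can silently diverge on the next bump; the same literal is repeated in this role's RedHat.yml hunk and in the kibana and logstash Debian.yml/RedHat.yml hunks. Deriving it once, e.g. `repo: 'deb https://artifacts.elastic.co/packages/{{ elastic_stack_version.split(".")[0] }}.x/apt stable main'` (and `baseurl: https://artifacts.elastic.co/packages/{{ elastic_stack_version.split(".")[0] }}.x/yum` on the RedHat side), keeps them in step and would have confined a bump like this one to the defaults files. Quoting the default as `elastic_stack_version: "7.1.1"` also guards against a future two-part value such as `7.2` being parsed as a float before `split` sees it. The task's earlier lines (any key-import step for this repo) are outside the hunk, so the GPG handling on the Debian side cannot be judged from here; the RedHat hunks keep `gpgcheck: true`.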
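Review bot: Pointing the body at `wazuh-elastic7-template-alerts.json.j2` does not change the `when: wazuh_alerts_template_exits.status != 200` guard, so on a host that already carries the 6.x template (for example an in-place upgrade from the previous default 6.8.0) the PUT is skipped and the old mapping remains in force. If the task is meant to converge, either drop the guard (a full-template PUT is idempotent) or have the preceding check compare the stored template with the rendered one rather than only test for existence. The template name could also follow the pinned version instead of being hard-coded, e.g. `body: "{{ lookup('template', 'wazuh-elastic' ~ elastic_stack_version.split('.')[0] ~ '-template-alerts.json.j2') }}"`, so that a 6.x deployment of this role does not silently receive the 7.x mapping. The task that registers `wazuh_alerts_template_exits` and the rest of this uri task are outside the hunk.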
@@ -0,0 +1,1456 @@ +{ + "order": 0, + "index_patterns": ["wazuh-alerts-3.x-*"], + "settings": { + "index.refresh_interval": "5s", + "index.number_of_shards": "3", + "index.number_of_replicas": "0", + "index.auto_expand_replicas": "0-1", + "index.mapping.total_fields.limit": 2000 + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "AlertsFile": { + "type": "keyword", + "doc_values": "true" + }, + "full_log": { + "enabled": false, + "type": "object" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword", + "doc_values": "true" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword", + "doc_values": "true" + }, + "region_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword", + "doc_values": "true" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_before": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_after": { + "type": "keyword", + "doc_values": "true" + }, + "uid_before": { + "type": "keyword", + "doc_values": "true" + }, + "uid_after": { + "type": "keyword", + "doc_values": "true" + }, + "gid_before": { + "type": "keyword", + "doc_values": "true" + }, + "gid_after": { + "type": "keyword", + "doc_values": "true" + }, + "perm_before": { + "type": "keyword", + "doc_values": "true" + }, + "perm_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_before": { + "type": "keyword", + "doc_values": "true" + }, + "gname_after": { + "type": "keyword", + "doc_values": "true" + }, + "gname_before": { + "type": "keyword", + "doc_values": "true" + }, + "inode_after": { + "type": "keyword", + "doc_values": "true" + }, + "inode_before": { + "type": "keyword", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "uname_after": { + "type": "keyword", + "doc_values": "true" + }, + "uname_before": { + "type": "keyword", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "doc_values": "true" + }, + "diff": { + "type": "keyword", + "doc_values": "true" + }, + "event": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "location": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword", + 
"doc_values": "true" + }, + "groups": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "cve": { + "type": "keyword", + "doc_values": "true" + }, + "info": { + "type": "keyword", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + }, + "gdpr": { + "type": "keyword", + "doc_values": "true" + }, + "gpg13": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "predecoder": { + "properties": { + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "timestamp": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "ftscomment": { + "type": "keyword", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "data": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "srcport": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + 
"type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" + }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + "type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long", + "doc_values": "true" + }, + "dstaddr": { + "type": "ip", + "doc_values": "true" + }, + "srcaddr": { + "type": "ip", + "doc_values": "true" + }, + "end": { + 
"type": "date", + "doc_values": "true" + }, + "start": { + "type": "date", + "doc_values": "true" + }, + "source_ip_address": { + "type": "ip", + "doc_values": "true" + }, + "resource.instanceDetails.networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip", + "doc_values": "true" + }, + "publicIp": { + "type": "ip", + "doc_values": "true" + } + } + }, + "service": { + "properties": { + "count": { + "type": "long", + "doc_values": "true" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip", + "doc_values": "true" + }, + "geoLocation": { + "type": "geo_point", + "doc_values": "true" + } + } + } + } + } + } + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + }, + "mac": { + "type": "keyword", + "doc_values": "true" + }, + "adapter": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "mtu": { + "type": "long", + "doc_values": "true" + }, + "tx_bytes": { + "type": "long", + "doc_values": "true" + }, + "rx_bytes": { + "type": "long", + "doc_values": "true" + }, + "tx_errors": { + "type": "long", + "doc_values": "true" + }, + "rx_errors": { + "type": "long", + "doc_values": "true" + }, + "tx_dropped": { + "type": "long", + "doc_values": "true" + }, + "rx_dropped": { + "type": "long", + "doc_values": "true" + }, + "tx_packets": { + "type": "long", + "doc_values": "true" + }, + "rx_packets": { + "type": "long", + "doc_values": "true" + }, + "ipv4": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + 
"type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + }, + "ipv6": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + "type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "codename": { + "type": "keyword", + "doc_values": "true" + }, + "major": { + "type": "keyword", + "doc_values": "true" + }, + "minor": { + "type": "keyword", + "doc_values": "true" + }, + "build": { + "type": "keyword", + "doc_values": "true" + }, + "platform": { + "type": "keyword", + "doc_values": "true" + }, + "sysname": { + "type": "keyword", + "doc_values": "true" + }, + "release": { + "type": "keyword", + "doc_values": "true" + }, + "release_version": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "local_ip": { + "type": "ip", + "doc_values": "true" + }, + "local_port": { + "type": "long", + "doc_values": "true" + }, + "remote_ip": { + "type": "ip", + "doc_values": "true" + }, + "remote_port": { + "type": "long", + "doc_values": "true" + }, + "tx_queue": { + "type": "long", + "doc_values": "true" + }, + "rx_queue": { + "type": "long", + "doc_values": "true" + }, + "inode": { + "type": "long", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "long", + "doc_values": 
"true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_name": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_cores": { + "type": "long", + "doc_values": "true" + }, + "cpu_mhz": { + "type": "double", + "doc_values": "true" + }, + "ram_total": { + "type": "long", + "doc_values": "true" + }, + "ram_free": { + "type": "long", + "doc_values": "true" + }, + "ram_usage": { + "type": "long", + "doc_values": "true" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "keyword", + "doc_values": "true" + }, + "section": { + "type": "keyword", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vendor": { + "type": "keyword", + "doc_values": "true" + }, + "install_time": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "multiarch": { + "type": "keyword", + "doc_values": "true" + }, + "source": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "location": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "long", + "doc_values": "true" + }, + "utime": { + "type": "long", + "doc_values": "true" + }, + "stime": { + "type": "long", + "doc_values": "true" + }, + "cmd": { + "type": "keyword", + "doc_values": "true" + }, + "args": { + "type": "keyword", + "doc_values": "true" + }, + "euser": { + "type": "keyword", + 
"doc_values": "true" + }, + "ruser": { + "type": "keyword", + "doc_values": "true" + }, + "suser": { + "type": "keyword", + "doc_values": "true" + }, + "egroup": { + "type": "keyword", + "doc_values": "true" + }, + "sgroup": { + "type": "keyword", + "doc_values": "true" + }, + "fgroup": { + "type": "keyword", + "doc_values": "true" + }, + "rgroup": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "long", + "doc_values": "true" + }, + "nice": { + "type": "long", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vm_size": { + "type": "long", + "doc_values": "true" + }, + "resident": { + "type": "long", + "doc_values": "true" + }, + "share": { + "type": "long", + "doc_values": "true" + }, + "start_time": { + "type": "long", + "doc_values": "true" + }, + "pgrp": { + "type": "long", + "doc_values": "true" + }, + "session": { + "type": "long", + "doc_values": "true" + }, + "nlwp": { + "type": "long", + "doc_values": "true" + }, + "tgid": { + "type": "long", + "doc_values": "true" + }, + "tty": { + "type": "long", + "doc_values": "true" + }, + "processor": { + "type": "long", + "doc_values": "true" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "scan_id": { + "type": "keyword", + "doc_values": "true" + }, + "policy": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "passed": { + "type": "integer", + "doc_values": "true" + }, + "failed": { + "type": "integer", + "doc_values": "true" + }, + "score": { + "type": "long", + "doc_values": "true" + }, + "check": { + "properties": { + "id": { + "type": "keyword", + "doc_values": "true" + }, + "title": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + 
}, + "rationale": { + "type": "keyword", + "doc_values": "true" + }, + "remediation": { + "type": "keyword", + "doc_values": "true" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "cis_csc": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "references": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "directory": { + "type": "keyword", + "doc_values": "true" + }, + "registry": { + "type": "keyword", + "doc_values": "true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + }, + "result": { + "type": "keyword", + "doc_values": "true" + }, + "previous_result": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + }, + "win": { + "properties": { + "system": { + "properties": { + "providerName": { + "type": "keyword", + "doc_values": "true" + }, + "providerGuid": { + "type": "keyword", + "doc_values": "true" + }, + "eventSourceName": { + "type": "keyword", + "doc_values": "true" + }, + "securityUserID": { + "type": "keyword", + "doc_values": "true" + }, + "userID": { + "type": "keyword", + "doc_values": "true" + }, + "eventID": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "keyword", + "doc_values": "true" + }, + "task": { + "type": "keyword", + "doc_values": "true" + }, + "opcode": { + "type": "keyword", + "doc_values": "true" + }, + "keywords": { + "type": "keyword", + "doc_values": "true" + }, + "systemTime": { + "type": "keyword", + "doc_values": "true" + }, + "eventRecordID": { + "type": "keyword", + "doc_values": "true" + }, + "processID": { + "type": "keyword", + "doc_values": "true" + }, + "threadID": { + "type": "keyword", + "doc_values": "true" + }, + "channel": { + "type": "keyword", + "doc_values": "true" + }, + "computer": { + "type": "keyword", + 
"doc_values": "true" + }, + "severityValue": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "eventdata": { + "properties": { + "subjectUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "subjectUserName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserName": { + "type": "keyword", + "doc_values": "true" + }, + "targetDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "targetLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "logonType": { + "type": "keyword", + "doc_values": "true" + }, + "logonProcessName": { + "type": "keyword", + "doc_values": "true" + }, + "authenticationPackageName": { + "type": "keyword", + "doc_values": "true" + }, + "logonGuid": { + "type": "keyword", + "doc_values": "true" + }, + "keyLength": { + "type": "keyword", + "doc_values": "true" + }, + "impersonationLevel": { + "type": "keyword", + "doc_values": "true" + }, + "transactionId": { + "type": "keyword", + "doc_values": "true" + }, + "newState": { + "type": "keyword", + "doc_values": "true" + }, + "resourceManager": { + "type": "keyword", + "doc_values": "true" + }, + "processId": { + "type": "keyword", + "doc_values": "true" + }, + "processName": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "image": { + "type": "keyword", + "doc_values": "true" + }, + "binary": { + "type": "keyword", + "doc_values": "true" + }, + "parentImage": { + "type": "keyword", + "doc_values": "true" + }, + "categoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryGuid": { + "type": "keyword", + "doc_values": 
"true" + }, + "auditPolicyChangesId": { + "type": "keyword", + "doc_values": "true" + }, + "category": { + "type": "keyword", + "doc_values": "true" + }, + "subcategory": { + "type": "keyword", + "doc_values": "true" + }, + "auditPolicyChanges": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "rmSessionEvent": { + "properties": { + "rmSessionId": { + "type": "keyword", + "doc_values": "true" + }, + "uTCStartTime": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + } + } + }, + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword", + "doc_values": "true" + } + } + } +} + diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index c9842e7f..921cd436 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -3,5 +3,5 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 6.8.0 +elastic_stack_version: 7.1.1 wazuh_version: 3.9.1 diff --git a/roles/elastic-stack/ansible-kibana/tasks/Debian.yml b/roles/elastic-stack/ansible-kibana/tasks/Debian.yml index 097b19db..67081b86 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/Debian.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/Debian.yml @@ -11,7 +11,7 @@ - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' state: present filename: 'elastic_repo' update_cache: true diff --git a/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml b/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml index f5fe2935..1d35d139 100644 
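Review bot: The new template hard-codes `"index.number_of_shards": "3"` and `"index.number_of_replicas": "0"` in its `settings` block even though the role's defaults (first hunk of this commit) define `elasticsearch_shards: 5` and `elasticsearch_replicas: 1`, and the file is rendered through `lookup('template', …)`, so the role variables are available here; as written the two settings are silently ignored for the alerts index, and replicas 0 means a single-node outage loses alert data that operators may believe is replicated. Rendering them as `"index.number_of_shards": "{{ elasticsearch_shards }}"` and `"index.number_of_replicas": "{{ elasticsearch_replicas }}"` makes the defaults effective; whether the retired 6.x template did so is not visible on this page. Separately, every `"doc_values": "true"` is a JSON string where the mapping parameter is a boolean, inconsistent with `"enabled": false` in the same file; Elasticsearch tolerates the string form, but plain `true` avoids relying on that leniency.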
--- a/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml @@ -2,8 +2,8 @@ - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum + description: Elastic repository for 7.x packages + baseurl: https://artifacts.elastic.co/packages/7.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: true diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index 9b29f17a..edd1b4b4 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 @@ -19,7 +19,7 @@ server.host: {{ kibana_server_host }} #server.name: "your-hostname" # The URL of the Elasticsearch instance to use for all your queries. -elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" # When this setting's value is true Kibana uses the hostname specified in the server.host # setting. When the value of this setting is false, Kibana uses the hostname of the host diff --git a/roles/elastic-stack/ansible-logstash/defaults/main.yml b/roles/elastic-stack/ansible-logstash/defaults/main.yml index 31012c04..403a6127 100644 --- a/roles/elastic-stack/ansible-logstash/defaults/main.yml +++ b/roles/elastic-stack/ansible-logstash/defaults/main.yml @@ -9,7 +9,7 @@ elasticsearch_network_host: ["Localhost"] elasticsearch_http_port: "9200" elasticsearch_shards: 5 elasticsearch_replicas: 1 -elastic_stack_version: 6.8.0 +elastic_stack_version: 7.1.1 logstash_ssl: false logstash_ssl_dir: /etc/pki/logstash 
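Review bot: `elasticsearch.hosts` is the 7.x replacement for `elasticsearch.url`, but in 7.x it is documented as a list; Kibana accepts a single string here, so the rendered value works, yet writing it as `elasticsearch.hosts: ["http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]` matches the documented form and makes a second node a one-entry change. The comment above the changed line, `# The URL of the Elasticsearch instance to use for all your queries.`, still describes the old singular key and could read `# The URLs of the Elasticsearch instances to use for all your queries.`. The plain `http` scheme is carried over unchanged from the removed line.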
diff --git a/roles/elastic-stack/ansible-logstash/tasks/Debian.yml b/roles/elastic-stack/ansible-logstash/tasks/Debian.yml index 403ee88f..bf8f7a7a 100644 --- a/roles/elastic-stack/ansible-logstash/tasks/Debian.yml +++ b/roles/elastic-stack/ansible-logstash/tasks/Debian.yml @@ -17,7 +17,7 @@ - name: Debian/Ubuntu | Install Elasticsearch repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' state: present filename: 'elastic_repo' diff --git a/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml b/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml index ed16fbc5..289f3a0c 100644 --- a/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml @@ -9,8 +9,8 @@ - name: RedHat/CentOS/Fedora | Install Logstash repo yum_repository: name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum + description: Elastic repository for 7.x packages + baseurl: https://artifacts.elastic.co/packages/7.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: true