From 92c7d339738e9cf502f3792876b5417fb9e7cfdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Luis=20Ruiz=20Ruiz?=
Date: Sun, 5 Aug 2018 11:41:35 -0400
Subject: [PATCH] Update Elastic Stack to version 6.3.2
---
 ansible-role-elasticsearch/defaults/main.yml | 2 +-
 ansible-role-elasticsearch/tasks/RedHat.yml | 2 +-
 ansible-role-elasticsearch/tasks/main.yml | 28 -------
 .../templates/alert_sample.json.j2 | 84 -------------------
 .../wazuh-elastic6-template-alerts.json.j2 | 12 ++-
 ...wazuh-elastic6-template-monitoring.json.j2 | 34 --------
 ansible-role-kibana/defaults/main.yml | 4 +-
 ansible-role-logstash/defaults/main.yml | 2 +-
 ansible-role-logstash/tasks/RedHat.yml | 2 +-
 .../templates/01-wazuh.conf.j2 | 16 +++-
 10 files changed, 29 insertions(+), 157 deletions(-)
 delete mode 100644 ansible-role-elasticsearch/templates/alert_sample.json.j2
 delete mode 100644 ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2
diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml
index b2105954..02b265dc 100644
--- a/ansible-role-elasticsearch/defaults/main.yml
+++ b/ansible-role-elasticsearch/defaults/main.yml
@@ -4,7 +4,7 @@ elasticsearch_node_name: node-1
 elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_jvm_xms: null
-elastic_stack_version: 6.3.0
+elastic_stack_version: 6.3.2
 elasticsearch_shards: 5
 elasticsearch_replicas: 1
 elasticsearch_install_java: yes
diff --git a/ansible-role-elasticsearch/tasks/RedHat.yml b/ansible-role-elasticsearch/tasks/RedHat.yml
index 7bbf76bd..41154c2d 100644
--- a/ansible-role-elasticsearch/tasks/RedHat.yml
+++ b/ansible-role-elasticsearch/tasks/RedHat.yml
@@ -3,7 +3,7 @@
 block:
 - name: RedHat/CentOS/Fedora | download Oracle Java RPM
 get_url:
- url: http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm
+ url: https://download.oracle.com/otn-pub/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/jre-8u181-linux-x64.rpm
 dest: /tmp/jre-8-linux-x64.rpm
 headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
 register: oracle_java_task_rpm_download
diff --git a/ansible-role-elasticsearch/tasks/main.yml b/ansible-role-elasticsearch/tasks/main.yml
index 8c83861d..95f44436 100644
--- a/ansible-role-elasticsearch/tasks/main.yml
+++ b/ansible-role-elasticsearch/tasks/main.yml
@@ -102,34 +102,6 @@
 when: wazuh_alerts_template_exits.status != 200
 tags: init
-- name: Injecting sample alert
- uri:
- url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-3.x-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
- method: PUT
- status_code: 200, 201
- body_format: json
- body: "{{ lookup('template','alert_sample.json.j2') }}"
- when: wazuh_alerts_template_exits.status != 200
- tags: init
-
-- name: Check for Wazuh Monitoring template
- uri:
- url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
- method: GET
- status_code: 200, 404
- register: wazuh_monitoring_template_exits
- tags: init
-
-- name: Installing Wazuh Monitoring template
- uri:
- url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
- method: PUT
- status_code: 200
- body_format: json
- body: "{{ lookup('template','wazuh-elastic6-template-monitoring.json.j2') }}"
- when: wazuh_monitoring_template_exits.status != 200
- tags: init
-
 - import_tasks: "RMRedHat.yml"
 when: ansible_os_family == "RedHat"
diff --git a/ansible-role-elasticsearch/templates/alert_sample.json.j2 b/ansible-role-elasticsearch/templates/alert_sample.json.j2
deleted file mode 100644
index a9b1e348..00000000
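Review bot: The `get_url` task on the new `url:` line still fetches the JRE installer with no `checksum:`, so a modified or truncated artifact would be accepted and, presumably, installed by the later task of this block without any detection; switching to https protects the transport but does not verify what the server returns. Add a pinned digest beside `dest:`, e.g. `checksum: "sha256:<PLACEHOLDER: digest of jre-8u181-linux-x64.rpm>"`, so the download fails closed on mismatch and the version bump cannot silently drift. The identical hunk in ansible-role-logstash/tasks/RedHat.yml needs the same line. The enclosing `block:` continues outside the hunk.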
--- a/ansible-role-elasticsearch/templates/alert_sample.json.j2
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2015-03-18T15:55:55.000Z",
- "AlertsFile": "sample",
- "full_log": "sample",
- "location": "sample",
- "GeoLocation": {
- "country_name": "sample",
- "location": [0.0,0.0]
- },
- "agent": {
- "name": "sample"
- },
- "data": {
- "title": "sample",
- "protocol": "sample",
- "action": "sample",
- "srcip": "sample",
- "dstip": "sample",
- "srcport": "sample",
- "dstport": "sample",
- "srcuser": "sample",
- "dstuser": "sample",
- "id": "sample",
- "status": "sample",
- "data": "sample",
- "system_name": "sample",
- "url": "sample",
- "audit": {
- "command": "sample",
- "type": "sample",
- "egid": "sample",
- "euid": "sample",
- "exe": "sample",
- "gid": "sample",
- "uid": "sample",
- "directory": {
- "name": "sample"
- },
- "file": {
- "mode": "sample",
- "name": "sample"
- }
- },
- "oscap": {
- "check": {
- "result": "sample",
- "severity": "sample",
- "title": "sample"
- },
- "scan": {
- "id": "sample",
- "content": "sample",
- "score": 1.55,
- "profile": {
- "title": "sample"
- }
- }
- }
- },
- "rule": {
- "cis": ["sample"],
- "description": "sample",
- "groups": ["sample"],
- "id": "sample",
- "level": 0,
- "pci_dss": ["sample"]
- },
- "syscheck": {
- "gname_after": "sample",
- "gname_before": "sample",
- "guid_after": "sample",
- "guid_before": "sample",
- "md5_after": "sample",
- "md5_before": "sample",
- "path": "sample",
- "perm_after": "sample",
- "perm_before": "sample",
- "uid_after": "sample",
- "uid_before": "sample",
- "uname_after": "sample",
- "uname_before": "sample",
- "event": "sample"
- }
-}
diff --git a/ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2
index 9c07e297..18dda52f 100644
--- a/ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2
+++ b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2
@@ -2,9 +2,7 @@
 "order": 0,
 "template": "wazuh-alerts-3.x-*",
 "settings": {
- "index.refresh_interval": "5s",
- "number_of_shards": {{ elasticsearch_shards }},
- "number_of_replicas": {{ elasticsearch_replicas }}
+ "index.refresh_interval": "5s"
 },
 "mappings": {
 "wazuh": {
@@ -279,6 +277,14 @@
 "pci_dss": {
 "type": "keyword",
 "doc_values": "true"
+ },
+ "gdpr": {
+ "type": "keyword",
+ "doc_values": "true"
+ },
+ "gpg13": {
+ "type": "keyword",
+ "doc_values": "true"
 }
 }
 },
diff --git a/ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2 b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2
deleted file mode 100644
index e67588e4..00000000
--- a/ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "order": 0,
- "template": "wazuh-monitoring*",
- "settings": {
- "index.refresh_interval": "5s",
- "number_of_shards": {{ elasticsearch_shards }},
- "number_of_replicas": {{ elasticsearch_replicas }}
- },
- "mappings": {
- "wazuh-agent": {
- "properties": {
- "@timestamp": {
- "type": "date",
- "format": "dateOptionalTime"
- },
- "status": {
- "type": "keyword"
- },
- "ip": {
- "type": "keyword"
- },
- "host": {
- "type": "keyword"
- },
- "name": {
- "type": "keyword"
- },
- "id": {
- "type": "keyword"
- }
- }
- }
- }
-}
diff --git a/ansible-role-kibana/defaults/main.yml b/ansible-role-kibana/defaults/main.yml
index c64a752c..8e261168 100644
--- a/ansible-role-kibana/defaults/main.yml
+++ b/ansible-role-kibana/defaults/main.yml
@@ -3,5 +3,5 @@ elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
-elastic_stack_version: 6.3.0
-wazuh_version: 3.3.1
+elastic_stack_version: 6.3.1
+wazuh_version: 3.4.0
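Review bot: Dropping `number_of_shards` and `number_of_replicas` from the `settings` block of the first hunk leaves `elasticsearch_shards` and `elasticsearch_replicas` — still defined in ansible-role-elasticsearch/defaults/main.yml and ansible-role-logstash/defaults/main.yml within this same patch — with no consumer visible in the patch, because the only other template that read them, wazuh-elastic6-template-monitoring.json.j2, is deleted here. Unless a part of the roles outside this patch still applies them, wazuh-alerts indices will presumably be created with the cluster defaults and the two role variables become dead configuration that operators will keep setting without effect. Either remove the two defaults (and say so in the role README) or keep the shard/replica settings in the template, e.g. restoring `"number_of_shards": {{ elasticsearch_shards }},` and `"number_of_replicas": {{ elasticsearch_replicas }}` under `"index.refresh_interval": "5s",`. The enclosing JSON object opens and closes outside both hunks.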
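Review bot: `elastic_stack_version` is set to `6.3.1` in the kibana defaults while the elasticsearch and logstash defaults in this same patch, and the subject line, move to `6.3.2`, so a deployment using the role defaults would pin Kibana one patch release behind the rest of the stack. Unless the 6.3.1 pin is deliberate, change the added line to `elastic_stack_version: 6.3.2`; if it is deliberate, a comment above it stating why (`# kept at 6.3.1: <reason>`) would stop the next bump from "fixing" it.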
diff --git a/ansible-role-logstash/defaults/main.yml b/ansible-role-logstash/defaults/main.yml
index c58b9f05..9d510632 100644
--- a/ansible-role-logstash/defaults/main.yml
+++ b/ansible-role-logstash/defaults/main.yml
@@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1"
 elasticsearch_http_port: "9200"
 elasticsearch_shards: 5
 elasticsearch_replicas: 1
-elastic_stack_version: 6.3.0
+elastic_stack_version: 6.3.2
 logstash_ssl: false
 logstash_ssl_dir: /etc/pki/logstash
diff --git a/ansible-role-logstash/tasks/RedHat.yml b/ansible-role-logstash/tasks/RedHat.yml
index 884c8fa3..d10c989d 100644
--- a/ansible-role-logstash/tasks/RedHat.yml
+++ b/ansible-role-logstash/tasks/RedHat.yml
@@ -3,7 +3,7 @@
 block:
 - name: RedHat/CentOS/Fedora | download Oracle Java RPM
 get_url:
- url: http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm
+ url: https://download.oracle.com/otn-pub/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/jre-8u181-linux-x64.rpm
 dest: /tmp/jre-8-linux-x64.rpm
 headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
 register: oracle_java_task_rpm_download
diff --git a/ansible-role-logstash/templates/01-wazuh.conf.j2 b/ansible-role-logstash/templates/01-wazuh.conf.j2
index 96e7d916..e0a6f2c7 100644
--- a/ansible-role-logstash/templates/01-wazuh.conf.j2
+++ b/ansible-role-logstash/templates/01-wazuh.conf.j2
@@ -37,18 +37,30 @@ filter {
 }
 }
 }
+filter {
+ if [data][srcip] {
+ mutate {
+ add_field => [ "@src_ip", "%{[data][srcip]}" ]
+ }
+ }
+ if [data][aws][sourceIPAddress] {
+ mutate {
+ add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
+ }
+ }
+}
 filter {
 geoip {
 source => "@src_ip"
 target => "GeoLocation"
- fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
+ fields => ["city_name", "country_name", "region_name", "location"]
 }
 date {
 match => ["timestamp", "ISO8601"]
 target => "@timestamp"
 }
 mutate {
- remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
+ remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
 }
 }
 output {
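Review bot: The two `if` tests in the new `filter` block are independent, so an event that carries both `[data][srcip]` and `[data][aws][sourceIPAddress]` runs `add_field` twice and `@src_ip` becomes a two-value array, which the `geoip` filter below resolves from only one of them (the first value, as far as I recall of the plugin — verify against the version shipped with 6.3.2) while the other is silently lost. If one source address per event is intended, make the precedence explicit by changing the second test to `} else if [data][aws][sourceIPAddress] {`. A comment above the block, e.g. `# derive @src_ip (consumed by geoip, removed again in the mutate below) from whichever source-address field the event carries`, would also explain why `@src_ip` appears in the `remove_field` list. The `output {` block that follows opens outside the hunk.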