Update Elastic Stack to version 6.3.2

ansible-role-elasticsearch/defaults/main.yml

@@ -4,7 +4,7 @@ elasticsearch_node_name: node-1
 elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_jvm_xms: null
-elastic_stack_version: 6.3.0
+elastic_stack_version: 6.3.2
 elasticsearch_shards: 5
 elasticsearch_replicas: 1
 elasticsearch_install_java: yes

ansible-role-elasticsearch/tasks/RedHat.yml

@@ -3,7 +3,7 @@
   block:
     - name: RedHat/CentOS/Fedora | download Oracle Java RPM
       get_url:
-        url: http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm
+        url: https://download.oracle.com/otn-pub/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/jre-8u181-linux-x64.rpm
         dest: /tmp/jre-8-linux-x64.rpm
         headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
       register: oracle_java_task_rpm_download

ansible-role-elasticsearch/tasks/main.yml

@@ -102,34 +102,6 @@
   when: wazuh_alerts_template_exits.status != 200
   tags: init
 
-- name: Injecting sample alert
-  uri:
-    url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-3.x-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
-    method: PUT
-    status_code: 200, 201
-    body_format: json
-    body: "{{ lookup('template','alert_sample.json.j2') }}"
-  when: wazuh_alerts_template_exits.status != 200
-  tags: init
-
-- name: Check for Wazuh Monitoring template
-  uri:
-    url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
-    method: GET
-    status_code: 200, 404
-  register: wazuh_monitoring_template_exits
-  tags: init
-
-- name: Installing Wazuh Monitoring template
-  uri:
-    url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
-    method: PUT
-    status_code: 200
-    body_format: json
-    body: "{{ lookup('template','wazuh-elastic6-template-monitoring.json.j2') }}"
-  when: wazuh_monitoring_template_exits.status != 200
-  tags: init
-
 - import_tasks: "RMRedHat.yml"
   when: ansible_os_family == "RedHat"
 

ansible-role-elasticsearch/templates/alert_sample.json.j2

@@ -1,84 +0,0 @@
-{
-  "@timestamp": "2015-03-18T15:55:55.000Z",
-  "AlertsFile": "sample",
-  "full_log": "sample",
-  "location": "sample",
-  "GeoLocation": {
-    "country_name": "sample",
-    "location": [0.0,0.0]
-  },
-  "agent": {
-    "name": "sample"
-  },
-  "data": {
-    "title": "sample",
-    "protocol": "sample",
-    "action": "sample",
-    "srcip": "sample",
-    "dstip": "sample",
-    "srcport": "sample",
-    "dstport": "sample",
-    "srcuser": "sample",
-    "dstuser": "sample",
-    "id": "sample",
-    "status": "sample",
-    "data": "sample",
-    "system_name": "sample",
-    "url": "sample",
-	"audit": {
-      "command": "sample",
-      "type": "sample",
-      "egid": "sample",
-      "euid": "sample",
-      "exe": "sample",
-      "gid": "sample",
-      "uid": "sample",
-      "directory": {
-        "name": "sample"
-      },
-      "file": {
-        "mode": "sample",
-        "name": "sample"
-      }
-	},
-	"oscap": {
-      "check": {
-        "result": "sample",
-        "severity": "sample",
-        "title": "sample"
-      },
-      "scan": {
-        "id": "sample",
-        "content": "sample",
-        "score": 1.55,
-        "profile": {
-          "title": "sample"
-        }
-      }
-    }
-  },
-  "rule": {
-    "cis": ["sample"],
-    "description": "sample",
-    "groups": ["sample"],
-    "id": "sample",
-    "level": 0,
-    "pci_dss": ["sample"]
-  },
-  "syscheck": {
-    "gname_after": "sample",
-    "gname_before": "sample",
-    "guid_after": "sample",
-    "guid_before": "sample",
-    "md5_after": "sample",
-    "md5_before": "sample",
-    "path": "sample",
-    "perm_after": "sample",
-    "perm_before": "sample",
-    "uid_after": "sample",
-    "uid_before": "sample",
-    "uname_after": "sample",
-    "uname_before": "sample",
-    "event": "sample"
-  }
-}

ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2

@@ -2,9 +2,7 @@
   "order": 0,
   "template": "wazuh-alerts-3.x-*",
   "settings": {
-    "index.refresh_interval": "5s",
+    "index.refresh_interval": "5s"
-    "number_of_shards": {{ elasticsearch_shards }},
-    "number_of_replicas": {{ elasticsearch_replicas }}
   },
   "mappings": {
     "wazuh": {
@@ -279,6 +277,14 @@
             "pci_dss": {
               "type": "keyword",
               "doc_values": "true"
+            },
+            "gdpr": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gpg13": {
+              "type": "keyword",
+              "doc_values": "true"
             }
           }
         },

ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2

@@ -1,34 +0,0 @@
-{
-  "order": 0,
-  "template": "wazuh-monitoring*",
-  "settings": {
-    "index.refresh_interval": "5s",
-    "number_of_shards": {{ elasticsearch_shards }},
-    "number_of_replicas": {{ elasticsearch_replicas }}
-  },
-  "mappings": {
-    "wazuh-agent": {
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "format": "dateOptionalTime"
-        },
-        "status": {
-          "type": "keyword"
-        },
-        "ip": {
-          "type": "keyword"
-        },
-        "host": {
-          "type": "keyword"
-        },
-        "name": {
-          "type": "keyword"
-        },
-        "id": {
-          "type": "keyword"
-        }
-      }
-    }
-  }
-}

ansible-role-kibana/defaults/main.yml

@@ -3,5 +3,5 @@ elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
-elastic_stack_version: 6.3.0
+elastic_stack_version: 6.3.1
-wazuh_version: 3.3.1
+wazuh_version: 3.4.0

ansible-role-logstash/defaults/main.yml

@@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1"
 elasticsearch_http_port: "9200"
 elasticsearch_shards: 5
 elasticsearch_replicas: 1
-elastic_stack_version: 6.3.0
+elastic_stack_version: 6.3.2
 
 logstash_ssl: false
 logstash_ssl_dir: /etc/pki/logstash

ansible-role-logstash/tasks/RedHat.yml

@@ -3,7 +3,7 @@
   block:
     - name: RedHat/CentOS/Fedora | download Oracle Java RPM
       get_url:
-        url: http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm
+        url: https://download.oracle.com/otn-pub/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/jre-8u181-linux-x64.rpm
         dest: /tmp/jre-8-linux-x64.rpm
         headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
       register: oracle_java_task_rpm_download

ansible-role-logstash/templates/01-wazuh.conf.j2

@@ -37,18 +37,30 @@ filter {
         }
     }
 }
+filter {
+    if [data][srcip] {
+        mutate {
+            add_field => [ "@src_ip", "%{[data][srcip]}" ]
+        }
+    }
+    if [data][aws][sourceIPAddress] {
+        mutate {
+            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
+        }
+    }
+}
 filter {
     geoip {
         source => "@src_ip"
         target => "GeoLocation"
-        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
+        fields => ["city_name", "country_name", "region_name", "location"]
     }
     date {
         match => ["timestamp", "ISO8601"]
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
+        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
     }
 }
 output {