Merge pull request #5 from wazuh/elasticstack

Elasticstack roles
This commit is contained in:
Jose Luis 2017-07-19 17:57:24 +02:00 committed by GitHub
commit d96707f26e
22 changed files with 236 additions and 196 deletions


@ -1,45 +1,50 @@
# Ansible Role: Elasticsearch
Ansible Role: Elasticsearch
===========================
An Ansible Role that installs [Elasticsearch](https://www.elastic.co/products/elasticsearch).
An Ansible Role that installs Elasticsearch RedHat/CentOS.
Requirements
------------
## Requirements
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Requires at least Java 8 (Java 8+ preferred).
Role Variables
--------------
## Role Variables
Available variables are listed below, along with default values (see `vars/main.yml`):
Defaults variables are listed below, along with its values (see `defaults/main.yml`):
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
elasticsearch_network_host: 192.168.33.182
elasticsearch_jvm_xms: 1g
```
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: 1g
elastic_stack_version: 5.4.0
```
Example Playbook
----------------
Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
```
- hosts: elasticsearch
roles:
- { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' }
```
elasticsearch_http_port: 9200
License and copyright
---------------------
Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-elasticsearch
## Example Playbook
### Modified by Wazuh
- hosts: search
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
## Modified
The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -4,4 +4,4 @@ elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: 1g
elk_stack_version: 5.4.0
elastic_stack_version: 5.4.0


@ -1,7 +1,7 @@
---
galaxy_info:
author: Jose Luis Ruiz
description: Installing and maintaining Elasticsearch.
author: Wazuh
description: Installing and maintaining Elasticsearch server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0


@ -33,5 +33,5 @@
filename: 'elk_repo'
- name: Debian/Ubuntu | Install Elasticsarch
apt: name=elasticsearch={{ elk_stack_version }} state=present update_cache=yes
apt: name=elasticsearch={{ elastic_stack_version }} state=present update_cache=yes
tags: install


@ -26,6 +26,6 @@
gpgcheck: yes
- name: RedHat/CentOS/Fedora | Install Elasticsarch
package: name=elasticsearch-{{ elk_stack_version }} state=present
package: name=elasticsearch-{{ elastic_stack_version }} state=present
when: oracle_java_task_rpm_installed is defined
tags: install


@ -1,77 +1,63 @@
# Ansible Role: Filebeat for ELK Stack
Ansible Role: Filebeat for ELK Stack
------------------------------------
An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat) on RedHat/CentOS or Debian/Ubuntu.
An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
## Requirements
Requirements
------------
None.
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
## Role Variables
Role Variables
--------------
Available variables are listed below, along with default values (see `defaults/main.yml`):
filebeat_create_config: true
```
filebeat_create_config: true
Whether to create the Filebeat configuration file and handle the copying of SSL key and cert for filebeat. If you prefer to create a configuration file yourself you can set this to `false`.
filebeat_prospectors:
- input_type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
filebeat_prospectors:
- input_type: log
paths:
- "/var/log/*.log"
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
Prospectors that will be listed in the `prospectors` section of the Filebeat configuration. Read through the [Filebeat Prospectors configuration guide](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html) for more options.
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "192.168.212.158:5000"
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_enable_logging: true
filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log
Whether to enable Elasticsearch output, and which hosts to send output to.
filebeat_ssl_dir: /etc/pki/logstash
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false"
```
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "localhost:5000"
License and copyright
---------------------
Whether to enable Logstash output, and which hosts to send output to.
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
filebeat_enable_logging: false
filebeat_log_level: warning
filebeat_log_dir: /var/log/filebeat
filebeat_log_filename: filebeat.log
### Based on previous work from geerlingguy
Filebeat logging.
- https://github.com/geerlingguy/ansible-role-filebeat
filebeat_ssl_dir: /etc/pki/logstash
### Modified by Wazuh
The path where certificates and keyfiles will be stored.
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
Local paths to the SSL certificate and key files, which will be copied into the `filebeat_ssl_dir`.
For utmost security, you should use your own valid certificate and keyfile, and update the `filebeat_ssl_*` variables in your playbook to use your certificate.
To generate a self-signed certificate/key pair, you can use use the command:
$ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout filebeat.key -out filebeat.crt
Note that filebeat and logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. See: https://github.com/elastic/logstash/issues/4926#issuecomment-203936891
filebeat_ssl_insecure: "false"
Set this to `"true"` to allow the use of self-signed certificates (when a CA isn't available).
## Dependencies
None.
## License
MIT / BSD
## Author Information
This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
## Modified
The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -2,10 +2,10 @@
dependencies: []
galaxy_info:
author: geerlingguy
description: Filebeat for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
author: Wazuh
description: Installing and maintaining Elasticsearch server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
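Review bot: The `description` printed last in the galaxy_info block, presumably the new side, reads `Installing and maintaining Elasticsearch server.` although this is the Filebeat role's metadata; it looks copied from the Elasticsearch role's meta/main.yml and will show up verbatim on Galaxy and in `ansible-galaxy info`. `description: Installing and maintaining Filebeat.` would match what the role does. The `platforms` list continues outside the hunk.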


@ -1,40 +1,48 @@
# Ansible Role: Elasticsearch
Ansible Role: Kibana for ELK Stack
------------------------------------
An Ansible Role that installs [Kibana](https://www.elastic.co/products/kibana) and [Wazuh APP](https://github.com/wazuh/wazuh-kibana-app).
An Ansible Role that installs Kibana and WazuhAPP on RedHat/CentOS.
Requirements
------------
## Requirements
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Requires at least Java 8 (Java 8+ preferred).
Role Variables
--------------
## Role Variables
Available variables are listed below, along with default values (see `vars/main.yml`):
```
---
elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
elastic_stack_version: 5.4.0
```
elasticsearch_network_host: localhost
Example Playbook
----------------
Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
```
- hosts: kibana
roles:
- { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' }
```
elasticsearch_http_port: 9200
License and copyright
---------------------
Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-elasticsearch
## Example Playbook
### Modified by Wazuh
- hosts: search
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
## Modified
The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -2,4 +2,5 @@
elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
elk_stack_version: 5.4.0
kibana_server_port: "5601"
elastic_stack_version: 5.4.0
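Review bot: The new `kibana_server_port` is wired straight into kibana.yml next to the existing `kibana_server_host: "0.0.0.0"`, so a default run of this role exposes Kibana on every interface of the host; Kibana 5.x has no authentication of its own unless X-Pack or an authenticating reverse proxy is added, so anyone who can reach port 5601 gets the UI and, through it, the Elasticsearch data behind it. A safer default is `kibana_server_host: "127.0.0.1"`, with operators widening it deliberately, or at minimum a comment on the host line such as `# 0.0.0.0 exposes an unauthenticated UI; put a proxy with auth in front or bind to a private address`. Quoting the new port is consistent with the other values here, which is good; `elastic_stack_version: 5.4.0` is unquoted and could be quoted for the same reason.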


@ -1,7 +1,7 @@
---
galaxy_info:
author: Jose Luis Ruiz
description: Kibana for Linux.
author: Wazuh
description: Installing and maintaining Elasticsearch server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
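Review bot: The `description` printed last in the galaxy_info block, presumably the new side, says `Installing and maintaining Elasticsearch server.` for what is the Kibana role's metadata, apparently pasted from the Elasticsearch role; `description: Installing and maintaining Kibana and the Wazuh app.` would describe this role, which also installs the Wazuh Kibana plugin according to its tasks. The rest of the galaxy_info block is outside the hunk.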


@ -17,5 +17,5 @@
filename: 'elk_repo'
- name: Debian/Ubuntu | Install Kibana
apt: name=kibana={{ elk_stack_version }} state=present update_cache=yes
apt: name=kibana={{ elastic_stack_version }} state=present update_cache=yes
tags: install


@ -13,5 +13,5 @@
gpgcheck: yes
- name: RedHat/CentOS/Fedora | Install Kibana
package: name=kibana-{{ elk_stack_version }} state=present
package: name=kibana-{{ elastic_stack_version }} state=present
tags: install


@ -19,14 +19,14 @@
notify: restart kibana
tags: configure
- name: Checking Wazuh-APP version compatibility
shell: "grep -c -E 'version.*{{ elk_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo"
- name: Checking Wazuh-APP version
shell: "grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo"
args:
removes: /usr/share/kibana/plugins/wazuh/package.json
register: wazuh_app_verify
tags: install
- name: Removing Wazuh-APP by compatibility issues
- name: Upgrading Wazuh-APP
shell: "{{ item }}"
when: wazuh_app_verify.stdout == "0"
with_items:
@ -35,7 +35,7 @@
tags: install
- name: Install Wazuh-APP (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elk_stack_version }}.zip"
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elastic_stack_version }}.zip"
args:
creates: /usr/share/kibana/plugins/wazuh/package.json
notify: restart kibana
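Review bot: The `Install Wazuh-APP` task at the end of the hunk has `kibana-plugin` download the plugin zip from `packages.wazuh.com` and install whatever arrives, with no checksum or signature verification, so a compromised mirror or CDN, or a TLS-intercepting proxy, results in a silently trojaned Kibana plugin running on the dashboard host. Fetching the archive with `get_url` and a pinned `checksum:` (a new per-version default such as `wazuh_app_sha256`), then installing from the local file, closes that gap and also makes the task retry-safe. That task runs a fixed command line with no shell features, so `command` rather than `shell` avoids needless word-splitting of the templated version. The `removes:`/`creates:` guards are visible but the `Upgrading Wazuh-APP` item list continues outside the hunk.
```yaml
# … unchanged: Checking Wazuh-APP version / Upgrading Wazuh-APP tasks …
- name: Download Wazuh-APP
  get_url:
    url: "https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elastic_stack_version }}.zip"
    dest: "/tmp/wazuhapp-2.0_{{ elastic_stack_version }}.zip"
    checksum: "sha256:{{ wazuh_app_sha256 }}"  # pin per elastic_stack_version in defaults
  tags: install
- name: Install Wazuh-APP (can take a while)
  command: "/usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-2.0_{{ elastic_stack_version }}.zip"
  args:
    creates: /usr/share/kibana/plugins/wazuh/package.json
  notify: restart kibana
```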


@ -1,6 +1,6 @@
# {{ ansible_managed }}
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
server.port: {{ kibana_server_port }}
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.


@ -1,40 +1,45 @@
# Ansible Role: Logstash
Ansible Role: Logstash
----------------------
An Ansible Role that installs [Logstash](https://www.elastic.co/products/logstash)
An Ansible Role that installs Logstash on RedHat/CentOS.
Requirements
------------
## Requirements
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Requires at least Java 8 (Java 8+ preferred).
Role Variables
--------------
```
---
elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200"
elastic_stack_version: 5.4.0
```
## Role Variables
Available variables are listed below, along with default values (see `vars/main.yml`):
Example Playbook
----------------
elasticsearch_network_host: localhost
```
- hosts: logstash
roles:
- { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' }
```
Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
License and copyright
---------------------
elasticsearch_http_port: 9200
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-elasticsearch
### Modified by Wazuh
## Example Playbook
- hosts: search
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
## Modified
The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -1,4 +1,12 @@
---
logstash_create_config: true
logstash_input_beats: false
elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200"
elk_stack_version: 5.4.0
elastic_stack_version: 5.4.0
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash
logstash_ssl_certificate_file: ""
logstash_ssl_key_file: ""


@ -1,7 +1,7 @@
---
galaxy_info:
author: Jose Luis Ruiz
description: Logstash for Linux.
author: Wazuh
description: Installing and maintaining Elasticsearch server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
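Review bot: The `description` printed last in the galaxy_info block, presumably the new side, says `Installing and maintaining Elasticsearch server.` for the Logstash role's metadata, apparently carried over from the Elasticsearch role; `description: Installing and maintaining Logstash.` would match this role. The rest of the galaxy_info block is outside the hunk.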


@ -36,5 +36,5 @@
filename: 'elk_repo'
- name: Debian/Ubuntu | Install Logstash
apt: name=logstash=1:{{ elk_stack_version }}-1 state=present update_cache=yes
apt: name=logstash=1:{{ elastic_stack_version }}-1 state=present update_cache=yes
tags: install


@ -26,6 +26,6 @@
gpgcheck: yes
- name: RedHat/CentOS/Fedora | Install Logstash
package: name=logstash-{{ elk_stack_version }} state=present
package: name=logstash-{{ elastic_stack_version }} state=present
when: oracle_java_task_rpm_installed is defined
tags: install


@ -0,0 +1,35 @@
---
- name: Logstash template
template:
src: wazuh-elastic5-template.json.j2
dest: /etc/logstash/wazuh-elastic5-template.json
owner: root
group: root
tags: configure
- name: Ensure Logstash SSL key pair directory exists.
file:
path: "{{ logstash_ssl_dir }}"
state: directory
when: logstash_ssl
tags: configure
- name: Copy SSL key and cert for logstash.
copy:
src: "{{ item }}"
dest: "{{ logstash_ssl_dir }}/{{ item | basename }}"
mode: 0644
with_items:
- "{{ logstash_ssl_key_file }}"
- "{{ logstash_ssl_certificate_file }}"
when: logstash_ssl
tags: configure
- name: Logstash configuration
template:
src: 01-wazuh.conf.j2
dest: /etc/logstash/conf.d/01-wazuh.conf
owner: root
group: root
notify: restart logstash
tags: configure
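Review bot: The `Copy SSL key and cert for logstash.` task copies both loop items, including the TLS private key, with `mode: 0644`, so the key lands world-readable on the target and any local account can read it and impersonate the Logstash listener. The key needs its own task (or a per-item mode in the loop) with `mode: "0600"` and an `owner`/`group` matching the account Logstash runs as, the package-created `logstash` user on RPM/DEB installs as far as I know, to be confirmed for this deployment, since a root-owned 0600 file would not be readable by the service. Quoting the mode also sidesteps YAML parsing the bare `0644` as the integer 420. Separately, the `Logstash template` task here carries no `notify: restart logstash`, while the version of the same task that main.yml held before the move apparently did, so a changed index template no longer triggers a restart; restore it unless the template is known to be re-read at runtime.
```yaml
# … unchanged: Logstash template task, Ensure Logstash SSL key pair directory exists …
- name: Copy SSL certificate for logstash.
  copy:
    src: "{{ logstash_ssl_certificate_file }}"
    dest: "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}"
    mode: "0644"
  when: logstash_ssl
  tags: configure
- name: Copy SSL private key for logstash (readable only by the service account).
  copy:
    src: "{{ logstash_ssl_key_file }}"
    dest: "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}"
    owner: logstash  # the account Logstash runs as -- confirm for this platform
    group: logstash
    mode: "0600"
  when: logstash_ssl
  tags: configure
# … unchanged: Logstash configuration task …
```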


@ -5,23 +5,8 @@
- include: Debian.yml
when: ansible_os_family == "Debian"
- name: Logstash configuration
template:
src: 01-wazuh.conf.j2
dest: /etc/logstash/conf.d/01-wazuh.conf
owner: root
group: root
notify: restart logstash
tags: configure
- name: Logstash template
template:
src: wazuh-elastic5-template.json.j2
dest: /etc/logstash/wazuh-elastic5-template.json
owner: root
group: root
notify: restart logstash
tags: configure
- include: config.yml
when: logstash_create_config
- name: Ensure Logstash started and enabled
service:


@ -1,23 +1,30 @@
# {{ ansible_managed }}
# Wazuh - Logstash configuration file
{% if logstash_input_beats == true %}
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
{% if logstash_ssl == true %}
ssl => true
ssl_certificate => "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}"
ssl_key => "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}"
{% endif %}
}
}
{% else %}
## Local Wazuh Manager - JSON file input
#input {
# file {
# type => "wazuh-alerts"
# path => "/var/ossec/logs/alerts/alerts.json"
# codec => "json"
# }
#}
input {
file {
type => "wazuh-alerts"
path => "/var/ossec/logs/alerts/alerts.json"
codec => "json"
}
}
{% endif %}
filter {
geoip {
source => "srcip"
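Review bot: The `{% if logstash_ssl == true %}` and `{% if logstash_input_beats == true %}` tests compare against a boolean, so a value supplied as a string (for example `-e logstash_ssl=true` on the command line) never matches and the beats listener is rendered without TLS while the play reports success; `{% if logstash_ssl | bool %}` and `{% if logstash_input_beats | bool %}` accept both forms. Even with TLS enabled, the beats input verifies nothing about the sender, no `ssl_verify_mode` or `ssl_certificate_authorities` is set, so any host that can reach port 5000 can push fabricated alerts into the pipeline; a comment in the template such as `# NOTE: no client verification -- restrict port 5000 at the firewall or add ssl_verify_mode => "force_peer" with ssl_certificate_authorities` would at least make the exposure explicit to operators. The `port => 5000` is hard-coded although the filebeat role exposes the host:port pair as a variable. The `filter` block that begins at the end of the hunk continues outside it.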