Merge pull request #5 from wazuh/elasticstack

Elasticstack roles

ansible-role-elasticsearch/README.md

@@ -1,45 +1,50 @@
-# Ansible Role: Elasticsearch
+Ansible Role: Elasticsearch
+===========================
 
+An Ansible Role that installs [Elasticsearch](https://www.elastic.co/products/elasticsearch).
 
-An Ansible Role that installs Elasticsearch RedHat/CentOS.
+Requirements
+------------
 
-## Requirements
+This role will work on:
+ * Red Hat
+ * CentOS
+ * Fedora
+ * Debian
+ * Ubuntu
 
-Requires at least Java 8 (Java 8+ preferred).
+Role Variables
+--------------
 
-## Role Variables
+Defaults variables are listed below, along with its values (see `defaults/main.yml`):
-Available variables are listed below, along with default values (see `vars/main.yml`):
 
-    elasticsearch_cluster_name: wazuh
+```
-    elasticsearch_node_name: node-1
+  elasticsearch_cluster_name: wazuh
-    elasticsearch_http_port: 9200
+  elasticsearch_node_name: node-1
-    elasticsearch_network_host: 192.168.33.182
+  elasticsearch_http_port: 9200
-    elasticsearch_jvm_xms: 1g
+  elasticsearch_network_host: 127.0.0.1
+  elasticsearch_jvm_xms: 1g
+  elastic_stack_version: 5.4.0
+```
 
+Example Playbook
+----------------
 
-Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+```
+  - hosts: elasticsearch
+    roles:
+      - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' }
+```
 
-    elasticsearch_http_port: 9200
+License and copyright
+---------------------
 
-Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
 
+### Based on previous work from geerlingguy
 
+ - https://github.com/geerlingguy/ansible-role-elasticsearch
 
-## Example Playbook
+### Modified by Wazuh
 
-    - hosts: search
+The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.
-      roles:
-        - geerlingguy.java
-        - geerlingguy.elasticsearch
-
-## License
-
-MIT / BSD
-
-## Author Information
-
-This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
-
-## Modified
-
-The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.

ansible-role-elasticsearch/defaults/main.yml

@@ -4,4 +4,4 @@ elasticsearch_node_name: node-1
 elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_jvm_xms: 1g
-elk_stack_version: 5.4.0
+elastic_stack_version: 5.4.0

ansible-role-elasticsearch/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 galaxy_info:
-  author: Jose Luis Ruiz
+  author: Wazuh
-  description: Installing and maintaining Elasticsearch.
+  description: Installing and maintaining Elasticsearch server.
   company: wazuh.com
   license: license (GPLv3)
   min_ansible_version: 2.0

ansible-role-elasticsearch/tasks/Debian.yml

@@ -33,5 +33,5 @@
     filename: 'elk_repo'
 
 - name: Debian/Ubuntu | Install Elasticsarch
-  apt: name=elasticsearch={{ elk_stack_version }} state=present update_cache=yes
+  apt: name=elasticsearch={{ elastic_stack_version }} state=present update_cache=yes
   tags: install

ansible-role-elasticsearch/tasks/RedHat.yml

@@ -26,6 +26,6 @@
     gpgcheck: yes
 
 - name: RedHat/CentOS/Fedora | Install Elasticsarch
-  package: name=elasticsearch-{{ elk_stack_version }} state=present
+  package: name=elasticsearch-{{ elastic_stack_version }} state=present
   when: oracle_java_task_rpm_installed is defined
   tags: install

ansible-role-filebeat/README.md

@@ -1,77 +1,63 @@
-# Ansible Role: Filebeat for ELK Stack
+Ansible Role: Filebeat for ELK Stack
+------------------------------------
 
-An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat) on RedHat/CentOS or Debian/Ubuntu.
+An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
 
-## Requirements
+Requirements
+------------
 
-None.
+This role will work on:
+ * Red Hat
+ * CentOS
+ * Fedora
+ * Debian
+ * Ubuntu
 
-## Role Variables
+Role Variables
+--------------
 
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
-    filebeat_create_config: true
+```
+  filebeat_create_config: true
 
-Whether to create the Filebeat configuration file and handle the copying of SSL key and cert for filebeat. If you prefer to create a configuration file yourself you can set this to `false`.
+  filebeat_prospectors:
+    - input_type: log
+      paths:
+        - "/var/ossec/logs/alerts/alerts.json"
+      document_type: json
+      json.message_key: log
+      json.keys_under_root: true
+      json.overwrite_keys: true
 
-    filebeat_prospectors:
+  filebeat_output_elasticsearch_enabled: false
-      - input_type: log
+  filebeat_output_elasticsearch_hosts:
-        paths:
+    - "localhost:9200"
-          - "/var/log/*.log"
 
-Prospectors that will be listed in the `prospectors` section of the Filebeat configuration. Read through the [Filebeat Prospectors configuration guide](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html) for more options.
+  filebeat_output_logstash_enabled: true
+  filebeat_output_logstash_hosts:
+    - "192.168.212.158:5000"
 
-    filebeat_output_elasticsearch_enabled: false
+  filebeat_enable_logging: true
-    filebeat_output_elasticsearch_hosts:
+  filebeat_log_level: debug
-      - "localhost:9200"
+  filebeat_log_dir: /var/log/mybeat
+  filebeat_log_filename: mybeat.log
 
-Whether to enable Elasticsearch output, and which hosts to send output to.
+  filebeat_ssl_dir: /etc/pki/logstash
+  filebeat_ssl_certificate_file: ""
+  filebeat_ssl_key_file: ""
+  filebeat_ssl_insecure: "false"
+```
 
-    filebeat_output_logstash_enabled: true
+License and copyright
-    filebeat_output_logstash_hosts:
+---------------------
-      - "localhost:5000"
 
-Whether to enable Logstash output, and which hosts to send output to.
+WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
 
-    filebeat_enable_logging: false
+### Based on previous work from geerlingguy
-    filebeat_log_level: warning
-    filebeat_log_dir: /var/log/filebeat
-    filebeat_log_filename: filebeat.log
 
-Filebeat logging.
+ - https://github.com/geerlingguy/ansible-role-filebeat
 
-    filebeat_ssl_dir: /etc/pki/logstash
+### Modified by Wazuh
 
-The path where certificates and keyfiles will be stored.
+The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.
-
-    filebeat_ssl_certificate_file: ""
-    filebeat_ssl_key_file: ""
-
-Local paths to the SSL certificate and key files, which will be copied into the `filebeat_ssl_dir`.
-
-For utmost security, you should use your own valid certificate and keyfile, and update the `filebeat_ssl_*` variables in your playbook to use your certificate.
-
-To generate a self-signed certificate/key pair, you can use use the command:
-
-    $ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout filebeat.key -out filebeat.crt
-
-Note that filebeat and logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. See: https://github.com/elastic/logstash/issues/4926#issuecomment-203936891
-
-    filebeat_ssl_insecure: "false"
-
-Set this to `"true"` to allow the use of self-signed certificates (when a CA isn't available).
-
-## Dependencies
-
-None.
-
-## License
-
-MIT / BSD
-
-## Author Information
-
-This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
-
-## Modified
-The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.

ansible-role-filebeat/meta/main.yml

@@ -2,10 +2,10 @@
 dependencies: []
 
 galaxy_info:
-  author: geerlingguy
+  author: Wazuh
-  description: Filebeat for Linux.
+  description: Installing and maintaining Elasticsearch server.
-  company: "Midwestern Mac, LLC"
+  company: wazuh.com
-  license: "license (BSD, MIT)"
+  license: license (GPLv3)
   min_ansible_version: 2.0
   platforms:
   - name: EL

ansible-role-kibana/README.md

@@ -1,40 +1,48 @@
-# Ansible Role: Elasticsearch
+Ansible Role: Kibana for ELK Stack
+------------------------------------
 
+An Ansible Role that installs [Kibana](https://www.elastic.co/products/kibana) and [Wazuh APP](https://github.com/wazuh/wazuh-kibana-app).
 
-An Ansible Role that installs Kibana and WazuhAPP  on RedHat/CentOS.
+Requirements
+------------
 
-## Requirements
+This role will work on:
+ * Red Hat
+ * CentOS
+ * Fedora
+ * Debian
+ * Ubuntu
 
-Requires at least Java 8 (Java 8+ preferred).
+Role Variables
+--------------
 
-## Role Variables
+```
-Available variables are listed below, along with default values (see `vars/main.yml`):
+---
+  elasticsearch_http_port: "9200"
+  elasticsearch_network_host: "127.0.0.1"
+  kibana_server_host: "0.0.0.0"
+  kibana_server_port: "5601"
+  elastic_stack_version: 5.4.0
+```
 
-    elasticsearch_network_host: localhost
+Example Playbook
+----------------
 
-Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+```
+  - hosts: kibana
+    roles:
+      - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' }
+```
 
-    elasticsearch_http_port: 9200
+License and copyright
+---------------------
 
-Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
 
+### Based on previous work from geerlingguy
 
+ - https://github.com/geerlingguy/ansible-role-elasticsearch
 
-## Example Playbook
+### Modified by Wazuh
 
-    - hosts: search
+The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.
-      roles:
-        - geerlingguy.java
-        - geerlingguy.elasticsearch
-
-## License
-
-MIT / BSD
-
-## Author Information
-
-This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
-
-## Modified
-
-The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.

ansible-role-kibana/defaults/main.yml

@@ -2,4 +2,5 @@
 elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
-elk_stack_version: 5.4.0
+kibana_server_port: "5601"
+elastic_stack_version: 5.4.0

ansible-role-kibana/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 galaxy_info:
-  author: Jose Luis Ruiz
+  author: Wazuh
-  description: Kibana for Linux.
+  description: Installing and maintaining Elasticsearch server.
   company: wazuh.com
   license: license (GPLv3)
   min_ansible_version: 2.0

ansible-role-kibana/tasks/Debian.yml

@@ -17,5 +17,5 @@
     filename: 'elk_repo'
 
 - name: Debian/Ubuntu | Install Kibana
-  apt: name=kibana={{ elk_stack_version }} state=present update_cache=yes
+  apt: name=kibana={{ elastic_stack_version }} state=present update_cache=yes
   tags: install

ansible-role-kibana/tasks/RedHat.yml

@@ -13,5 +13,5 @@
     gpgcheck: yes
 
 - name: RedHat/CentOS/Fedora | Install Kibana
-  package: name=kibana-{{ elk_stack_version }} state=present
+  package: name=kibana-{{ elastic_stack_version }} state=present
   tags: install

ansible-role-kibana/tasks/main.yml

@@ -19,14 +19,14 @@
   notify: restart kibana
   tags: configure
 
-- name: Checking Wazuh-APP version compatibility
+- name: Checking Wazuh-APP version
-  shell: "grep -c -E 'version.*{{ elk_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo"
+  shell: "grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo"
   args:
     removes: /usr/share/kibana/plugins/wazuh/package.json
   register: wazuh_app_verify
   tags: install
 
-- name: Removing Wazuh-APP by compatibility issues
+- name: Upgrading Wazuh-APP
   shell: "{{ item }}"
   when: wazuh_app_verify.stdout == "0"
   with_items:
@@ -35,7 +35,7 @@
   tags: install
 
 - name: Install Wazuh-APP (can take a while)
-  shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elk_stack_version }}.zip"
+  shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elastic_stack_version }}.zip"
   args:
     creates: /usr/share/kibana/plugins/wazuh/package.json
   notify: restart kibana

ansible-role-kibana/templates/kibana.yml.j2

@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 # Kibana is served by a back end server. This setting specifies the port to use.
-#server.port: 5601
+server.port: {{ kibana_server_port }}
 
 # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
 # The default is 'localhost', which usually means remote machines will not be able to connect.

ansible-role-logstash/README.md

@@ -1,40 +1,45 @@
-# Ansible Role: Logstash
+Ansible Role: Logstash
+----------------------
 
+An Ansible Role that installs [Logstash](https://www.elastic.co/products/logstash)
 
-An Ansible Role that installs Logstash  on RedHat/CentOS.
+Requirements
+------------
 
-## Requirements
+This role will work on:
+ * Red Hat
+ * CentOS
+ * Fedora
+ * Debian
+ * Ubuntu
 
-Requires at least Java 8 (Java 8+ preferred).
+Role Variables
+--------------
+```
+  ---
+  elasticsearch_network_host: "127.0.0.1"
+  elasticsearch_http_port: "9200"
+  elastic_stack_version: 5.4.0
+```
 
-## Role Variables
+Example Playbook
-Available variables are listed below, along with default values (see `vars/main.yml`):
+----------------
 
-    elasticsearch_network_host: localhost
+```
+  - hosts: logstash
+    roles:
+      - { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' }
+```
 
-Network host to listen for incoming connections on. By default we only listen on the localhost interface. Change this to the IP address to listen on a specific interface, or `0.0.0.0` to listen on all interfaces.
+License and copyright
+---------------------
 
-    elasticsearch_http_port: 9200
+WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
 
-Whether to allow inline scripting against ElasticSearch. You should read the following link as there are possible security implications for enabling these options: [Enable Dynamic Scripting](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html#enable-dynamic-scripting). Available options include: `true`, `false`, and `sandbox`.
+### Based on previous work from geerlingguy
 
+ - https://github.com/geerlingguy/ansible-role-elasticsearch
 
+### Modified by Wazuh
 
-## Example Playbook
+The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.
-
-    - hosts: search
-      roles:
-        - geerlingguy.java
-        - geerlingguy.elasticsearch
-
-## License
-
-MIT / BSD
-
-## Author Information
-
-This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
-
-## Modified
-
-The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.

ansible-role-logstash/defaults/main.yml

@@ -1,4 +1,12 @@
 ---
+logstash_create_config: true
+logstash_input_beats: false
+
 elasticsearch_network_host: "127.0.0.1"
 elasticsearch_http_port: "9200"
-elk_stack_version: 5.4.0
+elastic_stack_version: 5.4.0
+
+logstash_ssl: false
+logstash_ssl_dir: /etc/pki/logstash
+logstash_ssl_certificate_file: ""
+logstash_ssl_key_file: ""

ansible-role-logstash/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 galaxy_info:
-  author: Jose Luis Ruiz
+  author: Wazuh
-  description: Logstash for Linux.
+  description: Installing and maintaining Elasticsearch server.
   company: wazuh.com
   license: license (GPLv3)
   min_ansible_version: 2.0

ansible-role-logstash/tasks/Debian.yml

@@ -36,5 +36,5 @@
     filename: 'elk_repo'
 
 - name: Debian/Ubuntu | Install Logstash
-  apt: name=logstash=1:{{ elk_stack_version }}-1 state=present update_cache=yes
+  apt: name=logstash=1:{{ elastic_stack_version }}-1 state=present update_cache=yes
   tags: install

ansible-role-logstash/tasks/RedHat.yml

@@ -26,6 +26,6 @@
     gpgcheck: yes
 
 - name: RedHat/CentOS/Fedora | Install Logstash
-  package: name=logstash-{{ elk_stack_version }} state=present
+  package: name=logstash-{{ elastic_stack_version }} state=present
   when: oracle_java_task_rpm_installed is defined
   tags: install

ansible-role-logstash/tasks/config.yml

@@ -0,0 +1,35 @@
+---
+- name: Logstash template
+  template:
+    src: wazuh-elastic5-template.json.j2
+    dest: /etc/logstash/wazuh-elastic5-template.json
+    owner: root
+    group: root
+  tags: configure
+
+- name: Ensure Logstash SSL key pair directory exists.
+  file:
+    path: "{{ logstash_ssl_dir }}"
+    state: directory
+  when: logstash_ssl
+  tags: configure
+
+- name: Copy SSL key and cert for logstash.
+  copy:
+    src: "{{ item }}"
+    dest: "{{ logstash_ssl_dir }}/{{ item | basename }}"
+    mode: 0644
+  with_items:
+    - "{{ logstash_ssl_key_file }}"
+    - "{{ logstash_ssl_certificate_file }}"
+  when: logstash_ssl
+  tags: configure
+
+- name: Logstash configuration
+  template:
+    src: 01-wazuh.conf.j2
+    dest: /etc/logstash/conf.d/01-wazuh.conf
+    owner: root
+    group: root
+  notify: restart logstash
+  tags: configure

ansible-role-logstash/tasks/main.yml

@@ -5,23 +5,8 @@
 - include: Debian.yml
   when: ansible_os_family == "Debian"
 
-- name: Logstash configuration
+- include: config.yml
-  template:
+  when: logstash_create_config
-    src: 01-wazuh.conf.j2
-    dest: /etc/logstash/conf.d/01-wazuh.conf
-    owner: root
-    group: root
-  notify: restart logstash
-  tags: configure
-
-- name: Logstash template
-  template:
-    src: wazuh-elastic5-template.json.j2
-    dest: /etc/logstash/wazuh-elastic5-template.json
-    owner: root
-    group: root
-  notify: restart logstash
-  tags: configure
 
 - name: Ensure Logstash started and enabled
   service:

ansible-role-logstash/templates/01-wazuh.conf.j2

@@ -1,23 +1,30 @@
 # {{ ansible_managed }}
 # Wazuh - Logstash configuration file
+
+{% if logstash_input_beats == true %}
 ## Remote Wazuh Manager - Filebeat input
 input {
     beats {
         port => 5000
         codec => "json_lines"
-#        ssl => true
+{% if logstash_ssl == true %}
-#        ssl_certificate => "/etc/logstash/logstash.crt"
+        ssl => true
-#        ssl_key => "/etc/logstash/logstash.key"
+        ssl_certificate => "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}"
+        ssl_key => "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}"
+{% endif %}
     }
 }
+{% else %}
 ## Local Wazuh Manager - JSON file input
-#input {
+input {
-#   file {
+   file {
-#       type => "wazuh-alerts"
+       type => "wazuh-alerts"
-#       path => "/var/ossec/logs/alerts/alerts.json"
+       path => "/var/ossec/logs/alerts/alerts.json"
-#       codec => "json"
+       codec => "json"
-#   }
+   }
-#}
+}
+{% endif %}
+
 filter {
     geoip {
         source => "srcip"