diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index 08b3ff16..00000000 --- a/.circleci/config.yml +++ /dev/null @@ -1,25 +0,0 @@ -version: 2 -jobs: - test: - machine: - python: - version: 2.7 - services: - - docker - working_directory: ~/wazuh-ansible - steps: - - checkout - - run: - name: Install pipenv - command: pip install pipenv - - run: - name: Install molecule - command: pipenv install --dev --system - - run: - name: Run molecule - command: pipenv run test -workflows: - version: 2 - test_molecule: - jobs: - - test \ No newline at end of file diff --git a/.gitignore b/.gitignore index 148b831f..04c7b54b 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,5 @@ wazuh-elastic_stack-distributed.yml wazuh-elastic_stack-single.yml wazuh-elastic.yml wazuh-kibana.yml -wazuh-logstash.yml wazuh-manager.yml *.pyc \ No newline at end of file diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 97c0427b..00000000 --- a/.travis.yml +++ /dev/null @@ -1,8 +0,0 @@ -language: python -services: docker -before_script: - - pip install pipenv - - pipenv install --dev --system -script: - - pipenv run test - - pipenv run agent diff --git a/CHANGELOG.md b/CHANGELOG.md index f8fae5c3..af79a017 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,26 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.9.2_7.1.1] + +### Added + +- Update to Wazuh v3.9.2 +- Support for Elastic 7 +- Ability to deploy an Elasticsearch cluster [#6b95e3](https://github.com/wazuh/wazuh-ansible/commit/6b95e304b6ac4dfec08df5cd0fe29be9cc7dc22c) + +## [v3.9.2_6.8.0] + +### Added + +- Update to Wazuh v3.9.2 + +## [v3.9.1] + +### Added + +- Update to Wazuh v3.9.1 +- Support for ELK v6.8.0 ## [v3.9.0] 
@@ -120,7 +140,6 @@ Ansible starting point. Roles: - Elastic Stack: - ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it. - - ansible-logstash: This role involves the installation of logstash on the host that runs it. - ansible-kibana: Using this role we will install Kibana on the host that runs it. - Wazuh: - ansible-filebeat: This role is prepared to install filebeat on the host that runs it. diff --git a/README.md b/README.md index e91018c8..f684d1a8 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,6 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ ├── roles │ │ ├── elastic-stack │ │ │ ├── ansible-elasticsearch - │ │ │ ├── ansible-logstash │ │ │ ├── ansible-kibana │ │ │ │ ├── wazuh @@ -35,7 +34,6 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ ├── wazuh-elastic_stack-distributed.yml │ │ ├── wazuh-elastic_stack-single.yml │ │ ├── wazuh-kibana.yml - │ │ ├── wazuh-logstash.yml │ │ ├── wazuh-manager.yml │ │ ├── README.md diff --git a/VERSION b/VERSION index 53f0359c..36af7bee 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-ANSIBLE_VERSION="v3.9.0" -REVISION="3900" +WAZUH-ANSIBLE_VERSION="v3.9.1" +REVISION="3901" diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index ba33c758..639e6320 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml 
@@ -4,8 +4,7 @@ roles: - role: wazuh/ansible-wazuh-manager -# - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP' +# - {role: wazuh/ansible-filebeat} #, filebeat_output_elasticsearch_hosts: 'your elastic stack server IP' # Elasticsearch requires too much memory to test multiple containers concurrently - To Fix # - {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} -# - {role: elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'} # - {role: elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost'} diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index 9cfab500..27ee3238 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py @@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( def get_wazuh_version(): """This return the version of Wazuh.""" - return "3.9" + return "3.9.1" def test_wazuh_packages_are_installed(host): diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index 6bdf4857..887cafbd 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -6,5 +6,4 @@ - hosts: roles: - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'} - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost'} diff --git a/playbooks/wazuh-elastic_stack-single.yml b/playbooks/wazuh-elastic_stack-single.yml index 9d3d761a..ac5efaf1 100644 --- a/playbooks/wazuh-elastic_stack-single.yml +++ b/playbooks/wazuh-elastic_stack-single.yml 
@@ -1,7 +1,6 @@ --- -- hosts: +- hosts: roles: - - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager} - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} - - { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: 'localhost' } - - { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' } + - {role: ../roles/wazuh/ansible-wazuh-manager} + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true} + - { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' } diff --git a/playbooks/wazuh-logstash.yml b/playbooks/wazuh-logstash.yml deleted file mode 100644 index e3d44687..00000000 --- a/playbooks/wazuh-logstash.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: - roles: - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: ["localhost"]} diff --git a/playbooks/wazuh-manager.yml b/playbooks/wazuh-manager.yml index dc2ad637..d9cc667d 100644 --- a/playbooks/wazuh-manager.yml +++ b/playbooks/wazuh-manager.yml @@ -2,4 +2,4 @@ - hosts: roles: - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your logstash IP'} + - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'your elasticsearch IP'} diff --git a/roles/elastic-stack/ansible-elasticsearch/README.md b/roles/elastic-stack/ansible-elasticsearch/README.md index 3dd45b08..f3089e7e 100644 --- a/roles/elastic-stack/ansible-elasticsearch/README.md +++ b/roles/elastic-stack/ansible-elasticsearch/README.md 
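Review bot: The single-node playbook now passes `elasticsearch_network_host: '0.0.0.0'`, which the role's template renders as `network.host`, so the node's HTTP (9200) and transport (9300) ports listen on every interface of the host; nothing visible in the role configures authentication or TLS, so anyone with network reach to the host gets unauthenticated access to the Wazuh alert indices. The Kibana role in the same play still talks to `localhost`, so binding to the loopback address (or to the one address the Filebeat/Kibana hosts actually use) would be the safer default, with the wildcard an explicit opt-in. The role's `_template/wazuh` check also builds its URL from this variable, and `http://0.0.0.0:9200` only happens to reach the local node on Linux. If the wildcard is kept, a comment such as `# 0.0.0.0 exposes 9200/9300 on every interface; restrict with a firewall or set an explicit address` belongs on that line.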
@@ -30,10 +30,27 @@ Defaults variables are listed below, along with its values (see `defaults/main.y Example Playbook ---------------- +- Single-node ``` - hosts: elasticsearch roles: - - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' } + - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182', single_host: true } +``` + +- Three nodes Elasticsearch cluster +``` +--- +- hosts: 172.16.0.161 + roles: + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.161', elasticsearch_bootstrap_node: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} + +- hosts: 172.16.0.162 + roles: + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} + +- hosts: 172.16.0.163 + roles: + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} ``` License and copyright diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 4103bca6..5d380b6b 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,9 @@ elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 6.7.1 -elasticsearch_shards: 5 -elasticsearch_replicas: 1 -elasticsearch_install_java: true +elastic_stack_version: 7.1.1 +single_node: false +elasticsearch_bootstrap_node: false +elasticsearch_master_candidate: false +elasticsearch_cluster_nodes: + - 127.0.0.1 \ No newline at end of file 
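Review bot: In defaults/main.yml the new toggle is named `single_node`, while every other variable in the file carries the `elasticsearch_` prefix; an unprefixed name clashes easily with other roles' vars, and the README example added in this same commit uses `single_host: true`, a key the role never reads, so a user copying that example gets a node with no discovery settings at all (with a non-loopback `network.host`, Elasticsearch 7 presumably fails its bootstrap check for that — worth verifying). Either rename it to `elasticsearch_single_node` (keeping `single_node` as a fallback) or at least fix the README to `single_node: true` and document the default, e.g. `single_node: false  # renders discovery.type: single-node; mutually exclusive with the bootstrap/master flags`. The file also still ends without a trailing newline.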
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml index f786d2a3..844da315 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml @@ -4,12 +4,6 @@ name: ['apt-transport-https', 'ca-certificates'] state: present -- when: elasticsearch_install_java - block: - - name: Debian/Ubuntu | Install OpenJDK 1.8 - apt: name=openjdk-8-jre state=present cache_valid_time=3600 - tags: install - - name: Debian/Ubuntu | Add Elasticsearch GPG key. apt_key: url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" @@ -17,7 +11,7 @@ - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' state: present filename: 'elastic_repo' update_cache: true diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml index 74c59c37..b11eec45 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml @@ -1,5 +1,5 @@ --- - name: Debian/Ubuntu | Removing Elasticsearch repository apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main + repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main state: absent diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml index 79632b31..54728b0c 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml 
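Review bot: The repository line in Debian.yml is switched from 6.x to 7.x, but `apt_repository` with `filename: 'elastic_repo'` only appends the new line, so hosts provisioned with the previous version of this role keep the 6.x entry enabled next to 7.x; the RMDebian.yml hunk has the mirror problem, removing only the 7.x line (the 5.x value it replaces suggests the removal task has been out of step with the install task for a while). Consider an explicit removal of the stale entry ahead of the install, e.g. `- name: Debian/Ubuntu | Remove stale 6.x Elastic repo` with `apt_repository: {repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main', filename: 'elastic_repo', state: absent}`, and give the removal task in RMDebian.yml the same `filename: 'elastic_repo'` so it edits the sources file the install task wrote.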
@@ -1,20 +1,13 @@ --- -- when: elasticsearch_install_java - block: - - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 - yum: name=java-1.8.0-openjdk state=present - register: oracle_java_task_rpm_installed - tags: install - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum + description: Elastic repository for 7.x packages + baseurl: https://artifacts.elastic.co/packages/7.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: true - name: RedHat/CentOS/Fedora | Install Elasticsarch package: name=elasticsearch-{{ elastic_stack_version }} state=present - when: not elasticsearch_install_java or oracle_java_task_rpm_installed is defined tags: install diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index a1f44f88..bd7bc0d4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -95,6 +95,8 @@ url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" method: GET status_code: 200, 404 + when: not elasticsearch_bootstrap_node or single_node + poll: 30 register: wazuh_alerts_template_exits tags: init @@ -104,8 +106,10 @@ method: PUT status_code: 200 body_format: json - body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}" - when: wazuh_alerts_template_exits.status != 200 + body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" + when: + - wazuh_alerts_template_exits.status is defined + - wazuh_alerts_template_exits.status != 200 tags: init - import_tasks: "RMRedHat.yml" diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 index 69f666fc..595dd58a 100644 
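Review bot: In tasks/main.yml the added `poll: 30` on the `_template/wazuh` GET task has no effect on its own: `poll` only sets how often Ansible checks an `async` task, and this task is synchronous. If the intent is to give Elasticsearch time to accept connections after the service starts (the rewritten `when:` on the PUT, which now tolerates a missing `status`, hints at that), a retry loop does it — replace the `poll` line with `until: wazuh_alerts_template_exits.status in [200, 404]`, `retries: 6`, `delay: 5`. Note also that the new condition only skips the check on a bootstrap node that is not `single_node`; on a master candidate the GET can run before the cluster has elected a master, which is another reason for the retry. The enclosing task list continues outside the hunk.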
--- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
@@ -1,89 +1,24 @@ # {{ ansible_managed }} -# ======================== Elasticsearch Configuration ========================= -# -# NOTE: Elasticsearch comes with reasonable defaults for most settings. -# Before you set out to tweak and tune the configuration, make sure you -# understand what are you trying to accomplish and the consequences. -# -# The primary way of configuring a node is via this file. This template lists -# the most important settings you may want to configure for a production cluster. -# -# Please consult the documentation for further information on configuration options: -# https://www.elastic.co/guide/en/elasticsearch/reference/index.html -# -# ---------------------------------- Cluster ----------------------------------- -# -# Use a descriptive name for your cluster: -# + cluster.name: {{ elasticsearch_cluster_name }} -# -# ------------------------------------ Node ------------------------------------ -# -# Use a descriptive name for the node: -# node.name: {{ elasticsearch_node_name }} -# -# Add custom attributes to the node: -# -#node.attr.rack: r1 -# -# ----------------------------------- Paths ------------------------------------ -# -# Path to directory where to store the data (separate multiple locations by comma): -# path.data: /var/lib/elasticsearch -# -# Path to log files: -# path.logs: /var/log/elasticsearch -# -# ----------------------------------- Memory ----------------------------------- -# -# Lock the memory on startup: -# bootstrap.memory_lock: true -# -# Make sure that the heap size is set to about half the memory available -# on the system and that the owner of the process is allowed to use this -# limit. -# -# Elasticsearch performs poorly when the system is swapping the memory. 
-# -# ---------------------------------- Network ----------------------------------- -# -# Set the bind address to a specific IP (IPv4 or IPv6): -# network.host: {{ elasticsearch_network_host }} -# -# Set a custom port for HTTP: -# -#http.port: 9200 -# -# For more information, consult the network module documentation. -# -# --------------------------------- Discovery ---------------------------------- -# -# Pass an initial list of hosts to perform discovery when new node is started: -# The default list of hosts is ["127.0.0.1", "[::1]"] -# -#discovery.zen.ping.unicast.hosts: ["host1", "host2"] -# -# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): -# -#discovery.zen.minimum_master_nodes: 3 -# -# For more information, consult the zen discovery module documentation. -# -# ---------------------------------- Gateway ----------------------------------- -# -# Block initial recovery after a full cluster restart until N nodes are started: -# -#gateway.recover_after_nodes: 3 -# -# For more information, consult the gateway module documentation. -# -# ---------------------------------- Various ----------------------------------- -# -# Require explicit names when deleting indices: -# -#action.destructive_requires_name: true + +{% if single_node %} +discovery.type: single-node +{% elif elasticsearch_bootstrap_node %} +node.master: true +cluster.initial_master_nodes: +{% for item in elasticsearch_cluster_nodes %} + - {{ item }} +{% endfor %} +{% elif elasticsearch_master_candidate %} +node.master: true +discovery.seed_hosts: +{% for item in elasticsearch_cluster_nodes %} + - {{ item }} +{% endfor %} +{% endif %} diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 new file mode 100644 index 00000000..836b2cb2 --- /dev/null 
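Review bot: The bootstrap branch of the new discovery block renders `cluster.initial_master_nodes` but no `discovery.seed_hosts`, while the master-candidate branch renders only `discovery.seed_hosts`. `cluster.initial_master_nodes` is consulted only while a brand-new cluster is forming; once it has formed, a restarted bootstrap node has no seed list and can rejoin only if a candidate happens to dial it first, which is presumably not the intended failure mode. Both master-eligible branches should emit `discovery.seed_hosts`, with the bootstrap node additionally emitting `cluster.initial_master_nodes`, as in the rewrite below. Separately, the list entries are IP addresses while the template sets `node.name` from `elasticsearch_node_name` (default `node-1`); Elasticsearch 7 accepts addresses in the initial-master list as far as I know, but the README example never overrides the node name, so three cluster members would all be called `node-1` — worth confirming that is harmless.
```yaml
# … unchanged: cluster.name, node.name, path.*, bootstrap.memory_lock, network.host …

{% if single_node %}
discovery.type: single-node
{% elif elasticsearch_bootstrap_node or elasticsearch_master_candidate %}
node.master: true
discovery.seed_hosts:
{% for item in elasticsearch_cluster_nodes %}
  - {{ item }}
{% endfor %}
{% if elasticsearch_bootstrap_node %}
cluster.initial_master_nodes:
{% for item in elasticsearch_cluster_nodes %}
  - {{ item }}
{% endfor %}
{% endif %}
{% endif %}
```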
+++ b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 
@@ -0,0 +1,1456 @@ +{ + "order": 0, + "index_patterns": ["wazuh-alerts-3.x-*"], + "settings": { + "index.refresh_interval": "5s", + "index.number_of_shards": "3", + "index.number_of_replicas": "0", + "index.auto_expand_replicas": "0-1", + "index.mapping.total_fields.limit": 2000 + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "AlertsFile": { + "type": "keyword", + "doc_values": "true" + }, + "full_log": { + "enabled": false, + "type": "object" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword", + "doc_values": "true" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword", + "doc_values": "true" + }, + "region_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword", + "doc_values": "true" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_before": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_after": { + "type": "keyword", + "doc_values": "true" + }, + "uid_before": { + "type": "keyword", + "doc_values": "true" + }, + "uid_after": { + "type": "keyword", + "doc_values": "true" + }, + "gid_before": { + "type": "keyword", + "doc_values": "true" + }, + "gid_after": { + "type": "keyword", + "doc_values": "true" + }, + "perm_before": { + "type": "keyword", + "doc_values": "true" + }, + "perm_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_before": { + "type": "keyword", + "doc_values": "true" + }, + "gname_after": { + "type": "keyword", + "doc_values": "true" + }, + "gname_before": { + "type": "keyword", + "doc_values": "true" + }, + "inode_after": { + "type": "keyword", + "doc_values": "true" + }, + "inode_before": { + "type": "keyword", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "uname_after": { + "type": "keyword", + "doc_values": "true" + }, + "uname_before": { + "type": "keyword", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "doc_values": "true" + }, + "diff": { + "type": "keyword", + "doc_values": "true" + }, + "event": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "location": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword", + 
"doc_values": "true" + }, + "groups": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "cve": { + "type": "keyword", + "doc_values": "true" + }, + "info": { + "type": "keyword", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + }, + "gdpr": { + "type": "keyword", + "doc_values": "true" + }, + "gpg13": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "predecoder": { + "properties": { + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "timestamp": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "ftscomment": { + "type": "keyword", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "data": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "srcport": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + 
"type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" + }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + "type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long", + "doc_values": "true" + }, + "dstaddr": { + "type": "ip", + "doc_values": "true" + }, + "srcaddr": { + "type": "ip", + "doc_values": "true" + }, + "end": { + 
"type": "date", + "doc_values": "true" + }, + "start": { + "type": "date", + "doc_values": "true" + }, + "source_ip_address": { + "type": "ip", + "doc_values": "true" + }, + "resource.instanceDetails.networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip", + "doc_values": "true" + }, + "publicIp": { + "type": "ip", + "doc_values": "true" + } + } + }, + "service": { + "properties": { + "count": { + "type": "long", + "doc_values": "true" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip", + "doc_values": "true" + }, + "geoLocation": { + "type": "geo_point", + "doc_values": "true" + } + } + } + } + } + } + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + }, + "mac": { + "type": "keyword", + "doc_values": "true" + }, + "adapter": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "mtu": { + "type": "long", + "doc_values": "true" + }, + "tx_bytes": { + "type": "long", + "doc_values": "true" + }, + "rx_bytes": { + "type": "long", + "doc_values": "true" + }, + "tx_errors": { + "type": "long", + "doc_values": "true" + }, + "rx_errors": { + "type": "long", + "doc_values": "true" + }, + "tx_dropped": { + "type": "long", + "doc_values": "true" + }, + "rx_dropped": { + "type": "long", + "doc_values": "true" + }, + "tx_packets": { + "type": "long", + "doc_values": "true" + }, + "rx_packets": { + "type": "long", + "doc_values": "true" + }, + "ipv4": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + 
"type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + }, + "ipv6": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + "type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "codename": { + "type": "keyword", + "doc_values": "true" + }, + "major": { + "type": "keyword", + "doc_values": "true" + }, + "minor": { + "type": "keyword", + "doc_values": "true" + }, + "build": { + "type": "keyword", + "doc_values": "true" + }, + "platform": { + "type": "keyword", + "doc_values": "true" + }, + "sysname": { + "type": "keyword", + "doc_values": "true" + }, + "release": { + "type": "keyword", + "doc_values": "true" + }, + "release_version": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "local_ip": { + "type": "ip", + "doc_values": "true" + }, + "local_port": { + "type": "long", + "doc_values": "true" + }, + "remote_ip": { + "type": "ip", + "doc_values": "true" + }, + "remote_port": { + "type": "long", + "doc_values": "true" + }, + "tx_queue": { + "type": "long", + "doc_values": "true" + }, + "rx_queue": { + "type": "long", + "doc_values": "true" + }, + "inode": { + "type": "long", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "long", + "doc_values": 
"true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_name": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_cores": { + "type": "long", + "doc_values": "true" + }, + "cpu_mhz": { + "type": "double", + "doc_values": "true" + }, + "ram_total": { + "type": "long", + "doc_values": "true" + }, + "ram_free": { + "type": "long", + "doc_values": "true" + }, + "ram_usage": { + "type": "long", + "doc_values": "true" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "keyword", + "doc_values": "true" + }, + "section": { + "type": "keyword", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vendor": { + "type": "keyword", + "doc_values": "true" + }, + "install_time": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "multiarch": { + "type": "keyword", + "doc_values": "true" + }, + "source": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "location": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "long", + "doc_values": "true" + }, + "utime": { + "type": "long", + "doc_values": "true" + }, + "stime": { + "type": "long", + "doc_values": "true" + }, + "cmd": { + "type": "keyword", + "doc_values": "true" + }, + "args": { + "type": "keyword", + "doc_values": "true" + }, + "euser": { + "type": "keyword", + 
"doc_values": "true" + }, + "ruser": { + "type": "keyword", + "doc_values": "true" + }, + "suser": { + "type": "keyword", + "doc_values": "true" + }, + "egroup": { + "type": "keyword", + "doc_values": "true" + }, + "sgroup": { + "type": "keyword", + "doc_values": "true" + }, + "fgroup": { + "type": "keyword", + "doc_values": "true" + }, + "rgroup": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "long", + "doc_values": "true" + }, + "nice": { + "type": "long", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vm_size": { + "type": "long", + "doc_values": "true" + }, + "resident": { + "type": "long", + "doc_values": "true" + }, + "share": { + "type": "long", + "doc_values": "true" + }, + "start_time": { + "type": "long", + "doc_values": "true" + }, + "pgrp": { + "type": "long", + "doc_values": "true" + }, + "session": { + "type": "long", + "doc_values": "true" + }, + "nlwp": { + "type": "long", + "doc_values": "true" + }, + "tgid": { + "type": "long", + "doc_values": "true" + }, + "tty": { + "type": "long", + "doc_values": "true" + }, + "processor": { + "type": "long", + "doc_values": "true" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "scan_id": { + "type": "keyword", + "doc_values": "true" + }, + "policy": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "passed": { + "type": "integer", + "doc_values": "true" + }, + "failed": { + "type": "integer", + "doc_values": "true" + }, + "score": { + "type": "long", + "doc_values": "true" + }, + "check": { + "properties": { + "id": { + "type": "keyword", + "doc_values": "true" + }, + "title": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + 
}, + "rationale": { + "type": "keyword", + "doc_values": "true" + }, + "remediation": { + "type": "keyword", + "doc_values": "true" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "cis_csc": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "references": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "directory": { + "type": "keyword", + "doc_values": "true" + }, + "registry": { + "type": "keyword", + "doc_values": "true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + }, + "result": { + "type": "keyword", + "doc_values": "true" + }, + "previous_result": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + }, + "win": { + "properties": { + "system": { + "properties": { + "providerName": { + "type": "keyword", + "doc_values": "true" + }, + "providerGuid": { + "type": "keyword", + "doc_values": "true" + }, + "eventSourceName": { + "type": "keyword", + "doc_values": "true" + }, + "securityUserID": { + "type": "keyword", + "doc_values": "true" + }, + "userID": { + "type": "keyword", + "doc_values": "true" + }, + "eventID": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "keyword", + "doc_values": "true" + }, + "task": { + "type": "keyword", + "doc_values": "true" + }, + "opcode": { + "type": "keyword", + "doc_values": "true" + }, + "keywords": { + "type": "keyword", + "doc_values": "true" + }, + "systemTime": { + "type": "keyword", + "doc_values": "true" + }, + "eventRecordID": { + "type": "keyword", + "doc_values": "true" + }, + "processID": { + "type": "keyword", + "doc_values": "true" + }, + "threadID": { + "type": "keyword", + "doc_values": "true" + }, + "channel": { + "type": "keyword", + "doc_values": "true" + }, + "computer": { + "type": "keyword", + 
"doc_values": "true" + }, + "severityValue": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "eventdata": { + "properties": { + "subjectUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "subjectUserName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserName": { + "type": "keyword", + "doc_values": "true" + }, + "targetDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "targetLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "logonType": { + "type": "keyword", + "doc_values": "true" + }, + "logonProcessName": { + "type": "keyword", + "doc_values": "true" + }, + "authenticationPackageName": { + "type": "keyword", + "doc_values": "true" + }, + "logonGuid": { + "type": "keyword", + "doc_values": "true" + }, + "keyLength": { + "type": "keyword", + "doc_values": "true" + }, + "impersonationLevel": { + "type": "keyword", + "doc_values": "true" + }, + "transactionId": { + "type": "keyword", + "doc_values": "true" + }, + "newState": { + "type": "keyword", + "doc_values": "true" + }, + "resourceManager": { + "type": "keyword", + "doc_values": "true" + }, + "processId": { + "type": "keyword", + "doc_values": "true" + }, + "processName": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "image": { + "type": "keyword", + "doc_values": "true" + }, + "binary": { + "type": "keyword", + "doc_values": "true" + }, + "parentImage": { + "type": "keyword", + "doc_values": "true" + }, + "categoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryGuid": { + "type": "keyword", + "doc_values": 
"true" + }, + "auditPolicyChangesId": { + "type": "keyword", + "doc_values": "true" + }, + "category": { + "type": "keyword", + "doc_values": "true" + }, + "subcategory": { + "type": "keyword", + "doc_values": "true" + }, + "auditPolicyChanges": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "rmSessionEvent": { + "properties": { + "rmSessionId": { + "type": "keyword", + "doc_values": "true" + }, + "uTCStartTime": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + } + } + }, + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword", + "doc_values": "true" + } + } + } +} + diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index c2779fe8..cf33aeff 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -3,5 +3,5 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 6.7.1 -wazuh_version: 3.9.0 +elastic_stack_version: 7.1.1 +wazuh_version: 3.9.1 \ No newline at end of file diff --git a/roles/elastic-stack/ansible-kibana/tasks/Debian.yml b/roles/elastic-stack/ansible-kibana/tasks/Debian.yml index 097b19db..67081b86 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/Debian.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/Debian.yml @@ -11,7 +11,7 @@ - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' state: present filename: 'elastic_repo' update_cache: true diff --git a/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml b/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml index 74c59c37..b11eec45 100644 
--- a/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml @@ -1,5 +1,5 @@ --- - name: Debian/Ubuntu | Removing Elasticsearch repository apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main + repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main state: absent diff --git a/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml b/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml index f5fe2935..1d35d139 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml @@ -2,8 +2,8 @@ - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum + description: Elastic repository for 7.x packages + baseurl: https://artifacts.elastic.co/packages/7.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: true diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index 9b29f17a..edd1b4b4 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 @@ -19,7 +19,7 @@ server.host: {{ kibana_server_host }} #server.name: "your-hostname" # The URL of the Elasticsearch instance to use for all your queries. -elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" # When this setting's value is true Kibana uses the hostname specified in the server.host # setting. When the value of this setting is false, Kibana uses the hostname of the host 
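Review bot: `elasticsearch.hosts` is rendered from the single `elasticsearch_network_host` value as a plain `http://` URL, so any deployment that points Kibana at an Elasticsearch node other than the `127.0.0.1` default sends all of its query traffic in clear text. The Kibana 7 setting accepts a list of URLs, which matters now that the commit advertises cluster deployments; only one node is ever configured here. A comment above the line would make both limits explicit, e.g. `# Kibana 7 renamed elasticsearch.url to elasticsearch.hosts; it accepts a list, but only one node and no TLS are configured here.` The rest of kibana.yml.j2 lies outside the hunk.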
diff --git a/roles/elastic-stack/ansible-logstash/README.md b/roles/elastic-stack/ansible-logstash/README.md deleted file mode 100644 index 7be8951d..00000000 --- a/roles/elastic-stack/ansible-logstash/README.md +++ /dev/null @@ -1,53 +0,0 @@ -Ansible Role: Logstash ----------------------- - -An Ansible Role that installs [Logstash](https://www.elastic.co/products/logstash) - -Requirements ------------- - -This role will work on: - * Red Hat - * CentOS - * Fedora - * Debian - * Ubuntu - -Role Variables --------------- -``` - --- - logstash_create_config: true - logstash_input_beats: false - - elasticsearch_network_host: "127.0.0.1" - elasticsearch_http_port: "9200" - elastic_stack_version: 5.5.0 - - logstash_ssl: false - logstash_ssl_dir: /etc/pki/logstash - logstash_ssl_certificate_file: "" - logstash_ssl_key_file: "" -``` - -Example Playbook ----------------- - -``` - - hosts: logstash - roles: - - { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' } -``` - -License and copyright ---------------------- - -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) - -### Based on previous work from geerlingguy - - - https://github.com/geerlingguy/ansible-role-elasticsearch - -### Modified by Wazuh - -The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/elastic-stack/ansible-logstash/defaults/main.yml b/roles/elastic-stack/ansible-logstash/defaults/main.yml deleted file mode 100644 index a83f68cc..00000000 --- a/roles/elastic-stack/ansible-logstash/defaults/main.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -logstash_create_config: true -logstash_input_beats: false - -# You can introduce Multiples IPs -# elasticseacrh_network_host: ["Localhost1", "Localhost2", "Localhost3", ...] -elasticsearch_network_host: ["Localhost"] - -elasticsearch_http_port: "9200" -elasticsearch_shards: 5 -elasticsearch_replicas: 1 -elastic_stack_version: 6.7.1 - -logstash_ssl: false -logstash_ssl_dir: /etc/pki/logstash -logstash_ssl_certificate_file: "" -logstash_ssl_key_file: "" - -logstash_install_java: true diff --git a/roles/elastic-stack/ansible-logstash/handlers/main.yml b/roles/elastic-stack/ansible-logstash/handlers/main.yml deleted file mode 100644 index 56f376c8..00000000 --- a/roles/elastic-stack/ansible-logstash/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: restart logstash - service: name=logstash state=restarted diff --git a/roles/elastic-stack/ansible-logstash/meta/main.yml b/roles/elastic-stack/ansible-logstash/meta/main.yml deleted file mode 100644 index 90234871..00000000 --- a/roles/elastic-stack/ansible-logstash/meta/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -galaxy_info: - author: Wazuh - description: Installing and maintaining Elasticsearch server. - company: wazuh.com - license: license (GPLv3) - min_ansible_version: 2.0 - platforms: - - name: EL - versions: - - all - - name: Fedora - versions: - - all - - name: Debian - versions: - - all - - name: Ubuntu - versions: - - all - galaxy_tags: - - web - - system - - monitoring diff --git a/roles/elastic-stack/ansible-logstash/tasks/Debian.yml b/roles/elastic-stack/ansible-logstash/tasks/Debian.yml deleted file mode 100644 index 403ee88f..00000000 --- a/roles/elastic-stack/ansible-logstash/tasks/Debian.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - apt: - name: ['apt-transport-https', 'ca-certificates'] - state: present - -- when: logstash_install_java - block: - - name: Debian/Ubuntu | Install OpenJDK 1.8 - apt: name=openjdk-8-jre state=present cache_valid_time=3600 - tags: install - -- name: Debian/Ubuntu | Add Elasticsearch GPG key - apt_key: - url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" - state: present - -- name: Debian/Ubuntu | Install Elasticsearch repo - apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' - state: present - filename: 'elastic_repo' - -- name: Debian/Ubuntu | Install Logstash - apt: - name: "logstash=1:{{ elastic_stack_version }}-1" - state: present - update_cache: true - tags: install - -- name: Debian/Ubuntu | Checking if wazuh-manager is installed - command: dpkg -l wazuh-manager - register: wazuh_manager_check_deb - when: logstash_input_beats == false - args: - warn: false - -- name: Debian/Ubuntu | Add user logstash to group ossec - user: - name: logstash - groups: ossec - append: true - when: - - logstash_input_beats == false - - wazuh_manager_check_deb.rc == 0 diff --git a/roles/elastic-stack/ansible-logstash/tasks/RMDebian.yml b/roles/elastic-stack/ansible-logstash/tasks/RMDebian.yml deleted file mode 100644 index 74c59c37..00000000 --- a/roles/elastic-stack/ansible-logstash/tasks/RMDebian.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Debian/Ubuntu | Removing Elasticsearch repository - apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main - state: absent diff --git a/roles/elastic-stack/ansible-logstash/tasks/RMRedHat.yml b/roles/elastic-stack/ansible-logstash/tasks/RMRedHat.yml deleted file mode 100644 index 78538fe9..00000000 --- a/roles/elastic-stack/ansible-logstash/tasks/RMRedHat.yml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -- name: RedHat/CentOS/Fedora | Remove logstash repository (and clean up left-over metadata) - yum_repository: - name: elastic_repo - state: absent diff --git a/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml b/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml deleted file mode 100644 index ed16fbc5..00000000 --- a/roles/elastic-stack/ansible-logstash/tasks/RedHat.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- when: logstash_install_java - block: - - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 - yum: name=java-1.8.0-openjdk state=present - register: oracle_java_task_rpm_installed - tags: install - -- name: RedHat/CentOS/Fedora | Install Logstash repo - yum_repository: - name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum - gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch - gpgcheck: true - -- name: RedHat/CentOS/Fedora | Install Logstash - package: name=logstash-{{ elastic_stack_version }} state=present - when: not logstash_install_java or oracle_java_task_rpm_installed is defined - tags: install - -- name: RedHat/CentOS/Fedora | Checking if wazuh-manager is installed - command: rpm -q wazuh-manager - register: wazuh_manager_check_rpm - when: logstash_input_beats == false - args: - warn: false - -- name: RedHat/CentOS/Fedora | Add user logstash to group ossec - user: - name: logstash - groups: ossec - append: true - when: - - logstash_input_beats == false - - wazuh_manager_check_rpm.rc == 0 - -- name: Amazon Linux change startup group - shell: sed -i 's/.*LS_GROUP=logstash.*/LS_GROUP=ossec/' /etc/logstash/startup.options - when: - - logstash_input_beats == false - - wazuh_manager_check_rpm.rc == 0 - - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" diff --git a/roles/elastic-stack/ansible-logstash/tasks/config.yml b/roles/elastic-stack/ansible-logstash/tasks/config.yml deleted file mode 100644 index 037f0d85..00000000 
--- a/roles/elastic-stack/ansible-logstash/tasks/config.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Ensure Logstash SSL key pair directory exists. - file: - path: "{{ logstash_ssl_dir }}" - state: directory - when: logstash_ssl - tags: configure - -- name: Copy SSL key and cert for logstash. - copy: - src: "{{ item }}" - dest: "{{ logstash_ssl_dir }}/{{ item | basename }}" - mode: 0644 - with_items: - - "{{ logstash_ssl_key_file }}" - - "{{ logstash_ssl_certificate_file }}" - when: logstash_ssl - tags: configure - -- name: Logstash configuration - template: - src: 01-wazuh.conf.j2 - dest: /etc/logstash/conf.d/01-wazuh.conf - owner: root - group: root - notify: restart logstash - tags: configure diff --git a/roles/elastic-stack/ansible-logstash/tasks/main.yml b/roles/elastic-stack/ansible-logstash/tasks/main.yml deleted file mode 100644 index e114a82f..00000000 --- a/roles/elastic-stack/ansible-logstash/tasks/main.yml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -- import_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- import_tasks: Debian.yml - when: ansible_os_family == "Debian" - -- import_tasks: config.yml - when: logstash_create_config - -- name: Reload systemd - systemd: daemon_reload=yes - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - -- name: Amazon Linux create service - shell: /usr/share/logstash/bin/system-install /etc/logstash/startup.options - when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - -- name: Ensure Logstash started and enabled - service: - name: logstash - enabled: true - state: started - -- name: Amazon Linux start Logstash - service: - name: logstash - enabled: true - state: started - when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- import_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" diff --git a/roles/elastic-stack/ansible-logstash/templates/01-wazuh.conf.j2 b/roles/elastic-stack/ansible-logstash/templates/01-wazuh.conf.j2 deleted file mode 100644 index 6ef868e1..00000000 --- a/roles/elastic-stack/ansible-logstash/templates/01-wazuh.conf.j2 +++ /dev/null 
@@ -1,73 +0,0 @@ -#jinja2: trim_blocks:False -# {{ ansible_managed }} -# Wazuh - Logstash configuration file - -{% if logstash_input_beats == true %} -## Remote Wazuh Manager - Filebeat input -input { - beats { - port => 5000 - codec => "json_lines" -{% if logstash_ssl == true %} - ssl => true - ssl_certificate => "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}" - ssl_key => "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}" -{% endif %} - } -} -{% else %} -## Local Wazuh Manager - JSON file input -input { - file { - type => "wazuh-alerts" - path => "/var/ossec/logs/alerts/alerts.json" - codec => "json" - } -} -{% endif %} -filter { - if [data][srcip] { - mutate { - add_field => [ "@src_ip", "%{[data][srcip]}" ] - } - } - if [data][aws][sourceIPAddress] { - mutate { - add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ] - } - } -} -filter { - if [data][srcip] { - mutate { - add_field => [ "@src_ip", "%{[data][srcip]}" ] - } - } - if [data][aws][sourceIPAddress] { - mutate { - add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ] - } - } -} -filter { - geoip { - source => "@src_ip" - target => "GeoLocation" - fields => ["city_name", "country_name", "region_name", "location"] - } - date { - match => ["timestamp", "ISO8601"] - target => "@timestamp" - } - mutate { - remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"] - } -} -output { - #stdout { codec => rubydebug } - elasticsearch { - hosts => {{ elasticsearch_network_host | to_json}} - index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}" - document_type => "wazuh" - } -} diff --git a/roles/wazuh/ansible-filebeat/README.md b/roles/wazuh/ansible-filebeat/README.md index 6801e373..ad588e64 100644 --- a/roles/wazuh/ansible-filebeat/README.md +++ b/roles/wazuh/ansible-filebeat/README.md 
@@ -19,34 +19,10 @@ Role Variables Available variables are listed below, along with default values (see `defaults/main.yml`): ``` - filebeat_create_config: true - - filebeat_prospectors: - - input_type: log - paths: - - "/var/ossec/logs/alerts/alerts.json" - document_type: json - json.message_key: log - json.keys_under_root: true - json.overwrite_keys: true - filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" - filebeat_output_logstash_enabled: true - filebeat_output_logstash_hosts: - - "192.168.212.158:5000" - - filebeat_enable_logging: true - filebeat_log_level: debug - filebeat_log_dir: /var/log/mybeat - filebeat_log_filename: mybeat.log - - filebeat_ssl_dir: /etc/pki/logstash - filebeat_ssl_certificate_file: "" - filebeat_ssl_key_file: "" - filebeat_ssl_insecure: "false" ``` License and copyright diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 0f9b5c5a..a00cbbb4 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -14,16 +14,12 @@ filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" -filebeat_output_logstash_enabled: true -filebeat_output_logstash_hosts: - - "192.168.212.158:5000" - filebeat_enable_logging: true filebeat_log_level: debug filebeat_log_dir: /var/log/mybeat filebeat_log_filename: mybeat.log -filebeat_ssl_dir: /etc/pki/logstash +filebeat_ssl_dir: /etc/pki/filebeat filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" diff --git a/roles/wazuh/ansible-filebeat/tasks/Debian.yml b/roles/wazuh/ansible-filebeat/tasks/Debian.yml index 455034d6..95b31e0e 100644 --- a/roles/wazuh/ansible-filebeat/tasks/Debian.yml +++ b/roles/wazuh/ansible-filebeat/tasks/Debian.yml 
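Review bot: With the `filebeat_output_logstash_*` defaults removed, the only remaining output is governed by `filebeat_output_elasticsearch_enabled`, which the context line above still sets to `false`, so a play run with stock defaults appears to leave Filebeat with no output at all (unless the filebeat.yml template enables Elasticsearch unconditionally, which is not visible here). Either change the default to `filebeat_output_elasticsearch_enabled: true` or add a comment under it stating that the playbook must set it. The move of `filebeat_ssl_dir` to `/etc/pki/filebeat` also changes where an existing host expects its key pair; a one-line `# was /etc/pki/logstash before the Logstash output was dropped` would spare operators the surprise.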
@@ -12,6 +12,6 @@ - name: Debian/Ubuntu | Add Filebeat repository. apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' state: present update_cache: true diff --git a/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml index 580e6d86..f027d4f9 100644 --- a/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml +++ b/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml @@ -1,5 +1,5 @@ --- - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main + repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main state: absent diff --git a/roles/wazuh/ansible-filebeat/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat/tasks/RedHat.yml index 80798897..e4ddd652 100644 --- a/roles/wazuh/ansible-filebeat/tasks/RedHat.yml +++ b/roles/wazuh/ansible-filebeat/tasks/RedHat.yml @@ -3,6 +3,6 @@ yum_repository: name: elastic_repo description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/6.x/yum + baseurl: https://artifacts.elastic.co/packages/7.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: true diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index a21e32ac..ce63503d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -9,6 +9,16 @@ notify: restart filebeat tags: configure +- name: Copy Elasticsearch template. + template: + src: elasticsearch.yml.j2 + dest: "/etc/filebeat/wazuh-template.json" + owner: root + group: root + mode: 0644 + notify: restart filebeat + tags: configure + - name: Ensure Filebeat SSL key pair directory exists. file: path: "{{ filebeat_ssl_dir }}" 
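Review bot: In the filebeat RedHat.yml hunk the context line `description: Elastic repository for 6.x packages` is left as is while `baseurl` now points at the 7.x repository, so the generated `elastic_repo` entry describes the wrong major version; the kibana RedHat.yml hunk earlier in this diff updates both lines together. Change it to `description: Elastic repository for 7.x packages`. The retained `gpgkey` and `gpgcheck: true` lines mean package signature verification still applies to the new repository, which is worth keeping as is.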
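Review bot: `mode: 0644` on the new "Copy Elasticsearch template." task in config.yml is an unquoted octal literal that YAML 1.1 parsers read as the integer 420; Ansible's file modules happen to interpret that value correctly, but ansible-lint and yamllint flag it, and a later edit that drops the leading zero silently yields a different mode. Write it as `mode: "0644"`. The task also renders a `.yml.j2` source into a `.json` destination and nothing in this hunk loads `/etc/filebeat/wazuh-template.json` into Elasticsearch, presumably the filebeat.yml template references it through `setup.template.json.*`; a comment such as `# Index template for wazuh-alerts-3.x-*; Filebeat loads it via setup.template.json.* in filebeat.yml` above the task would tell the next maintainer where the file is consumed.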
diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
new file mode 100644
index 00000000..11ef6176
--- /dev/null
+++ b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
@@ -0,0 +1,1455 @@ +{ + "order": 0, + "index_patterns": ["wazuh-alerts-3.x-*"], + "settings": { + "index.refresh_interval": "5s", + "index.number_of_shards": "3", + "index.number_of_replicas": "0", + "index.auto_expand_replicas": "0-1", + "index.mapping.total_fields.limit": 2000 + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword", + "doc_values": "true" + } + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "AlertsFile": { + "type": "keyword", + "doc_values": "true" + }, + "full_log": { + "enabled": false, + "type": "object" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword", + "doc_values": "true" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword", + "doc_values": "true" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword", + "doc_values": "true" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword", + "doc_values": "true" + }, + "region_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword", + "doc_values": "true" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_before": { + "type": "keyword", + "doc_values": "true" + }, + "sha1_after": { + "type": "keyword", + "doc_values": "true" + }, + "uid_before": { + "type": "keyword", + "doc_values": "true" + }, + "uid_after": { + "type": "keyword", + "doc_values": "true" + }, + "gid_before": { + "type": "keyword", + "doc_values": "true" + }, + "gid_after": { + "type": "keyword", + "doc_values": "true" + }, + "perm_before": { + "type": "keyword", + "doc_values": "true" + }, + "perm_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_after": { + "type": "keyword", + "doc_values": "true" + }, + "md5_before": { + "type": "keyword", + "doc_values": "true" + }, + "gname_after": { + "type": "keyword", + "doc_values": "true" + }, + "gname_before": { + "type": "keyword", + "doc_values": "true" + }, + "inode_after": { + "type": "keyword", + "doc_values": "true" + }, + "inode_before": { + "type": "keyword", + "doc_values": "true" + }, + "mtime_after": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "mtime_before": { + "type": "date", + "format": "dateOptionalTime", + "doc_values": "true" + }, + "uname_after": { + "type": "keyword", + "doc_values": "true" + }, + "uname_before": { + "type": "keyword", + "doc_values": "true" + }, + "size_before": { + "type": "long", + "doc_values": "true" + }, + "size_after": { + "type": "long", + "doc_values": "true" + }, + "diff": { + "type": "keyword", + "doc_values": "true" + }, + "event": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "location": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword", + 
"doc_values": "true" + }, + "groups": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "long", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "cve": { + "type": "keyword", + "doc_values": "true" + }, + "info": { + "type": "keyword", + "doc_values": "true" + }, + "frequency": { + "type": "long", + "doc_values": "true" + }, + "firedtimes": { + "type": "long", + "doc_values": "true" + }, + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + }, + "gdpr": { + "type": "keyword", + "doc_values": "true" + }, + "gpg13": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "predecoder": { + "properties": { + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "timestamp": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "ftscomment": { + "type": "keyword", + "doc_values": "true" + }, + "fts": { + "type": "long", + "doc_values": "true" + }, + "accumulate": { + "type": "long", + "doc_values": "true" + } + } + }, + "data": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "srcport": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": 
"keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + 
"type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" + }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + "type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long", + "doc_values": "true" + }, + "dstaddr": { + "type": "ip", + "doc_values": "true" + }, + "srcaddr": { + "type": "ip", + "doc_values": "true" + }, + "end": { + 
"type": "date", + "doc_values": "true" + }, + "start": { + "type": "date", + "doc_values": "true" + }, + "source_ip_address": { + "type": "ip", + "doc_values": "true" + }, + "resource.instanceDetails.networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip", + "doc_values": "true" + }, + "publicIp": { + "type": "ip", + "doc_values": "true" + } + } + }, + "service": { + "properties": { + "count": { + "type": "long", + "doc_values": "true" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip", + "doc_values": "true" + }, + "geoLocation": { + "type": "geo_point", + "doc_values": "true" + } + } + } + } + } + } + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + }, + "mac": { + "type": "keyword", + "doc_values": "true" + }, + "adapter": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "mtu": { + "type": "long", + "doc_values": "true" + }, + "tx_bytes": { + "type": "long", + "doc_values": "true" + }, + "rx_bytes": { + "type": "long", + "doc_values": "true" + }, + "tx_errors": { + "type": "long", + "doc_values": "true" + }, + "rx_errors": { + "type": "long", + "doc_values": "true" + }, + "tx_dropped": { + "type": "long", + "doc_values": "true" + }, + "rx_dropped": { + "type": "long", + "doc_values": "true" + }, + "tx_packets": { + "type": "long", + "doc_values": "true" + }, + "rx_packets": { + "type": "long", + "doc_values": "true" + }, + "ipv4": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + 
"type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + }, + "ipv6": { + "properties": { + "gateway": { + "type": "keyword", + "doc_values": "true" + }, + "dhcp": { + "type": "keyword", + "doc_values": "true" + }, + "address": { + "type": "keyword", + "doc_values": "true" + }, + "netmask": { + "type": "keyword", + "doc_values": "true" + }, + "broadcast": { + "type": "keyword", + "doc_values": "true" + }, + "metric": { + "type": "long", + "doc_values": "true" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "codename": { + "type": "keyword", + "doc_values": "true" + }, + "major": { + "type": "keyword", + "doc_values": "true" + }, + "minor": { + "type": "keyword", + "doc_values": "true" + }, + "build": { + "type": "keyword", + "doc_values": "true" + }, + "platform": { + "type": "keyword", + "doc_values": "true" + }, + "sysname": { + "type": "keyword", + "doc_values": "true" + }, + "release": { + "type": "keyword", + "doc_values": "true" + }, + "release_version": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "local_ip": { + "type": "ip", + "doc_values": "true" + }, + "local_port": { + "type": "long", + "doc_values": "true" + }, + "remote_ip": { + "type": "ip", + "doc_values": "true" + }, + "remote_port": { + "type": "long", + "doc_values": "true" + }, + "tx_queue": { + "type": "long", + "doc_values": "true" + }, + "rx_queue": { + "type": "long", + "doc_values": "true" + }, + "inode": { + "type": "long", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "long", + "doc_values": 
"true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_name": { + "type": "keyword", + "doc_values": "true" + }, + "cpu_cores": { + "type": "long", + "doc_values": "true" + }, + "cpu_mhz": { + "type": "double", + "doc_values": "true" + }, + "ram_total": { + "type": "long", + "doc_values": "true" + }, + "ram_free": { + "type": "long", + "doc_values": "true" + }, + "ram_usage": { + "type": "long", + "doc_values": "true" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "keyword", + "doc_values": "true" + }, + "section": { + "type": "keyword", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vendor": { + "type": "keyword", + "doc_values": "true" + }, + "install_time": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "architecture": { + "type": "keyword", + "doc_values": "true" + }, + "multiarch": { + "type": "keyword", + "doc_values": "true" + }, + "source": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "location": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "state": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "long", + "doc_values": "true" + }, + "utime": { + "type": "long", + "doc_values": "true" + }, + "stime": { + "type": "long", + "doc_values": "true" + }, + "cmd": { + "type": "keyword", + "doc_values": "true" + }, + "args": { + "type": "keyword", + "doc_values": "true" + }, + "euser": { + "type": "keyword", + 
"doc_values": "true" + }, + "ruser": { + "type": "keyword", + "doc_values": "true" + }, + "suser": { + "type": "keyword", + "doc_values": "true" + }, + "egroup": { + "type": "keyword", + "doc_values": "true" + }, + "sgroup": { + "type": "keyword", + "doc_values": "true" + }, + "fgroup": { + "type": "keyword", + "doc_values": "true" + }, + "rgroup": { + "type": "keyword", + "doc_values": "true" + }, + "priority": { + "type": "long", + "doc_values": "true" + }, + "nice": { + "type": "long", + "doc_values": "true" + }, + "size": { + "type": "long", + "doc_values": "true" + }, + "vm_size": { + "type": "long", + "doc_values": "true" + }, + "resident": { + "type": "long", + "doc_values": "true" + }, + "share": { + "type": "long", + "doc_values": "true" + }, + "start_time": { + "type": "long", + "doc_values": "true" + }, + "pgrp": { + "type": "long", + "doc_values": "true" + }, + "session": { + "type": "long", + "doc_values": "true" + }, + "nlwp": { + "type": "long", + "doc_values": "true" + }, + "tgid": { + "type": "long", + "doc_values": "true" + }, + "tty": { + "type": "long", + "doc_values": "true" + }, + "processor": { + "type": "long", + "doc_values": "true" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "scan_id": { + "type": "keyword", + "doc_values": "true" + }, + "policy": { + "type": "keyword", + "doc_values": "true" + }, + "name": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + }, + "passed": { + "type": "integer", + "doc_values": "true" + }, + "failed": { + "type": "integer", + "doc_values": "true" + }, + "score": { + "type": "long", + "doc_values": "true" + }, + "check": { + "properties": { + "id": { + "type": "keyword", + "doc_values": "true" + }, + "title": { + "type": "keyword", + "doc_values": "true" + }, + "description": { + "type": "keyword", + "doc_values": "true" + 
}, + "rationale": { + "type": "keyword", + "doc_values": "true" + }, + "remediation": { + "type": "keyword", + "doc_values": "true" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword", + "doc_values": "true" + }, + "cis_csc": { + "type": "keyword", + "doc_values": "true" + }, + "pci_dss": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "references": { + "type": "keyword", + "doc_values": "true" + }, + "file": { + "type": "keyword", + "doc_values": "true" + }, + "directory": { + "type": "keyword", + "doc_values": "true" + }, + "registry": { + "type": "keyword", + "doc_values": "true" + }, + "process": { + "type": "keyword", + "doc_values": "true" + }, + "result": { + "type": "keyword", + "doc_values": "true" + }, + "previous_result": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + }, + "win": { + "properties": { + "system": { + "properties": { + "providerName": { + "type": "keyword", + "doc_values": "true" + }, + "providerGuid": { + "type": "keyword", + "doc_values": "true" + }, + "eventSourceName": { + "type": "keyword", + "doc_values": "true" + }, + "securityUserID": { + "type": "keyword", + "doc_values": "true" + }, + "userID": { + "type": "keyword", + "doc_values": "true" + }, + "eventID": { + "type": "keyword", + "doc_values": "true" + }, + "version": { + "type": "keyword", + "doc_values": "true" + }, + "level": { + "type": "keyword", + "doc_values": "true" + }, + "task": { + "type": "keyword", + "doc_values": "true" + }, + "opcode": { + "type": "keyword", + "doc_values": "true" + }, + "keywords": { + "type": "keyword", + "doc_values": "true" + }, + "systemTime": { + "type": "keyword", + "doc_values": "true" + }, + "eventRecordID": { + "type": "keyword", + "doc_values": "true" + }, + "processID": { + "type": "keyword", + "doc_values": "true" + }, + "threadID": { + "type": "keyword", + "doc_values": "true" + }, + "channel": { + "type": "keyword", + "doc_values": "true" + }, + "computer": { + "type": "keyword", + 
"doc_values": "true" + }, + "severityValue": { + "type": "keyword", + "doc_values": "true" + }, + "message": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "eventdata": { + "properties": { + "subjectUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "subjectUserName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "subjectLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserSid": { + "type": "keyword", + "doc_values": "true" + }, + "targetUserName": { + "type": "keyword", + "doc_values": "true" + }, + "targetDomainName": { + "type": "keyword", + "doc_values": "true" + }, + "targetLogonId": { + "type": "keyword", + "doc_values": "true" + }, + "logonType": { + "type": "keyword", + "doc_values": "true" + }, + "logonProcessName": { + "type": "keyword", + "doc_values": "true" + }, + "authenticationPackageName": { + "type": "keyword", + "doc_values": "true" + }, + "logonGuid": { + "type": "keyword", + "doc_values": "true" + }, + "keyLength": { + "type": "keyword", + "doc_values": "true" + }, + "impersonationLevel": { + "type": "keyword", + "doc_values": "true" + }, + "transactionId": { + "type": "keyword", + "doc_values": "true" + }, + "newState": { + "type": "keyword", + "doc_values": "true" + }, + "resourceManager": { + "type": "keyword", + "doc_values": "true" + }, + "processId": { + "type": "keyword", + "doc_values": "true" + }, + "processName": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "image": { + "type": "keyword", + "doc_values": "true" + }, + "binary": { + "type": "keyword", + "doc_values": "true" + }, + "parentImage": { + "type": "keyword", + "doc_values": "true" + }, + "categoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryId": { + "type": "keyword", + "doc_values": "true" + }, + "subcategoryGuid": { + "type": "keyword", + "doc_values": 
"true" + }, + "auditPolicyChangesId": { + "type": "keyword", + "doc_values": "true" + }, + "category": { + "type": "keyword", + "doc_values": "true" + }, + "subcategory": { + "type": "keyword", + "doc_values": "true" + }, + "auditPolicyChanges": { + "type": "keyword", + "doc_values": "true" + } + } + }, + "rmSessionEvent": { + "properties": { + "rmSessionId": { + "type": "keyword", + "doc_values": "true" + }, + "uTCStartTime": { + "type": "keyword", + "doc_values": "true" + } + } + } + } + } + } + }, + "program_name": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword", + "doc_values": "true" + } + } + } +} \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 index dc4cac82..8e6287ec 100644 --- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 
@@ -1,150 +1,58 @@ -filebeat: - # List of prospectors to fetch data. - prospectors: - {{ filebeat_prospectors | to_json }} +# Wazuh - Filebeat configuration file -# Configure what outputs to use when sending the data collected by the beat. -# Multiple outputs may be used. -output: +filebeat.inputs: + - type: log + paths: + - '/var/ossec/logs/alerts/alerts.json' -{% if filebeat_output_elasticsearch_enabled %} - ### Elasticsearch as output - elasticsearch: - # Array of hosts to connect to. - hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} +setup.template.json.enabled: true +setup.template.json.path: "/etc/filebeat/wazuh-template.json" +setup.template.json.name: "wazuh" +setup.template.overwrite: true - # Optional protocol and basic auth credentials. These are deprecated. - #protocol: "https" - #username: "admin" - #password: "s3cr3t" +processors: + - decode_json_fields: + fields: ['message'] + process_array: true + max_depth: 200 + target: '' + overwrite_keys: true + - drop_fields: + fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host'] + - rename: + fields: + - from: "data.aws.sourceIPAddress" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + - rename: + fields: + - from: "data.srcip" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + - rename: + fields: + - from: "data.win.eventdata.ipAddress" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - # Number of workers per Elasticsearch host. 
- #worker: 1 +# Send events directly to Elasticsearch +output.elasticsearch: + hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} + #pipeline: geoip + indices: + - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}' - # Optional index name. The default is "filebeat" and generates - # [filebeat-]YYYY.MM.DD keys. - #index: "filebeat" - - # Optional HTTP Path - #path: "/elasticsearch" - - # Proxy server URL - # proxy_url: http://proxy:3128 - - # The number of times a particular Elasticsearch index operation is attempted. If - # the indexing operation doesn't succeed after this many retries, the events are - # dropped. The default is 3. - #max_retries: 3 - - # The maximum number of events to bulk in a single Elasticsearch bulk API index request. - # The default is 50. - #bulk_max_size: 50 - - # Configure http request timeout before failing an request to Elasticsearch. - #timeout: 90 - - # The number of seconds to wait for new events between two bulk API index requests. - # If `bulk_max_size` is reached before this interval expires, addition bulk index - # requests are made. - #flush_interval: 1 - - # Boolean that sets if the topology is kept in Elasticsearch. The default is - # false. This option makes sense only for Packetbeat. - #save_topology: false - - # The time to live in seconds for the topology information that is stored in - # Elasticsearch. The default is 15 seconds. - #topology_expire: 15 - -{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %} - # tls configuration. By default is off. - tls: - # List of root certificates for HTTPS server verifications - #certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for TLS client authentication - certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}" - - # Client Certificate Key - certificate_key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename}}" - - # Controls whether the client verifies server certificates and host name. 
- # If insecure is set to true, all server host names and certificates will be - # accepted. In this mode TLS based connections are susceptible to - # man-in-the-middle attacks. Use only for testing. - insecure: {{ filebeat_ssl_insecure }} - - # Configure cipher suites to be used for TLS connections - #cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #curve_types: [] - - # Configure minimum TLS version allowed for connection to logstash - #min_version: 1.0 - - # Configure maximum TLS version allowed for connection to logstash - #max_version: 1.2 -{% endif %} -{% endif %} - -{% if filebeat_output_logstash_enabled %} - ### Logstash as output - logstash: - # The Logstash hosts - hosts: {{ filebeat_output_logstash_hosts | to_json }} - - # Number of workers per Logstash host. - #worker: 1 - - # Optional load balance the events between the Logstash hosts - #loadbalance: true - - # Optional index name. The default index name depends on the each beat. - # For Packetbeat, the default is set to packetbeat, for Topbeat - # top topbeat and for Filebeat to filebeat. - #index: filebeat - -{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %} - # Optional TLS. By default is off. - tls: - # List of root certificates for HTTPS server verifications - #certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for TLS client authentication - certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}" - - # Client Certificate Key - certificate_key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename}}" - - # Controls whether the client verifies server certificates and host name. - # If insecure is set to true, all server host names and certificates will be - # accepted. In this mode TLS based connections are susceptible to - # man-in-the-middle attacks. Use only for testing. 
- #insecure: true - insecure: {{ filebeat_ssl_insecure }} - - # Configure cipher suites to be used for TLS connections - #cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #curve_types: [] -{% endif %} - -{% if filebeat_enable_logging %} -logging: - ### Filebeat log - level: {{ filebeat_log_level }} - - # Enable file rotation with default configuration - to_files: true - - # Do not log to syslog - to_syslog: false - - files: - path: {{ filebeat_log_dir }} - name: {{ filebeat_log_filename }} - keepfiles: 7 -{% endif %} -{% endif %} +# Optional. Send events to Logstash instead of Elasticsearch +#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"] \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat/tests/requirements.yml b/roles/wazuh/ansible-filebeat/tests/requirements.yml index 141fecdb..63d857e2 100644 --- a/roles/wazuh/ansible-filebeat/tests/requirements.yml +++ b/roles/wazuh/ansible-filebeat/tests/requirements.yml @@ -1,4 +1,3 @@ --- - src: geerlingguy.java - src: geerlingguy.elasticsearch -- src: geerlingguy.logstash diff --git a/roles/wazuh/ansible-filebeat/tests/test.yml b/roles/wazuh/ansible-filebeat/tests/test.yml index 5e71b672..3a4c8f21 100644 --- a/roles/wazuh/ansible-filebeat/tests/test.yml +++ b/roles/wazuh/ansible-filebeat/tests/test.yml @@ -17,5 +17,4 @@ roles: - geerlingguy.java - geerlingguy.elasticsearch - - geerlingguy.logstash - role_under_test diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index baeb6f25..28ab6d7c 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
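Review bot: The rewritten `output.elasticsearch` block keeps only `hosts`, `#pipeline` and `indices`, so the TLS client settings the old template rendered from `filebeat_ssl_certificate_file`, `filebeat_ssl_key_file`, `filebeat_ssl_dir` and `filebeat_ssl_insecure` (the `certificate`, `certificate_key` and `insecure` lines removed earlier in this hunk) are dropped without replacement; a deployment that set those variables now ships alerts to Elasticsearch over plain HTTP with no client certificate, and nothing in the template or the commit message says so. If those variables are still defined in the role defaults (not visible here), the template should render them again using the Beats 7 key names under `output.elasticsearch`, keeping server verification on unless the caller opted out, as sketched below; otherwise the variables should be removed from the role and the drop called out in the CHANGELOG entry. The same silent loss applies to the removed `logging:` block driven by `filebeat_enable_logging`, `filebeat_log_level`, `filebeat_log_dir` and `filebeat_log_filename`. A smaller point of style: the new file ends without a trailing newline (`\ No newline at end of file`), which the old one had.
```yaml
output.elasticsearch:
  hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
  # … unchanged: pipeline / indices …
{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
  ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
  ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename }}"
  # 'none' disables server certificate and host-name checks; default to 'full'
  ssl.verification_mode: "{{ 'none' if filebeat_ssl_insecure else 'full' }}"
{% endif %}
```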
@@ -23,7 +23,7 @@ wazuh_winagent_config: install_dir_x86: 'C:\Program Files (x86)\ossec-agent\' auth_path: C:\'Program Files'\ossec-agent\agent-auth.exe auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - version: '3.9.0' + version: '3.9.1' revision: '1' repo: https://packages.wazuh.com/3.x/windows/ md5: 43936e7bc7eb51bd186f47dac4a6f477 diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 index 5cbe7670..39eb6a94 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 @@ -1,6 +1,7 @@ + @@ -15,21 +16,4 @@ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - - - - - - syscheck - /var/ossec/etc/shared/agent.conf - Linux | agent.conf was modified - - - syscheck - C:\wazuh-agent/shared/agent.conf - Windows | agent.conf was modified - - + \ No newline at end of file