From 9647c79e68c14ec8f345e16632c9a4ce577c47dc Mon Sep 17 00:00:00 2001
From: "Manuel J. Bernal"
Date: Fri, 25 Oct 2019 13:44:56 +0200
Subject: [PATCH 1/2] Updated Filebeat configuration file template

---
 .../templates/filebeat.yml.j2 | 56 ++++---------------
 1 file changed, 11 insertions(+), 45 deletions(-)

diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
index 466d9a89..da87ec8d 100644
--- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
+++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
@@ -1,58 +1,24 @@
 # Wazuh - Filebeat configuration file
-filebeat.inputs:
- - type: log
- paths:
- - '/var/ossec/logs/alerts/alerts.json'
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
 setup.template.json.enabled: true
-setup.template.json.path: "/etc/filebeat/wazuh-template.json"
-setup.template.json.name: "wazuh"
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
+setup.ilm.enabled: false
-processors:
- - decode_json_fields:
- fields: ['message']
- process_array: true
- max_depth: 200
- target: ''
- overwrite_keys: true
- - drop_fields:
- fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
- - rename:
- fields:
- - from: "data.aws.sourceIPAddress"
- to: "@src_ip"
- ignore_missing: true
- fail_on_error: false
- when:
- regexp:
- data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- - rename:
- fields:
- - from: "data.srcip"
- to: "@src_ip"
- ignore_missing: true
- fail_on_error: false
- when:
- regexp:
- data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- - rename:
- fields:
- - from: "data.win.eventdata.ipAddress"
- to: "@src_ip"
- ignore_missing: true
- fail_on_error: false
- when:
- regexp:
- data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
 # Send events directly to Elasticsearch
 output.elasticsearch:
 hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
- #pipeline: geoip
- indices:
- - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+ {% if filebeat_xpack_security %}
 username: {{ elasticsearch_xpack_security_user }}
 password: {{ elasticsearch_xpack_security_password }}

From 359f3e3cb40dfcf1c10cd99af7eee9c866e59d39 Mon Sep 17 00:00:00 2001
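Review bot: The hunk keeps the context line `# Wazuh - Filebeat configuration file` at line 1 and then adds an identical `+# Wazuh - Filebeat configuration file` right after it, so the rendered file appears to start with the same header comment twice; the added copy should be dropped. The new `{% if filebeat_xpack_security %}` before `username:` opens a Jinja block whose `{% endif %}` is not visible in the hunk, and only two lines of trailing context follow, so confirm the template still closes the block and renders correctly with `filebeat_xpack_security` both set and unset, since this conditional is what keeps the clear-text `username`/`password` out of filebeat.yml when X-Pack security is off. Removing the three `rename` processors also removes the `@src_ip` field that the now-deleted `#pipeline: geoip` line referred to, so any pipeline or dashboard that still reads `@src_ip` will need that mapping to come from the `wazuh` module. A short comment above `filebeat.modules:`, e.g. `# JSON decoding, field renames and the index name are now handled by the wazuh Filebeat module`, would record why the `processors:` and `indices:` sections were removed.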
From: "Manuel J. Bernal"
Date: Fri, 25 Oct 2019 13:45:03 +0200
Subject: [PATCH 2/2] Updated Wazuh template

---
 roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
index 06af6322..5387bf8c 100644
--- a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
+++ b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
@@ -162,6 +162,7 @@
 "data.dstip",
 "data.dstport",
 "data.dstuser",
+ "data.extra_data",
 "data.hardware.serial",
 "data.id",
 "data.integration",
@@ -943,6 +944,9 @@
 "data": {
 "type": "keyword"
 },
+ "extra_data": {
+ "type": "keyword"
+ },
 "system_name": {
 "type": "keyword"
 },
@@ -1673,4 +1677,4 @@
 }
 },
 "version": 1
-}
+}
\ No newline at end of file
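Review bot: The new `"extra_data": { "type": "keyword" }` mapping in the second hunk has no `ignore_above`, so if `data.extra_data` can carry long free-form values a document whose value exceeds Lucene's single-term limit (32766 bytes) will be rejected at index time rather than indexed without that field; if long values are possible, `"type": "keyword", "ignore_above": 256` (or whatever bound fits the data) is the safer mapping. The first hunk adds the same name to the field list at line 162, so the two entries must stay in sync whenever the mapping is renamed. The last hunk only removes the file's trailing newline (`\ No newline at end of file`), which is unrelated to the change and should be restored so later diffs stay clean. The template's `"version": 1` is left unchanged although the mapping grew; with `setup.template.overwrite: true` in the Filebeat configuration the template is rewritten anyway, but bumping the version would make the change visible to anyone comparing installed templates.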