From bb90cd7c4e921d864507f6aeb02c485e7489c856 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Wed, 4 Aug 2021 13:05:34 +0200 Subject: [PATCH 01/22] Update Dockerfile Former-commit-id: 72f8bc123b0f6f624ff8e0bb1fe6a78832dc51dc --- wazuh/Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 471746f0..0cc43159 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -10,7 +10,6 @@ ENV API_USER="foo" \ API_PASS="bar" ARG TEMPLATE_VERSION="4.0" -ENV FILEBEAT_DESTINATION="elasticsearch" RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH @@ -109,8 +108,7 @@ COPY config/85-save_wazuh_version.sh /entrypoint-scripts/85-save_wazuh_version.s RUN chmod 755 /entrypoint.sh && \ chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \ chmod 755 /entrypoint-scripts/01-wazuh.sh && \ - chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \ - chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \ + chmod 755 /entrypoint-scripts/02-set_config_filebeat_destination.sh && \ chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \ chmod 755 /entrypoint-scripts/25-backups.sh && \ chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh && \ From 5d08586a979732135267ab0f547fd4f84c7ade47 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Wed, 4 Aug 2021 13:29:47 +0200 Subject: [PATCH 02/22] Join 02 and 03 scripts. Former-commit-id: 3789661c71e66249fa3b9677f22b6c1cdcae545e --- .../02-set_config_filebeat_destination.sh | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 wazuh/config/02-set_config_filebeat_destination.sh diff --git a/wazuh/config/02-set_config_filebeat_destination.sh b/wazuh/config/02-set_config_filebeat_destination.sh new file mode 100644 index 00000000..f37c63a8 --- /dev/null +++ b/wazuh/config/02-set_config_filebeat_destination.sh 
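Review bot: The new `chmod 755 /entrypoint-scripts/02-set_config_filebeat_destination.sh` names a file this Dockerfile does not yet ship — the COPY list (outside this hunk; its old side is visible in patch 08) still copies `02-set_filebeat_destination.sh`, and the script under the new name only appears in patch 02 — so this `RUN chmod` layer fails and the image does not build until patch 08. Removing `ENV FILEBEAT_DESTINATION` in the first hunk likewise leaves the still-present `02-set_filebeat_destination.sh` and `03-config_filebeat.sh` (deleted only in patches 04 and 05) comparing an unset variable, which puts 03's module install behind a branch that is never taken. Squashing patches 01–10 into one commit would keep every commit in the series buildable. The `RUN chmod 755 … && \` chain continues past the end of the hunk.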
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Set Filebeat config.
+##############################################################################
+
+echo "FILEBEAT - Copy Filebeat config file"
+cp filebeat.yml /etc/filebeat/filebeat.yml
+
+echo "FILEBEAT - Set permissions"
+
+chmod go-w /etc/filebeat/filebeat.yml
+
+echo "FILEBEAT - Get Filebeat Wazuh module"
+
+>&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
+curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+mkdir -p /usr/share/filebeat/module/wazuh
+chmod 755 -R /usr/share/filebeat/module/wazuh
From 75f5c07b96d1d9f69f9a4cbcc247f18e96d30383 Mon Sep 17 00:00:00 2001
From: Julio Reyes
Date: Wed, 4 Aug 2021 13:30:21 +0200
Subject: [PATCH 03/22] File renamed
Former-commit-id: 53533fed203bf65822d6454d1207d3f5f85ee272
---
...t_config_filebeat_destination.sh => 02-set_config_filebeat.sh} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename wazuh/config/{02-set_config_filebeat_destination.sh => 02-set_config_filebeat.sh} (100%)
diff --git a/wazuh/config/02-set_config_filebeat_destination.sh b/wazuh/config/02-set_config_filebeat.sh
similarity index 100%
rename from wazuh/config/02-set_config_filebeat_destination.sh
rename to wazuh/config/02-set_config_filebeat.sh
From 5e2c4f2c1d397d45c2563e3fc2839704bc7b173c Mon Sep 17 00:00:00 2001
From: Julio Reyes
Date: Wed, 4 Aug 2021 13:30:54 +0200
Subject: [PATCH 04/22] Delete unused old script 02
Former-commit-id: 7f0d7139d818a29a4908557d8e7fadd4e2a178a1
---
wazuh/config/02-set_filebeat_destination.sh | 30 ---------------------
1 file changed, 30 deletions(-)
delete mode 100644 wazuh/config/02-set_filebeat_destination.sh
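Review bot: `curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module` extracts whatever the server returns straight into Filebeat's module directory with no checksum or signature check, `-s` hides curl's own error output, and without `-f` an HTTP error body is handed to tar; `set -e` without `pipefail` also means only tar's status is observed. `WAZUH_FILEBEAT_MODULE` is not assigned anywhere in this script at this commit (patch 11 adds it), so the URL currently ends in a bare `/`; the same download line survives unchanged (apart from `3.x` → `4.x`) through patches 11–17, so this note applies there too. I would download to a temp file with `curl -fsSL`, compare it against a pinned digest, and only then extract, as sketched below. Separately, `chmod 755 -R` puts the option after the mode, which GNU chmod tolerates but BSD chmod rejects — `chmod -R 755 …` is the portable spelling.

```shell
set -eo pipefail
# … unchanged: banner, config copy and permissions …
WAZUH_FILEBEAT_MODULE_SHA256="<expected-sha256-placeholder>"
module_tar=$(mktemp) || exit 1
trap 'rm -f -- "$module_tar"' EXIT
curl -fsSL "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" -o "$module_tar"
printf '%s  %s\n' "$WAZUH_FILEBEAT_MODULE_SHA256" "$module_tar" | sha256sum -c - >/dev/null
tar -xz -C /usr/share/filebeat/module -f "$module_tar"
# … unchanged: mkdir -p and chmod of the wazuh module directory …
```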
diff --git a/wazuh/config/02-set_filebeat_destination.sh b/wazuh/config/02-set_filebeat_destination.sh deleted file mode 100644 index 3ba11dfa..00000000 --- a/wazuh/config/02-set_filebeat_destination.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -############################################################################## -# Set Filebeat destination. -############################################################################## - -if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then - - echo "FILEBEAT - Set destination to Elasticsearch" - cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml - if [[ $FILEBEAT_OUTPUT != "" ]]; then - sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml - fi - -elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then - - echo "FILEBEAT - Set destination to Logstash" - cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml - if [[ $FILEBEAT_OUTPUT != "" ]]; then - sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml - fi - -else - echo "FILEBEAT - Error choosing destination. Set default filebeat.yml " -fi - -echo "FILEBEAT - Set permissions" - -chmod go-w /etc/filebeat/filebeat.yml \ No newline at end of file From c409f2080ea49bc4a0e931d687577bd4cf207de6 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Wed, 4 Aug 2021 13:31:14 +0200 Subject: [PATCH 05/22] Delete unused script 03 Former-commit-id: 767ffcdfae25ed303be480d50e124e77fe619a13 --- wazuh/config/03-config_filebeat.sh | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 wazuh/config/03-config_filebeat.sh diff --git a/wazuh/config/03-config_filebeat.sh b/wazuh/config/03-config_filebeat.sh deleted file mode 100644 index 9edc4b07..00000000 --- a/wazuh/config/03-config_filebeat.sh +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -set -e - -if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then - - WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz - - # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set - if [ "$ELASTICSEARCH_URL" != "" ]; then - >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP." - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml - fi - - # Install Wazuh Filebeat Module - - >&2 echo "FILEBEAT - Install Wazuh Filebeat Module." - curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module - mkdir -p /usr/share/filebeat/module/wazuh - chmod 755 -R /usr/share/filebeat/module/wazuh - -fi \ No newline at end of file From 55ef95a14737238ed211c74e514709c341c5b0f8 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Wed, 4 Aug 2021 13:32:49 +0200 Subject: [PATCH 06/22] Delete unused logstash config file Former-commit-id: 21c6f9b0bfe319e83d6d4bca1b57e5d20cf508bb --- wazuh/config/filebeat_to_logstash.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 wazuh/config/filebeat_to_logstash.yml diff --git a/wazuh/config/filebeat_to_logstash.yml b/wazuh/config/filebeat_to_logstash.yml deleted file mode 100644 index 0e4dd97c..00000000 --- a/wazuh/config/filebeat_to_logstash.yml +++ /dev/null @@ -1,20 +0,0 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -# Wazuh - Filebeat configuration file -filebeat: - inputs: - - type: log - paths: - - "/var/ossec/logs/alerts/alerts.json" - # - type: log - # paths: - # - "/var/ossec/logs/archives/archives.json" - # fields: - # wazuh_log_file: "archives" - -output: - logstash: - # The Logstash hosts - hosts: ["logstash:5000"] -# ssl: -# certificate_authorities: ["/etc/filebeat/logstash.crt"] From def6d084692d320e2f1037ceb381d41504e64aab Mon Sep 17 00:00:00 2001 
From: Julio Reyes
Date: Wed, 4 Aug 2021 13:40:48 +0200
Subject: [PATCH 07/22] Updated filebeat config to use only odfe
Former-commit-id: 33d195a0cfcf35472029b6a7be12efaa53369a88
---
wazuh/config/filebeat.yml | 19 ++++++++
wazuh/config/filebeat_to_elasticsearch.yml | 55 ----------------------
2 files changed, 19 insertions(+), 55 deletions(-)
create mode 100644 wazuh/config/filebeat.yml
delete mode 100644 wazuh/config/filebeat_to_elasticsearch.yml
diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml
new file mode 100644
index 00000000..ad9666e4
--- /dev/null
+++ b/wazuh/config/filebeat.yml
@@ -0,0 +1,19 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat.inputs:
+ - type: log
+ paths:
+ - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+
+output.elasticsearch:
+ hosts: ['http://odfe:9200']
+ #pipeline: geoip
+ indices:
+ - index: 'wazuh-alerts-4.x-%{+yyyy.MM.dd}'
diff --git a/wazuh/config/filebeat_to_elasticsearch.yml b/wazuh/config/filebeat_to_elasticsearch.yml
deleted file mode 100644
index 3b7819b7..00000000
--- a/wazuh/config/filebeat_to_elasticsearch.yml
+++ /dev/null
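Review bot: `hosts: ['http://odfe:9200']` ships every alert to the indexer in cleartext with no credentials, and nothing else in this new file configures TLS or authentication. If the `odfe` service runs the OpenDistro security plugin with its defaults (HTTPS plus basic auth) Filebeat will presumably be refused outright; if the plugin is disabled, alert data crosses the Docker network unencrypted — either way the output block should use an `https://` host, take `username`/`password` from the environment via Beats' `${VAR}` expansion (the names below are constructed placeholders), and pin `ssl.certificate_authorities` to the cluster CA. Note also that this file silently drops the whole `processors:` block (`decode_json_fields`, `drop_fields`, the `@src_ip` renames) that the deleted `filebeat_to_elasticsearch.yml` carried; presumably the Wazuh module's pipeline now covers that, but the commit message should say so.

```yaml
output.elasticsearch:
  hosts: ['https://odfe:9200']
  username: "${FILEBEAT_USER}"
  password: "${FILEBEAT_PASSWORD}"
  ssl.certificate_authorities: ["<cluster-ca-path-placeholder>"]
  # … unchanged: indices …
```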
@@ -1,55 +0,0 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -# Wazuh - Filebeat configuration file -filebeat.inputs: - - type: log - paths: - - '/var/ossec/logs/alerts/alerts.json' - -setup.template.json.enabled: true -setup.template.json.path: "/etc/filebeat/wazuh-template.json" -setup.template.json.name: "wazuh" -setup.template.overwrite: true - -processors: - - decode_json_fields: - fields: ['message'] - process_array: true - max_depth: 200 - target: '' - overwrite_keys: true - - drop_fields: - fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host'] - - rename: - fields: - - from: "data.aws.sourceIPAddress" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - - rename: - fields: - - from: "data.srcip" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - - rename: - fields: - - from: "data.win.eventdata.ipAddress" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - -output.elasticsearch: - hosts: ['http://elasticsearch:9200'] - #pipeline: geoip - indices: - - index: 'wazuh-alerts-4.x-%{+yyyy.MM.dd}' \ No newline at end of file From 23258cf6cd23cfc0fb63b19b9563bb930e1019b6 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Wed, 18 Aug 2021 10:39:38 +0200 Subject: [PATCH 08/22] Fixed names of the new script and added to the copy Former-commit-id: a55a356a2abf58eb94b2eda0cf413f160b711efa --- wazuh/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 0cc43159..844139b5 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -99,7 +99,7 @@ COPY config/entrypoint.sh /entrypoint.sh COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh -COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh +COPY config/02-set_config_filebeat.sh /entrypoint-scripts/02-set_config_filebeat.sh COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh @@ -108,7 +108,7 @@ COPY config/85-save_wazuh_version.sh /entrypoint-scripts/85-save_wazuh_version.s RUN chmod 755 /entrypoint.sh && \ chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \ chmod 755 /entrypoint-scripts/01-wazuh.sh && \ - chmod 755 /entrypoint-scripts/02-set_config_filebeat_destination.sh && \ + chmod 755 /entrypoint-scripts/02-set_config_filebeat.sh && \ chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \ chmod 755 /entrypoint-scripts/25-backups.sh && \ chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh && \ From 8a9eb91f4b6adb3091b056b4ccf949658cb46d83 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 20 Aug 2021 14:14:21 +0200 Subject: [PATCH 09/22] Erase filebeat to logstash and only leave to elastic Former-commit-id: 313d3576ff14a93d985afb060d1e8fce4140a28c --- wazuh/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 844139b5..9414d092 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -59,8 +59,7 @@ RUN chmod +x /etc/service/wazuh/run && \ chmod +x /etc/service/filebeat/run # Copy configuration files from repository -COPY config/filebeat_to_elasticsearch.yml ./ -COPY config/filebeat_to_logstash.yml ./ +COPY config/filebeat.yml ./ # Prepare permanent data # Sync calls are due to https://github.com/docker/docker/issues/9547 From ed10511b3e5d31f0e5ac51eee9dd307e22d319e8 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 20 Aug 2021 14:20:20 +0200 Subject: [PATCH 10/22] Delete old config to filebeat. Former-commit-id: d7e54ef2a57a572d7d04555d6c45eaafd6ed2634 --- wazuh/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 9414d092..d5825ebe 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -99,7 +99,6 @@ COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/creat COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh COPY config/02-set_config_filebeat.sh /entrypoint-scripts/02-set_config_filebeat.sh -COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh COPY config/35-remove_credentials_file.sh /entrypoint-scripts/35-remove_credentials_file.sh From 75fc45ca25e4c58cee032bb36beb9ce67399422b Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Mon, 23 Aug 2021 10:28:30 +0200 Subject: [PATCH 11/22] Updated to use 4.x Former-commit-id: 6f82840cec37c3ff0e57c55a61fcca1354d05554 --- wazuh/config/02-set_config_filebeat.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/wazuh/config/02-set_config_filebeat.sh b/wazuh/config/02-set_config_filebeat.sh index f37c63a8..b7b8b96c 100644 --- a/wazuh/config/02-set_config_filebeat.sh +++ b/wazuh/config/02-set_config_filebeat.sh 
@@ -5,8 +5,11 @@ set -e ############################################################################## # Set Filebeat config. + ############################################################################## +WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz + echo "FILEBEAT - Copy Filebeat config file" cp filebeat.yml /etc/filebeat/filebeat.yml @@ -17,6 +20,6 @@ chmod go-w /etc/filebeat/filebeat.yml echo "FILEBEAT - Get Filebeat Wazuh module" >&2 echo "FILEBEAT - Install Wazuh Filebeat Module." -curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module +curl -s "https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module mkdir -p /usr/share/filebeat/module/wazuh chmod 755 -R /usr/share/filebeat/module/wazuh From da77826fc74cf175171f1a00d5575c0d7e1825da Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Mon, 23 Aug 2021 10:51:32 +0200 Subject: [PATCH 12/22] fixing folder creation bug Former-commit-id: d376107b7c75adc7bf6cec50eb4fa2e2334db072 --- wazuh/config/02-set_config_filebeat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/config/02-set_config_filebeat.sh b/wazuh/config/02-set_config_filebeat.sh index b7b8b96c..6ac9c848 100644 --- a/wazuh/config/02-set_config_filebeat.sh +++ b/wazuh/config/02-set_config_filebeat.sh @@ -20,6 +20,6 @@ chmod go-w /etc/filebeat/filebeat.yml echo "FILEBEAT - Get Filebeat Wazuh module" >&2 echo "FILEBEAT - Install Wazuh Filebeat Module." +mkdir -p /usr/share/filebeat/module/ curl -s "https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module -mkdir -p /usr/share/filebeat/module/wazuh chmod 755 -R /usr/share/filebeat/module/wazuh From 1bfcf197f5f77dc429f3840d453299cfc32ff47d Mon Sep 17 00:00:00 2001 
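Review bot: The blank line added at the top of the first hunk lands inside the `####` banner, splitting it between `# Set Filebeat config.` and the closing row; drop it. `WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz` pins the module version inside an entrypoint script that runs at every container start, so the running image depends on what packages.wazuh.com serves at start time rather than on what was verified at build time, and the container needs outbound network access just to boot; moving the download into the Dockerfile next to `ARG WAZUH_VERSION` (with the version as a build `ARG`) would make it a build-time, reproducible step. The integrity point raised on patch 02 applies unchanged to the `4.x` URL here.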
From: Julio Reyes Date: Wed, 25 Aug 2021 12:54:30 +0200 Subject: [PATCH 13/22] Changing creation of filebeat directory Former-commit-id: 9788d6f41adc6bfdeda733772940860226d209a0 --- wazuh/config/02-set_config_filebeat.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/wazuh/config/02-set_config_filebeat.sh b/wazuh/config/02-set_config_filebeat.sh index 6ac9c848..2418e361 100644 --- a/wazuh/config/02-set_config_filebeat.sh +++ b/wazuh/config/02-set_config_filebeat.sh @@ -20,6 +20,5 @@ chmod go-w /etc/filebeat/filebeat.yml echo "FILEBEAT - Get Filebeat Wazuh module" >&2 echo "FILEBEAT - Install Wazuh Filebeat Module." -mkdir -p /usr/share/filebeat/module/ curl -s "https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module chmod 755 -R /usr/share/filebeat/module/wazuh From f99d60b58b7fba0fa3ea09989aa4feb6124079e2 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Wed, 25 Aug 2021 12:56:10 +0200 Subject: [PATCH 14/22] adding creation of directories for filebeat Former-commit-id: 851bdaf4a8396afec534cb57ea64f39af1c14fb4 --- wazuh/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index d5825ebe..cdff057a 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -116,5 +116,8 @@ RUN chmod 755 /entrypoint.sh && \ ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat RUN chmod go-w /etc/filebeat/wazuh-template.json +# Create filebeat directories +RUN mkdir -p /usr/share/filebeat/module/ +RUN mkdir /usr/share/filebeat/config # Run all services ENTRYPOINT ["/entrypoint.sh"] From 13a5b59723bc2c831e7e8fe02dcc9be59f304070 Mon Sep 17 00:00:00 2001 
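Review bot: `RUN mkdir /usr/share/filebeat/config` has no `-p`, so the build fails if the Filebeat RPM installed earlier already created that directory, and the two consecutive `RUN` lines spend two image layers on one step. `RUN mkdir -p /usr/share/filebeat/module /usr/share/filebeat/config` does both idempotently in a single layer, matching the `mkdir -p` the script used in patch 12.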
From: Julio Reyes Date: Fri, 27 Aug 2021 09:40:07 +0200 Subject: [PATCH 15/22] Update 02-set_config_filebeat.sh Former-commit-id: 6a9d230accaebb97a7d1176b9f2ae8a50d4602d3 --- wazuh/config/02-set_config_filebeat.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wazuh/config/02-set_config_filebeat.sh b/wazuh/config/02-set_config_filebeat.sh index 2418e361..b5d0b2aa 100644 --- a/wazuh/config/02-set_config_filebeat.sh +++ b/wazuh/config/02-set_config_filebeat.sh @@ -11,8 +11,10 @@ set -e WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz echo "FILEBEAT - Copy Filebeat config file" -cp filebeat.yml /etc/filebeat/filebeat.yml - +if ! [[ -L /etc/filebeat/filebeat.yml ]] + cp filebeat.yml /etc/filebeat/filebeat.yml +else + echo "Not needed. File already exist." echo "FILEBEAT - Set permissions" chmod go-w /etc/filebeat/filebeat.yml From ea29943364c793e865b7bd762cab119e30cbc73e Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 27 Aug 2021 10:20:43 +0200 Subject: [PATCH 16/22] Update 02-set_config_filebeat.sh Former-commit-id: 941bb524ebd8bcebc90064dbb758839133beefd8 --- wazuh/config/02-set_config_filebeat.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wazuh/config/02-set_config_filebeat.sh b/wazuh/config/02-set_config_filebeat.sh index b5d0b2aa..bcbe91ee 100644 --- a/wazuh/config/02-set_config_filebeat.sh +++ b/wazuh/config/02-set_config_filebeat.sh @@ -11,10 +11,11 @@ set -e WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz echo "FILEBEAT - Copy Filebeat config file" -if ! [[ -L /etc/filebeat/filebeat.yml ]] +if ! [[ -L /etc/filebeat/filebeat.yml ]]; then cp filebeat.yml /etc/filebeat/filebeat.yml else echo "Not needed. File already exist." +fi echo "FILEBEAT - Set permissions" chmod go-w /etc/filebeat/filebeat.yml From 04298beb3d7e5881c1606a65ed7a70737aeb9948 Mon Sep 17 00:00:00 2001 
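Review bot: `if ! [[ -L /etc/filebeat/filebeat.yml ]]` tests for a symbolic link, not for existence, while the else branch reports "File already exist." — a regular file bind-mounted at that path is still overwritten by `cp`, and a dangling symlink skips the copy. If the intent is to keep an operator-supplied config, the test should be `if [[ ! -e /etc/filebeat/filebeat.yml ]]; then` (or `-f` for regular files only). As written here the hunk is also not valid bash (no `; then`, no `fi`); patch 16 adds those and patch 17 moves the `chmod` inside the branch, but both keep `-L`, so the point stands for the final state. After patch 17 the `echo "FILEBEAT - Set permissions"` also prints on every run with nothing done on the else path, so it should move inside the `if` next to the `chmod`.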
From: Julio Reyes Date: Fri, 27 Aug 2021 10:40:15 +0200 Subject: [PATCH 17/22] Update 02-set_config_filebeat.sh Former-commit-id: 6bf2db79c12bb24f4fe3832820c190788b2d9cf3 --- wazuh/config/02-set_config_filebeat.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/wazuh/config/02-set_config_filebeat.sh b/wazuh/config/02-set_config_filebeat.sh index bcbe91ee..c5208351 100644 --- a/wazuh/config/02-set_config_filebeat.sh +++ b/wazuh/config/02-set_config_filebeat.sh @@ -13,13 +13,12 @@ WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz echo "FILEBEAT - Copy Filebeat config file" if ! [[ -L /etc/filebeat/filebeat.yml ]]; then cp filebeat.yml /etc/filebeat/filebeat.yml + chmod go-w /etc/filebeat/filebeat.yml else echo "Not needed. File already exist." fi echo "FILEBEAT - Set permissions" -chmod go-w /etc/filebeat/filebeat.yml - echo "FILEBEAT - Get Filebeat Wazuh module" >&2 echo "FILEBEAT - Install Wazuh Filebeat Module." From 9f3397f78b3096030eb065a2651c91289e42212e Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 27 Aug 2021 11:52:09 +0200 Subject: [PATCH 18/22] Update Dockerfile Former-commit-id: 0fbaff86c858bd69695ba7c0f65e8068afa88e46 --- wazuh/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index cdff057a..16e637b0 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -4,7 +4,7 @@ FROM waystonesystems/baseimage-centos:0.2.0 # Arguments ARG FILEBEAT_VERSION=7.10.2 ARG WAZUH_VERSION=4.1.5-1 - +ARG FILEBEAT_CHANNEL=filebeat-oss # Environment variables ENV API_USER="foo" \ API_PASS="bar" 
@@ -41,8 +41,8 @@ RUN set -x && \ rm -f /var/ossec/logs/api/*/*/* && \ rm -f /var/ossec/logs/cluster/*/*/* && \ rm -f /var/ossec/logs/ossec/*/*/* && \ - curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \ - rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \ + curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ + rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo # Services From 157c139126a3d18359f862e24691a18135faaf4d Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 27 Aug 2021 11:55:28 +0200 Subject: [PATCH 19/22] Update Dockerfile Former-commit-id: 01e9c47afec3caac6c83238b561aa31f5138594c --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 16e637b0..cc07bbbe 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -42,7 +42,7 @@ RUN set -x && \ rm -f /var/ossec/logs/cluster/*/*/* && \ rm -f /var/ossec/logs/ossec/*/*/* && \ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ - rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm + rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo # Services From d6034e19bba654c9d5f9d8912e10fe8b83efb729 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 27 Aug 2021 12:02:23 +0200 Subject: [PATCH 20/22] Update Dockerfile Former-commit-id: e777c8dbbf6e92ab909c703ed55a1676d8a82146 --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
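Review bot: Dropping the trailing `&& \` from the new `rpm -i … && rm -f …` line ends the `RUN` there, so the following `sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo` becomes a bare Dockerfile instruction and the build fails; patches 19–22 then repair the continuation piece by piece (19 adds `\` without `&&`, 20 adds the `&&`, 21 drops the `rm -f`, 22 restores it), so these five commits should be squashed into one. Separately, the Filebeat RPM is fetched with `curl -L -O` and installed with `rpm -i` without Elastic's signing key — the Dockerfile only imports `GPG-KEY-WAZUH` (patch 01 context) — so, if I read rpm's default behaviour right, a package with an unknown or missing signature installs with only a NOKEY warning. Import the vendor key and verify before installing, e.g. `rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \` followed by `rpm -K ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \` ahead of the `rpm -i` line, and add `-f` to the curl call so an HTTP error is not saved as the RPM. The `RUN set -x && \` block starts before this hunk.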
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index cc07bbbe..b3cfdaab 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -42,7 +42,7 @@ RUN set -x && \ rm -f /var/ossec/logs/cluster/*/*/* && \ rm -f /var/ossec/logs/ossec/*/*/* && \ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ - rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm \ + rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo # Services From 7332d55bc905a774db5b3c0806f7254ef6a35811 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 27 Aug 2021 12:51:03 +0200 Subject: [PATCH 21/22] Update Dockerfile Former-commit-id: 43a04fdbc34f60d6f699b545f6a4b827409fee97 --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index b3cfdaab..090b11ee 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -42,7 +42,7 @@ RUN set -x && \ rm -f /var/ossec/logs/cluster/*/*/* && \ rm -f /var/ossec/logs/ossec/*/*/* && \ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ - rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ + rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo # Services From bd256d83bfdace3bef8a7986cfa76ffc0aca9149 Mon Sep 17 00:00:00 2001 From: Julio Reyes Date: Fri, 27 Aug 2021 12:55:06 +0200 Subject: [PATCH 22/22] Update Dockerfile Former-commit-id: 3d7ef8494f3f240365f2631567c43c5be3446afb --- wazuh/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 090b11ee..b3cfdaab 100644 
--- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -42,7 +42,7 @@ RUN set -x && \ rm -f /var/ossec/logs/cluster/*/*/* && \ rm -f /var/ossec/logs/ossec/*/*/* && \ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ - rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ + rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \ sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo # Services