diff --git a/README.md b/README.md index 579afb7b..5cbb52c1 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,11 @@ It will give you the ability to analyze any data set by using the searching/aggr Based on the official images: -* [elasticsearch](https://registry.hub.docker.com/_/elasticsearch/) -* [logstash](https://registry.hub.docker.com/_/logstash/) -* [kibana](https://registry.hub.docker.com/_/kibana/) * [Wazuh](https://github.com/wazuh/wazuh) +* [logstash](https://registry.hub.docker.com/_/logstash/) +* [elasticsearch](https://registry.hub.docker.com/_/elasticsearch/) +* [kibana](https://registry.hub.docker.com/_/kibana/) + # Requirements @@ -28,6 +29,7 @@ You need to increase `max_map_count` on your Docker host: ```bash $ sudo sysctl -w vm.max_map_count=262144 ``` +To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf. To verify after rebooting, run sysctl vm.max_map_count. ## SELinux @@ -53,19 +55,13 @@ You can also choose to run it in background (detached mode): $ docker-compose up -d ``` -Now that the stack is running, you'll want to inject logs in it. The shipped logstash configuration allows you to send content via tcp: - -```bash -$ nc localhost 5000 < /path/to/logfile.log -``` - And then access Kibana UI by hitting [http://localhost:5601](http://localhost:5601) with a web browser. -*NOTE*: You'll need to inject data into logstash before being able to create a logstash index in Kibana. Then all you should have to do is to hit the create button. - -See: https://www.elastic.co/guide/en/kibana/current/setup.html#connect - By default, the stack exposes the following ports: +* 1514: Wazuh UDP. +* 1515: Wazuh TCP. +* 514 : Wazuh UDP. +* 55000: Wazuh API. * 5000: Logstash TCP input. * 9200: Elasticsearch HTTP * 9300: Elasticsearch TCP transport 
@@ -94,6 +90,26 @@ can create more than one file in that folder if you'd like to. However, you must The Logstash container use the *LS_HEAP_SIZE* environment variable to determine how much memory should be associated to the JVM heap memory (defaults to 500m). +## How can I configure Wazuhapp plugin? + +Select Wazuh APP in the left menu and then add the parameters + +![Alt text](images/image-1.png?raw=true "Image 1") + +The default configuration is: + +``` +User: foo +Password: bar +URL: http://wazuh +Port: 55000 +``` + +![Alt text](images/image-2.png?raw=true "Image 2") + + +![Alt text](images/image-3.png?raw=true "Image 2") + If you want to override the default configuration, add the *LS_HEAP_SIZE* environment variable to the container in the `docker-compose.yml`: ```yml @@ -165,6 +181,7 @@ version: '2' services: wazuh: image: wazuh/wazuh:latest + hostname: wazuh-manager ports: - "1514:1514" - "1515:1515" @@ -174,7 +191,8 @@ services: - docker_elk elasticsearch: image: elasticsearch:latest - command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh " -E network.host=0.0.0.0 + hostname: elasticsearch + command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0 ports: - "9200:9200" - "9300:9300" @@ -184,11 +202,12 @@ services: - docker_elk logstash: image: wazuh/wazuh-logstash:latest + hostname: logstash command: -f /etc/logstash/conf.d/ ports: - "5000:5000" - volumes_from: - - wazuh +# volumes_from: +# - wazuh networks: - docker_elk depends_on: @@ -197,12 +216,15 @@ services: - LS_HEAP_SIZE=2048m kibana: image: wazuh/wazuh-kibana:latest + hostname: kibana ports: - "5601:5601" networks: - docker_elk depends_on: - wazuh/wazuh-elasticsearch + entrypoint: sh wait-for-it.sh elasticsearch + networks: docker_elk: diff --git a/docker-compose.yml b/docker-compose.yml index 79040253..aebc9f2c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -11,42 +11,68 @@ services: # - "514/udp:514/udp" - "55000:55000" networks: - - docker_elk - volumes: - - /mnt/data/ossec/wazuh:/var/ossec/data + docker_elk: + ipv4_address: 172.25.0.101 + extra_hosts: + - "logstash:172.25.0.102" + - "elasticsearch:172.25.0.103" + - "kibana:172.25.0.104" +# volumes: +# - /mnt/data/ossec/wazuh:/var/ossec/data depends_on: - elasticsearch + logstash: + build: logstash/ + hostname: logstash + command: -f /etc/logstash/conf.d/ + links: + - kibana + - elasticsearch +# ports: +# - "5000:5000" + networks: + docker_elk: + ipv4_address: 172.25.0.102 + extra_hosts: + - "wazuh:172.25.0.101" + - "elasticsearch:172.25.0.103" + - "kibana:172.25.0.104" + depends_on: + - elasticsearch + environment: + - LS_HEAP_SIZE=2048m elasticsearch: image: elasticsearch:5.1.2 + hostname: elasticsearch restart: always command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0 ports: - "9200:9200" - "9300:9300" environment: - ES_JAVA_OPTS: "-Xms64g -Xmx64g" - volumes: - - /mnt/data/ossec/elasticsearch:/usr/share/elasticsearch/data + ES_JAVA_OPTS: "-Xms2g -Xmx2g" +# volumes: +# - /mnt/data/ossec/elasticsearch:/usr/share/elasticsearch/data networks: - - docker_elk - logstash: - build: logstash/ - command: -f /etc/logstash/conf.d/ -# ports: -# - "5000:5000" - networks: - - docker_elk - depends_on: - - elasticsearch - environment: - - LS_HEAP_SIZE=2048m + docker_elk: + ipv4_address: 172.25.0.103 + extra_hosts: + - "wazuh:172.25.0.101" + - "logstash:172.25.0.102" + - "kibana:172.25.0.104" kibana: build: kibana/ + hostname: kibana restart: always ports: - "5601:5601" networks: - - docker_elk + docker_elk: + ipv4_address: 172.25.0.104 + extra_hosts: + - "wazuh:172.25.0.101" + - "logstash:172.25.0.102" + - "elasticsearch:172.25.0.103" depends_on: - elasticsearch entrypoint: sh wait-for-it.sh elasticsearch @@ -54,3 +80,6 @@ services: networks: docker_elk: driver: bridge + ipam: + config: + - subnet: 172.25.0.0/24 
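Review bot: Commenting out the `volumes` stanzas on the wazuh and elasticsearch services (`#    volumes:` / `#      - /mnt/data/ossec/wazuh:/var/ossec/data` and the elasticsearch equivalent) leaves `/var/ossec/data` and the Elasticsearch data directory in the containers' writable layers, so alerts, indices and agent state are discarded whenever the containers are recreated (`docker-compose down`, an image update) — for an alerting pipeline that is evidence loss, and persistence should at least come back as named volumes, e.g. `volumes:` / `  - wazuh-data:/var/ossec/data` on the service plus a top-level `volumes:` declaring `wazuh-data` and `es-data`, or the reason for dropping it recorded in a comment next to the disabled lines. The per-service `extra_hosts` lists and fixed `ipv4_address` values duplicate what Docker's embedded DNS already provides for service names on the user-defined `docker_elk` network, and `links:` on logstash is the legacy mechanism for the same thing; every name/address pair is now hard-coded in four places, and an `/etc/hosts` entry silently wins over DNS if one of them drifts from the `ipam` subnet. The file still publishes 9200/9300 and 55000 on all host interfaces with nothing in this file placing authentication in front of `elasticsearch:5.1.2`; that is pre-existing, but if this revision targets a local demo (the heap was cut to 2g), `- "127.0.0.1:9200:9200"` style bindings would keep the unauthenticated cluster and API off the LAN. The `services:` mapping this hunk edits begins before the hunk.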
diff --git a/images/image-1.png b/images/image-1.png new file mode 100644 index 00000000..b680f3aa Binary files /dev/null and b/images/image-1.png differ diff --git a/images/image-2.png b/images/image-2.png new file mode 100644 index 00000000..20c727af Binary files /dev/null and b/images/image-2.png differ diff --git a/images/image-3.png b/images/image-3.png new file mode 100644 index 00000000..ce63bad1 Binary files /dev/null and b/images/image-3.png differ