From b597b78036d2b75d7164604ee328efb78b9d08d6 Mon Sep 17 00:00:00 2001 From: Jose Luis Ruiz Date: Sat, 28 Jan 2017 21:29:26 +0100 Subject: [PATCH] update containers to work with filebeat --- .DS_Store | Bin 0 -> 6148 bytes docker-compose.yml | 4 +--- kibana/Dockerfile | 4 ++-- logstash/config/logstash.conf | 28 ++++++++++++++-------------- logstash/config/run.sh | 4 ---- wait-for-it.sh | 15 +++++++++++++++ wazuh/Dockerfile | 5 +++++ wazuh/config/default_agent | 1 - wazuh/config/filebeat.yml | 16 ++++++++++++++++ wazuh/config/run.sh | 1 + 10 files changed, 54 insertions(+), 24 deletions(-) create mode 100644 .DS_Store create mode 100755 wait-for-it.sh delete mode 100644 wazuh/config/default_agent create mode 100644 wazuh/config/filebeat.yml diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7dfc999c629264a515793da73b9d58181eb89a53 GIT binary patch literal 6148 zcmeHKu};G<5IwgA6|t0!F*^v+KL{o4NR^P-T3V?^w4_oKAu$DhfnQ+aGgw*q4kjd4 z-kq(;Zju!txRcH=@!k2(&uwfIks0LEK2eW|x=_Z}4w@QaJ8MN+u7`sSkFl8bhm&-< zs(5P0Z)Jeju0uyOqif2-^?U93wq=?m(>$9Hy+5D4$#lxNWjbxNt>)fuqJ7SR+jN6$ zS2U(u8izT1Uz>I>@5AMx+9(6cz`tbxdp1jV z*P^z{fHI&Alnn6qA%Zf-4hxI&=|Ce_03aU~Mexi=N{)#f#tsXMut1Cr1=>*Kt{BFK zqd#(fvBScm4JYF+AI4=i?uKF{JI0U1olI;|TV+5Q2pMSG*B 5000 -# codec => "json_lines" +input { + beats { + port => 5000 + codec => "json_lines" # ssl => true # ssl_certificate => "/etc/logstash/logstash.crt" # ssl_key => "/etc/logstash/logstash.key" -# } -#} -## Local Wazuh Manager - JSON file input -input { - file { - type => "wazuh-alerts" - path => "/var/ossec/logs/alerts/alerts.json" - codec => "json" - } + } } +## Local Wazuh Manager - JSON file input +#input { +# file { +# type => "wazuh-alerts" +# path => "/var/ossec/data/logs/alerts/alerts.json" +# codec => "json" +# } +#} filter { geoip { source => "srcip" 
@@ -28,7 +28,7 @@ filter {
 }
 output {
 elasticsearch {
- hosts => ["localhost:9200"]
+ hosts => ["elasticsearch:9200"]
 index => "wazuh-alerts-%{+YYYY.MM.dd}"
 document_type => "wazuh"
 template => "/etc/logstash/wazuh-elastic5-template.json"
diff --git a/logstash/config/run.sh b/logstash/config/run.sh
index 97840f88..ddbd7bc9 100644
--- a/logstash/config/run.sh
+++ b/logstash/config/run.sh
@@ -24,7 +24,3 @@ if [ "$1" = 'logstash' ]; then
 fi
 exec "$@"
-
-#echo "Wait one min to logstash restart"
-#sleep 60
-#curl -XPUT -v -H "Expect:" "http://elasticsearch:9200/_template/ossec" -d@/etc/logstash/elastic5-ossec-template.json
diff --git a/wait-for-it.sh b/wait-for-it.sh
new file mode 100755
index 00000000..cdbc01d7
--- /dev/null
+++ b/wait-for-it.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+host="$1"
+shift
+cmd="$@"
+
+until curl -XGET $host:9200; do
+ >&2 echo "Elastic is unavailable - sleeping"
+ sleep 1
+done
+
+>&2 echo "Elastic is up - executing command"
+exec $cmd
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile
index ae88ad55..58b81365 100644
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -16,6 +16,11 @@ RUN chmod 755 /init.bash &&\
 sync && rm /init.bash
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\
+ rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm
+
+COPY config/filebeat.yml /etc/filebeat/
+
 ADD config/run.sh /tmp/run.sh
 RUN chmod 755 /tmp/run.sh
diff --git a/wazuh/config/default_agent b/wazuh/config/default_agent
deleted file mode 100644
index e2c8ff8c..00000000
--- a/wazuh/config/default_agent
+++ /dev/null
@@ -1 +0,0 @@
-127.0.0.1,DEFAULT_LOCAL_AGENT
diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml
new file mode 100644
index 00000000..7f076793
--- /dev/null
+++ b/wazuh/config/filebeat.yml
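Review bot: `cmd="$@"` followed by `exec $cmd` collapses the command into one string and then re-splits it on whitespace and globs, so any argument containing a space or a wildcard is broken apart before it runs; after the `shift` the script should simply `exec "$@"`. The readiness probe `curl -XGET $host:9200` treats any HTTP answer as success (without `-f`, curl returns 0 on a 5xx), leaves `$host` unquoted, prints the response body on every iteration, and has no upper bound, so a container whose Elasticsearch never comes up waits forever instead of failing visibly. The rewrite below quotes the URL, uses `curl -fsS --max-time`, caps the retries (the 120 is a constructed default to tune per deployment), and adds the usage comment the file lacks; since the name collides with the widely used wait-for-it.sh but the interface here is host-only with the port fixed at 9200, that comment should say so.
```shell
#!/bin/bash
set -euo pipefail

# Usage: wait-for-it.sh <elasticsearch-host> <command> [args...]
# Polls http://<elasticsearch-host>:9200/ until it returns a success status,
# then replaces this shell with <command>. Not the upstream wait-for-it.sh:
# the port is fixed at 9200 and only the host is taken from the arguments.
host="$1"
shift

max_attempts=120   # constructed default; tune per deployment
attempts=0
until curl -fsS --max-time 5 "http://${host}:9200/" >/dev/null; do
  attempts=$((attempts + 1))
  if [ "$attempts" -ge "$max_attempts" ]; then
    >&2 echo "Elastic still unavailable after ${attempts} attempts - giving up"
    exit 1
  fi
  >&2 echo "Elastic is unavailable - sleeping"
  sleep 1
done

>&2 echo "Elastic is up - executing command"
exec "$@"
```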
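Review bot: The added `RUN` installs the Filebeat RPM straight from the download without checking a checksum or package signature, so the image's contents depend on whatever the network returns for that URL at build time; and because `curl` is invoked without `-f`, an HTTP error page would be saved under the `.rpm` name and only surface later as an `rpm -vi` failure. Pin the artifact before installing it: `curl -fsSL -o filebeat-5.1.2-x86_64.rpm https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\`, then `echo "<EXPECTED_SHA512_PLACEHOLDER>  filebeat-5.1.2-x86_64.rpm" | sha512sum -c - &&\`, followed by the existing `rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm` line. Importing Elastic's package signing key into rpm before the install, so that `rpm -vi` verifies the signature itself, would serve the same purpose. The `RUN chmod 755 /init.bash &&\` step that the first context line continues begins outside the hunk.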
@@ -0,0 +1,16 @@
+filebeat:
+ prospectors:
+ - input_type: log
+ paths:
+ - "/var/ossec/data/logs/alerts/alerts.json"
+ document_type: wazuh-alerts
+ json.message_key: log
+ json.keys_under_root: true
+ json.overwrite_keys: true
+
+output:
+ logstash:
+ # The Logstash hosts
+ hosts: ["logstash:5000"]
+# ssl:
+# certificate_authorities: ["/etc/filebeat/logstash.crt"]
diff --git a/wazuh/config/run.sh b/wazuh/config/run.sh
index 1b442a74..4a0ad464 100644
--- a/wazuh/config/run.sh
+++ b/wazuh/config/run.sh
@@ -100,6 +100,7 @@ LAST_OK_DATE=`date +%s`
 #cd /var/ossec/update/ruleset && python ossec_ruleset.py
 /bin/node /var/ossec/api/app.js &
+/usr/bin/filebeat.sh &
 /var/ossec/bin/ossec-control restart
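Review bot: The `output.logstash` block sends alerts to `logstash:5000` with the `ssl` stanza commented out, so Wazuh alert data crosses the container network in cleartext and Logstash has no way to distinguish this Filebeat from any other client that reaches port 5000; the matching `ssl`/`ssl_certificate` lines on the Logstash `beats` input (in the earlier logstash.conf hunk) are commented out as well, so either both sides should be enabled or a comment here should state that the compose network is the trust boundary. Separately, `json.keys_under_root: true` combined with `json.overwrite_keys: true` lets keys inside an alert line replace the fields Filebeat itself adds (such as `type`), which matters if, as seems likely, alert contents are derived from the logs the manager monitors; leaving `overwrite_keys` at its default unless a specific field needs it is the safer setting. Since Filebeat already decodes the JSON here, the `codec => "json_lines"` on the Logstash `beats` input in the first hunk looks redundant and may decode twice — worth confirming against the Logstash output.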