Create required files for Filebeat.

wazuh · Jun 7, 2019 · f36be69 · f36be69
1 parent 890fb88
commit f36be69
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 0 deletions.
diff --git a/manifests/filebeat.pp b/manifests/filebeat.pp
@@ -0,0 +1,39 @@
+class wazuh::filebeat (
+ $filebeat_elasticsearch_ip = "172.17.0.101",
+ $filebeat_elasticsearch_port = "9200",
+ $elasticsearch_server_ip = "\"${filebeat_elasticsearch_ip}:${filebeat_elasticsearch_port}\"",
+
+ $filebeat_package = "filebeat",
+ $filebeat_service = "filebeat",
+ $filebeat_version = "7.1.1",
+ $wazuh_app_version = "3.9.1_7.1.0",
+ $wazuh_extensions_version = "v3.9.1",
+){
+
+ package { 'Installing Filebeat...':
+ name => $filebeat_package,
+ ensure => $filebeat_version,
+ }
+
+ file { 'Configure filebeat.yml':
+ owner => 'root',
+ path => '/etc/filebeat/filebeat.yml', 
+ group => 'root',
+ mode => '0644',
+ notify => Service[$filebeat_service], ## Restarts the service
+ content => template("wazuh/filebeat_yml.erb"),
+ }
+
+ exec { 'Installing wazuh-template.json...':
+ command => "curl -so /etc/filebeat/wazuh-template.json 'https://raw.githubusercontent.com/wazuh/wazuh/$wazuh_extensions_version/extensions/elasticsearch/7.x/wazuh-template.json'",
+ provider => 'shell',
+ notify => Service['filebeat']
+ }
+
+ service { "filebeat":
+ ensure => running,
+ enable => true,
+ }
+
+
+}
diff --git a/templates/filebeat_yml.erb b/templates/filebeat_yml.erb
@@ -0,0 +1,58 @@
+# Wazuh - Filebeat configuration file
+
+filebeat.inputs:
+ - type: log
+ paths:
+ - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+ - decode_json_fields:
+ fields: ['message']
+ process_array: true
+ max_depth: 200
+ target: ''
+ overwrite_keys: true
+ - drop_fields:
+ fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+ - rename:
+ fields:
+ - from: "data.aws.sourceIPAddress"
+ to: "@src_ip"
+ ignore_missing: true
+ fail_on_error: false
+ when:
+ regexp:
+ data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+ - rename:
+ fields:
+ - from: "data.srcip"
+ to: "@src_ip"
+ ignore_missing: true
+ fail_on_error: false
+ when:
+ regexp:
+ data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+ - rename:
+ fields:
+ - from: "data.win.eventdata.ipAddress"
+ to: "@src_ip"
+ ignore_missing: true
+ fail_on_error: false
+ when:
+ regexp:
+ data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+# Send events directly to Elasticsearch
+output.elasticsearch:
+ hosts: [<%= @elasticsearch_server_ip %>]
+ #pipeline: geoip
+ indices:
+ - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
+
+# Optional. Send events to Logstash instead of Elasticsearch
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]