piping

5 years ago · 3968000c89
5 changed files with 106 additions and 14 deletions
--- a/extra/scirius.yml
+++ b/extra/scirius.yml
@ -27,7 +27,45 @@ services:
				@@ -27,7 +27,45 @@ services:
      - "traefik.http.services.scirius-service.loadbalancer.server.port=8000"
    restart: unless-stopped 

+  filebeat:
+    image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION:-7.9.1}
+    # https://github.com/docker/swarmkit/issues/1951
+    hostname: "{{.Node.Hostname}}-filebeat"
+    # Need to override user so we can access the log files, and docker.sock
+    user: root
+    configs:
+      - source: fb_config
+        target: /usr/share/filebeat/filebeat.yml
+    volumes:
+      - filebeat:/usr/share/filebeat/data
+      - /var/run/docker.sock:/var/run/docker.sock
+      # This is needed for filebeat to load container log path as specified in filebeat.yml
+      - /var/lib/docker/containers/:/var/lib/docker/containers/:ro
+
+      # # This is needed for filebeat to load jenkins build log path as specified in filebeat.yml
+      # - /var/lib/docker/volumes/jenkins_home/_data/jobs/:/var/lib/docker/volumes/jenkins_home/_data/jobs/:ro
+
+      # This is needed for filebeat to load logs for system and auth modules
+      - /var/log/:/var/log/:ro
+      # This is needed for filebeat to load logs for auditd module. you might have to install audit system
+      # on ubuntu first (sudo apt-get install -y auditd audispd-plugins)
+      - /var/log/audit/:/var/log/audit/:ro
+    environment:
+      - ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST}
+      - KIBANA_HOST=${KIBANA_HOST}
+      - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME}
+      - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}
+    # disable strict permission checks
+    command: ["--strict.perms=false"]
+
+volumes:
+  filebeat:
+
 networks:
  default:
    external:
      name: mistborn_default
+
+configs:
+  fb_config:
+    file: /opt/mistborn_volumes/scirius/init/filebeat.docker.yml
--- a/scripts/services/Mistborn-scirius.service
+++ b/scripts/services/Mistborn-scirius.service
@ -11,17 +11,17 @@ User=root
				@@ -11,17 +11,17 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down

 # Start container when unit is started
-ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
 # Suricata
-ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh

 # Stop container when unit is stopped
-ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
 # Post stop
-ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh

 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/scirius/files/filebeat.docker.yml
+++ b/scripts/services/scirius/files/filebeat.docker.yml
@ -1,17 +1,62 @@
				@@ -1,17 +1,62 @@
-filebeat.config:
-  modules:
-    path: ${path.config}/modules.d/*.yml
-    reload.enabled: false
+filebeat.modules:
+- module: suricata 
+  eve:
+    enabled: true
+    var.paths: ["/var/log/suricata/eve.json"]
+# - module: system
+#   syslog:
+#     enabled: true
+#   auth:
+#     enabled: true
+# - module: auditd
+#   log:
+#     # - Does not look like Auditd is supported in Alpine linux: https://github.com/linuxkit/linuxkit/issues/52
+#     # - CentOS does not need us to install the audit system, it ships as standard. If you are using Ubuntu, though,
+#     # this is probably something you would want to install. (sudo apt-get install -y auditd audispd-plugins)
+#     enabled: true

+#filebeat.inputs:
+#- type: container
+#  enabled: true
+#  paths:
+#    -/var/lib/docker/containers/*/*.log
+#  stream: all # can be all, stdout or stderr
+
+#========================== Filebeat autodiscover ==============================
+# See this URL on how to run Apache2 Filebeat module: # https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
 filebeat.autodiscover:
  providers:
    - type: docker
+      # https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html
+      # This URL alos contains instructions on multi-line logs
      hints.enabled: true

+#================================ Processors ===================================
 processors:
- add_cloud_metadata: ~
+#- add_cloud_metadata: ~
+- add_docker_metadata: ~
+- add_locale:
+    format: offset
+- add_host_metadata:
+    netinfo.enabled: true

+#========================== Elasticsearch output ===============================
 output.elasticsearch:
-  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
-  username: '${ELASTICSEARCH_USERNAME:}'
-  password: '${ELASTICSEARCH_PASSWORD:}'
+  hosts: ["${ELASTICSEARCH_HOST}:9200"]
+  username: ${ELASTICSEARCH_USERNAME}
+  password: ${ELASTICSEARCH_PASSWORD}
+
+#============================== Dashboards =====================================
+setup.dashboards:
+  enabled: true
+
+#============================== Kibana =========================================
+setup.kibana:
+  host: "${KIBANA_HOST}:80"
+  username: ${ELASTICSEARCH_USERNAME}
+  password: ${ELASTICSEARCH_PASSWORD}
+
+#============================== Xpack Monitoring ===============================
+xpack.monitoring:
+  enabled: true
+  elasticsearch:
--- a/scripts/services/scirius/init.sh
+++ b/scripts/services/scirius/init.sh
@ -58,3 +58,7 @@ fi
				@@ -58,3 +58,7 @@ fi
 IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
 sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml
 sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+mkdir -p /opt/mistborn_volumes/extra/scirius/init/ >/dev/null 2>&1
+chmod -R +x /opt/mistborn_volumes/extra/scirius/init/
+cp /opt/mistborn/scripts/services/scirius/files/filebeat.docker.yml /opt/mistborn_volumes/extra/scirius/init/
--- a/scripts/subinstallers/extra/scirius.sh
+++ b/scripts/subinstallers/extra/scirius.sh
@ -6,4 +6,9 @@ SCIRIUS_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([
				@@ -6,4 +6,9 @@ SCIRIUS_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([
 echo "SECRET_KEY=$SCIRIUS_SECRET_KEY" > $SCIRIUS_PROD_FILE
 echo "ALLOWED_HOSTS=scirius.mistborn" >> $SCIRIUS_PROD_FILE
 echo "DJANGO_SUPERUSER_USERNAME=mistborn" >> $SCIRIUS_PROD_FILE
-echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE
+echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE
+
+echo "ELASTICSEARCH_HOST=10.2.3.1" >> $SCIRIUS_PROD_FILE
+echo "KIBANA_HOST=wazuh.mistborn" >> $SCIRIUS_PROD_FILE
+
+chmod 600 $SCIRIUS_PROD_FILE