From 83eb2d73640b732b4a935ec185e09a1f72d81961 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 5 May 2021 21:01:39 -0400
Subject: [PATCH] agent.conf

---
scripts/services/scirius/files/agent.conf | 6 ++++
scripts/services/scirius/init.sh | 34 +++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 scripts/services/scirius/files/agent.conf

diff --git a/scripts/services/scirius/files/agent.conf b/scripts/services/scirius/files/agent.conf
new file mode 100644
index 0000000..7f82b98
--- /dev/null
+++ b/scripts/services/scirius/files/agent.conf
@@ -0,0 +1,6 @@
+
+
+ json
+ /var/log/suricata/eve.json
+
+
\ No newline at end of file
diff --git a/scripts/services/scirius/init.sh b/scripts/services/scirius/init.sh
index 56f1ba1..56b4e09 100755
--- a/scripts/services/scirius/init.sh
+++ b/scripts/services/scirius/init.sh
@@ -61,6 +61,40 @@ sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata sudo systemctl restart suricata +# wait for service to be listening +while ! nc -z 10.2.3.1 55000; do + WAIT_TIME=10 + echo "Waiting ${WAIT_TIME} seconds for Wazuh API..." + sleep ${WAIT_TIME} +done + +# set working directory to mistborn for docker-compose +pushd . +cd /opt/mistborn + +# ensure group exists +sudo docker-compose -f extra/wazuh.yml exec wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null + +# add this host to group +WAZUH_ID=$(sudo docker-compose -f extra/wazuh.yml exec wazuh /var/ossec/bin/manage_agents -l | grep $(hostname) | awk '{print $2}' | tr -d ',') +sudo docker-compose -f extra/wazuh.yml exec wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q + +# write agent.conf +sudo docker-compose -f extra/wazuh.yml exec wazuh cat > /var/ossec/etc/shared/linux/agent.conf << EOF + + + json + /var/log/suricata/eve.json + + +EOF + +# restart manager +sudo docker-compose -f extra/wazuh.yml restart wazuh + +popd + + mkdir -p /opt/mistborn_volumes/extra/scirius/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/scirius/init/ cp /opt/mistborn/scripts/services/scirius/files/filebeat.docker.yml /opt/mistborn_volumes/extra/scirius/init/ \ No newline at end of file
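Review bot: The `# write agent.conf` step never writes inside the container: the `> /var/ossec/etc/shared/linux/agent.conf` redirection is processed by the calling host shell (before `sudo` and `docker-compose` even run), so the heredoc lands on the host — or fails with a permission error there — while the container's `cat` only echoes it to stdout. Move the redirect into the container and feed it the `files/agent.conf` this same commit adds, which also removes the duplicated inline copy: `sudo docker-compose -f extra/wazuh.yml exec -T wazuh sh -c 'cat > /var/ossec/etc/shared/suricata/agent.conf' < /opt/mistborn/scripts/services/scirius/files/agent.conf` (`-T` disables the pseudo-TTY that `exec` allocates by default, which otherwise breaks piped stdin in non-interactive runs, and the `suricata` directory matches the group created two steps earlier — Wazuh serves a group's shared config from `etc/shared/<group>/`, so the `linux` path in the hunk would not reach agents that are only in `suricata`). The `WAZUH_ID` lookup passes the unquoted, unanchored hostname to `grep` as a regex and, when nothing matches, runs `agent_groups -a -i -g suricata` with an empty id; assuming the `ID: 001, Name: host, IP: any` listing format that the `tr -d ','` implies, use `grep -F -- "Name: $(hostname),"` and guard with `[[ -n "$WAZUH_ID" ]] || { echo "agent id not found" >&2; exit 1; }`. The `nc -z 10.2.3.1 55000` loop has no upper bound, so a manager that never comes up hangs the init script forever — count iterations and fail after a limit, and check `cd /opt/mistborn || exit 1` so the relative `extra/wazuh.yml` is not resolved from the wrong directory. This is top-level script code rather than a function; the three trailing context lines are the original continuation.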