-
Notifications
You must be signed in to change notification settings - Fork 2
/
Dockerfile
83 lines (70 loc) · 4 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Use Rocky Linux as the base image
FROM rockylinux:8
# Set environment variables
ENV WAZUH_VERSION=4.8.2
ENV LOGSTASH_VERSION=8.15.0
ENV OPENSEARCH_USERNAME=admin
ENV OPENSEARCH_PASSWORD=Anubhav@321
ENV OPENSEARCH_HOST=opensearch-node1
ENV OPENSEARCH_PORT=9200
ENV LOGSTASH_KEYSTORE_PASS=Anubhav@321
# Update the system and install dependencies
RUN dnf update -y && \
dnf install -y epel-release dnf-utils wget bzip2 policycoreutils-python-utils \
python3 python3-devel findutils java-11-openjdk-devel curl && \
dnf config-manager --set-enabled powertools && \
dnf clean all
# Install Wazuh manager
RUN curl -o /tmp/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH && \
rpm --import /tmp/GPG-KEY-WAZUH && \
curl -o /tmp/wazuh-manager-${WAZUH_VERSION}-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-manager-${WAZUH_VERSION}-1.x86_64.rpm && \
rpm -ivh /tmp/wazuh-manager*.rpm && \
rm /tmp/GPG-KEY-WAZUH /tmp/wazuh-manager*.rpm
# Install Logstash
RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \
echo "[logstash-${LOGSTASH_VERSION}]" > /etc/yum.repos.d/logstash.repo && \
echo "name=Elastic repository for ${LOGSTASH_VERSION} packages" >> /etc/yum.repos.d/logstash.repo && \
echo "baseurl=https://artifacts.elastic.co/packages/8.x/yum" >> /etc/yum.repos.d/logstash.repo && \
echo "gpgcheck=1" >> /etc/yum.repos.d/logstash.repo && \
echo "gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch" >> /etc/yum.repos.d/logstash.repo && \
echo "enabled=1" >> /etc/yum.repos.d/logstash.repo && \
echo "autorefresh=1" >> /etc/yum.repos.d/logstash.repo && \
echo "type=rpm-md" >> /etc/yum.repos.d/logstash.repo && \
dnf install -y logstash-${LOGSTASH_VERSION} && \
/usr/share/logstash/bin/logstash-plugin install logstash-output-opensearch
# Configure Wazuh manager
RUN mkdir -p /var/ossec/logs && \
touch /var/ossec/logs/ossec.log && \
chown -R wazuh:wazuh /var/ossec
# Configure Logstash
RUN mkdir -p /etc/logstash/conf.d /etc/logstash/templates /etc/logstash/certs && \
curl -o /etc/logstash/templates/wazuh.json https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-template.json && \
chown -R logstash:logstash /etc/logstash/conf.d /etc/logstash/templates /etc/logstash/certs
# Add Logstash configuration
COPY logstash/config/wazuh-opensearch.conf /etc/logstash/conf.d/wazuh-opensearch.conf
# Copy OpenSearch root CA certificate
COPY opensearch/certs/root-ca.pem /etc/logstash/certs/root-ca.pem
# Set up Logstash keystore
RUN mkdir -p /etc/sysconfig && \
echo "LOGSTASH_KEYSTORE_PASS=${LOGSTASH_KEYSTORE_PASS}" | tee /etc/sysconfig/logstash && \
chown root:root /etc/sysconfig/logstash && \
chmod 600 /etc/sysconfig/logstash && \
/usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create && \
echo "${OPENSEARCH_USERNAME}" | /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_USERNAME && \
echo "${OPENSEARCH_PASSWORD}" | /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_PASSWORD
# Add logstash user to wazuh group
RUN usermod -a -G wazuh logstash
# Expose Wazuh manager and Logstash ports
EXPOSE 1514/udp 1515/tcp 1516/tcp 55000/tcp 5044/tcp
# Create a startup script
RUN echo '#!/bin/bash' > /start.sh && \
echo 'sed -i "s/OPENSEARCH_HOST/${OPENSEARCH_HOST}/g" /etc/logstash/conf.d/wazuh-opensearch.conf' >> /start.sh && \
echo 'sed -i "s/OPENSEARCH_PORT/${OPENSEARCH_PORT}/g" /etc/logstash/conf.d/wazuh-opensearch.conf' >> /start.sh && \
echo '/var/ossec/bin/wazuh-control start' >> /start.sh && \
echo 'sleep 10' >> /start.sh && \
echo 'export LOGSTASH_KEYSTORE_PASS' >> /start.sh && \
echo '/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-opensearch.conf --path.settings /etc/logstash &' >> /start.sh && \
echo 'tail -f /var/ossec/logs/ossec.log' >> /start.sh && \
chmod +x /start.sh
# Set the entrypoint to our startup script
ENTRYPOINT ["/start.sh"]