From d13e7559fe9349de27edd15b1fc5b588d2a038f3 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 13 Dec 2018 17:32:03 +0000
Subject: [PATCH 1/5] Filebeat - Enabled for master and only enable Bro/Suri inputs when needed
---
 salt/filebeat/etc/filebeat.yml | 4 ++--
 salt/filebeat/init.sls | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 4384d124e..b7ab91e12 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -12,6 +12,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
 - type: log
@@ -36,6 +37,7 @@ filebeat.prospectors:
 fields_under_root: true
 clean_removed: false
 close_removed: false
+{%- endif %}
 {%- if WAZUHENABLED == '1' %}
@@ -73,7 +75,6 @@ output.logstash:
 # Set gzip compression level.
 compression_level: 3
-
 # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
 ssl.enabled: true
@@ -97,7 +98,6 @@ output.logstash:
 # Client Certificate Key
 ssl.key: "/usr/share/filebeat/filebeat.key"
-
 # Elasticsearch template settings
 #setup.template.settings:
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index da8f0637c..d3a1dfb14 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
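Review bot: On the roles that fail the added guard (so-master and so-node, which patch 3 now gives the filebeat state), the Bro/Suricata prospectors are skipped and `filebeat.prospectors:` holds only what the later `WAZUHENABLED == '1'` block emits; if Wazuh is disabled on such a host the list renders empty, and I believe Filebeat 6.x refuses to start with no prospectors configured, so an explicit `{%- else %}` fallback or a comment stating that Wazuh must be enabled on non-sensor roles is needed. The condition also mixes quote styles, `'so-sensor'` next to `"so-eval"`; `{%- if grains['role'] in ['so-sensor', 'so-eval'] %}` is shorter and matches the single quotes used everywhere else in this series. The guard relies on the `role` grain being set on every minion; a host without it silently gets no inputs rather than an error.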
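Review bot: The added `{%- endif %}` closes the `{%- if grains['role'] ... %}` opened about twenty-five lines earlier in the previous hunk, right after the nested `{%- if BROVER != 'SURICATA' %}` block's own close, so the pairing is hard to see at a glance; mark it, e.g. `{%- endif %} {#- role in so-sensor/so-eval #}`. The `WAZUHENABLED` block that follows is context and stays outside the role guard, which is presumably intended (Wazuh logs shipped from every role) and is worth saying in the same comment.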
@@ -63,8 +63,13 @@ so-filebeat:
 - /opt/so/log/suricata:/suricata:ro
 - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
 - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+{%- if grains['role'] == 'so-master' %}
+ - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
+ - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- else %}
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- endif %}
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
 - watch:
 - file: /opt/so/conf/filebeat/etc
From 62067f37cfa101f37776cb5cfb6022d89b487663 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 13 Dec 2018 17:33:12 +0000
Subject: [PATCH 2/5] Wazuh - Fix agent ip for storage nodes
---
 salt/wazuh/files/agent/wazuh-register-agent | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index b6199cf9a..7e8574613 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,4 +1,8 @@
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- elif grains['role'] == 'so-node' }
{% set ip = salt['pillar.get']('node:mainip', '') %}
+{%- endif %}
 #!/bin/bash
 ###
From 5e23859557e1418c6c4ed8c434a9278ef7736aa7 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 13 Dec 2018 17:34:19 +0000
Subject: [PATCH 3/5] Salt - Add Wazuh to other roles
---
 salt/top.sls | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/top.sls b/salt/top.sls
index 03c220047..a319209ca 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -10,6 +10,7 @@ base:
 {%- if BROVER != 'SURICATA' %}
 - bro
 {%- endif %}
+ - wazuh
 - filebeat
 - schedule
@@ -49,6 +50,8 @@ base:
 - logstash
 - kibana
 - elastalert
+ - wazuh
+ - filebeat
 - utility
 - schedule
 - fleet
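Review bot: The two branches differ only in the host directory of the client certificate and key, so the role switch reads better as one path variable: `{%- set pki = '/etc/pki' if grains['role'] == 'so-master' else '/opt/so/conf/filebeat/etc/pki' %}` followed by `- {{ pki }}/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro` and `- {{ pki }}/filebeat.key:/usr/share/filebeat/filebeat.key:ro`. Both mounts are `:ro`, which is right for a private key, but nothing in this state sets or checks the mode of `/etc/pki/filebeat.key` on the host; a `file.managed` restricting it to the account the container reads it as, or at least a comment naming the state expected to lay it down, would document the assumption. Note that `so-eval` takes the `else` branch here while patch 1 groups it with `so-sensor` in filebeat.yml, so if an eval box is also its own master, confirm the key also exists under /opt/so/conf/filebeat/etc/pki. The `so-filebeat` container definition starts before this hunk.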
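Review bot: The added `{%- elif grains['role'] == 'so-node' }` is missing the `%` before `}`, so as shown the template does not parse (Jinja rejects the stray `}`) and the file fails to render on every role, not just storage nodes; it should read `{%- elif grains['role'] == 'so-node' %}`, and the same typo appears twice in the ossec.conf hunk of patch 4. The new line uses `{% set ... %}` while the existing branch uses `{%- set ... %}`; keep the `-` so both branches strip whitespace identically, and check the rendered script actually begins with `#!/bin/bash`, since every line above the shebang is Jinja. There is no branch for `so-sensor` even though patch 3 applies the wazuh state to that role, and no `else`, so an unmatched role leaves `ip` unset and the registration command below presumably runs with an empty address; add the sensor branch and an `{%- else %}` that makes the failure visible. The rest of the script is outside the hunk.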
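Review bot: In this master section, as in the other two, `wazuh` is listed immediately before `filebeat`; that relative order matters because the filebeat container in salt/filebeat/init.sls bind-mounts /opt/so/wazuh/logs/alerts and /opt/so/wazuh/logs/archives, and top-file order is, by default, the order the states are applied when no requisites say otherwise (Docker would otherwise create missing bind-mount sources as root-owned directories). Record this in a comment so a later reorder does not break it, e.g. `- wazuh  # keep before filebeat: so-filebeat bind-mounts /opt/so/wazuh/logs`. Enabling `filebeat` on the master also depends on patch 1's role guard and /etc/pki mount, so these patches must land together; the enclosing `base:` mapping starts before the hunk.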
@@ -87,6 +90,8 @@ base:
 - logstash
 - elasticsearch
 - curator
+ - wazuh
+ - filebeat
 - schedule
 'G@role:mastersensor':
From 4db52ec8654b115e798db7ca498c32a098f76424 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 13 Dec 2018 17:56:51 +0000
Subject: [PATCH 4/5] Wazuh - Add logic for sensors
---
 salt/wazuh/files/agent/ossec.conf | 4 ++++
 salt/wazuh/files/agent/wazuh-register-agent | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index c89b9ce06..b4725075b 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,5 +1,9 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- elif grains['role'] == 'so-node' }
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+{%- elif grains['role'] == 'so-sensor' }
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
 {%- endif %}
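Review bot: This section (logstash, elasticsearch, curator — presumably the storage-node role) now gets `filebeat`, but with patch 1's guard such a node renders no Bro/Suricata inputs and takes the `else` branch of the certificate mount, so it needs `/opt/so/conf/filebeat/etc/pki/filebeat.crt` and `.key` on the host; nothing in this series shows a state producing those for a storage node, so either confirm the existing sensor certificate flow covers it or add the state that does. If `WAZUHENABLED` is not `'1'` on such a node the rendered filebeat.yml has no prospectors at all, which is worth a comment here saying what filebeat is expected to ship from a storage node (presumably only Wazuh logs). The enclosing `base:` mapping starts before the hunk.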