Merge pull request #55 from weslambert/master

More Wazuh updates

salt/filebeat/etc/filebeat.yml

@@ -12,6 +12,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
@@ -36,6 +37,7 @@ filebeat.prospectors:
     fields_under_root: true
     clean_removed: false
     close_removed: false
+{%- endif %}
 
 {%- if WAZUHENABLED == '1' %}
 
@@ -73,7 +75,6 @@ output.logstash:
   # Set gzip compression level.
   compression_level: 3
 
-
   # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
   ssl.enabled: true
 
@@ -97,7 +98,6 @@ output.logstash:
   # Client Certificate Key
   ssl.key: "/usr/share/filebeat/filebeat.key"
 
-
 # Elasticsearch template settings
 #setup.template.settings:
 

salt/filebeat/init.sls

@@ -63,8 +63,13 @@ so-filebeat:
       - /opt/so/log/suricata:/suricata:ro
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+{%- if grains['role'] == 'so-master' %}
+      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
+      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- else %}
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- endif %} 
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
     - watch:
       - file: /opt/so/conf/filebeat/etc

salt/firewall/init.sls

@@ -10,7 +10,7 @@
 
 {% elif grains['role'] == 'so-sensor'%}
 
-{%- set ip = salt['pillar.get']('node:mainip', '') %}
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
 
 {% endif %}
 

salt/top.sls

@@ -10,6 +10,7 @@ base:
     {%- if BROVER != 'SURICATA' %}
     - bro
     {%- endif %}
+    - wazuh
     - filebeat
     - schedule
 
@@ -49,6 +50,8 @@ base:
     - logstash
     - kibana
     - elastalert
+    - wazuh
+    - filebeat
     - utility
     - schedule
     - fleet
@@ -87,6 +90,8 @@ base:
     - logstash
     - elasticsearch
     - curator
+    - wazuh
+    - filebeat
     - schedule
 
   'G@role:mastersensor':

salt/wazuh/files/agent/ossec.conf

@@ -1,5 +1,9 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- elif grains['role'] == 'so-node' }
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+{%- elif grains['role'] == 'so-sensor' }
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
 {%- endif %} 
 <!--
   Wazuh - Agent - Default configuration for ubuntu 16.04

salt/wazuh/files/agent/wazuh-register-agent

@@ -1,4 +1,10 @@
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- elif grains['role'] == 'so-node' } 
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+{%- elif grains['role'] == 'so-sensor' }
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
+{%- endif %}
 #!/bin/bash
 
 ###