Init. Amazon Security Lake integration (#143)

* Init. Amazon Security Lake integration Signed-off-by: Álex Ruiz <[email protected]>
wazuh · Jan 31, 2024 · 620d8b6 · 620d8b6
1 parent a87a6fb
commit 620d8b6
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md
@@ -0,0 +1,49 @@
+### Amazon Security Lake integration - Logstash
+
+Follow the [Wazuh indexer integration using Logstash](https://documentation.wazuh.com/current/integrations-guide/opensearch/index.html#wazuh-indexer-integration-using-logstash)
+to install `Logstash` and the `logstash-input-opensearch` plugin.
+
+> RPM: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html#_yum
+```markdown
+
+# Install plugins (logstash-output-s3 is already installed)
+sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
+
+# Copy certificates
+mkdir -p /etc/logstash/wi-certs/
+cp /etc/wazuh-indexer/certs/root-ca.pem /etc/logstash/wi-certs/root-ca.pem
+chown logstash:logstash /etc/logstash/wi-certs/root-ca.pem
+
+# Configuring new indexes
+SKIP
+
+# Configuring a pipeline
+
+# Keystore
+## Prepare keystore
+set +o history
+echo 'LOGSTASH_KEYSTORE_PASS="123456"'| sudo tee /etc/sysconfig/logstash
+export LOGSTASH_KEYSTORE_PASS=123456
+set -o history
+sudo chown root /etc/sysconfig/logstash
+sudo chmod 600 /etc/sysconfig/logstash
+sudo systemctl start logstash
+
+## Create keystore
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
+
+## Store Wazuh indexer credentials (admin user)
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
+sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD
+
+# Pipeline
+sudo touch /etc/logstash/conf.d/wazuh-s3.conf
+# Replace with cp /vagrant/wazuh-s3.conf /etc/logstash/conf.d/wazuh-s3.conf
+sudo systemctl stop logstash
+sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-s3.conf --path.settings /etc/logstash/
+    |- Success: `[INFO ][logstash.agent           ] Pipelines running ...`
+
+# Start Logstash
+sudo systemctl enable logstash
+sudo systemctl start logstash
+```
diff --git a/integrations/amazon-security-lake/wazuh-s3.conf b/integrations/amazon-security-lake/wazuh-s3.conf
@@ -0,0 +1,34 @@
+input {
+   opensearch {
+      hosts =>  ["localhost:9200"]
+      user  =>  "${WAZUH_INDEXER_USERNAME}"
+      password  =>  "${WAZUH_INDEXER_PASSWORD}"
+      index =>  "wazuh-alerts-4.x-*"
+      ssl => true
+      ca_file => "/etc/logstash/wi-certs/root-ca.pem"
+      query =>  '{
+            "query": {
+               "range": {
+                  "@timestamp": {
+                     "gt": "now-1m"
+                  }
+               }
+            }
+      }'
+      schedule => "* * * * *"
+   }
+}
+
+output {
+   stdout { codec => rubydebug }
+   s3 {
+      access_key_id => "<aws-access-key>"
+      secret_access_key => "<aws-secret-key>"
+      region => "<your-region>"
+      server_side_encryption => true
+      server_side_encryption_algorithm => "AES256"
+      bucket => "wazuh-indexer-amazon-security-lake-bucket"
+      canned_acl => "bucket-owner-full-control"
+      codec => "json"
+   }
+}