From a80eed24a9db6f3343b0c92534f925b694ed9840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz?= <alejandro.ruiz.becerra@wazuh.com>
Date: Fri, 14 Jun 2024 12:00:18 +0200
Subject: [PATCH] Add Manager to Splunk integration (#268)

---
 integrations/docker/manager-splunk.yml        | 172 ++++++++++++++++++
 integrations/splunk/README.md                 |  11 +-
 .../logstash/pipeline/manager-to-splunk.conf  |  24 +++
 3 files changed, 205 insertions(+), 2 deletions(-)
 create mode 100644 integrations/docker/manager-splunk.yml
 create mode 100644 integrations/splunk/logstash/pipeline/manager-to-splunk.conf

diff --git a/integrations/docker/manager-splunk.yml b/integrations/docker/manager-splunk.yml
new file mode 100644
index 0000000000000..532eb73374b7f
--- /dev/null
+++ b/integrations/docker/manager-splunk.yml
@@ -0,0 +1,172 @@
+name: "manager-splunk-integration"
+
+services:
+  events-generator:
+    image: wazuh/indexer-events-generator
+    build:
+      context: ../tools/events-generator
+    depends_on:
+      wazuh.indexer:
+        condition: service_healthy
+    command: bash -c "python run.py -o filebeat"
+    volumes:
+      - alerts:/var/ossec/logs/alerts/
+
+  wazuh.manager:
+    image: wazuh/wazuh-manager:${WAZUH_VERSION}
+    hostname: wazuh.manager
+    restart: always
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 655360
+        hard: 655360
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=admin
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+      - LOG_LEVEL=info
+      - MONITORING_ENABLED=false
+    volumes:
+      - ./certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+      - ./certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+      - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+      - alerts:/var/ossec/logs/alerts/
+
+  wazuh.indexer:
+    image: opensearchproject/opensearch:2.12.0
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    hostname: wazuh.indexer
+    ports:
+      - 9200:9200
+    environment:
+      - node.name=wazuh.indexer
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - plugins.security.ssl.http.enabled=true
+      - plugins.security.allow_default_init_securityindex=true
+      - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+      - compatibility.override_main_response_version=true
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    healthcheck:
+      test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+      start_period: 10s
+      start_interval: 3s
+    volumes:
+      - data:/usr/share/opensearch/data
+      - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+      - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+  wazuh-certs-generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+    volumes:
+      - ./certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml
+
+  logstash:
+    depends_on:
+      splunk:
+        condition: service_healthy
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    image: logstash-oss:8.6.2
+    build:
+      dockerfile: ../elastic/Dockerfile
+      context: ../splunk
+    environment:
+      LOG_LEVEL: info
+      MONITORING_ENABLED: false
+    volumes:
+      - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline
+      - ./certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - alerts:/var/ossec/logs/alerts/
+    command: logstash -f /usr/share/logstash/pipeline/manager-to-splunk.conf
+
+  # ================================================
+  # Splunk
+  # ================================================
+
+  generator:
+    image: cfssl/cfssl
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    volumes:
+      - ./certs/:/certs/
+      - ../splunk/cfssl/:/conf/
+    entrypoint: /bin/bash
+    command: >
+      -c '
+        cd /certs
+      	cat /conf/host.json | \
+      	cfssl gencert \
+      		-ca root-ca.pem \
+      		-ca-key root-ca.key \
+      		-config /conf/cfssl.json \
+      		-profile=server - | \
+      	cfssljson -bare splunk
+      	openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key
+        rm splunk.csr
+        cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem
+        chown -R 1000:1000 /certs/splunk*
+      '
+
+  splunk:
+    image: splunk/splunk:9.0.4
+    volumes:
+      - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key
+      - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem
+      - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem
+      - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
+      - ../splunk/config/default.yml:/tmp/defaults/default.yml
+    depends_on:
+      generator:
+        condition: service_completed_successfully
+    ports:
+      - '8000:8000'
+      - '8088:8088'
+    environment:
+      SPLUNK_HEC_TOKEN: "abcd1234"
+      SPLUNK_HOSTNAME: splunk
+      SPLUNK_HTTP_ENABLESSL: 'true'
+      SPLUNK_PASSWORD: Password.1234
+      SPLUNK_STANDALONE_URL: https://splunk:8080
+      SPLUNK_START_ARGS: --accept-license
+
+volumes:
+  data:
+  es_certs:
+  alerts:
\ No newline at end of file
diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md
index 203ea83457114..5e1bdbdccfb5b 100644
--- a/integrations/splunk/README.md
+++ b/integrations/splunk/README.md
@@ -13,14 +13,18 @@ This document describes how to prepare a Docker Compose environment to test the
    ```bash
    docker compose -f ./docker/splunk.yml up -d
    ```
+3. If you prefer, you can start the integration with the Wazuh Manager as data source:
+   ```bash
+   docker compose -f ./docker/manager-splunk.yml up -d
+   ```
 
 The Docker Compose project will bring up the following services:
 
 - 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
 - 1x Wazuh Indexer (OpenSearch).
-- 1x Wazuh Dashboards (OpenSearch Dashboards).
 - 1x Logstash
 - 1x Splunk
+- 1x Wazuh Manager (optional).
 
 For custom configurations, you may need to modify these files:
 
@@ -28,12 +32,15 @@ For custom configurations, you may need to modify these files:
 - [docker/.env](../docker/.env): Environment variables file.
 - [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file.
 
+If you opted to start the integration with the Wazuh Manager, you can modify the following files:
+- [docker/manager-splunk.yml](../docker/manager-splunk.yml): Docker Compose file.
+- [splunk/logstash/pipeline/manager-to-splunk.conf](./logstash/pipeline/manager-to-splunk.conf): Logstash Pipeline configuration file.
+
 Check the files above for **credentials**, ports, and other configurations.
 
 | Service          | Address                | Credentials         |
 | ---------------- | ---------------------- | ------------------- |
 | Wazuh Indexer    | https://localhost:9200 | admin:admin         |
-| Wazuh Dashboards | https://localhost:5601 | admin:admin         |
 | Splunk           | https://localhost:8000 | admin:Password.1234 |
 
 ## Importing the dashboards
diff --git a/integrations/splunk/logstash/pipeline/manager-to-splunk.conf b/integrations/splunk/logstash/pipeline/manager-to-splunk.conf
new file mode 100644
index 0000000000000..8953866646b7a
--- /dev/null
+++ b/integrations/splunk/logstash/pipeline/manager-to-splunk.conf
@@ -0,0 +1,24 @@
+input {
+    file {
+        id => "wazuh_alerts"
+        codec => "json"
+        start_position => "beginning"
+        stat_interval => "1 second"
+        path => "/var/ossec/logs/alerts/alerts.json"
+        mode => "tail"
+        ecs_compatibility => "disabled"
+    }
+}
+
+
+output {
+    http {
+        format => "json"
+        http_method => "post"
+        url => "https://splunk:8088/services/collector/raw"
+        headers => ["Authorization", "Splunk abcd1234"]
+        cacert => "/etc/ssl/root-ca.pem"
+    }
+    stdout{}
+}
+