#!/bin/bash
#
# OSSEC container bootstrap. See the README for information on the environment
# variables expected by this script.
#
#
#
# Startup the services
#
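# Load the list of OSSEC directories that live on the persistent data volume
# (the DATA_DIRS array). Nothing below can be installed without it.
source /data_dirs.env || { echo "Cannot read /data_dirs.env" >&2; exit 1; }
FIRST_TIME_INSTALLATION=false
DATA_PATH=/var/ossec/data
# Seed each data directory from its *-template copy the first time the volume
# is used; directories that already exist on the volume are left untouched.
for ossecdir in "${DATA_DIRS[@]}"; do
  if [[ ! -e "${DATA_PATH}/${ossecdir}" ]]; then
    echo "Installing ${ossecdir}"
    # A half-copied data directory would be picked up as "installed" on the
    # next start, so a failed copy is fatal rather than silently ignored.
    cp -pr -- "/var/ossec/${ossecdir}-template" "${DATA_PATH}/${ossecdir}" \
      || { echo "Failed to install ${ossecdir}" >&2; exit 1; }
    FIRST_TIME_INSTALLATION=true
  fi
done
touch -- "${DATA_PATH}/process_list"
chgrp ossec -- "${DATA_PATH}/process_list"
chmod g+rw -- "${DATA_PATH}/process_list"
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
if [[ "$FIRST_TIME_INSTALLATION" == true ]]; then
  if [[ "$AUTO_ENROLLMENT_ENABLED" == true && ! -e "${DATA_PATH}/etc/sslmanager.key" ]]; then
    # Self-signed key and certificate for ossec-authd, valid for 10 years.
    # NOTE(review): the key is a long-lived credential; the recursive chmod
    # later in this script makes it group-readable (presumably for the ossec
    # group) -- confirm nothing else shares the data volume.
    echo "Creating ossec-authd key and cert"
    if ! openssl genrsa -out "${DATA_PATH}/etc/sslmanager.key" 4096 \
        || ! openssl req -new -x509 -key "${DATA_PATH}/etc/sslmanager.key" \
             -out "${DATA_PATH}/etc/sslmanager.cert" -days 3650 \
             -subj "/CN=${HOSTNAME}/"; then
      echo "Failed to create ossec-authd key and cert" >&2
    fi
  fi
  #
  # Support SYSLOG forwarding, if configured
  #
  # SYSLOG_FORWADING_ENABLED (sic) is the variable name existing deployments
  # use; the correctly spelled SYSLOG_FORWARDING_ENABLED is accepted as well.
  SYSLOG_FORWADING_ENABLED=${SYSLOG_FORWADING_ENABLED:-${SYSLOG_FORWARDING_ENABLED:-false}}
  if [[ "$SYSLOG_FORWADING_ENABLED" == true ]]; then
    if [[ -z "${SYSLOG_FORWARDING_SERVER_IP:-}" ]]; then
      echo "Cannot setup syslog forwarding because SYSLOG_FORWARDING_SERVER_IP is not defined" >&2
    else
      SYSLOG_FORWARDING_SERVER_PORT=${SYSLOG_FORWARDING_SERVER_PORT:-514}
      SYSLOG_FORWARDING_FORMAT=${SYSLOG_FORWARDING_FORMAT:-default}
      # Build the XML block with real newlines and hand it to perl through the
      # environment, so operator-supplied values are never parsed as part of
      # the perl program or the substitution pattern. The values are inserted
      # verbatim (no XML escaping).
      SYSLOG_XML_SNIPPET=$(printf '<syslog_output>\n<server>%s</server>\n<port>%s</port>\n<format>%s</format>\n</syslog_output>' \
        "$SYSLOG_FORWARDING_SERVER_IP" "$SYSLOG_FORWARDING_SERVER_PORT" "$SYSLOG_FORWARDING_FORMAT")
      export SYSLOG_XML_SNIPPET
      # Rewrite into a temporary file and replace ossec.conf only when the
      # rewrite succeeded, so a failed perl run cannot leave an empty config.
      if perl -pe 's,<ossec_config>,<ossec_config>\n$ENV{SYSLOG_XML_SNIPPET}\n,' \
          /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf-new; then
        mv -f /var/ossec/etc/ossec.conf-new /var/ossec/etc/ossec.conf
        chgrp ossec /var/ossec/etc/ossec.conf
        /var/ossec/bin/ossec-control enable client-syslog
      else
        rm -f /var/ossec/etc/ossec.conf-new
        echo "Failed to add syslog forwarding to ossec.conf" >&2
      fi
    fi
  fi
fi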
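#######################################
# Stop OSSEC and, when auto-enrollment is on, the ossec-authd process that
# this script started in the background.
# Globals:   AUTO_ENROLLMENT_ENABLED (read), AUTHD_PID (read)
# Outputs:   whatever ossec-control prints
# Returns:   status of the last command run
#######################################
ossec_shutdown() {
  /var/ossec/bin/ossec-control stop
  # AUTHD_PID is only set when ossec-authd was actually launched; guard it so
  # a bare "kill" with no argument is never issued.
  if [[ "${AUTO_ENROLLMENT_ENABLED:-}" == true && -n "${AUTHD_PID:-}" ]]; then
    kill "$AUTHD_PID" 2>/dev/null
  fi
}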
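# Trap exit signals and do a proper shutdown. bash defers a trap while a
# foreground command is running, so the final "tail -f" is run in the
# background and waited on below; with tail in the foreground, SIGTERM (e.g.
# docker stop) would never reach the handler and ossec-control stop would not
# run before the container is killed.
trap 'ossec_shutdown; [[ -n "${TAIL_PID:-}" ]] && kill "$TAIL_PID" 2>/dev/null; exit' SIGINT SIGTERM
# :? aborts instead of running a recursive chmod on "/" if DATA_PATH is empty.
chmod -R g+rw -- "${DATA_PATH:?DATA_PATH must be set}"
if [[ "${AUTO_ENROLLMENT_ENABLED:-}" == true ]]; then
  echo "Starting ossec-authd..."
  # AUTHD_OPTIONS is intentionally word-split: it carries extra ossec-authd
  # flags supplied by the environment.
  # shellcheck disable=SC2086
  /var/ossec/bin/ossec-authd -p 1515 -g ossec ${AUTHD_OPTIONS:-} >/dev/null 2>&1 &
  AUTHD_PID=$!
fi
# Kept from the original: nothing below checks a status, so this presumably
# just lets ossec-authd settle before the rest of the stack is started.
sleep 15
/etc/init.d/logstash start
/etc/init.d/elasticsearch start
/etc/init.d/kibana restart
echo "Waiting 60 seconds until logstash and elasticsearch start to run"
sleep 60
# The installer is executed from /tmp, where the image build placed it; the
# chained cd makes sure it is not run from some other directory if that fails.
cd /tmp && python wazuh_kibana_installer.py
## Update rules and decoders with Wazuh Ruleset
cd /var/ossec/update/ruleset && python ossec_ruleset.py
/usr/bin/nodejs /var/ossec/api/app.js > /var/ossec/api/api.log &
service ossec restart
# Background tail + wait: see the trap comment above.
tail -f /var/ossec/logs/ossec.log &
TAIL_PID=$!
wait "$TAIL_PID"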