How to retrieve OSSEC's log alerts into Elasticsearch (ELK)? - elastic-stack

I have tried this tutorial. But it didn't catch the OSSEC log (alerts, syslog, etc); it just gives me this message in my Kibana app.
Couldn't find any Elasticsearch data
You'll need to index some data into Elasticsearch before you can create an index pattern.
I know that there are tutorials like this, but they require the Wazuh package and I don't want to use it; I just want to use pure OSSEC. My OSSEC and ELK apps are located on the same machine.
My question is: how can I integrate OSSEC with ELK? What configuration do I have to do first before connecting OSSEC to ELK?

You need to load the data template so that Elasticsearch can understand the format of the alert data. You can use the one made by Wazuh, or you could download it and modify it to "make your own". If you go down this road you will eventually end up trying to re-write Wazuh, which you don't need to do because it is open source. You can just download all the source files and do whatever you want with them.
Command to load template:
curl https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
Download Template:
https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json
-OR-
You could just spin up a Docker container that is ready to go:
https://github.com/wazuh/docker-ossec-elk
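Loading the template only tells Elasticsearch how to map the fields; nothing in the steps above actually ships alerts into an index, which is why Kibana still reports no data. The script below is an added example, not code from the page or from OSSEC or Wazuh: it reads lines from OSSEC's own alerts.json (produced when the jsonout_output global option is enabled in ossec.conf, available since OSSEC 2.9 as far as I know), renames the OSSEC fields into the layout the Wazuh template maps (rule.id, rule.level, rule.description, rule.groups, agent.name and an ISO timestamp), skips malformed lines instead of aborting the whole batch, and emits an NDJSON body for the _bulk API. The sample lines are constructed; the OSSEC field names (TimeStamp in milliseconds, rule.sidid, rule.comment, rule.group), the daily index pattern wazuh-alerts-3.x-* and the mapping type name wazuh are assumptions from my reading of OSSEC and of the template, and should be checked against your own alerts.json and the template JSON you loaded.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in the layout OSSEC's jsonout_output writes to
# /var/ossec/logs/alerts/alerts.json (assumption: verify against your own
# file). The second line is deliberately malformed.
SAMPLE_ALERTS = """\
{"rule":{"level":5,"comment":"sshd: authentication failed.","sidid":5716,"group":"syslog,sshd,authentication_failed,"},"id":"1525177200.12345","TimeStamp":1525177200000,"location":"/var/log/auth.log","full_log":"May  1 12:20:00 web1 sshd[4242]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2","hostname":"web1","srcip":"203.0.113.9"}
this line is not JSON and must be skipped
{"rule":{"level":3,"comment":"Login session opened.","sidid":5501,"group":"pam,syslog,authentication_success,"},"id":"1525177260.12400","TimeStamp":1525177260000,"location":"/var/log/auth.log","full_log":"May  1 12:21:00 web1 sshd[4250]: pam_unix(sshd:session): session opened for user deploy by (uid=0)","hostname":"web1"}
"""

# Assumptions about the Wazuh template: one index per day under this prefix
# and a single mapping type named "wazuh" (check index_patterns and mappings
# in the template JSON you loaded).
INDEX_PREFIX = "wazuh-alerts-3.x-"
DOC_TYPE = "wazuh"


def normalize(alert):
    """Map one OSSEC alert dict to the field names the Wazuh template maps.

    Returns (document, timestamp). Raises KeyError/TypeError on bad input.
    """
    rule = alert["rule"]
    ts = datetime.fromtimestamp(alert["TimeStamp"] / 1000.0, tz=timezone.utc)
    doc = {
        "timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "rule": {
            "id": str(rule["sidid"]),
            "level": int(rule["level"]),
            "description": rule.get("comment", ""),
            # OSSEC emits groups as a comma-terminated string; the template maps a list
            "groups": [g for g in rule.get("group", "").split(",") if g],
        },
        "agent": {"name": alert.get("hostname", "")},
        "location": alert.get("location", ""),
        "full_log": alert.get("full_log", ""),
    }
    for field in ("srcip", "dstip", "dstuser", "program_name"):
        if field in alert:
            doc[field] = alert[field]
    return doc, ts


def index_name(ts):
    """Daily index, e.g. wazuh-alerts-3.x-2018.05.01."""
    return INDEX_PREFIX + ts.strftime("%Y.%m.%d")


def bulk_actions(lines):
    """Parse alerts.json lines into [(bulk metadata, document)].

    Malformed lines are counted and skipped so one bad record does not
    stop the batch. Returns (actions, skipped_count).
    """
    actions, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            doc, ts = normalize(alert)
            meta = {"index": {"_index": index_name(ts), "_type": DOC_TYPE,
                              "_id": str(alert["id"])}}
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        actions.append((meta, doc))
    return actions, skipped


def to_bulk_body(lines):
    """NDJSON body for POST /_bulk (send with Content-Type: application/x-ndjson)."""
    actions, skipped = bulk_actions(lines)
    body = "".join(json.dumps(m) + "\n" + json.dumps(d) + "\n" for m, d in actions)
    return body, skipped


if __name__ == "__main__":
    body, skipped = to_bulk_body(SAMPLE_ALERTS.splitlines())
    print(body, end="")
    print("skipped %d malformed line(s)" % skipped)
```

Pipe the output into the bulk endpoint, for example python3 ossec_bulk.py | curl -XPOST 'http://localhost:9200/_bulk' -H 'Content-Type: application/x-ndjson' --data-binary @-, and look for "errors": true in the response, which is how a mismatch between your documents and the template's mapping shows up. For a running system you still need something that tails the file continuously (Filebeat or Logstash are the usual choices); this script only shows what the indexed documents have to look like.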

Related

Trying to debug a spring dataflow stream deployed in kubernetes

I have successfully deployed a stream using Spring Dataflow in EKS, but I need to debug an application of the stream.
I have set up spring.cloud.deployer.kubernetes.environment-variables: JAVA_TOOL_OPTIONS='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000' in the application I want to debug, and the application starts and is listening on that port.
Is there any property to tell kubernetes to map this port and make it accessible?
Thank you.
Try this:
And then try a kubectl port-forward:
kubectl port-forward service/YOUR_SERVICE_NAME HOST_PORT:SERVICE_PORT
The documentation is really complete btw, there's a lot of information here:
https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/
Thanks @bguess for pointing me in the right direction.
Finally this is what I have done:
When we are going to deploy with the web interface, we click the edit button of the application we want to debug:
and add JAVA_TOOL_OPTIONS='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000' to environment-variables.
In my case I have Kubernetes on AWS deployed in private mode, and the only way I have found at this moment is to create a LoadBalancer for the application. I know it is insecure but it's enough for my needs.
Finally, as @bguess pointed out, we have to add our debug port to servicePorts; this property isn't in the list when we push the edit button in the application, so we have to write it:
So this is the way to configure with the web interface.
If we want to use a terminal in Linux or similar, we can do these steps:
definition="app-source | app-process | app-sink"
curl "$scdf_url/streams/definitions" --write-out '%{http_code}' --silent --output /dev/null -X POST --data-urlencode "name=poc-stream" --data-urlencode "definition=$definition" --data-urlencode "deploy=false"
Where definition is our stream definition and scdf_url is the Spring Cloud Dataflow server URL. After the curl call we will have our stream created but undeployed. To deploy it with the debug configuration:
properties="$(cat << EOF
{
"deployer.app-source.kubernetes.environment-variables":
"JAVA_TOOL_OPTIONS='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000'",
"deployer.app-source.kubernetes.servicePorts":"8000",
"deployer.app-source.kubernetes.create-load-balancer":"true"
}
EOF
)"
curl "$scdf_url/streams/deployments/poc-stream" --write-out '%{http_code}' --silent --output /dev/null -X POST -H "Content-Type: application/json" -d "$properties"
And that's the way I have configured it.
Additionally, you will have to increase the inactivity timeout of the LoadBalancer because its value is 60s and after that time it will disconnect you.

IBM Urbancode Deploy get current component versions deployed to an environment

I am trying to get the current version of a component that is deployed to an environment in UCD via the REST API / a curl command. Below is sample code which returns all versions of that component available in UCD. It does not give me the latest version of that component deployed to an environment. Any help / suggestion?
curl -k -u userName:passw0rd \
-H "Accept: application/json" \
"https://myserver.example.com:8443/rest/deploy/environment/{environmentID}/versions/{componentID}"
uDeploy has a bunch of api endpoints that are undocumented. I could not figure out how to do this from their docs but inspecting the uDeploy web interface many times can help you find the endpoint to hit.
https://{your-udeploy-url}/rest/deploy/environment/{your-environment-id}/latestDesiredInventory/true?rowsPerPage=10000&pageNumber=1&orderField=name&sortType=desc
This will return json that you can parse to get the versions deployed in an environment.

Deploy and run a Go API server on Ubuntu/Centos

I just finished my first backend with Go using Iris framework but now I need to put it on production so I can use it in the Slack app I built.
In order to test the code locally I only run my file with go run main.go and ngrok to test with the Slack API, it's working and it's finished.
I have a droplet with Ubuntu 16.04.3 and another one with CentOS 7... I was searching for something like pm2 for Go, running the server and using nginx to point to that port, but I read that with Go it's different and I have to use something like this https://fabianlee.org/2017/05/21/golang-running-a-go-binary-as-a-systemd-service-on-ubuntu-16-04/
But that's a very long configuration for a simple server and my questions are:
Is this the usual way to config the APIs with Go?
Apart from DigitalOcean, do you recommend a different service to run my API?
This is really my first time with Go and I just want to learn more, I am a backend developer with Laravel and NodeJS.
You can use pm2 if you want. When you build a Go project it creates a binary executable, let's say backend-server, which you can run from the terminal, and it will start the app like this:
$ ./backend-server
If it's not executable or has permission denied issue, add the executable permission to it.
$ chmod +x backend-server
Your binary should be ready to run. I like to do it with a JSON config file (process.json) so that I can pass extra env variables as well and don't have to type a lot in the terminal.
My process.json looks something like this:
{
"apps" : [{
"name" : "backend-app",
"script" : "./backend-server",
"env": {
"DB_USER": "db_user",
"PORT": 8080
}
}]
}
Finally you can start the app using pm2 like this:
$ pm2 start process.json
More details about the JSON config can be found in the official docs.
I think most people use Supervisor for this purpose, including me.
To make it very easy for you, just take a look at my Golang project, isaac-racing-server and use it as a template for yours by replacing isaac-racing-server with the name of your app. (The Supervisor files are in a subdirectory.)

Copy graphite dashboard to another graphite dashboard

I have a production graphite dashboard. I've saved some graphs under the tag abc so that you can access it using http://prod-graphite.com/dashboard/abc.
I've another dashboard for staging hosted on different server. Let's say the URL is http://staging-graphite.com/dashboard/.
I want to copy all the graphs of prod /abc to staging as I don't want to go through the trouble of creating 20 graphs again. I've tried the Copy Dashboard feature provided by Graphite but it is not working. Nothing happens when I enter the prod URL. Any help?
GET/POST http://your.graphite.host/dashboard/load/YOUR_DASHBOARD_NAME gives you a dump of the specified dashboard. It returns JSON with state as the root object, which holds the dashboard's structure.
POST http://your.graphite.host/dashboard/save/NEW_DASHBOARD_NAME lets you save data as a new dashboard. It requires a state parameter with the dashboard's structure.
One-liner that fetches the dump, prepares the body and saves it:
curl -o- http://graphite.host/dashboard/load/DASH_NAME | \
python3 -c "import json,sys,urllib.parse;o=json.load(sys.stdin);print('state=%s' % urllib.parse.quote(json.dumps(o['state'])))" | \
curl -X POST http://graphite.host/dashboard/save/COPY_OF_DASH_NAME -d @-
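The same load-then-save round trip as an added example in Python 3 (not code from the page or from Graphite): it copies between two different servers, which is what the question actually needs, refuses to post anything when the load response does not contain state (for example when the source dashboard does not exist), and takes the HTTP transport as a parameter so the flow can be exercised offline against the constructed FakeGraphite stub. The base URLs are the ones from the question; the stub's response bodies are assumptions, not taken from Graphite's source.

```python
import json
from urllib.parse import parse_qs, quote_plus
from urllib.request import Request, urlopen


def http(url, data=None):
    """Default transport: GET when data is None, otherwise a form-encoded POST.

    Returns the response body as text. Replace with a session that carries
    auth headers if your Graphite sits behind a login.
    """
    req = Request(url, data=data, method="POST" if data is not None else "GET")
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def build_save_body(dump_text):
    """Turn the /dashboard/load response into the body /dashboard/save expects."""
    dump = json.loads(dump_text)
    if "state" not in dump:
        raise ValueError("no 'state' in load response: %s" % dump_text[:120])
    return "state=" + quote_plus(json.dumps(dump["state"]))


def copy_dashboard(src_base, name, dst_base, new_name, transport=http):
    """Load dashboard `name` from src_base and save it as `new_name` on dst_base."""
    dump = transport("%s/dashboard/load/%s" % (src_base.rstrip("/"), quote_plus(name)))
    body = build_save_body(dump).encode("utf-8")
    return transport("%s/dashboard/save/%s" % (dst_base.rstrip("/"), quote_plus(new_name)),
                     data=body)


class FakeGraphite:
    """Constructed stand-in for both Graphite hosts so the copy runs offline.

    Response shapes are assumptions, not taken from Graphite's source.
    """

    def __init__(self, dashboards):
        self.dashboards = dict(dashboards)   # what the "prod" side serves
        self.saved = {}                      # what the "staging" side received

    def __call__(self, url, data=None):
        if data is None:
            name = url.rsplit("/dashboard/load/", 1)[1]
            if name not in self.dashboards:
                return json.dumps({"error": "Dashboard '%s' does not exist." % name})
            return json.dumps({"state": self.dashboards[name]})
        name = url.rsplit("/dashboard/save/", 1)[1]
        state = parse_qs(data.decode("utf-8"))["state"][0]
        self.saved[name] = json.loads(state)
        return json.dumps({"success": True})


if __name__ == "__main__":
    fake = FakeGraphite({"abc": {"name": "abc", "graphs": [], "refreshConfig": {"enabled": False}}})
    print(copy_dashboard("http://prod-graphite.com", "abc",
                         "http://staging-graphite.com", "abc", transport=fake))
    print(fake.saved)
```

With the default transport, copy_dashboard("http://prod-graphite.com", "abc", "http://staging-graphite.com", "abc") does the real copy; the save endpoint overwrites an existing dashboard of the same name, so pick new_name deliberately.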

How do you access a MongoDB database from two Openshift apps?

I want to be able to access my MongoDB database from 2 Openshift apps- one app is an interactive database maintenance app via the browser, the other is the principle web application which runs on mobile devices via an Openshift app. As I see it in Openshift, MongoDB gets set up within a particular app's folder space, not independent of that space.
What would be the method to accomplish this multiple app access to the database ?
It's not ideal but is my only choice to merge the functionality of both Openshift apps into one ? That's tastes like a bad plate of spaghetti.
2018 update: this applies to OpenShift 2. Version 3 is very different, and although the general rules of Linux and scaling apply, the details are obsolete.
Although @MartinB's answer was timely and correct, it's just a link, so let me put the essentials here.
Assuming that setting up a non-shared DB is already done, you need to find its host and port. You can ssh to your app (the one with the DB) or use rhc:
rhc ssh -a appwithdb
env | grep MONGODB
env brings all the environment variables, and grep filters them to show only Mongo-related ones. You should see something like:
OPENSHIFT_MONGODB_DB_HOST=xxxxx-yyyyy.apps.osecloud.com
OPENSHIFT_MONGODB_DB_PORT=zzzzz
xxxxx is the ID of the gear that Mongo sits on
yyyyy is your domain/namespace
zzzzz is MongoDB port
Now, you can use these to create a connection to the DB from anywhere in your Openshift environment. Another application has to use the xxxxx-yyyyy:zzzzz URL. You can store them in custom variables to make maintenance easier.
$ rhc env-set \
MYOWN_DB_HOST=xxxxx-yyyyy \
MYOWN_DB_PORT=zzzzz \
MYOWN_DB_PASSWORD=****** \
MYOWN_DB_USERNAME=admin..... \
MYOWN_DB_NAME=dbname...
And then use the environment variables instead of the standard ones. Just remember they don't get updated automatically when the DB moves away.
Please read the following article from the OpenShift blog: https://blog.openshift.com/sharing-database-across-applications/
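As an added example (not from the page or from OpenShift), here is how the second app would turn those variables into a connection string: it prefers the MYOWN_* names set with rhc env-set and falls back to the cartridge's OPENSHIFT_MONGODB_* ones, percent-encodes the username and password so that an @, : or / inside the password cannot be mistaken for the host separator, validates the port, and redacts the password before the URI goes into a log line. The sample environment is constructed, and the OPENSHIFT_MONGODB_DB_USERNAME, OPENSHIFT_MONGODB_DB_PASSWORD and OPENSHIFT_APP_NAME fallbacks are assumptions to confirm with env | grep MONGODB on the gear.

```python
import os
from urllib.parse import quote

# Constructed sample environment standing in for `env | grep MONGODB` output
# plus the custom variables set with `rhc env-set` (all values are made up).
SAMPLE_ENV = {
    "OPENSHIFT_MONGODB_DB_HOST": "5a1b2c3d4e5f-mynamespace.apps.osecloud.com",
    "OPENSHIFT_MONGODB_DB_PORT": "27017",
    "OPENSHIFT_APP_NAME": "appwithdb",
    "MYOWN_DB_HOST": "5a1b2c3d4e5f-mynamespace",
    "MYOWN_DB_PORT": "27017",
    "MYOWN_DB_USERNAME": "admin",
    "MYOWN_DB_PASSWORD": "p@ss:w/rd",
    "MYOWN_DB_NAME": "dbname",
}

# Preference order: the custom MYOWN_* variables first, then the cartridge's
# own names. The username/password/app-name fallbacks are assumptions.
FALLBACKS = {
    "host": ("MYOWN_DB_HOST", "OPENSHIFT_MONGODB_DB_HOST"),
    "port": ("MYOWN_DB_PORT", "OPENSHIFT_MONGODB_DB_PORT"),
    "user": ("MYOWN_DB_USERNAME", "OPENSHIFT_MONGODB_DB_USERNAME"),
    "password": ("MYOWN_DB_PASSWORD", "OPENSHIFT_MONGODB_DB_PASSWORD"),
    "db": ("MYOWN_DB_NAME", "OPENSHIFT_APP_NAME"),
}


def lookup(env, key):
    """First non-empty variable from the fallback list for `key`."""
    for name in FALLBACKS[key]:
        value = env.get(name)
        if value:
            return value
    raise KeyError("none of %s is set" % ", ".join(FALLBACKS[key]))


def mongo_uri(env=None):
    """Build mongodb://user:password@host:port/db from the environment.

    Username and password are percent-encoded (nothing left safe) so that
    ':' '@' or '/' inside them cannot break the URI or be parsed as a host.
    """
    env = os.environ if env is None else env
    port = int(lookup(env, "port"))
    if not 1 <= port <= 65535:
        raise ValueError("bad MongoDB port: %d" % port)
    return "mongodb://%s:%s@%s:%d/%s" % (
        quote(lookup(env, "user"), safe=""),
        quote(lookup(env, "password"), safe=""),
        lookup(env, "host"), port, lookup(env, "db"))


def redact(uri):
    """Replace the password with *** so the URI can be logged safely."""
    scheme, rest = uri.split("://", 1)
    creds, hostpart = rest.rsplit("@", 1)
    user = creds.split(":", 1)[0]
    return "%s://%s:***@%s" % (scheme, user, hostpart)


if __name__ == "__main__":
    # Pass nothing to read the real process environment on the gear.
    print(redact(mongo_uri(SAMPLE_ENV)))
```

Because redact splits on the last @, it only works on URIs produced by mongo_uri (where the password is encoded); do not feed it a hand-written URI with a raw @ in the password.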