Migrate wazuh.yml configuration to opensearch_dashboard.yml #339

Open
Tracked by #164 ...
asteriscos opened this issue Oct 2, 2024 · 7 comments · May be fixed by wazuh/wazuh-dashboard-plugins#7175
Labels
level/task Task issue type/enhancement New feature or request

Comments

@asteriscos
Member

asteriscos commented Oct 2, 2024

Description

As part of the Reporting revamp objective, we need to migrate the wazuh.yml configuration to the opensearch_dashboard.yml file. Moreover, we want to rename the opensearch_dashboard.yml file to wazuh_dashboard.yml.

Objective

References

@asteriscos asteriscos mentioned this issue Oct 2, 2024
4 tasks
@asteriscos asteriscos added level/task Task issue type/enhancement New feature or request labels Oct 2, 2024
@wazuhci wazuhci moved this to Triage in Release 5.0.0 Oct 2, 2024
@wazuhci wazuhci moved this from Triage to Backlog in Release 5.0.0 Oct 21, 2024
@asteriscos asteriscos mentioned this issue Nov 12, 2024
11 tasks
@Machi3mfl Machi3mfl self-assigned this Nov 22, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 5.0.0 Nov 22, 2024
@Machi3mfl
Member

Machi3mfl commented Nov 27, 2024

Moving the host's config to the opensearch_dashboards.yml

When we move the config from wazuh.yml to opensearch_dashboard.yml, the plugin name must be placed before the configuration name. In this case, as the configuration will be used in the core plugin, the configuration will be preceded by the word wazuh_core (it must always match the plugin name).

After

```yaml
wazuh_core.hosts:
  manager:
    url: 'https://wazuh.manager'
    port: 55000
    username: wazuh-wui
    password: API_PASSWORD
    run_as: false
```

Before

```yaml
hosts:
  - manager:
      url: 'https://wazuh.manager'
      port: 55000
      username: wazuh-wui
      password: API_PASSWORD
      run_as: false
```
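
The list-to-map change shown above can drop entries silently when two list items share an ID. The following is an added example, not code from the issue or from the Wazuh plugins: a hypothetical `migrateHosts` helper that converts the already-parsed `hosts` list into the `wazuh_core.hosts` map and reports duplicate IDs, missing fields, non-HTTPS URLs and bad ports. The function name, the checks and the sample input are assumptions.

```typescript
// Added example. Shapes follow the "Before"/"After" YAML above, already parsed into objects.
interface HostEntry {
  url: string;
  port: number;
  username: string;
  password: string;
  run_as: boolean;
}
type LegacyHosts = Array<{ [id: string]: HostEntry }>; // wazuh.yml: list of single-key maps
type HostsById = { [id: string]: HostEntry }; // wazuh_core.hosts: map keyed by host ID

const REQUIRED: Array<keyof HostEntry> = ['url', 'port', 'username', 'password', 'run_as'];

function migrateHosts(legacy: LegacyHosts): { config: { 'wazuh_core.hosts': HostsById }; problems: string[] } {
  const hosts: HostsById = {};
  const problems: string[] = [];
  legacy.forEach((item, index) => {
    const ids = Object.keys(item);
    if (ids.length !== 1) {
      problems.push('hosts[' + index + ']: expected one host ID, found ' + ids.length);
      return;
    }
    const id = ids[0] as string;
    const host = item[id] as HostEntry;
    // A list can repeat an ID; in a map the later entry would silently replace the earlier one.
    if (Object.prototype.hasOwnProperty.call(hosts, id)) {
      problems.push(id + ': duplicate host ID at index ' + index + ', entry skipped');
      return;
    }
    const missing = host ? REQUIRED.filter((key) => host[key] === undefined) : REQUIRED;
    if (missing.length > 0) {
      problems.push(id + ': missing ' + missing.join(', '));
      return;
    }
    // Reported but still migrated: the operator decides whether plain HTTP is acceptable.
    if (!/^https:\/\//.test(host.url)) {
      problems.push(id + ': url is not https');
    }
    if (Math.floor(host.port) !== host.port || host.port < 1 || host.port > 65535) {
      problems.push(id + ': port out of range');
      return;
    }
    hosts[id] = host;
  });
  return { config: { 'wazuh_core.hosts': hosts }, problems };
}

// Constructed sample input (not from the issue): the second "manager" entry repeats an ID.
const SAMPLE_LEGACY: LegacyHosts = [
  { manager: { url: 'https://wazuh.manager', port: 55000, username: 'wazuh-wui', password: 'API_PASSWORD', run_as: false } },
  { manager: { url: 'http://10.0.0.2', port: 55000, username: 'wazuh-wui', password: 'API_PASSWORD', run_as: true } },
  { worker: { url: 'http://wazuh.worker', port: 55000, username: 'wazuh-wui', password: 'API_PASSWORD', run_as: false } },
];
```

Running `migrateHosts(SAMPLE_LEGACY)` keeps the first `manager` entry and `worker`, and lists the skipped duplicate and the plain-HTTP URL in `problems` so they can be reviewed before the new file is deployed.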
 

@Machi3mfl
Member

Machi3mfl commented Dec 2, 2024

Configuration Management

There are various types of configurations, including global and context-specific (plugin). Currently, the configuration located in the wazuh.yml file is centralized in one location, regardless of the context in which it is managed.

When transferring the configuration to the opensearch_dashboards.yml file, it is crucial to determine whether it will be defined in the core or within a specific plugin.

The configurations defined to date are as follows:

```ts
export const PLUGIN_SETTINGS = {
  'alerts.sample.prefix': {
    title: 'Sample alerts prefix',
    description: 'Define the index name prefix of sample alerts. It must match the template used by the index pattern to avoid unknown fields in dashboards.',
  },
  'checks.api': {
    title: 'API connection',
    description: 'Enable or disable the API health check when opening the app.',
  },
  'checks.fields': {
    title: 'Known fields',
    description: 'Enable or disable the known fields health check when opening the app.',
  },
  'checks.maxBuckets': {
    title: 'Set max buckets to 200000',
    description: 'Change the default value of the plugin platform max buckets configuration.',
  },
  'checks.metaFields': {
    title: 'Remove meta fields',
    description: 'Change the default value of the plugin platform metaField configuration.',
  },
  'checks.pattern': {
    title: 'Index pattern',
    description: 'Enable or disable the index pattern health check when opening the app.',
  },
  'checks.setup': {
    title: 'API version',
    description: 'Enable or disable the setup health check when opening the app.',
  },
  'checks.template': {
    title: 'Index template',
    description: 'Enable or disable the template health check when opening the app.',
  },
  'checks.timeFilter': {
    title: 'Set time filter to 24h',
    description: 'Change the default value of the plugin platform timeFilter configuration.',
  },
  'configuration.ui_api_editable': {
    title: 'Configuration UI editable',
    description: 'Enable or disable the ability to edit the configuration from UI or API endpoints. When disabled, this can only be edited from the configuration file, the related API endpoints are disabled, and the UI is inaccessible.',
  },
  'cron.prefix': {
    title: 'Cron prefix',
    description: 'Define the index prefix of predefined jobs.',
  },
  'cron.statistics.apis': {
    title: 'Includes APIs',
    description: 'Enter the ID of the hosts you want to save data from, leave this empty to run the task on every host.',
  },
  'customization.enabled': {
    title: 'Status',
    description: 'Enable or disable the customization.',
  },
  'enrollment.dns': {
    title: 'Enrollment DNS',
    description: 'Specifies the Wazuh registration server, used for the agent enrollment.',
  },
  'enrollment.password': {
    title: 'Enrollment password',
    description: 'Specifies the password used to authenticate during the agent enrollment.',
  },
  hideManagerAlerts: {
    title: 'Hide manager alerts',
    description: 'Hide the alerts of the manager in every dashboard.',
  },
  hosts: {
    title: 'Server hosts',
    description: 'Configure the API connections.',
  },
  'ip.ignore': {
    title: 'Index pattern ignore',
    description: 'Disable certain index pattern names from being available in index pattern selector.',
  },
  'ip.selector': {
    title: 'IP selector',
    description: 'Define if the user is allowed to change the selected index pattern directly from the top menu bar.',
  },
  'wazuh.updates.disabled': {
    title: 'Check updates',
    description: 'Define if the check updates service is active.',
  },
  'timeout': {
    title: 'Request timeout',
  },
  'wazuh.monitoring.creation': {
    title: 'Index creation',
    description: 'Define the interval in which a new wazuh-monitoring index will be created.',
  },
  'wazuh.monitoring.enabled': {
    title: 'Status',
    description: 'Enable or disable the wazuh-monitoring index creation and/or visualization.',
  },
  'wazuh.monitoring.frequency': {
    title: 'Frequency',
    description: 'Frequency, in seconds, of API requests to get the state of the agents and create a new document in the wazuh-monitoring index with this data.',
  },
  'wazuh.monitoring.pattern': {
    title: 'Index pattern',
    description: 'Default index pattern to use for Wazuh monitoring.',
  },
  'wazuh.monitoring.replicas': {
    title: 'Index replicas',
    description: 'Define the number of replicas to use for the wazuh-monitoring-* indices.',
  },
  'wazuh.monitoring.shards': {
    title: 'Index shards',
    description: 'Define the number of shards to use for the wazuh-monitoring-* indices.',
  },
  'vulnerabilities.pattern': {
    title: 'Index pattern',
    description: 'Default index pattern to use for vulnerabilities.',
  },
};
```

Configuration Availability Types

It is also important to define the availability requirements for each type of configuration. We can categorize them into several types:

  • Static: Changes take effect only after a restart.
  • Dynamic: Modifications can be made at any time, and the configuration should take effect without requiring a restart.

Categorizing Configurations

These criteria necessitate categorizing all available configurations to decide which implementation approach to use. Here are some options:

  1. Using the initializerContext of OSD: This retrieves the configuration defined in opensearch_dashboards.yml and makes it available to plugins for use.

  2. Creating an Endpoint: This allows for obtaining the configuration at any time through an HTTP call. Performance considerations must be taken into account for this solution.

  3. Developing an Interface: This would create a hybrid solution between the aforementioned methods, facilitating easier resolution of issues when modifications are made to native OpenSearch methods (especially when using initializerContext).

Configuration Overview Table

Here’s a table summarizing the types of configurations and their characteristics:

| Configuration Type | Description | Implementation Options |
| --- | --- | --- |
| Static | Requires restart for changes to take effect | using OSD contextInitializer |
| Dynamic | Takes effect immediately upon modification | create custom solution |

This table provides a clear overview of the different types of configurations, their descriptions, and possible implementation options, making it easier to understand and decide on the appropriate approach for configuration management.

@Machi3mfl
Member

Machi3mfl commented Dec 2, 2024

Configurations categorizations

Steps to transform the JSON into a Markdown table:

  1. Extract name, title and description from PLUGIN_SETTINGS
  2. Create table headers
  3. Format each entry as a row
  4. Leave type, deprecated and annotations columns empty

| Config | Title | Description | Type | Deprecated | Annotations |
| --- | --- | --- | --- | --- | --- |
| alerts.sample.prefix | Sample alerts prefix | Define the index name prefix of sample alerts. It must match the template used by the index pattern to avoid unknown fields in dashboards. | | | |
| checks.api | API connection | Enable or disable the API health check when opening the app. | | | |
| checks.fields | Known fields | Enable or disable the known fields health check when opening the app. | | | |
| checks.maxBuckets | Set max buckets to 200000 | Change the default value of the plugin platform max buckets configuration. | | | |
| checks.metaFields | Remove meta fields | Change the default value of the plugin platform metaField configuration. | | | |
| checks.pattern | Index pattern | Enable or disable the index pattern health check when opening the app. | | | |
| checks.setup | API version | Enable or disable the setup health check when opening the app. | | | |
| checks.template | Index template | Enable or disable the template health check when opening the app. | | | |
| checks.timeFilter | Set time filter to 24h | Change the default value of the plugin platform timeFilter configuration. | | | |
| configuration.ui_api_editable | Configuration UI editable | Enable or disable the ability to edit the configuration from UI or API endpoints. When disabled, this can only be edited from the configuration file, the related API endpoints are disabled, and the UI is inaccessible. | | | |
| cron.prefix | Cron prefix | Define the index prefix of predefined jobs. | | | |
| cron.statistics.apis | Includes APIs | Enter the ID of the hosts you want to save data from, leave this empty to run the task on every host. | | 🚫 | |
| cron.statistics.index.creation | Index creation | Define the interval in which a new index will be created. | | 🚫 | |
| cron.statistics.index.name | Index name | Define the name of the index in which the documents will be saved. | | 🚫 | |
| cron.statistics.index.replicas | Index replicas | Define the number of replicas to use for the statistics indices. | | 🚫 | |
| cron.statistics.index.shards | Index shards | Define the number of shards to use for the statistics indices. | | 🚫 | |
| cron.statistics.interval | Interval | Define the frequency of task execution using cron schedule expressions. | | 🚫 | |
| cron.statistics.status | Status | Enable or disable the statistics tasks. | | 🚫 | |
| customization.enabled | Status | Enable or disable the customization. | | | |
| customization.logo.app | App main logo | This logo is used as loading indicator while the user is logging into Wazuh API. | | | |
| customization.logo.healthcheck | Healthcheck logo | This logo is displayed during the Healthcheck routine of the app. | | | |
| customization.logo.reports | PDF reports logo | This logo is used in the PDF reports generated by the app. It's placed at the top left corner of every page of the PDF. | | | Moved to reporting plugin |
| customization.reports.footer | Reports footer | Set the footer of the reports. | | | Moved to reporting plugin |
| customization.reports.header | Reports header | Set the header of the reports. | | | Moved to reporting plugin |
| enrollment.dns | Enrollment DNS | Specifies the Wazuh registration server, used for the agent enrollment. | | | |
| enrollment.password | Enrollment password | Specifies the password used to authenticate during the agent enrollment. | | | |
| hideManagerAlerts | Hide manager alerts | Hide the alerts of the manager in every dashboard. | | | |
| hosts | Server hosts | Configure the API connections. | | | |
| ip.ignore | Index pattern ignore | Disable certain index pattern names from being available in index pattern selector. | | | |
| ip.selector | IP selector | Define if the user is allowed to change the selected index pattern directly from the top menu bar. | | | |
| pattern | Index pattern | Default index pattern to use on the app. If there's no valid index pattern, the app will automatically create one with the name indicated in this option. | | | |
| timeout | Request timeout | Maximum time, in milliseconds, the app will wait for an API response when making requests to it. It will be ignored if the value is set under 1500 milliseconds. | | | |
| vulnerabilities.pattern | Index pattern | Default index pattern to use for vulnerabilities. | | | |
| wazuh.monitoring.creation | Index creation | Define the interval in which a new wazuh-monitoring index will be created. | | 🚫 | |
| wazuh.monitoring.enabled | Status | Enable or disable the wazuh-monitoring index creation and/or visualization. | | 🚫 | |
| wazuh.monitoring.frequency | Frequency | Frequency, in seconds, of API requests to get the state of the agents and create a new document in the wazuh-monitoring index with this data. | | 🚫 | |
| wazuh.monitoring.pattern | Index pattern | Default index pattern to use for Wazuh monitoring. | | 🚫 | |
| wazuh.monitoring.replicas | Index replicas | Define the number of replicas to use for the wazuh-monitoring-* indices. | | 🚫 | |
| wazuh.monitoring.shards | Index shards | Define the number of shards to use for the wazuh-monitoring-* indices. | | 🚫 | |
| wazuh.updates.disabled | Check updates | Define if the check updates service is active. | | 🚫 | |

@Machi3mfl
Member

Machi3mfl commented Dec 4, 2024

How to create configuration at the tenant level

The tenant configuration is displayed on the Dashboard Management > Advanced Settings section

```ts
import { i18n } from '@osd/i18n';
import { schema } from '@osd/config-schema';
import { UiSettingsParams } from 'opensearch-dashboards/server';

// Setting keys as they appear under Advanced Settings.
export const CONTEXT_DEFAULT_SIZE_SETTING = 'context:defaultSize';
export const CONTEXT_STEP_SETTING = 'context:step';
export const CONTEXT_TIE_BREAKER_FIELDS_SETTING = 'context:tieBreakerFields';

// Each entry declares a default value and a schema used to validate changes.
export const uiSettings: Record<string, UiSettingsParams> = {
  [CONTEXT_DEFAULT_SIZE_SETTING]: {
    name: i18n.translate('discover.advancedSettings.context.defaultSizeTitle', {
      defaultMessage: 'Context size',
    }),
    value: 5,
    description: i18n.translate('discover.advancedSettings.context.defaultSizeText', {
      defaultMessage: 'The number of surrounding entries to show in the context view',
    }),
    category: ['discover'],
    schema: schema.number(),
  },
  [CONTEXT_STEP_SETTING]: {
    name: i18n.translate('discover.advancedSettings.context.sizeStepTitle', {
      defaultMessage: 'Context size step',
    }),
    value: 5,
    description: i18n.translate('discover.advancedSettings.context.sizeStepText', {
      defaultMessage: 'The step size to increment or decrement the context size by',
    }),
    category: ['discover'],
    schema: schema.number(),
  },
  [CONTEXT_TIE_BREAKER_FIELDS_SETTING]: {
    name: i18n.translate('discover.advancedSettings.context.tieBreakerFieldsTitle', {
      defaultMessage: 'Tie breaker fields',
    }),
    value: ['_doc'],
    description: i18n.translate('discover.advancedSettings.context.tieBreakerFieldsText', {
      defaultMessage:
        'A comma-separated list of fields to use for tie-breaking between documents that have the same timestamp value. ' +
        'From this list the first field that is present and sortable in the current index pattern is used.',
    }),
    category: ['discover'],
    schema: schema.arrayOf(schema.string()),
  },
};
```

Register the uiSetting on the plugin lifecycle methods

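```ts
import { CoreSetup, CoreStart, Plugin } from 'opensearch-dashboards/server';
// `uiSettings` is the record defined in the previous snippet.

export class DiscoverServerPlugin implements Plugin<object, object> {
  public setup(core: CoreSetup) {
    // Registration happens once, during the plugin's setup phase.
    core.uiSettings.register(uiSettings);
    return {};
  }

  public start(core: CoreStart) {
    return {};
  }

  public stop() {}
}
```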

Use the uiSettings

```ts
core.uiSettings.get(CONTEXT_TIE_BREAKER_FIELDS_SETTING)
```

@Machi3mfl
Member

Machi3mfl commented Dec 4, 2024

Adding plugin advanced settings

```ts
import { i18n } from '@osd/i18n';
import { schema } from '@osd/config-schema';
import { UiSettingsParams } from 'opensearch-dashboards/server';

const HIDE_MANAGER_ALERTS_SETTING = 'hideManagerAlerts';

export const uiSettings: Record<string, UiSettingsParams> = {
  [HIDE_MANAGER_ALERTS_SETTING]: {
    name: i18n.translate('wazuhCore.advancedSettings.hideManagerAlerts', {
      defaultMessage: 'Hide manager alerts',
    }),
    type: 'boolean',
    value: true,
    description: i18n.translate('wazuhCore.advancedSettings.hideManagerAlertsText', {
      defaultMessage: 'Hide the alerts of the manager in every dashboard.',
    }),
    category: ['wazuhCore'],
    schema: schema.boolean(),
  },
};
```

Get the settings values

```ts
core.uiSettings.get('hideManagerAlerts')
```

@Machi3mfl
Member

Machi3mfl commented Dec 11, 2024

Tasks


@Machi3mfl
Member

Machi3mfl commented Dec 16, 2024

Transform the plugin settings to ui settings

  • Creating an adapter to reuse the constant already defined in the wazuh plugin
  • Reuse the validate function to create the uiSettings definitions

Details on: wazuh/wazuh-dashboard-plugins@bced596

Projects
Status: In progress
2 participants