
Integrations maintenance request [Month 12] #604

mcasas993 opened this issue Dec 19, 2024 · 4 comments · May be fixed by #614
Labels: level/task (Task issue), request/operational (Operational requests), type/maintenance (Maintenance issue)

Description

The Wazuh Indexer team is responsible for the maintenance of the third-party integrations hosted in the wazuh/wazuh-indexer repository. We must ensure these integrations work under new releases of the third-party software (Splunk, Elastic, Logstash, …) and our own.

For that, we need to:

  • Create a pull request that upgrades the components to the latest version.
  • Update our testing environments to verify the integrations work under new versions.
  • Test the integrations, checking that:
      • The Docker Compose project starts without errors.
      • The data arrives at the destination.
      • All the dashboards can be imported successfully.
      • All the dashboards are populated with data.
  • Finally, upgrade the compatibility matrix in integrations/README.md with the new versions.

Note

  • For Logstash, we use the logstash-oss image.
  • For Wazuh Indexer and Wazuh Dashboard, we use the opensearch and opensearch-dashboards images. These must match the OpenSearch version that we support (e.g., for Wazuh 4.9.0 it is OpenSearch 2.13.0).

Issues

  • List here the detected issues
@mcasas993 mcasas993 added level/task Task issue request/operational Operational requests type/maintenance Maintenance issue labels Dec 19, 2024
@mcasas993 mcasas993 self-assigned this Dec 19, 2024
mcasas993 (Member Author) commented Dec 20, 2024

Wazuh Indexer Splunk integration

Built Docker Compose:

    docker compose -f compose.indexer-splunk.yml up -d
    [+] Running 12/12
     ✔ splunk Pulled                                         47.2s
       ✔ a09bb1026942 Pull complete                           2.9s
       ✔ 59de139ab4a7 Pull complete                           2.9s
       ✔ 240852bc4e7c Pull complete                          11.5s
       ✔ 570e3b526dc7 Pull complete                          11.5s
       ✔ 4bd60e134244 Pull complete                          11.6s
       ✔ d0501d93737f Pull complete                          39.7s
       ✔ 4f4fb700ef54 Pull complete                          39.7s
       ✔ e1b7b6f16b3d Pull complete                          43.9s
       ✔ dcabfc195708 Pull complete                          43.9s
       ✔ 74f154f0ed61 Pull complete                          43.9s
       ✔ de8d9d75b1c5 Pull complete                          44.0s
    [+] Running 8/8
     ✔ Container splunk-integration-generate-certs-config-1  Exited     1.3s
     ✔ Container splunk-integration-wazuh-certs-generator-1  Exited     4.0s
     ✔ Container splunk-integration-wazuh.indexer-1          Healthy   46.5s
     ✔ Container splunk-integration-generator-1              Exited     4.0s
     ✔ Container splunk-integration-wazuh.dashboard-1        Started    3.7s
     ✔ Container splunk-integration-events-generator-1       Started   46.7s
     ✔ Container splunk-integration-splunk-1                 Healthy   55.7s
     ✔ Container splunk-integration-logstash-1               Started

  • Splunk version: [image]
  • Wazuh-malware-detection-v1.0: [image]
  • Wazuh-incident-response-v1.0: [image]
  • Wazuh-docker-listener-v1.0: [image]
  • Wazuh-security-events-v1.0: [image]
  • Wazuh-pci-dss-v1.0: [image]
  • Wazuh-amazon-aws-v1.0: [image]
  • Wazuh-vulnerabilities-v1.0: [image]

mcasas993 (Member Author) commented Dec 20, 2024

Wazuh Indexer OpenSearch integration

  • Wazuh-amazon-aws-v1.0: [image]
  • Wazuh-docker-listener-v1.0: [image]
  • Wazuh-incident-response-v1.0: [image]
  • Wazuh-malware-detection-v1.0: [image]
  • Wazuh-pci-dss-v1.0: [image]
  • Wazuh-security-events-v1.0: [image]
  • Wazuh-vulnerabilities-v1.0: [image]

mcasas993 (Member Author) commented:
Wazuh Indexer Elastic Stack integration

  • Elastic version: [image]
  • Wazuh-amazon-aws-v1.0: [image]
  • Wazuh-security-events-v1.0: [image]
  • Wazuh-vulnerabilities-v1.0: [image]
  • Wazuh-pci-dss-v1.0: [image]
  • Wazuh-incident-response-v1.0: [image]
  • Wazuh-docker-listener-v1.0: [image]
  • Wazuh-malware-detection-v1.0: [image]

mcasas993 (Member Author) commented:
Because the dashboard did not work in the Splunk integration I tried again several times.

I stopped all the docker images that were generated, deleted them and recreated them.

I did not manage to see data in any of the Splunk dashboards again.

The only error I found within the docker containers was within the splunk-integration-logstash-1 container:
    [2024-12-20T16:28:00,367][ERROR][logstash.outputs.http ][main][a926e49c792ce0b380eac5676e5aeda3b074fa7c29d7182b845bf0c89b29cc2c] Encountered non-2xx HTTP code 400 {:response_code=>400, :url=>"https://splunk:8088/services/collector/raw", :event=>#<LogStash::Event:0x3002948c>}

The same error repeats with different events.
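The Logstash http output records only the HTTP status, and Splunk's HTTP Event Collector returns 400 for several unrelated reasons that it distinguishes only in the JSON body of the reply. The script below is an added example, not code from the project or from the commenter: it extracts the status and URL from a logstash.outputs.http error line of the shape shown above, and `probe_hec` replays one event against that URL so the body can be read and explained. The HEC reply-code table is from Splunk's HEC troubleshooting documentation as I recall it and should be checked against the Splunk version in use; the token, the probe event and the sample log line are constructed for the example.

```python
import json
import re
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple

# HEC reply codes that come back with HTTP 400 (from Splunk's HEC troubleshooting docs,
# as I recall them; verify against your Splunk version). The status alone, which is all
# the Logstash http output logs, cannot tell these apart.
HEC_CODES = {
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    10: "Data channel is missing",
    11: "Invalid data channel",
    12: "Event field is required",
    13: "Event field cannot be blank",
    15: "Error in handling indexed fields",
    16: "Query parameter is invalid",
}

LOGSTASH_HTTP_ERR = re.compile(
    r"Encountered non-2xx HTTP code (?P<status>\d+) .*?:url=>\"(?P<url>[^\"]+)\""
)


def parse_logstash_http_error(line: str) -> Optional[Tuple[int, str]]:
    """Pull (status, url) out of a logstash.outputs.http error line; None if it is not one."""
    m = LOGSTASH_HTTP_ERR.search(line)
    return (int(m.group("status")), m.group("url")) if m else None


def explain_hec_response(status: int, body: bytes) -> str:
    """Turn an HEC reply into a one-line diagnosis using the JSON body's 'code' field."""
    try:
        payload = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return f"HTTP {status}, non-JSON body: {body[:80]!r}"
    code = payload.get("code")
    text = payload.get("text", "")
    if code == 0:
        return f"HTTP {status}, accepted"
    meaning = HEC_CODES.get(code, "unlisted code")
    return f"HTTP {status}, HEC code {code} ({meaning}): {text}"


def probe_hec(url: str, token: str, event: str, verify_tls: bool = False) -> Tuple[int, bytes]:
    """Replay one event against the HEC URL taken from the Logstash log; return (status, body)."""
    req = urllib.request.Request(
        url,
        data=event.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "text/plain"},
    )
    ctx = None
    if not verify_tls:  # the lab stack uses self-signed certificates; never do this against production
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


# Constructed sample: the error line from the comment above, with straight quotes
# and the container id shortened.
SAMPLE_LOG = (
    '[2024-12-20T16:28:00,367][ERROR][logstash.outputs.http ][main][a926e49c] '
    'Encountered non-2xx HTTP code 400 {:response_code=>400, '
    ':url=>"https://splunk:8088/services/collector/raw", :event=>#<LogStash::Event:0x3002948c>}'
)

if __name__ == "__main__":
    status, url = parse_logstash_http_error(SAMPLE_LOG)
    # Constructed reply body in the shape HEC returns; a live run would use probe_hec:
    #   status, body = probe_hec(url, "<hec-token>", '{"probe": "wazuh"}')
    print(url, explain_hec_response(status, b'{"text":"Invalid data format","code":6}'))
```

Run `probe_hec` from inside the Compose network (or with `splunk` resolved to the published port) using the same token the Logstash pipeline is configured with; if the probe is accepted but the pipeline's events are not, the difference is in what Logstash sends, and the next thing to compare is the output plugin's `format`/`content_type` against what the raw endpoint expects.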
