weixin_39719127 2020-11-29 17:47

[Filebeat-3.9.3] Custom module for Filebeat and Wazuh

Overview

From the Beats docs:

Each Filebeat module is composed of one or more "filesets". We usually create a module for each service that we support (nginx for Nginx, mysql for Mysql, and so on) and a fileset for each type of log that the service creates. For example, the Nginx module has access and error filesets. You can contribute a new module (with at least one fileset), or a new fileset for an existing module.

Why does Wazuh need a Filebeat module?

Here is a list of issues we are working on that may be solved using a custom Filebeat module:

  • Problems indexing rotated events or Filebeat is stopped more than one day https://github.com/wazuh/wazuh-documentation/issues/1269
  • Workarounds about the GeoIP features, renaming fields, ingest pipelines https://github.com/wazuh/wazuh/issues/3512
  • Problems with the full_log field, JSON formats, mapping conflicts https://github.com/wazuh/wazuh/issues/3513

In addition, most of the logic we are doing in configuration files, pipelines and some other files can be achieved using a custom module for Filebeat.

Creating the module

  1. The first step is to learn about Filebeat modules, the reference docs are https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html, where we can find useful information on how to create a simple module.
  2. Once we know how to create the module, we can start to migrate all the Wazuh related logic to this module.

Tasks

  - [x] Researching about Filebeat modules.
  - [x] Implement a simple module to apply acquired knowledge.
  - [x] Design and decide what our module should do for us.
  - [x] Implement the module, test the module against different use cases.
  - [x] Create/update the proper documentation.
  - [ ] Should we try to publish it as an official Filebeat module (their website)?

This question originates from the open source project: wazuh/wazuh


5 replies

  • weixin_39719127 2020-11-29 17:47

    Getting started with Filebeat modules

    Following the how-to docs from the Elastic docs, I've created the very first Filebeat module for testing purposes.

    Since it needs "Go" to be installed, I've installed it as follows (using 1.11.5 because it is the version for beats v7.1.1):

    ```sh
    GO_VERSION="1.11.5"
    curl -so go.tar.gz "https://dl.google.com/go/go$GO_VERSION.linux-amd64.tar.gz"
    tar -xzf go.tar.gz
    mv go /usr/local/
    rm -f go.tar.gz
    ```
    

    Setup Go environment:

    ```sh
    export GOROOT=/usr/local/go
    export GOPATH=/home/vagrant/filebeat-wazuh-module
    export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
    go version
    # go version go1.11.5 linux/amd64
    ```
    

    Prepare Filebeat:

    ```sh
    go get github.com/elastic/beats
    cd src/github.com/elastic/beats/filebeat/
    git checkout v7.1.1
    go get
    make
    ```
    

    Create an empty module:

    ```sh
    make create-module MODULE=wazuh
    # New module was generated, now you can start creating filesets by create-fileset command.
    ```
    

    Verify the generated empty module:

    
    ```
    tree module/wazuh/
    module/wazuh/
    ├── _meta
    │   ├── config.yml
    │   ├── docs.asciidoc
    │   └── fields.yml
    └── module.yml
    ```
    

    Now, create the fileset for the module:

    
    ```
    make create-fileset MODULE=wazuh FILESET=wazuh-fileset
    New fileset was generated, please check that module.yml file have proper fileset dashboard settings. After setting up Grok pattern in pipeline.json, please generate fields.yml
    ```
    

    Verify the generated fileset for the Wazuh module:

    
    ```
    ├── _meta
    │   ├── config.yml
    │   ├── docs.asciidoc
    │   └── fields.yml
    ├── module.yml
    └── wazuh-fileset
        ├── config
        │   └── wazuh-fileset.yml
        ├── ingest
        │   └── pipeline.json
        ├── manifest.yml
        ├── _meta
        └── test
    ```
    

    After doing a tiny modification in the manifest.yml, I've tried to build the module, then I've noticed virtualenv is also needed.

    
    ```sh
    yum install python-virtualenv -y
    ```
    

    Now, and following their docs:

    
    ```
    make update
    mage update
    Generated fields.yml for filebeat to /home/vagrant/filebeat-wazuh-module/src/github.com/elastic/beats/filebeat/fields.yml
    No fields files for module apache2
    Generated fields.yml for filebeat to /home/vagrant/filebeat-wazuh-module/src/github.com/elastic/beats/filebeat/fields.yml
    >> Building filebeat.yml for linux/amd64
    >> Building filebeat.reference.yml for linux/amd64
    >> Building filebeat.docker.yml for linux/amd64
    Generated fields.yml for filebeat to /home/vagrant/filebeat-wazuh-module/src/github.com/elastic/beats/filebeat/build/fields/fields.all.yml
    ```
    

    Load the fake module into Filebeat:

    1. The first step is to stop Filebeat and to modify its current configuration.

    ```sh
    systemctl stop filebeat
    vi /etc/filebeat/filebeat.yml
    ```
    

    Here is the testing config I've used:

    ```yaml
    filebeat.modules:
    - module: wazuh

    output.elasticsearch.hosts: ['http://172.16.1.4:9200']
    output.elasticsearch.indices:
      - index: 'testing-module'
    ```
    

    Copy our module to Filebeat:

    ```sh
    cp modules.d/wazuh.yml.disabled /etc/filebeat/modules.d/
    cp module/wazuh/ /usr/share/filebeat/module/ -R
    stat -c "%a %n" /usr/share/filebeat/module/zeek # Not needed, just looking for the right perms (755)
    chmod 755 /usr/share/filebeat/module/wazuh -R
    ```
    

    Run Filebeat in debug mode:

    
    ```sh
    /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat -d '*'
    ```
    

    Add an alert to the alerts.json:

    
    ```sh
    cat myalert.json >> /var/ossec/logs/alerts/alerts.json
    ```
    

    And here is the Filebeat output (reduced because the debug messages are too long):

    
    ```
    [root filebeat]# cat /tmp/output.txt | grep wazuh
        "pipeline": "filebeat-7.1.0-wazuh-wazuh-fileset-pipeline"
        "type": "wazuh"
      "message": "{\"timestamp\":\"2019-06-11T08:29:26.125+0000\",\"rule\":{\"level\":3,\"description\":\"Service startup type was changed\",\"id\":\"61104\",\"info\":\"This does not appear to be logged on Windows 2000\",\"firedtimes\":2,\"mail\":false,\"groups\":[\"windows\",\" windows_systempolicy_changed\"],\"pci_dss\":[\"10.6\"],\"gdpr\":[\"IV_35.7.d\"]},\"agent\":{\"id\":\"010\",\"name\":\"windows-ag\",\"ip\":\"10.0.2.15\"},\"manager\":{\"name\":\"master\"},\"id\":\"1560241766.129973\",\"cluster\":{\"name\":\"wazuh\",\"node\":\"node01\"},\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"foo\":\"bar\"},\"location\":\"EventChannel\"}",
        "module": "wazuh",
        "dataset": "wazuh.wazuh-fileset"
        "name": "wazuh-fileset"
    2019-06-24T15:36:27.186Z    DEBUG   [elasticsearch] elasticsearch/client.go:752 GET http://172.16.1.4:9200/_ingest/pipeline/filebeat-7.1.0-wazuh-wazuh-fileset-pipeline  <nil>
    2019-06-24T15:36:27.187Z    DEBUG   [modules]   fileset/pipelines.go:120    Pipeline filebeat-7.1.0-wazuh-wazuh-fileset-pipeline already loaded
    ```

    As we can see our pipeline is doing the basic job; the event is not wazuh-compatible yet of course, but it's a first step that I think is useful.

    It's in Elasticsearch, and we can see it was indexed in the right index (testing-module):

    [screenshot: the event indexed in Elasticsearch under testing-module]

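The reply above ends with a pipeline that only forwards the raw alert as a string inside `message`, which is why the event is "not wazuh-compatible yet". The ingest pipeline below is an added example of what the fileset's `ingest/pipeline.json` could do next; it is not code from the original issue and not Wazuh's own module pipeline. It assumes the alert's `timestamp` field holds an ISO 8601 value like the one in the captured event, that `data.srcip` may carry a source address (a constructed assumption, since the captured event only has `data.foo`), and that the fileset's `manifest.yml` points `ingest_pipeline` at this file, as the Filebeat module guide describes.

```json
{
  "description": "Added example pipeline for Wazuh alerts.json events (not the project's own pipeline)",
  "processors": [
    {
      "json": {
        "field": "message",
        "add_to_root": true
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "ignore_failure": false
      }
    },
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "geoip",
        "ignore_missing": true
      }
    },
    {
      "remove": {
        "field": ["message", "timestamp"],
        "ignore_missing": true
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.message",
        "value": "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}
```

Three points matter when adapting this. First, `json` with `add_to_root` writes the decoded keys over any same-named top-level keys, so the alert's `agent.id`, `agent.name` and `agent.ip` replace the `agent.*` values Filebeat itself adds in 7.x; both are keyword fields, so it is not a mapping conflict, but decide which set you want to keep before relying on either. Second, the `remove` step drops the raw `message` once it has been decoded, so the alert is stored once rather than twice, which is the kind of duplication and mapping trouble the `full_log` issue linked above is about. Third, the `on_failure` handler keeps a malformed alert indexed with an `error.message` rather than silently dropping it, so parsing failures remain visible in the index.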
