Add OpenSearch integration

integrations/.gitignore

@@ -1,4 +1,3 @@
-opensearch
 splunk
 common
 config

integrations/docker/.env

@@ -21,3 +21,6 @@ KIBANA_PORT=5602
 
 # Increase or decrease based on the available host memory (in bytes)
 MEM_LIMIT=1073741824
+
+# OpenSearch destination cluster version
+OS_VERSION=2.14.0

integrations/docker/config/certs.yml

@@ -1,16 +1,20 @@
 nodes:
-  # Wazuh indexer server nodes
+  # Wazuh indexer and OpenSearch server nodes
   indexer:
     - name: wazuh.indexer
       ip: wazuh.indexer
+    - name: opensearch.node
+      ip: opensearch.node
 
   # Wazuh server nodes
   # Use node_type only with more than one Wazuh manager
   server:
     - name: wazuh.manager
       ip: wazuh.manager
 
-  # Wazuh dashboard node
+  # Wazuh dashboard and OpenSearch Dashboards nodes
   dashboard:
     - name: wazuh.dashboard
       ip: wazuh.dashboard
+    - name: opensearch.dashboards
+      ip: opensearch.dashboards

integrations/docker/opensearch.yml

@@ -0,0 +1,169 @@
+name: "opensearch-integration"
+
+services:
+  events-generator:
+    image: wazuh/indexer-events-generator
+    build:
+      context: ../tools/events-generator
+    container_name: events-generator
+    depends_on:
+      wazuh.indexer:
+        condition: service_healthy
+    command: bash -c "python run.py -a wazuh.indexer"
+
+  wazuh.indexer:
+    image: opensearchproject/opensearch:2.12.0
+    container_name: wazuh.indexer
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    hostname: wazuh.indexer
+    ports:
+      - 9200:9200
+    environment:
+      - node.name=wazuh.indexer
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - plugins.security.ssl.http.enabled=true
+      - plugins.security.allow_default_init_securityindex=true
+      - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    healthcheck:
+      test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+      start_period: 10s
+      start_interval: 3s
+    volumes:
+      - data:/usr/share/opensearch/data
+      - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+      - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+  wazuh.dashboard:
+    image: opensearchproject/opensearch-dashboards:2.12.0
+    container_name: wazuh.dashboard
+    depends_on:
+      - wazuh.indexer
+    hostname: wazuh.dashboard
+    ports:
+      - 5601:5601
+    expose:
+      - "5601"
+    volumes:
+      - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+      - ./certs/:/usr/share/opensearch-dashboards/config/certs/
+      - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key
+      - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem
+    environment:
+      OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]'
+      SERVER_SSL_ENABLED: 'true'
+      SERVER_SSL_KEY: '/usr/share/opensearch-dashboards/config/certs/opensearch.key'
+      SERVER.SSL_CERTIFICATE: '/usr/share/opensearch-dashboards/config/certs/opensearch.pem'
+      OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: '/usr/share/opensearch-dashboards/config/certs/root-ca.pem'
+
+
+  wazuh-certs-generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    container_name: wazuh-certs-generator
+    entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+    volumes:
+      - ./certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml
+
+
+  # ================================================
+  # OpenSearch, OpenSearch Dashboards and Logstash
+  # ================================================
+
+  opensearch.node:
+    image: opensearchproject/opensearch:${OS_VERSION}
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
+    container_name: opensearch.node
+    environment:
+      - cluster.name=opensearch-cluster
+      - node.name=opensearch.node
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - 'OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m'
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+    volumes:
+      - ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+      - ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key
+      - ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    ports:
+      - 9201:9200
+      - 9600:9600
+    healthcheck:
+      test:
+        [
+          'CMD-SHELL',
+          "curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'",
+        ]
+      interval: 1s
+      timeout: 5s
+      retries: 120
+
+  opensearch-dashboards:
+    image: opensearchproject/opensearch-dashboards:${OS_VERSION}
+    depends_on:
+      opensearch.node:
+        condition: service_healthy
+    container_name: opensearch-dashboards
+    ports:
+      - 5602:5601
+    expose:
+      - '5602'
+    volumes:
+      - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+      - ./certs/:/usr/share/opensearch-dashboards/config/certs/
+      - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key
+      - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem
+
+    environment:
+      - 'OPENSEARCH_HOSTS="https://opensearch.node:9200"'
+
+  logstash:
+    image: logstash-oss:8.6.2
+    depends_on:
+      opensearch.node:
+        condition: service_healthy
+    container_name: logstash
+    build:
+      context: ../opensearch
+    environment:
+      LOG_LEVEL: info
+      MONITORING_ENABLED: false
+    volumes:
+      - ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline
+      - ./certs/root-ca.pem:/etc/ssl/root-ca.pem
+    command: logstash -f /usr/share/logstash/pipeline/indexer-to-opensearch.conf
+
+volumes:
+  data:
+  os_config:

integrations/opensearch/README.md

@@ -0,0 +1,49 @@
+# Wazuh to OpenSearch Integration Developer Guide
+
+This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the OpenSearch Stack. For a detailed guide on how to integrate Wazuh with OpenSearch Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/OpenSearch-stack/index.html).
+
+## Requirements
+
+- Docker and Docker Compose installed.
+
+## Usage
+
+1. Clone the Wazuh repository and navigate to the `integrations/` folder.
+2. Run the following command to start the environment:
+   ```bash
+   docker compose -f ./docker/opensearch.yml up -d
+   ```
+
+The Docker Compose project will bring up the following services:
+
+- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
+- 1x Wazuh Indexer (OpenSearch).
+- 1x Wazuh Dashboards (OpenSearch Dashboards).
+- 1x Logstash
+- 1x OpenSearch
+- 1x OpenSearch Dashboards
+
+For custom configurations, you may need to modify these files:
+
+- [docker/opensearch.yml](../docker/opensearch.yml): Docker Compose file.
+- [docker/.env](../docker/.env): Environment variables file.
+- [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file.
+
+Check the files above for **credentials**, ports, and other configurations.
+
+| Service               | Address                | Credentials |
+| --------------------- | ---------------------- | ----------- |
+| Wazuh Indexer         | https://localhost:9200 | admin:admin |
+| Wazuh Dashboard       | https://localhost:5601 | admin:admin |
+| OpenSearch            | https://localhost:9201 | admin:admin |
+| OpenSearch Dashboards | https://localhost:5602 | admin:admin |
+
+## Importing the dashboards
+
+The dashboards for OpenSearch are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to OpenSearch are the following:
+
+- On OpenSearch Dashboards, expand the left menu, and go to `Dashboards Management`.
+- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file.
+- Click on Import and complete the process.
+
+Imported dashboards will appear in the `Dashboards` app on the left menu.

integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf

@@ -0,0 +1,38 @@
+input {
+  opensearch {
+	  hosts =>  ["wazuh.indexer:9200"]
+	  user  =>  "admin"
+	  password  =>  "admin"
+	  index =>  "wazuh-alerts-4.x-*"
+	  ssl => true
+	  ca_file => "/etc/ssl/root-ca.pem"
+	  query =>  '{
+   	   "query": {
+   		   "range": {
+   			   "@timestamp": {
+   				   "gt": "now-1m"
+   			   }
+   		   }
+   	   }
+	  }'
+	  schedule => "* * * * *"
+  }
+}
+output {
+  opensearch {
+    hosts => ["opensearch.node:9200"]
+    auth_type => {
+   	  type => 'basic'
+   	  user => 'admin'
+   	  password => 'admin'
+   	  }
+    index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
+    ssl => true
+    cacert => "/etc/ssl/root-ca.pem"
+	  template => '/usr/share/logstash/pipeline/os_template.json'
+    template_name => 'wazuh'
+    template_overwrite => true
+		legacy_template => false
+	}
+}
+