filebeat install on OwlH Node

build/html/_sources/main/OwlH-elk.rst.txt

@@ -1,6 +1,6 @@
 
-Sync with ELK 7.x
-=================
+Sync with ELK 7.x using Wazuh
+=============================
 
 .. warning::
 

build/html/_sources/main/OwlH-node-elk.rst.txt

@@ -0,0 +1,107 @@
+
+Sync with ELK 7.x
+=================
+
+.. warning::
+
+    Be sure you are running ELK (elasticsearch, filebeat and kibana) with version >7.3.2
+
+.. include:: keepincontact.rst
+
+This process will allow you to connect your OwlH environment directly to ELK. 
+
+You will do:
+
+  * install filebeat on OwlH Nodes
+  * install OwlH-Filebeat module 
+  * import OwlH-Kibana objects in Kibana
+  * load OwlH template in Elasticsearch
+  * modify Filebeat main configuration to include OwlH module
+
+
+.. note:: 
+  Please, check URLs and paths to ensure you use the right commands and that you adapt command lines as needed. 
+
+
+Install Filebeat in your OwlH Nodes
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Import the GPG key:
+
+    .. code-block:: console
+
+      # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
+
+#. Add the repository:
+
+    .. code-block:: console
+
+      # cat > /etc/yum.repos.d/elastic.repo << EOF
+      [elasticsearch-7.x]
+      name=Elasticsearch repository for 7.x packages
+      baseurl=https://artifacts.elastic.co/packages/7.x/yum
+      gpgcheck=1
+      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
+      enabled=1
+      autorefresh=1
+      type=rpm-md
+      EOF
+
+#. Install Filebeat 
+
+    .. code-block:: console 
+
+      # yum install filebeat
+
+
+Download and configure
+^^^^^^^^^^^^^^^^^^^^^^
+
+::
+    
+    # cd /tmp
+    # mkdir /tmp/owlhfilebeat
+    # cd /tmp/owlhfilebeat
+    # wget repo.owlh.net/fbit/owlh-module.tar.gz
+    # tar -C /tmp/owlhfilebeat -xf owlh-module.tar.gz
+
+
+Install OwlH module
+-------------------
+
+::
+
+    # tar -C /usr/share/filebeat/module/ -xf /tmp/owlhfilebeat/owlh-filebeat-7.9.x.tar.gz
+
+
+Modify filebeat
+^^^^^^^^^^^^^^^
+
+Modify Filebeat configuration
+-----------------------------
+
+::
+
+    # cp /tmp/owlhfilebeat/filebeat.yml /etc/filebeat/filebeat.yml 
+
+.. attention:: 
+    be sure to update properly your filebeat.yml file to point to your elasticsearch server.
+
+
+
+Restart Filebeat
+----------------
+
+You should be done. check your kibana to see the OwlH dashboards in dashboards section, and indices in discovery section.
+
+::
+
+    Restart Filebeat
+
+    # systemctl restart filebeat 
+
+    Check Filebeat output
+
+    # journalctl -f -u filebeat
+
+    From your web browser, check kibana->discovery for owlh indices.

build/html/_sources/main/OwlHInstall.rst.txt

@@ -37,6 +37,7 @@ Visualization
 -------------
 
       * :doc:`OwlH dashboards integration Wazuh-ELK</main/OwlH-elk>`
+      * :doc:`OwlH dashboards integration ELK</main/OwlH-node-elk>`
 
 Appendices
 ----------

build/html/_sources/main/_resources/add_repo.rst.txt

@@ -0,0 +1,24 @@
+.. Copyright (C) 2020 OwlH.
+
+#. Import the GPG key:
+
+    .. code-block:: console
+
+      # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
+
+#. Add the repository:
+
+    .. code-block:: console
+
+      # cat > /etc/yum.repos.d/elastic.repo << EOF
+      [elasticsearch-7.x]
+      name=Elasticsearch repository for 7.x packages
+      baseurl=https://artifacts.elastic.co/packages/7.x/yum
+      gpgcheck=1
+      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
+      enabled=1
+      autorefresh=1
+      type=rpm-md
+      EOF
+
+.. End of include file

build/html/_sources/main/_resources/add_repo2.rst.txt

@@ -0,0 +1,24 @@
+.. Copyright (C) 2020 OwlH.
+
+#. Import the GPG key:
+
+    .. code-block:: console
+
+      # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
+
+#. Add the repository:
+
+    .. code-block:: console
+
+      # cat > /etc/yum.repos.d/elastic.repo << EOF
+      [elasticsearch-7.x]
+      name=Elasticsearch repository for 7.x packages
+      baseurl=https://artifacts.elastic.co/packages/7.x/yum
+      gpgcheck=1
+      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
+      enabled=1
+      autorefresh=1
+      type=rpm-md
+      EOF
+
+.. End of include file

build/html/_sources/main/_resources/add_repo3.rst.txt

@@ -0,0 +1,24 @@
+.. Copyright (C) 2020 OwlH.
+
+#. Import the GPG key:
+
+    .. code-block:: console
+
+      # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
+
+#. Add the repository:
+
+    .. code-block:: console
+
+      # cat > /etc/yum.repos.d/elastic.repo << EOF
+      [elasticsearch-7.x]
+      name=Elasticsearch repository for 7.x packages
+      baseurl=https://artifacts.elastic.co/packages/7.x/yum
+      gpgcheck=1
+      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
+      enabled=1
+      autorefresh=1
+      type=rpm-md
+      EOF
+
+.. End of include file

build/html/_sources/main/install/ins-owlh-node.rst.txt

@@ -7,6 +7,7 @@ install owlh node
     - install suricata
     - install zeek 
     - install wazuh
+    - connect OwlH to ELK
     - install owlh interface
     - install software tap related packets
     - configure your firewall
@@ -86,6 +87,18 @@ Check if your OwlH Node is running
     check if owlhnode service port is listening
     # netstat -nputa | grep 50002
 
+
+Deploy Suricata and Zeek
+````````````````````````
+
+Use these scripts to deploy Suricata and Zeek in your OwlH Node. Change current-centos, current-debian or current-arm as needed. 
+
+:suricata: wget repo.owlh.net/current-debian/services/owlhsuricata.sh
+:zeek: wget repo.owlh.net/current-debian/services/owlhzeek.sh
+
+Scripts will use source files to install Suricata and Zeek. After installation is done, you will need to configure both on UI.
+
+
 Register your new node in your OwlH Master
 ``````````````````````````````````````````
 

build/html/main/OwlH-elk.html

@@ -8,7 +8,7 @@
 
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
-  <title>Sync with ELK 7.x &mdash; owlh 0.17.x documentation</title>
+  <title>Sync with ELK 7.x using Wazuh &mdash; owlh 0.17.x documentation</title>
 
 
 
@@ -250,7 +250,7 @@
 
       <li><a href="../index.html">Docs</a> &raquo;</li>
 
-      <li>Sync with ELK 7.x</li>
+      <li>Sync with ELK 7.x using Wazuh</li>
 
 
       <li class="wy-breadcrumbs-aside">
@@ -269,8 +269,8 @@
           <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
            <div itemprop="articleBody">
 
-  <div class="section" id="sync-with-elk-7-x">
-<h1>Sync with ELK 7.x<a class="headerlink" href="#sync-with-elk-7-x" title="Permalink to this headline">¶</a></h1>
+  <div class="section" id="sync-with-elk-7-x-using-wazuh">
+<h1>Sync with ELK 7.x using Wazuh<a class="headerlink" href="#sync-with-elk-7-x-using-wazuh" title="Permalink to this headline">¶</a></h1>
 <div class="admonition warning">
 <p class="first admonition-title">Warning</p>
 <p class="last">Be sure you are running ELK (elasticsearch, filebeat and kibana) with version &gt;7.3.2</p>