Author: Erick Rodríguez
Email: erickrr.tbd93@gmail.com, erodriguez@tekium.mx
License: GPLv3
Application that obtains a daily inventory of hosts that report to a specific index in ElasticSearch.
Inv-Alert was born from the need for a tool that obtains a daily inventory of the equipment that ingests events into ElasticSearch, so that the reporting hosts can be inventoried and kept under better control.
For example, keeping an inventory of Windows (Winlogbeat) and/or Linux (Auditbeat) servers.
Inv-Alert also sends an alert via Telegram with the changes found between the newly obtained inventory and the previous day's. The same message carries a text file with the names of all the hosts found.
The Inv-Alert service obtains the daily inventory of a given index hosted in ElasticSearch.
Characteristics:
- Connection to ElasticSearch over HTTP or HTTPS. Validation of the SSL/TLS certificate can be enabled or disabled (disabling it leaves the connection open to interception, so keep it enabled outside of testing).
- HTTP authentication to connect to ElasticSearch (this must be enabled in the ElasticSearch cluster).
- Tested with the indices generated by Auditbeat and Winlogbeat.
- The inventory is obtained daily, at a configurable time.
- The inventory obtained is sent to a Telegram channel. The message shows the totals of hosts added and removed compared to the previous day's inventory.
- The Telegram message carries a txt attachment with the list of hosts.
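The characteristics above describe the core loop: query the index for the hosts seen in the last day, diff the result against the previous day's inventory, and report the added/removed totals plus a host list. The following is an added example of that loop, not Inv-Alert's or libPyElk's own code. It assumes (the README does not say) that the host name is in the ECS field `host.name`, which Winlogbeat and Auditbeat populate, that the timestamp is in `@timestamp`, and that the Elasticsearch responses it consumes are constructed sample data standing in for `es.search()`. The composite aggregation is used rather than a plain `terms` aggregation because it pages through every distinct host instead of truncating at a fixed bucket count.

```python
"""Added example (not Inv-Alert's or libPyElk's own code): pulling a daily host
inventory from an Elasticsearch 7.x index with a composite aggregation,
paging with ``after_key``, and diffing it against the previous day.

Assumptions not stated in the README: host names live in the ECS field
``host.name`` (what Winlogbeat and Auditbeat populate), timestamps in
``@timestamp``, and the responses below are constructed sample data.
"""

PAGE_SIZE = 2  # tiny on purpose so the constructed sample exercises paging


def build_inventory_query(field="host.name", after_key=None, page_size=PAGE_SIZE):
    """ES 7.x search body listing distinct host names seen in the last 24 h.

    size=0 drops the hits; the composite aggregation returns distinct values
    in sorted order plus an after_key for fetching the next page.
    """
    composite = {"size": page_size, "sources": [{"host": {"terms": {"field": field}}}]}
    if after_key is not None:
        composite["after"] = after_key
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": "now-24h", "lt": "now"}}},
        "aggs": {"hosts": {"composite": composite}},
    }


def collect_hosts(search, field="host.name", page_size=PAGE_SIZE):
    """Page through the aggregation. ``search`` takes a body and returns the
    decoded response; for a real cluster: lambda body: es.search(index=idx, body=body)."""
    hosts, after_key = set(), None
    while True:
        agg = search(build_inventory_query(field, after_key, page_size))["aggregations"]["hosts"]
        buckets = agg["buckets"]
        hosts.update(b["key"]["host"] for b in buckets)
        after_key = agg.get("after_key")
        if after_key is None or len(buckets) < page_size:  # last page reached
            return hosts


def diff_inventories(today, yesterday):
    """(added, removed) as sorted lists: the two totals the Telegram message reports."""
    return sorted(today - yesterday), sorted(yesterday - today)


def telegram_message(index, day, today, yesterday):
    """Plain-text alert body; the attached txt file is just sorted(today)."""
    added, removed = diff_inventories(today, yesterday)
    lines = [f"Inventory of {index} for {day}", f"Total hosts: {len(today)}",
             f"Added: {len(added)}", *[f"  + {h}" for h in added],
             f"Removed: {len(removed)}", *[f"  - {h}" for h in removed]]
    return "\n".join(lines)


# Constructed sample: two pages of a composite-aggregation response (not real cluster output).
SAMPLE_PAGES = [
    {"aggregations": {"hosts": {
        "after_key": {"host": "srv-db-01"},
        "buckets": [{"key": {"host": "srv-app-01"}, "doc_count": 4210},
                    {"key": {"host": "srv-db-01"}, "doc_count": 980}]}}},
    {"aggregations": {"hosts": {
        "after_key": {"host": "win-dc-02"},
        "buckets": [{"key": {"host": "win-dc-02"}, "doc_count": 15321}]}}},
]
YESTERDAY = {"srv-app-01", "srv-db-01", "win-dc-01"}  # constructed previous-day inventory


def fake_search(pages=SAMPLE_PAGES):
    """Stand-in for es.search that serves the constructed pages in order."""
    it = iter(pages)
    return lambda body: next(it)


def run_sample():
    today = collect_hosts(fake_search())
    added, removed = diff_inventories(today, YESTERDAY)
    return today, added, removed, telegram_message("winlogbeat-*", "2023-01-02", today, YESTERDAY)


if __name__ == "__main__":
    today, added, removed, message = run_sample()
    print(message)
    print("--- hosts.txt ---")
    print("\n".join(sorted(today)))
```

Against a real cluster the `fake_search()` stand-in is replaced by a closure over an `Elasticsearch` client, and the previous day's set is whatever the application persisted after its last run; a host that stops reporting shows up under "Removed", which is exactly the silent-agent case an inventory alert is meant to catch.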
A companion application that allows configuring Inv-Alert and managing inventories through a graphical interface.
Characteristics:
- Allows you to create and modify the Inv-Alert connection settings.
- Allows you to create, modify and delete inventories.
- Encrypts sensitive data such as passwords so that they are not stored in plain text.
- Allows you to start, restart, stop and get the status of the Inv-Alert service.
- CentOS 8, RedHat 8 or Rocky Linux 8 (so far tested only on these)
- ElasticSearch 7.x
- Python 3.6
- Python libraries:
- libPyDialog (https://github.com/erickrr-bd/libPyDialog)
- libPyElk (https://github.com/erickrr-bd/libPyElk)
- libPyTelegram (https://github.com/erickrr-bd/libPyTelegram)
- libPyLog (https://github.com/erickrr-bd/libPyLog)
- libPyUtils (https://github.com/erickrr-bd/libPyUtils)
To install or update Inv-Alert, run installer_inv_alert.sh with root privileges. The installer performs the following actions:
- Copies and creates the directories and files needed for Inv-Alert to operate.
- Creates a dedicated user and group for running Inv-Alert.
- Changes the owner of those files and directories to the user created for this purpose.
- Creates the passphrase used to encrypt and decrypt sensitive information; it is generated randomly, so it is unique to each Inv-Alert installation.
- Creates the Inv-Alert service.
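Two details of the passphrase step deserve care on an "install or update" path: the passphrase must not be regenerated when one already exists (every password encrypted under the old one would become unreadable), and the service should refuse to use a passphrase file that other users can read. The following is an added example of both, written here as illustration and not taken from the Inv-Alert installer; the file name, the 32-byte length and the startup check are assumptions, and `demo()` runs the steps in a temporary directory so it can be executed without root.

```python
"""Added example (not the Inv-Alert installer's own code): creating a
per-installation passphrase without overwriting an existing one, and a
check a service can run at startup before reading it.

Assumptions not stated in the README: the passphrase is one line in a file,
the path and the 32-byte length are illustrative, and the service user
(for chown) is supplied by the caller.
"""
import os
import pwd
import secrets
import stat
import tempfile


def create_passphrase(path, nbytes=32, owner=None):
    """Write a random passphrase with mode 0600; never replace an existing one.

    O_EXCL is what makes an "update" run safe: rotating the passphrase would
    leave every previously encrypted password undecryptable.
    Returns True if a new passphrase was written, False if one already existed.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(secrets.token_urlsafe(nbytes) + "\n")
    if owner is not None:  # hand the file to the service user, as the installer's chown step does
        pw = pwd.getpwnam(owner)
        os.chown(path, pw.pw_uid, pw.pw_gid)
    return True


def check_secret_file(path, expected_uid=None):
    """Return a list of problems; an empty list means the file is safe to read.

    Refusing to start on a group/world-readable passphrase is cheaper than
    discovering later that the stored ElasticSearch and Telegram credentials leaked.
    """
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(st.st_mode & 0o777)} allows group/other access")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_size < 16:
        problems.append("too short to be a generated passphrase")
    return problems


def read_passphrase(path, expected_uid=None):
    """Read the passphrase only after the file passes check_secret_file()."""
    problems = check_secret_file(path, expected_uid)
    if problems:
        raise PermissionError(f"{path}: " + "; ".join(problems))
    with open(path) as fh:
        return fh.read().strip()


def demo():
    """Run the installer step and the startup check in a temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "passphrase")
    first = create_passphrase(path)
    second = create_passphrase(path)  # an "update" run must not rotate it
    ok_problems = check_secret_file(path, os.getuid())
    secret = read_passphrase(path, os.getuid())
    os.chmod(path, 0o644)  # simulate a careless chmod after installation
    bad_problems = check_secret_file(path, os.getuid())
    return {"first": first, "second": second, "ok_problems": ok_problems,
            "secret_len": len(secret), "bad_problems": bad_problems}


if __name__ == "__main__":
    print(demo())
```

In a real installation `create_passphrase()` would be called with the path under the Inv-Alert directory and `owner` set to the dedicated user; the service calls `read_passphrase()` with that user's uid at startup and exits on any reported problem instead of silently working with a leaked secret.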
Tekium is a cybersecurity company based in Mexico, specialized in red team and blue team activities, with clients in the financial, telecom and retail sectors.
Tekium is an active sponsor of the project and provides commercial support in case you need it.
For integration with other platforms such as the Elastic stack, SIEMs, managed security providers or in-house solutions, or for any other request to extend the current functionality that you wish to see included in future versions, please contact us: info at tekium.mx
For more information, go to: https://www.tekium.mx/