add functional for reading log files

env.sh

@@ -18,6 +18,8 @@ export INSTALL_WAZUH=yes
 export WAZUH_USER=foo
 export WAZUH_PWD=bar
 
+export INSTALL_FILEBEAT=yes
+
 # NOTE! settings for connection between collector and broker (alertflex controller)
 export AMQ_HOST=af-ctrl
 export AMQ_USER=client

install_centos7.sh

@@ -133,10 +133,15 @@ EOF'
 	sudo sed -i "s/_wazuh_user/$WAZUH_USER/g" /etc/alertflex/alertflex.yaml
 	sudo sed -i "s/_wazuh_pwd/$WAZUH_PWD/g" /etc/alertflex/alertflex.yaml
 
-	echo "*** installation filebeat***"
+fi
+
+if [ $INSTALL_FILEBEAT == yes ]
+then
+    echo "*** installation filebeat***"
 	curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.1-x86_64.rpm
 	sudo rpm -vi filebeat-6.5.1-x86_64.rpm
 	sudo cp ./configs/filebeat.yml /etc/filebeat/
 	sudo systemctl enable filebeat
 fi
+
 cd ..

install_ubuntu16.sh

@@ -122,14 +122,18 @@ then
 	sudo sed -i "s/_wazuh_user/$WAZUH_USER/g" /etc/alertflex/alertflex.yaml
 	sudo sed -i "s/_wazuh_pwd/$WAZUH_PWD/g" /etc/alertflex/alertflex.yaml
 
-	echo "*** installation filebeat***"
+fi
+
+if [ $INSTALL_FILEBEAT == yes ]
+then
+    echo "*** installation filebeat***"
 	sudo apt-get update
 	curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.2-amd64.deb
 	sudo dpkg -i filebeat-6.2.2-amd64.deb
 	sudo cp ./configs/filebeat.yml /etc/filebeat/
 	sudo systemctl enable filebeat
-
 fi
+
 cd ..
 
 

src/cobject.cpp

@@ -40,6 +40,13 @@ char CollectorObject::wazuh_pwd[OS_HEADER_SIZE];
 
 bool CollectorObject::wazuhServerStatus;
 
+char CollectorObject::suri_log[OS_BUFFER_SIZE]; 
+bool CollectorObject::surilog_status;
+char CollectorObject::wazuh_log[OS_BUFFER_SIZE];
+bool CollectorObject::wazuhlog_status;
+char CollectorObject::modsec_log[OS_BUFFER_SIZE];
+bool CollectorObject::modseclog_status;
+
 char CollectorObject::suri_path[OS_BUFFER_SIZE];
 char CollectorObject::suri_rules[OS_BUFFER_SIZE];
 char CollectorObject::suri_iprep[OS_BUFFER_SIZE];
@@ -171,17 +178,21 @@ int CollectorObject::GetConfig() {
     if (!strcmp (remote_upload, "false")) { 
         uploadStatus = false;
         SysLog("config file notification: remote upload of filters, rules and configs disabled");
-        return 1;
     }
-    strncpy(remote_upload, (char*) cy->getParameter("remote_upload").c_str(), sizeof(remote_upload));
-    if (!strcmp (remote_upload, "false")) {
+
+    if (!strcmp (remote_upload, "")) { 
         uploadStatus = false;
         SysLog("config file notification: remote upload of filters, rules and configs disabled");
-        return 1;
     }
 
     cy = new ConfigYaml( "sources");
 
+    cy->addKey("suri_log");
+
+    cy->addKey("wazuh_log");
+
+    cy->addKey("modsec_log");
+
     cy->addKey("suri_path");
 
     cy->addKey("suri_rules");
@@ -202,49 +213,67 @@ int CollectorObject::GetConfig() {
 
     cy->ParsConfig();
 
-    strncpy(suri_path, (char*) cy->getParameter("suri_path").c_str(), sizeof(suri_path));
-    if (!strcmp (suri_path, "none")) { 
-        SysLog("config file notification: remote update disabled, missing suri_path");
-    }
-
-    strncpy(suri_rules, (char*) cy->getParameter("suri_rules").c_str(), sizeof(suri_rules));
-    if (!strcmp (suri_rules, "none")) { 
-        SysLog("config file notification: remote update disabled, missing suri_rules");
-    }
-
-    strncpy(suri_iprep, (char*) cy->getParameter("suri_iprep").c_str(), sizeof(suri_iprep));
-    if (!strcmp (suri_iprep, "none")) { 
-        SysLog("config file notification: remote update disabled, missing suri_iprep");
-    }
-
-    strncpy(wazuh_path, (char*) cy->getParameter("wazuh_path").c_str(), sizeof(wazuh_path));
-    if (!strcmp (wazuh_path, "none")) { 
-        SysLog("config file notification: remote update disabled, missing wazuh_path");
-    }
-
-    strncpy(wazuh_rules, (char*) cy->getParameter("wazuh_rules").c_str(), sizeof(wazuh_rules));
-    if (!strcmp (wazuh_rules, "none")) { 
-        SysLog("config file notification: remote update disabled, missing wazuh_rules");
-    }
-
-    strncpy(wazuh_iprep, (char*) cy->getParameter("wazuh_iprep").c_str(), sizeof(wazuh_iprep));
-    if (!strcmp (wazuh_iprep, "none")) { 
-        SysLog("config file notification: remote update disabled, missing wazuh_iprep");
+    strncpy(suri_log, (char*) cy->getParameter("suri_log").c_str(), sizeof(suri_log));
+    if (!strcmp (suri_log, "none")) { 
+        surilog_status = false;
     }
 
-    strncpy(modsec_path, (char*) cy->getParameter("modsec_path").c_str(), sizeof(modsec_path));
-    if (!strcmp (modsec_path, "none")) { 
-        SysLog("config file notification: remote update disabled, missing modsec_path");
+    strncpy(wazuh_log, (char*) cy->getParameter("wazuh_log").c_str(), sizeof(wazuh_log));
+    if (!strcmp (wazuh_log, "none")) { 
+        wazuhlog_status = false;
     }
 
-    strncpy(modsec_rules, (char*) cy->getParameter("modsec_rules").c_str(), sizeof(modsec_rules));
-    if (!strcmp (modsec_rules, "none")) { 
-        SysLog("config file notification: remote update disabled, missing modsec_rules");
+    strncpy(modsec_log, (char*) cy->getParameter("modsec_log").c_str(), sizeof(modsec_log));
+    if (!strcmp (modsec_log, "none")) { 
+        modseclog_status = false;
     }
 
-    strncpy(modsec_iprep, (char*) cy->getParameter("modsec_iprep").c_str(), sizeof(modsec_iprep));
-    if (!strcmp (modsec_iprep, "none")) { 
-        SysLog("config file notification: remote update disabled, missing modsec_iprep");
+    if (uploadStatus) {
+
+        strncpy(suri_path, (char*) cy->getParameter("suri_path").c_str(), sizeof(suri_path));
+        if (!strcmp (suri_path, "none")) { 
+            SysLog("config file notification: remote update disabled, missing suri_path");
+        }
+
+        strncpy(suri_rules, (char*) cy->getParameter("suri_rules").c_str(), sizeof(suri_rules));
+        if (!strcmp (suri_rules, "none")) { 
+            SysLog("config file notification: remote update disabled, missing suri_rules");
+        }
+
+        strncpy(suri_iprep, (char*) cy->getParameter("suri_iprep").c_str(), sizeof(suri_iprep));
+        if (!strcmp (suri_iprep, "none")) { 
+            SysLog("config file notification: remote update disabled, missing suri_iprep");
+        }
+
+        strncpy(wazuh_path, (char*) cy->getParameter("wazuh_path").c_str(), sizeof(wazuh_path));
+        if (!strcmp (wazuh_path, "none")) { 
+            SysLog("config file notification: remote update disabled, missing wazuh_path");
+        }
+
+        strncpy(wazuh_rules, (char*) cy->getParameter("wazuh_rules").c_str(), sizeof(wazuh_rules));
+        if (!strcmp (wazuh_rules, "none")) { 
+            SysLog("config file notification: remote update disabled, missing wazuh_rules");
+        }
+
+        strncpy(wazuh_iprep, (char*) cy->getParameter("wazuh_iprep").c_str(), sizeof(wazuh_iprep));
+        if (!strcmp (wazuh_iprep, "none")) { 
+            SysLog("config file notification: remote update disabled, missing wazuh_iprep");
+        }
+
+        strncpy(modsec_path, (char*) cy->getParameter("modsec_path").c_str(), sizeof(modsec_path));
+        if (!strcmp (modsec_path, "none")) { 
+            SysLog("config file notification: remote update disabled, missing modsec_path");
+        }
+
+        strncpy(modsec_rules, (char*) cy->getParameter("modsec_rules").c_str(), sizeof(modsec_rules));
+        if (!strcmp (modsec_rules, "none")) { 
+            SysLog("config file notification: remote update disabled, missing modsec_rules");
+        }
+
+        strncpy(modsec_iprep, (char*) cy->getParameter("modsec_iprep").c_str(), sizeof(modsec_iprep));
+        if (!strcmp (modsec_iprep, "none")) { 
+            SysLog("config file notification: remote update disabled, missing modsec_iprep");
+        }
     }
 
     return 1;

src/cobject.h

@@ -39,6 +39,13 @@ class CollectorObject {
     static char wazuh_pwd[OS_HEADER_SIZE];
 
     static bool wazuhServerStatus;
+
+    static char suri_log[OS_BUFFER_SIZE]; 
+    static bool surilog_status;
+    static char wazuh_log[OS_BUFFER_SIZE];
+    static bool wazuhlog_status;
+    static char modsec_log[OS_BUFFER_SIZE];
+    static bool modseclog_status;
 
     static char suri_path[OS_BUFFER_SIZE]; 
     static char suri_rules[OS_BUFFER_SIZE];
@@ -64,6 +71,9 @@ class CollectorObject {
         wazuhServerStatus = true;
         arStatus = true;
         uploadStatus = true;
+        surilog_status = true;
+        wazuhlog_status = true;
+        modseclog_status = true;
         timezone = 0;
         log_size = 0;
         startup_timer = 0;

src/etc/alertflex.yaml

@@ -46,36 +46,43 @@ collector:
 
 sources:
   # redis list for metrics from ElasticStack Metricbeat  
-  metricbeat: "altprobe_metrics"
+  metric: "altprobe_metrics"
+
   # redis list for events from Altprobe clients 
   misc: "altprobe_misc"
+
+  # nginx/modsecurity log file - /var/log/nginx/error.log
+  modsec_log: "none"
   # redis list for events from Modsecurity WAF
-  modsec: "altprobe_waf"
-  # redis list for events from Suricata IDS 
-  suricata: "altprobe_nids"
-  # redis list for events from Wazuh IDS/OSSEC 
-  wazuh: "altprobe_hids"
+  modsec_redis: "altprobe_waf"
 
+  # suricata log file - /var/log/suricata/eve.json
+  suri_log: "none"
+  # redis list for events from Suricata IDS
+  suri_redis: "altprobe_nids"
+
+  # wazuh log file - /var/ossec/logs/alerts/alerts.json
+  wazuh_log: "/var/ossec/logs/alerts/alerts.json"  
+  # redis list for events from Wazuh IDS/OSSEC
+  wazuh_redis: "altprobe_hids"
+
   # modsec_path: "/etc/nginx/modsec/"
   # modsec_iprep: "owasp-modsecurity-crs-3.0.2/rules/"
   # modsec_rules: "owasp-modsecurity-crs-3.0.2/rules/"
-
   modsec_path: "none"
   modsec_iprep: "none"
   modsec_rules: "none"
 
   suri_path: "/etc/suricata/"
   suri_iprep: "iprep/"
   suri_rules: "rules/"
-
   # suri_path: "none"
   # suri_iprep: "none"
   # suri_rules: "none"
 
   wazuh_path: "/var/ossec/"
   wazuh_iprep: "etc/lists/"
   wazuh_rules: "ruleset/rules/"
-
   # wazuh_path: "none"
   # wazuh_iprep: "none"
   # wazuh_rules: "none"