Variables reference
Elasticsearch
- elasticsearch_cluster_name
Name of the Elasticsearch cluster
Default wazuh
- elasticsearch_node_name
Name of the Elasticsearch node
Default node-1
- elasticsearch_http_port
Elasticsearch listening port
Default 9200
- elasticsearch_network_host
Elasticsearch listening IP address
Default 127.0.0.1
- elasticsearch_jvm_xms
JVM heap size
Default null
- elastic_stack_version
Version of Elasticsearch to install
Default 5.6.3
- elasticsearch_shards
Set number of shards for indices
Default 5
- elasticsearch_replicas
Set number of replicas for indices
Default 1
Kibana
- elasticsearch_http_port
Elasticsearch node port.
Default 9200
- elasticsearch_network_host
IP address or hostname of Elasticsearch node.
Default 127.0.0.1
- kibana_server_host
Listening IP address of Kibana.
Default 0.0.0.0
- kibana_server_port
Listening port of Kibana.
Default 5601
- elastic_stack_version
Version of Kibana to install
Default 5.6.3
Logstash
- logstash_create_config
Whether to generate the Logstash configuration.
Default true
- logstash_input_beats
When set to true, Logstash is configured to use the Beats input (for Filebeat). Otherwise it uses the File input.
Default false
- elasticsearch_network_host
IP address or hostname of Elasticsearch node.
Default 127.0.0.1
- elasticsearch_http_port
Port of Elasticsearch node.
Default 9200
- elasticsearch_shards
Set number of shards for indices
Default 5
- elasticsearch_replicas
Set number of replicas for indices
Default 1
- elastic_stack_version
Version of Logstash to install
Default 5.6.3
- logstash_ssl
Use SSL between Filebeat and Logstash.
Default false
- logstash_ssl_dir
Folder where the SSL key and cert will be stored.
Default /etc/pki/logstash
- logstash_ssl_certificate_file
SSL certificate file to be copied from Ansible server to logstash server.
Default null
- logstash_ssl_key_file
SSL key file to be copied from Ansible server to logstash server.
Default null
Filebeat
- filebeat_create_config:
Whether to generate the Filebeat configuration.
Default true
- filebeat_prospectors:
Set Filebeat prospectors to fetch data.
Example:
filebeat_prospectors:
  - input_type: log
    paths:
      - "/var/ossec/logs/alerts/alerts.json"
    document_type: json
    json.message_key: log
    json.keys_under_root: true
    json.overwrite_keys: true
- filebeat_output_elasticsearch_enabled:
Send output to Elasticsearch node(s).
Default false
- filebeat_output_elasticsearch_hosts:
Elasticsearch node(s) to send output to.
Example:
filebeat_output_elasticsearch_hosts:
  - "localhost:9200"
  - "10.1.1.10:9200"
- filebeat_output_logstash_enabled:
Send output to Logstash node(s).
Default true
- filebeat_output_logstash_hosts:
Logstash node(s) to send output to.
Example:
filebeat_output_logstash_hosts:
  - "10.1.1.10:5000"
  - "10.1.1.11:5000"
- filebeat_enable_logging:
Enable/disable logging.
Default true
- filebeat_log_level:
Set filebeat log level.
Default debug
- filebeat_log_dir:
Set Filebeat log directory.
Default /var/log/mybeat
- filebeat_log_filename:
Set filebeat log filename.
Default mybeat.log
- filebeat_ssl_dir:
Set the folder containing SSL certs.
Default /etc/pki/logstash
- filebeat_ssl_certificate_file:
Set certificate filename.
Default null
- filebeat_ssl_key_file:
Set certificate key filename.
Default null
- filebeat_ssl_insecure:
Controls verification of the server certificate hostname; setting it to true skips the check.
Default false
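The Logstash and Filebeat SSL variables above only secure the channel when they are set consistently on both sides. The following group_vars fragment is an added example (not part of the Wazuh documentation or the wazuh-ansible roles); the host names, certificate paths and the vaulted placeholder are assumptions, and the control-node paths under files/certs/ are chosen for illustration only.

```yaml
# group_vars/all.yml (constructed example; host names and paths are assumptions)
elasticsearch_network_host: 10.1.1.20
elasticsearch_http_port: 9200

# --- Logstash role: accept Filebeat over TLS ---
logstash_create_config: true
logstash_input_beats: true            # Beats input, so the SSL settings below apply
logstash_ssl: true
logstash_ssl_dir: /etc/pki/logstash
# Files on the Ansible control node; the role copies them into logstash_ssl_dir
logstash_ssl_certificate_file: files/certs/logstash.crt   # assumed path
logstash_ssl_key_file: files/certs/logstash.key           # assumed path

# --- Filebeat role (on the Wazuh Manager): ship alerts.json to Logstash ---
filebeat_create_config: true
filebeat_output_logstash_enabled: true
filebeat_output_elasticsearch_enabled: false   # keep a single, TLS-protected path
filebeat_output_logstash_hosts:
  - "logstash.example.net:5000"   # the name Filebeat checks against the certificate
filebeat_ssl_dir: /etc/pki/logstash
filebeat_ssl_certificate_file: logstash.crt    # filename inside filebeat_ssl_dir
filebeat_ssl_key_file: logstash.key
filebeat_ssl_insecure: false     # leave hostname verification on; true accepts any cert
filebeat_prospectors:
  - input_type: log
    paths:
      - "/var/ossec/logs/alerts/alerts.json"
    document_type: json
    json.message_key: log
    json.keys_under_root: true
    json.overwrite_keys: true

# --- Wazuh authd password, stored with Ansible Vault as the page recommends ---
# Replace the placeholder below with the output of:
#   ansible-vault encrypt_string 'CHANGE-ME' --name authd_pass
authd_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <encrypted-string-placeholder>
```

Because Ansible replaces dictionary variables rather than merging them by default, keep wazuh_manager_config complete in one place instead of overriding only its authd block in another file.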
Wazuh Manager
- wazuh_manager_fqdn:
Set the Wazuh Manager FQDN.
Default wazuh-server
- wazuh_manager_config:
Stores the Wazuh Manager configuration.
Example:
wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: false
    port: 1515
    use_source_ip: 'no'
    force_insert: 'no'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: null
    ssl_manager_key: null
    ssl_auto_negotiate: 'no'
  email_notification: 'no'
  mail_to:
    - 'admin@example.net'
  mail_smtp_server: localhost
  mail_from: wazuh-server@example.com
  extra_emails:
    - enable: false
      mail_to: 'admin@example.net'
      format: full
      level: 7
      event_location: null
      group: null
      do_not_delay: false
      do_not_group: false
      rule_id: null
  reports:
    - enable: false
      category: 'syscheck'
      title: 'Daily report: File changes'
      email_to: 'admin@example.net'
      location: null
      group: null
      rule: null
      level: null
      srcip: null
      user: null
      showlogs: null
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
  openscap:
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  log_level: 1
  email_level: 12
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
  globals:
    - '127.0.0.1'
    - '192.168.2.1'
  commands:
    - name: 'disable-account'
      executable: 'disable-account.sh'
      expect: 'user'
      timeout_allowed: 'yes'
    - name: 'restart-ossec'
      executable: 'restart-ossec.sh'
      expect: ''
      timeout_allowed: 'no'
    - name: 'win_restart-ossec'
      executable: 'restart-ossec.cmd'
      expect: ''
      timeout_allowed: 'no'
    - name: 'firewall-drop'
      executable: 'firewall-drop.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'host-deny'
      executable: 'host-deny.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'route-null'
      executable: 'route-null.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'win_route-null'
      executable: 'route-null.cmd'
      expect: 'srcip'
      timeout_allowed: 'yes'
  active_responses:
    - command: 'restart-ossec'
      location: 'local'
      rules_id: '100002'
    - command: 'win_restart-ossec'
      location: 'local'
      rules_id: '100003'
    - command: 'host-deny'
      location: 'local'
      level: 6
      timeout: 600
  syslog_outputs:
    - server: null
      port: null
      format: null
- wazuh_agent_configs:
Stores the settings and profiles for centralized agent configuration via the Wazuh Manager.
Example:
wazuh_agent_configs:
  - type: os
    type_value: Linux
    syscheck:
      frequency: 43200
      scan_on_start: 'yes'
      auto_ignore: 'no'
      alert_new_files: 'yes'
      ignore:
        - /etc/mtab
        - /etc/mnttab
        - /etc/hosts.deny
        - /etc/mail/statistics
        - /etc/svc/volatile
      no_diff:
        - /etc/ssl/private.key
      directories:
        - dirs: /etc,/usr/bin,/usr/sbin
          checks: 'check_all="yes"'
        - dirs: /bin,/sbin
          checks: 'check_all="yes"'
    rootcheck:
      frequency: 43200
      cis_distribution_filename: null
    localfiles:
      - format: 'syslog'
        location: '/var/log/messages'
      - format: 'syslog'
        location: '/var/log/secure'
      - format: 'syslog'
        location: '/var/log/maillog'
      - format: 'apache'
        location: '/var/log/httpd/error_log'
      - format: 'apache'
        location: '/var/log/httpd/access_log'
      - format: 'apache'
        location: '/var/ossec/logs/active-responses.log'
  - type: os
    type_value: Windows
    syscheck:
      frequency: 43200
      scan_on_start: 'yes'
      auto_ignore: 'no'
      alert_new_files: 'yes'
      windows_registry:
        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
          arch: 'both'
        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
    localfiles:
      - format: 'Security'
        location: 'eventchannel'
      - format: 'System'
        location: 'eventlog'
- cdb_lists:
Configure the CDB lists used by the Wazuh Manager (located at ansible-wazuh-manager/vars/cdb_lists.yml).
Example:
cdb_lists:
  - name: 'audit-keys'
    content: |
      audit-wazuh-w:write
      audit-wazuh-r:read
      audit-wazuh-a:attribute
      audit-wazuh-x:execute
      audit-wazuh-c:command
Warning
We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.
- agentless_creeds:
Credentials and host(s) to be used by the agentless feature.
Example:
agentless_creeds:
  - type: ssh_integrity_check_linux
    frequency: 3600
    host: root@example.net
    state: periodic
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty
Warning
We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.
- wazuh_api_user:
Wazuh API credentials.
Example:
wazuh_api_user:
  - foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
  - bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1
Warning
We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.
- authd_pass:
Wazuh authd service password.
Example:
authd_pass: foobar
Wazuh Agent
- wazuh_manager_ip:
Set Wazuh Manager server IP address to be used by the agent.
Default null
- wazuh_profile:
Configure what profiles this agent will have.
Default null
Multiple profiles can be included, separated by a comma and a space, for example:
wazuh_profile: "centos7, centos7-web"
- wazuh_agent_authd:
Set the agent-authd facility. This enables or disables automatic agent registration; the remaining options must match the authd service configured on the Wazuh Manager.
wazuh_agent_authd:
  enable: false
  port: 1515
  ssl_agent_ca: null
  ssl_agent_cert: null
  ssl_agent_key: null
  ssl_auto_negotiate: 'no'
- wazuh_notify_time
Set the <notify_time> option in the agent.
Default null
- wazuh_time_reconnect
Set <time-reconnect> option in the agent.
Default null
- wazuh_winagent_config
Set the Wazuh Agent installation parameters for Windows hosts.
wazuh_winagent_config:
  install_dir: 'C:\wazuh-agent\'
  version: '2.1.1'
  revision: '2'
  repo: https://packages.wazuh.com/windows/
  md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f
- wazuh_agent_config:
Wazuh Agent related configuration.
Example:
wazuh_agent_config:
  log_format: 'plain'
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  rootcheck:
    frequency: 43200
  openscap:
    disable: 'yes'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
Warning
We recommend the use of Ansible Vault to protect authd credentials.
- authd_pass:
Wazuh authd credentials for agent registration.
Example:
authd_pass: foobar