Variables references
Elasticseach
- elasticsearch_cluster_name
Name of the Elasticsearch cluster
Default wazuh
- elasticsearch_node_name
Name of the Elasticsearch node
Default node-1
- elasticsearch_http_port
ElasticSearch listening port
Default 9200
- elasticsearch_network_host
ElasticSearch, listening ip address
Default 127.0.0.1
- elasticsearch_jvm_xms
JVM heap size
Default null
- elastic_stack_version
Version of Elasticsearch to install
Default 6.2.2
- elasticsearch_shards
Set number of shards for indices
Default 5
- elasticsearch_replicas
Set number of shards for indices
Default 1
- elasticsearch_install_java
When it's present will install Oracle Java.
Default yes
Kibana
- elasticsearch_http_port
Elasticsearch node port.
Default 9200
- elasticsearch_network_host
IP address or hostname of Elasticsearch node.
Default 127.0.0.1
- kibana_server_host
Listening IP address of Kibana.
Default 0.0.0.0
- kibana_server_port
Listening port of Kibana.
Default 5601
- elastic_stack_version
Version of Kibana to install
Default 6.2.2
- wazuh_version
Wazuh APP compatible version to install
Default 3.2.0
Logstash
- logstash_create_config
Generate or not Logstash config.
Defaults true
- logstash_input_beats
When is set to true, it will configure Logstash to use Filebeat input. Otherwise it will use File input.
Defaults false
- elasticsearch_network_host
Ip address or hostname of Elasticsearch node.
Default 127.0.0.1
- elasticsearch_http_port
Port of Elasticsearch node.
Default 9200
- elasticsearch_shards
Set number of shards for indices
Default 5
- elasticsearch_replicas
Set number of shards for indices
Default 1
- elastic_stack_version
Version of Logstash to install
Default 6.2.2
- logstash_ssl
Using ssl between filebeat and logstash
Default false
- logstash_ssl_dir
Folder where the SSL key and cert will be stored.
Default /etc/pki/logstash
- logstash_ssl_certificate_file
SSL certificate file to be copied from Ansible server to logstash server.
Default null
- logstash_ssl_key_file
SSL key file to be copied from Ansible server to logstash server.
Default null
- logstash_install_java
When it's present will install Oracle Java.
Default yes
Filebeat
- filebeat_create_config:
Generate or not Filebeat config.
Default true
- filebeat_prospectors:
Set filebeat propectors to fetch data.
Example:
filebeat_prospectors: - input_type: log paths: - "/var/ossec/logs/alerts/alerts.json" document_type: json json.message_key: log json.keys_under_root: true json.overwrite_keys: true
- filebeat_output_elasticsearch_enabled:
Send output to Elasticsearch node(s).
Default false
- filebeat_output_elasticsearch_hosts:
Elasticsearch node(s) to send output.
Example:
filebeat_output_elasticsearch_hosts: - "localhost:9200" - "10.1.1.10:9200"
- filebeat_output_logstash_enabled:
Send output to Logstash node(s).
Default true
- filebeat_output_logstash_hosts:
Logstash node(s) to send output.
Example:
filebeat_output_logstash_hosts: - "10.1.1.10:5000" - "10.1.1.11:5000"
- filebeat_enable_logging:
Enable/disable logging.
Default true
- filebeat_log_level:
Set filebeat log level.
Default debug
- filebeat_log_dir:
Set filebeat log directory.
Default: /var/log/mybeat
- filebeat_log_filename:
Set filebeat log filename.
Default mybeat.log
- filebeat_ssl_dir:
Set the folder containing SSL certs.
Default /etc/pki/logstash
- filebeat_ssl_certificate_file:
Set certificate filename.
Default null
- filebeat_ssl_key_file:
Set certificate key filename.
Default null
- filebeat_ssl_insecure:
Verify validity of the server certificate hostname.
Default false
Wazuh Manager
- wazuh_manager_fqdn:
Set Wazuh Manager fqdn hostname.
Default wazuh-server
- wazuh_manager_config:
This store the Wazuh Manager configuration.
Example:
wazuh_manager_config: json_output: 'yes' alerts_log: 'yes' logall: 'no' log_format: 'plain' cluster: disable: 'yes' name: 'wazuh' node_name: 'manager_01' node_type: 'master' key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' interval: '2m' port: '1516' bind_addr: '0.0.0.0' nodes: - '172.17.0.2' - '172.17.0.3' - '172.17.0.4' hidden: 'no' connection: - type: 'secure' port: '1514' protocol: 'tcp' authd: enable: true port: 1515 use_source_ip: 'yes' force_insert: 'yes' force_time: 0 purge: 'no' use_password: 'no' ssl_agent_ca: null ssl_verify_host: 'no' ssl_manager_cert: '/var/ossec/etc/sslmanager.cert' ssl_manager_key: '/var/ossec/etc/sslmanager.key' ssl_auto_negotiate: 'no' email_notification: 'no' mail_to: - 'admin@example.net' mail_smtp_server: localhost mail_from: wazuh-server@example.com extra_emails: - enable: false mail_to: 'admin@example.net' format: full level: 7 event_location: null group: null do_not_delay: false do_not_group: false rule_id: null reports: - enable: false category: 'syscheck' title: 'Daily report: File changes' email_to: 'admin@example.net' location: null group: null rule: null level: null srcip: null user: null showlogs: null syscheck: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' ignore: - /etc/mtab - /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin checks: 'check_all="yes"' - dirs: /bin,/sbin checks: 'check_all="yes"' rootcheck: frequency: 43200 openscap: disable: 'no' timeout: 1800 interval: '1d' scan_on_start: 'yes' cis_cat: disable: 'yes' install_java: 'yes' timeout: 1800 interval: '1d' scan_on_start: 'yes' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' ciscat_path: '/var/ossec/wodles/ciscat' content: - type: 'xccdf' path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' vuls: disable: 'yes' interval: '1d' run_on_start: 'yes' args: - 'mincvss 5' - 'antiquity-limit 20' - 'updatenvd' - 'nvd-year 2016' - 'autoupdate' log_level: 1 email_level: 12 localfiles: - format: 'syslog' location: '/var/log/messages' - format: 'syslog' location: '/var/log/secure' - format: 'command' command: 'df -P' frequency: '360' - format: 'full_command' command: 'netstat -tln | grep -v 127.0.0.1 | sort' frequency: '360' - format: 'full_command' command: 'last -n 20' frequency: '360' globals: - '127.0.0.1' - '192.168.2.1' commands: - name: 'disable-account' executable: 'disable-account.sh' expect: 'user' timeout_allowed: 'yes' - name: 'restart-ossec' executable: 'restart-ossec.sh' expect: '' timeout_allowed: 'no' - name: 'win_restart-ossec' executable: 'restart-ossec.cmd' expect: '' timeout_allowed: 'no' - name: 'firewall-drop' executable: 'firewall-drop.sh' expect: 'srcip' timeout_allowed: 'yes' - name: 'host-deny' executable: 'host-deny.sh' expect: 'srcip' timeout_allowed: 'yes' - name: 'route-null' executable: 'route-null.sh' expect: 'srcip' timeout_allowed: 'yes' - name: 'win_route-null' executable: 'route-null.cmd' expect: 'srcip' timeout_allowed: 'yes' active_responses: - command: 'restart-ossec' location: 'local' rules_id: '100002' - command: 'win_restart-ossec' location: 'local' rules_id: '100003' - command: 'host-deny' location: 'local' level: 6 timeout: 600 syslog_outputs: - server: null port: null format: null
- wazuh_agent_configs:
This store the different settings and profiles for centralized agent configuration via Wazuh Manager.
Example:
- type: os type_value: Linux syscheck: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' ignore: - /etc/mtab - /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/svc/volatile no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin checks: 'check_all="yes"' - dirs: /bin,/sbin checks: 'check_all="yes"' rootcheck: frequency: 43200 cis_distribution_filename: null localfiles: - format: 'syslog' location: '/var/log/messages' - format: 'syslog' location: '/var/log/secure' - format: 'syslog' location: '/var/log/maillog' - format: 'apache' location: '/var/log/httpd/error_log' - format: 'apache' location: '/var/log/httpd/access_log' - format: 'apache' location: '/var/ossec/logs/active-responses.log' - type: os type_value: Windows syscheck: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' arch: 'both' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' localfiles: - format: 'Security' location: 'eventchannel' - format: 'System' location: 'eventlog'
- cdb_lists:
Configure CDB lists used by the Wazuh Manager (located at
ansible-wazuh-manager/vars/cdb_lists.yml
).Example:
cdb_lists: - name: 'audit-keys' content: | audit-wazuh-w:write audit-wazuh-r:read audit-wazuh-a:attribute audit-wazuh-x:execute audit-wazuh-c:command
Warning
We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.
- agentless_creeds:
Credentials and host(s) to be used by agentless feature.
Example:
agentless_creeds: - type: ssh_integrity_check_linux frequency: 3600 host: root@example.net state: periodic arguments: '/bin /etc/ /sbin' passwd: qwerty
Warning
We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.
- wazuh_api_user:
Wazuh API credentials.
Example:
wazuh_api_user: - foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/ - bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1
Warning
We recommend the use of Ansible Vault to protect Wazuh, agentless and authd credentials.
- authd_pass:
Wazuh authd service password.
Example:
authd_pass: foobar
Wazuh Agent
- wazuh_managers:
Set Wazuh Manager servers IP address, protocol, and port to be used by the agent.
Example:
wazuh_managers: - address: 172.16.24.56 protocol: udp - address: 192.168.10.15 port: 1514 protocol: tcp
- wazuh_profile:
Configure what profiles this agent will have.
Default null
Multiple profiles can be included, separated by a comma and a space, for example:
wazuh_profile: "centos7, centos7-web"
- wazuh_agent_authd:
Set the agent-authd facility. This will enable or not the automatic agent registration, you could set various options in accordance of the authd service configured in the Wazuh Manager. Be aware that this Ansible role will use the first Wazuh Manager address defined on wazuh_managers as the authd registration server.
wazuh_agent_authd: enable: false port: 1515 ssl_agent_ca: null ssl_agent_cert: null ssl_agent_key: null ssl_auto_negotiate: 'no'
- wazuh_notify_time
Set the <notify_time> option in the agent.
Default null
- wazuh_time_reconnect
Set <time-reconnect> option in the agent.
Default null
- wazuh_winagent_config
Set the Wazuh Agent installation regarding Windows hosts.
install_dir: 'C:\wazuh-agent\' version: '2.1.1' revision: '2' repo: https://packages.wazuh.com/windows/ md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f
- wazuh_agent_config:
Wazuh Agent related configuration.
Example:
log_format: 'plain' syscheck: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' ignore: - /etc/mtab - /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin checks: 'check_all="yes"' - dirs: /bin,/sbin checks: 'check_all="yes"' windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' arch: 'both' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' rootcheck: frequency: 43200 openscap: disable: 'yes' timeout: 1800 interval: '1d' scan_on_start: 'yes' cis_cat: disable: 'yes' install_java: 'yes' timeout: 1800 interval: '1d' scan_on_start: 'yes' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' ciscat_path: '/var/ossec/wodles/ciscat' content: - type: 'xccdf' path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' vuls: disable: 'yes' interval: '1d' run_on_start: 'yes' args: - 'mincvss 5' - 'antiquity-limit 20' - 'updatenvd' - 'nvd-year 2016' - 'autoupdate' localfiles: - format: 'syslog' location: '/var/log/messages' - format: 'syslog' location: '/var/log/secure' - format: 'command' command: 'df -P' frequency: '360' - format: 'full_command' command: 'netstat -tln | grep -v 127.0.0.1 | sort' frequency: '360' - format: 'full_command' command: 'last -n 20' frequency: '360'
Warning
We recommend the use of Ansible Vault to protect authd credentials.
- authd_pass:
Wazuh authd credentials for agent registration.
Example:
authd_pass: foobar