elasticsearch datastream configuration and normalize indexes and elastalert detection

Author: codeyourweb

config/docker-config/backend-entrypoint.sh

@@ -30,7 +30,6 @@ setup_symfony() {
     
     rm -rf /var/www/html/var/cache
     rm -rf /var/www/html/public/bundles
-    rm -rf /detection-rules/elastalert/*
     
 
     if ! check_composer_changes || [ ! -d "/var/www/html/vendor" ] || [ ! -f "/var/www/html/vendor/autoload.php" ]; then

config/elastalert/defaults.yml

@@ -1,50 +1,43 @@
 # Default shared configuration for all Elastalert rules
 # This file can be imported in other rules with "import:" 
 
-# Elasticsearch connection parameters
-es_conn_timeout: 30
-max_query_size: 1000
-
-# Timing parameters
-buffer_time:
-  minutes: 1
-realert:
-  minutes: 1
-
 # Index parameters
 use_strftime_index: false
 timestamp_field: '@timestamp'
-
+aggregation:
+    minutes: 1
+aggregation_key: '@timestamp'
 # Alert parameters
-priority: 1
+priority: 4
 type: any
+index: 'sentinelkit*'
 
 # Fields to include in alerts
 include:
   - _index
   - _id
   - '@timestamp'
-  - source
-  - message
 
-# Default alert template
+# Default alert template with reliable metadata  
 alert_text: |
-  🚨 Sentinel-Kit Alert
-  =====================
-  Rule: {rule_name}
+  Sentinel-Kit Security Alert
+  ==============================
   Index: {0}
   Document ID: {1}
-  Timestamp: {2}
-  Source: {3}
-  Message: {4}
   
 alert_text_args:
   - _index
   - _id
   - '@timestamp'
-  - source
-  - message
 
-# Configuration for debug alerts
+# Configuration for debug alerter with full metadata display
 alert:
-  - debug
+  - debug
+
+include_rule_params_in_matches:
+  - name
+  - description
+  - filter
+  - priority
+
+alert_subject: "Sentinel-Kit Alert: {0}"

config/elastalert/elastalert_config.yml

@@ -14,47 +14,7 @@ alert_time_limit:
   days: 2
 prometheus_port: 9091
 prometheus_host: 0.0.0.0
-
 es_conn_timeout: 60
 max_query_size: 10000
-max_aggregation: 10000
+max_aggregation: 1000
 scroll_keepalive: 1m
-
-# Default configuration for all rules
-global_defaults:
-  # Elasticsearch connection
-  es_conn_timeout: 30
-  max_query_size: 1000
-  
-  # Timing
-  buffer_time:
-    minutes: 1
-  realert:
-    minutes: 1
-    
-  # Index settings
-  use_strftime_index: false
-  timestamp_field: '@timestamp'
-  
-  # Alert settings
-  priority: 1
-  type: any
-  
-  # Fields to include in alerts
-  include:
-    - _index
-    - _id
-    - '@timestamp'
-    
-  # Default alert template
-  alert_text: |
-    Sentinel-Kit Alert
-    Rule: {rule_name}
-    Index: {0}
-    Document ID: {1}
-    Timestamp: {2}
-    
-  alert_text_args:
-    - _index
-    - _id
-    - '@timestamp'

config/elasticsearch/ca-setup.sh config/elasticsearch/es-setup.shconfig/elasticsearch/ca-setup.sh renamed to config/elasticsearch/es-setup.sh

@@ -51,4 +51,40 @@ echo "Waiting for Elasticsearch availability";
 until curl -s --cacert config/certs/ca/ca.crt https://sentinel-kit-db-elasticsearch-es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
 echo "Setting kibana_system password";
 until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTICSEARCH_PASSWORD}" -H "Content-Type: application/json" https://sentinel-kit-db-elasticsearch-es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"s3nt1n3lkit_k1b4n4_syst3m_p4sswd\"}" | grep -q "^{}"; do sleep 10; done;
+
+echo "Creating sentinelkit-logs index template with higher priority";
+curl -s -X PUT --cacert config/certs/ca/ca.crt -u "elastic:${ELASTICSEARCH_PASSWORD}" \
+  -H "Content-Type: application/json" \
+  https://sentinel-kit-db-elasticsearch-es01:9200/_index_template/sentinelkit-logs \
+  -d '{
+    "index_patterns": ["sentinelkit-*"],
+    "priority": 300,
+    "data_stream": {},
+    "template": {
+      "settings": {
+        "index.lifecycle.name": "logs"
+      }
+    },
+    "composed_of": ["logs@settings", "logs@mappings", "ecs@mappings"]
+  }';
+
+echo "Sentinelkit logs template created successfully";
+
+echo "Waiting for Kibana availability";
+until curl -s http://sentinel-kit-utils-kibana:5601/api/status | grep -q '"level":"available"'; do sleep 10; done;
+
+echo "Creating Kibana data view for sentinelkit-* logs";
+curl -s -X POST "http://sentinel-kit-utils-kibana:5601/api/data_views/data_view" \
+  -H "Content-Type: application/json" \
+  -H "kbn-xsrf: true" \
+  -u "elastic:${ELASTICSEARCH_PASSWORD}" \
+  -d '{
+    "data_view": {
+      "title": "sentinelkit-*",
+      "name": "Sentinel-Kit Logs",
+      "timeFieldName": "@timestamp"
+    }
+  }';
+
+echo "Kibana data view created successfully";
 echo "All done!"

config/fluentbit_server/logs-auditd.conf

@@ -22,7 +22,7 @@
     Port         9200
     Buffer_Size   5M
     Logstash_Format     On
-    Logstash_Prefix     ingest-auditd
+    Logstash_Prefix     sentinelkit-ingest-auditd
     Logstash_DateFormat %Y.%m.%d
     Type         _doc
     Time_Key     @timestamp

config/fluentbit_server/logs-csv.conf

@@ -33,7 +33,7 @@
     Port         9200
     Buffer_Size   5M
     Logstash_Format     On
-    Logstash_Prefix     ingest-csv
+    Logstash_Prefix     sentinelkit-ingest-csv
     Logstash_DateFormat %Y.%m.%d
     Type         _doc
     Time_Key     @timestamp

config/fluentbit_server/logs-evtx.conf

@@ -33,7 +33,7 @@
     Port         9200
     Buffer_Size   5M
     Logstash_Format     On
-    Logstash_Prefix     ingest-evtx
+    Logstash_Prefix     sentinelkit-ingest-evtx
     Logstash_DateFormat %Y.%m.%d
     Type         _doc
     Time_Key     @timestamp

config/fluentbit_server/set_target_index.lua

@@ -2,7 +2,7 @@ function set_target_index(tag, timestamp, record)
     local exit_code = 0
 
     if record["target_index"] == nil then
-        record["target_index"] = "undefined-index"
+        record["target_index"] = "sentinelkit-undefined-index"
         exit_code = 1
     end
 

docker-compose.yml

@@ -228,9 +228,9 @@ services:
     restart: on-failure
     volumes:
       -  sentinel-kit_certificates_elasticsearch:/usr/share/elasticsearch/config/certs
-      - ./config/elasticsearch/ca-setup.sh:/usr/share/elasticsearch/ca-setup.sh:ro
+      - ./config/elasticsearch/es-setup.sh:/usr/share/elasticsearch/es-setup.sh:ro
     user: "0"
-    command: 'sh -c "/usr/share/elasticsearch/ca-setup.sh"'
+    command: 'sh -c "/usr/share/elasticsearch/es-setup.sh"'
     environment:
       - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}
       - ELASTICSEARCH_CLUSTER_MODE=${ELASTICSEARCH_CLUSTER_MODE}

launcher.ps1

@@ -301,9 +301,14 @@ switch ($Command.ToLower()) {
         $serviceMap = @{
             'backend' = 'sentinel-kit-app-backend'
             'frontend' = 'sentinel-kit-app-frontend'
-            'mysql' = 'sentinel-kit-mysql'
-            'elasticsearch' = 'sentinel-kit-elasticsearch'
-            'kibana' = 'sentinel-kit-kibana'
+            'mysql' = 'sentinel-kit-db-mysql'
+            'elasticsearch' = 'sentinel-kit-db-elasticsearch-es01'
+            'kibana' = 'sentinel-kit-utils-kibana'
+            'scanner' = 'sentinel-kit-server-rules-scanner'
+            'forwarder' = 'sentinel-kit-server-fluentbit'
+            'caddy' = 'sentinel-kit-server-caddy'
+            'grafana' = 'sentinel-kit-utils-grafana'
+            'prometheus' = 'sentinel-kit-utils-prometheus'
         }
 
         if ($ServiceName) {