Merge pull request #36 from Fortiphyd/add-wazuh-siem

Add wazuh siem

Author: djformby

README.md

@@ -36,7 +36,7 @@ this is for you.
 * **End-to-end OT / ICS security lab** — PLCs, HMIs, engineering workstations, routers, and attacker tools
 * **3D process visualization** — watch tank levels and valves respond in real time
 * **Virtual Walkthroughs** — explore the warehouse in first person, observing physical layouts and security lapses 
-* **Built-in attack & defense tools** — Kali Linux, MITRE Caldera, and a custom firewall and Suricata IDS interface
+* **Built-in attack & defense tools** — Kali Linux, MITRE Caldera, a custom firewall and Suricata IDS interface, and an optional Wazuh SIEM
 * **Modular, containerized design** — launch everything with a single `docker compose up`
 * **Realistic networking** — segmented process and enterprise zones with controllable traffic flow
 
@@ -183,6 +183,23 @@ you should see the 3D chemical plant simulation come to life.
   docker compose start
   ```
 
+### Optional: Wazuh SIEM
+
+Wazuh is disabled by default (it adds ~3–4 GB and significant startup time). To include it:
+
+```bash
+docker compose --profile siem up -d
+```
+
+To stop it later, make sure to include the profile in the down command:
+
+```bash
+docker compose --profile siem down
+```
+
+Once running, the Wazuh dashboard is available at [http://localhost:5601](http://localhost:5601) (`admin` / `admin`).
+Agents installed on the router and ScadaLTS containers will automatically connect and begin forwarding logs.
+
 ---
 
 ## Core Containers & Access Points
@@ -196,6 +213,7 @@ you should see the 3D chemical plant simulation come to life.
 | **PLC (OpenPLC)**           | [http://localhost:8080](http://localhost:8080) or `192.168.95.2:8080`   | `openplc : openplc`   | Programmable logic controller             |
 | **HMI**                     | [http://localhost:6081](http://localhost:6081) or `192.168.90.107:8080` | `admin : admin`       | Operator interface                        |
 | **Router / Firewall UI**    | `192.168.90.200:5000` or `192.168.95.200:5000`                          | `admin : password`    | View or modify firewall rules             |
+| **Wazuh SIEM** *(optional)* | [http://localhost:5601](http://localhost:5601)                           | `admin : admin`       | SIEM dashboard — security events, alerts  |
 
 
 ---

docker-compose.yml

@@ -136,6 +136,28 @@ services:
       c-dmz-net:
         ipv4_address: 192.168.90.250
 
+  wazuh:
+    profiles: [siem]
+    image: fortiphyd/grfics-wazuh
+    container_name: wazuh
+    hostname: wazuh
+    build: ./wazuh
+    restart: unless-stopped
+    ports:
+      - "1514:1514"     # Wazuh agent enrollment
+      - "1515:1515"     # Wazuh agent communication
+      - "55000:55000"   # Wazuh REST API
+      - "5601:5601"     # Dashboard HTTP
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - wazuh_manager_data:/var/ossec
+      - wazuh_indexer_data:/var/lib/wazuh-indexer
+    networks:
+      a-grfics-admin:
+      c-dmz-net:
+        ipv4_address: 192.168.90.20
+
 networks:
   b-ics-net:
     driver: macvlan
@@ -166,3 +188,7 @@ volumes:
     name: plc_volume
   router_config:
     name: router_config
+  wazuh_manager_data:
+    name: wazuh_manager_data
+  wazuh_indexer_data:
+    name: wazuh_indexer_data

router/Dockerfile

@@ -18,6 +18,27 @@ RUN apt-get update && apt-get install -y supervisor suricata && \
 # Enable IP forwarding
 RUN echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
 
+# Fake systemctl so wazuh-agent postinstall doesn't fail
+RUN printf '#!/bin/bash\necho "[fake-systemctl] $@"\nexit 0\n' \
+    > /usr/local/bin/systemctl && chmod +x /usr/local/bin/systemctl
+
+# Install Wazuh agent
+RUN apt-get update && apt-get install -y --no-install-recommends gnupg \
+    && curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
+       | gpg --no-default-keyring \
+         --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import \
+    && chmod 644 /usr/share/keyrings/wazuh.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
+       https://packages.wazuh.com/4.x/apt/ stable main" \
+       > /etc/apt/sources.list.d/wazuh.list \
+    && apt-get update \
+    && WAZUH_MANAGER=192.168.90.20 WAZUH_AGENT_NAME=router apt-get install -y wazuh-agent \
+    && rm -rf /var/lib/apt/lists/*
+
+# Tell the agent to monitor Suricata alerts-only EVE log
+RUN sed -i 's|</ossec_config>|<localfile>\n    <log_format>json</log_format>\n    <location>/var/log/suricata/alerts.json</location>\n  </localfile>\n</ossec_config>|' \
+    /var/ossec/etc/ossec.conf
+
 COPY entrypoint.sh /entrypoint.sh
 COPY app.py /opt/fwui/app.py
 COPY index.html /opt/fwui/templates/index.html
@@ -27,6 +48,10 @@ COPY ids.html /opt/fwui/templates/ids.html
 COPY base.html /opt/fwui/templates/base.html
 COPY router.conf /etc/supervisor/conf.d/router.conf
 COPY suricata.yaml /etc/suricata/suricata.yaml
+
+# Add DigitalBond Quickdraw ICS/SCADA detection rules
+RUN curl -fsSL https://raw.githubusercontent.com/digitalbond/Quickdraw-Snort/refs/heads/master/all-quickdraw.rules \
+    -o /etc/suricata/rules/quickdraw.rules
 COPY ulogd.conf /etc/ulogd.conf
 
 

router/entrypoint.sh

@@ -9,5 +9,11 @@ iptables -P FORWARD ACCEPT
 ip -c addr
 ip route show
 
+if getent hosts wazuh >/dev/null 2>&1; then
+    /var/ossec/bin/wazuh-control start || true
+else
+    echo "[router] Wazuh not in DNS, skipping agent start"
+fi
+
 # Keep container running and provide a shell via exec
 exec "$@"

router/suricata.yaml

@@ -83,6 +83,14 @@ outputs:
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
+  # Alerts-only EVE log for Wazuh agent
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: alerts.json
+      types:
+        - alert
+
   # Extensible Event Format (nicknamed EVE) event log in JSON format
   - eve-log:
       enabled: yes

scadalts/Dockerfile

@@ -9,9 +9,14 @@ ENV SCADA_LTS_VERSION=2.7.8.1 \
     TOMCAT_USER=tcuser \
     TOMCAT_PASSWORD=tcuser
 
+# Fake systemctl so wazuh-agent postinstall doesn't fail
+RUN printf '#!/bin/bash\necho "[fake-systemctl] $@"\nexit 0\n' \
+    > /usr/local/bin/systemctl && chmod +x /usr/local/bin/systemctl
+
 # Install dependencies
 RUN apt-get update && \
-    apt-get install -y wget unzip supervisor mariadb-server libjaxb-api-java libjaxb-java libactivation-java && \
+    apt-get install -y wget unzip supervisor mariadb-server libjaxb-api-java libjaxb-java libactivation-java \
+    gnupg curl && \
     rm -rf /var/lib/apt/lists/*
 
 
@@ -39,9 +44,10 @@ RUN wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-8.3.0
     mv /tmp/mysql-connector-j-8.3.0/mysql-connector-j-8.3.0.jar $CATALINA_HOME/lib/ && \
     rm -rf /tmp/mysql-connector*
 
-# Prepare runtime dirs
-RUN mkdir -p /var/lib/mysql /run/mysqld /var/log/supervisor && \
-    chown -R mysql:mysql /var/lib/mysql /run/mysqld
+# Prepare runtime dirs and enable MariaDB error log
+RUN mkdir -p /var/lib/mysql /run/mysqld /var/log/supervisor /var/log/mysql && \
+    chown -R mysql:mysql /var/lib/mysql /run/mysqld /var/log/mysql && \
+    printf '[mysqld]\nlog_error=/var/log/mysql/error.log\n' > /etc/mysql/conf.d/logging.cnf
 VOLUME /var/lib/mysql
 
 # Add configs
@@ -66,6 +72,22 @@ RUN sed -i '/<\/Context>/i \
 COPY 1.png /usr/local/tomcat/static/uploads/1.png
 COPY seed_project_data.sql /seed_project_data.sql
 
+# Install Wazuh agent
+RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
+    | gpg --no-default-keyring \
+      --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import \
+    && chmod 644 /usr/share/keyrings/wazuh.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
+       https://packages.wazuh.com/4.x/apt/ stable main" \
+       > /etc/apt/sources.list.d/wazuh.list \
+    && apt-get update \
+    && WAZUH_MANAGER=192.168.90.20 WAZUH_AGENT_NAME=scadalts apt-get install -y wazuh-agent \
+    && rm -rf /var/lib/apt/lists/*
+
+# Monitor Tomcat catalina log, access logs, and MariaDB error log
+RUN sed -i 's|</ossec_config>|<localfile>\n    <log_format>syslog</log_format>\n    <location>/usr/local/tomcat/logs/catalina.out</location>\n  </localfile>\n  <localfile>\n    <log_format>syslog</log_format>\n    <location>/usr/local/tomcat/logs/localhost_access_log*.txt</location>\n  </localfile>\n  <localfile>\n    <log_format>syslog</log_format>\n    <location>/var/log/mysql/error.log</location>\n  </localfile>\n</ossec_config>|' \
+    /var/ossec/etc/ossec.conf
+
 EXPOSE 8080 3306
 
 CMD ["/usr/bin/supervisord", "-n"]

scadalts/init.sh

@@ -31,15 +31,14 @@ PROC_EXISTS=$(mariadb -uscada -pscada scadalts -N -B -e \
    WHERE ROUTINE_SCHEMA='scadalts' AND ROUTINE_TYPE='PROCEDURE'
      AND ROUTINE_NAME='prc_alarms_notify';" 2>/dev/null || echo 0)
 
-echo "[*] Ensuring admin user exists..."
+echo "[*] Ensuring admin user is set up right"
 mariadb -uscada -pscada scadalts <<-EOSQL
   INSERT INTO users
-    (id, username, password, email, phone, disabled, admin, receiveAlarmEmails, receiveOwnAuditEvents)
+    (id, username, password, email, phone, disabled, admin, receiveAlarmEmails, receiveOwnAuditEvents, homeURL)
   SELECT
-    4, 'admin', '0DPiKuNIrrVmD8IUCuw1hQxNqZc=', 'admin@example.com', '', 'N', 'Y', 0, 0
+    4, 'admin', '0DPiKuNIrrVmD8IUCuw1hQxNqZc=', 'admin@example.com', '', 'N', 'Y', 0, 0, '/views.shtm#'
   WHERE NOT EXISTS (SELECT 1 FROM users WHERE username='admin');
 EOSQL
-
 # Seed project
 VIEW_COUNT=$(mariadb -uscada -pscada scadalts -N -B -e "SELECT COUNT(*) FROM mangoViews;" 2>/dev/null || echo 0)
 if [ "$VIEW_COUNT" -eq 0 ] && [ -f /seed_project_data.sql ]; then
@@ -52,4 +51,4 @@ fi
 
 ip route add 192.168.95.0/24 via 192.168.90.200 || true
 
-exit 0
+exit 0

scadalts/seed_project_data.sql

@@ -40,7 +40,7 @@ UNLOCK TABLES;
 LOCK TABLES `dataSources` WRITE;
 /*!40000 ALTER TABLE `dataSources` DISABLE KEYS */;
 INSERT INTO `dataSources` VALUES
-(1,'DS_939670','TenEast',3,'¬í\0sr\0=com.serotonin.mango.vo.dataSource.modbus.ModbusIpDataSourceVOÿÿÿÿÿÿÿÿ\0Z\0createSocketMonitorPointZ\0encapsulatedI\0portL\0hostt\0Ljava/lang/String;L\0\rtransportTypet\0MLcom/serotonin/mango/vo/dataSource/modbus/ModbusIpDataSourceVO$TransportType;xr\0;com.serotonin.mango.vo.dataSource.modbus.ModbusDataSourceVOÿÿÿÿÿÿÿÿ\0\nZ\0contiguousBatchesZ\0createSlaveMonitorPointsI\0maxReadBitCountI\0maxReadRegisterCountI\0maxWriteRegisterCountZ\0quantizeI\0retriesI\0timeoutI\0updatePeriodTypeI\0\rupdatePeriodsxr\0.com.serotonin.mango.vo.dataSource.DataSourceVOÿÿÿÿÿÿÿÿ\0Z\0enabledI\0idL\0alarmLevelst\0Ljava/util/Map;L\0nameq\0~\0
L\0statet\0!Lorg/scada_lts/ds/state/IStateDs;L\0xidq\0~\0
xpw\0\0\0
sr\0java.util.HashMapÚÁÃ`Ñ\0F\0\nloadFactorI\0	thresholdxp?@\0\0\0\0\0w\0\0\0\0\0\0sr\0java.lang.Integerâ ¤÷‡8\0
I\0valuexr\0java.lang.Number†¬•”à‹\0\0xp\0\0\0
sq\0~\0\n\0\0\0q\0~\0\rq\0~\0\rsq\0~\0\n\0\0\0q\0~\0\rxsr\00org.scada_lts.ds.state.ImportChangeEnableStateDs/›èt£}\0\0xpxw#\0\0\0\0\0\0
\0\0\0\0\0\0
ô\0\0\0\0\0\0\0Ð\0\0\0}\0\0\0xxw\0\0\0~r\0Kcom.serotonin.mango.vo.dataSource.modbus.ModbusIpDataSourceVO$TransportType\0\0\0\0\0\0\0\0\0\0xr\0java.lang.Enum\0\0\0\0\0\0\0\0\0\0xpt\0TCPw
\0192.168.95.2\0\0
ö\0\0x');
+(1,'DS_939670','TenEast',3,'¬í\0sr\0=com.serotonin.mango.vo.dataSource.modbus.ModbusIpDataSourceVOÿÿÿÿÿÿÿÿ\0Z\0createSocketMonitorPointZ\0encapsulatedI\0portL\0hostt\0Ljava/lang/String;L\0\rtransportTypet\0MLcom/serotonin/mango/vo/dataSource/modbus/ModbusIpDataSourceVO$TransportType;xr\0;com.serotonin.mango.vo.dataSource.modbus.ModbusDataSourceVOÿÿÿÿÿÿÿÿ\0\nZ\0contiguousBatchesZ\0createSlaveMonitorPointsI\0maxReadBitCountI\0maxReadRegisterCountI\0maxWriteRegisterCountZ\0quantizeI\0retriesI\0timeoutI\0updatePeriodTypeI\0\rupdatePeriodsxr\0.com.serotonin.mango.vo.dataSource.DataSourceVOÿÿÿÿÿÿÿÿ\0Z\0enabledI\0idL\0alarmLevelst\0Ljava/util/Map;L\0nameq\0~\0
L\0statet\0!Lorg/scada_lts/ds/state/IStateDs;L\0xidq\0~\0
xpw\0\0\0
sr\0java.util.HashMapÚÁÃ`Ñ\0F\0\nloadFactorI\0	thresholdxp?@\0\0\0\0\0w\0\0\0\0\0\0sr\0java.lang.Integerâ ¤÷‡8\0
I\0valuexr\0java.lang.Number†¬•”à‹\0\0xp\0\0\0
sq\0~\0\n\0\0\0q\0~\0\rq\0~\0\rsq\0~\0\n\0\0\0q\0~\0\rxsr\00org.scada_lts.ds.state.ImportChangeEnableStateDs/›èt£}\0\0xpxw#\0\0\0\0\0\0
\0\0\0\0\0\0
ô\0\0\0\0\0\0\0Ð\0\0\0}\0\0\0xxw\0\0\0~r\0Kcom.serotonin.mango.vo.dataSource.modbus.ModbusIpDataSourceVO$TransportType\0\0\0\0\0\0\0\0\0\0xr\0java.lang.Enum\0\0\0\0\0\0\0\0\0\0xpt\0TCP_KEEP_ALIVEw
\0192.168.95.2\0\0
ö\0\0x');
 /*!40000 ALTER TABLE `dataSources` ENABLE KEYS */;
 UNLOCK TABLES;
 
@@ -76,12 +76,12 @@ UNLOCK TABLES;
 
 LOCK TABLES `users` WRITE;
 /*!40000 ALTER TABLE `users` DISABLE KEYS */;
-INSERT INTO `users` VALUES
-(5,'admin','0DPiKuNIrrVmD8IUCuw1hQxNqZc=','admin@example.com','','Y','N',1759943951402,1,NULL,0,'0'),
+/*INSERT INTO `users` VALUES
+(5,'admin','0DPiKuNIrrVmD8IUCuw1hQxNqZc=','admin@example.com','','Y','N',1759943951402,1,'views.shtm#/',0,'0'),
 (6,'anonymous-user','CpL6syMBNMym6t2YmDJbmyrmeZg=','anonymous@mail.com','','N','Y',NULL,NULL,'',0,'N'),
 (7,'soap-services','2SkKRrabStlFmaoIfVmqeJ17zIs=','soap-services@mail.com','','N','Y',NULL,NULL,'',0,'N'),
 (8,'httpds-basic','hZvP2jlFXX95l2MGyfpJEBQwc3U=','null@null.com','','N','Y',NULL,NULL,'',0,'N'),
-(9,'anonymous-user','CpL6syMBNMym6t2YmDJbmyrmeZg=','anonymous@mail.com','','N','Y',NULL,NULL,'',0,'N');
+(9,'anonymous-user','CpL6syMBNMym6t2YmDJbmyrmeZg=','anonymous@mail.com','','N','Y',NULL,NULL,'',0,'N');*/
 /*!40000 ALTER TABLE `users` ENABLE KEYS */;
 UNLOCK TABLES;
 /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

scadalts/supervisord.conf

@@ -22,3 +22,11 @@ command=/bin/bash -c "sleep 10 && /usr/local/tomcat/bin/catalina.sh run"
 autostart=true
 autorestart=true
 priority=10
+
+[program:wazuh-agent]
+command=/bin/bash -c "if getent hosts wazuh >/dev/null 2>&1; then /var/ossec/bin/wazuh-control start; else echo '[scadalts] Wazuh not in DNS, skipping agent start'; fi; sleep infinity"
+autostart=true
+autorestart=false
+priority=20
+stdout_logfile=/var/log/supervisor/wazuh-agent.log
+stderr_logfile=/var/log/supervisor/wazuh-agent.err

simulation/entrypoint.sh

@@ -7,6 +7,7 @@ IF=$(ip -o -4 addr show | awk '$4 ~ /^192\.168\.95\./ {print $2}' | head -n1)
 
 echo "[entrypoint] Adding IP aliases to $IF manually..."
 
+ip addr add 192.168.95.10/24 dev "$IF"
 ip addr add 192.168.95.11/24 dev "$IF"
 ip addr add 192.168.95.12/24 dev "$IF"
 ip addr add 192.168.95.13/24 dev "$IF"