Filebeat Wazuh module can not be updated automatically #587

Open
poloz-lab opened this issue Oct 4, 2022 · 4 comments
Comments

@poloz-lab
Contributor

poloz-lab commented Oct 4, 2022

The archive resource that unpacks the Filebeat Wazuh module is not able to manage updates of the module.

The creates parameter doesn't handle any version information. So if a new version of the module is specified, it will not be downloaded unless the current module is manually removed.

I'm working on a PR to manage that case with Puppet.

@cruelsmith
Contributor

cruelsmith commented Oct 4, 2022

Agreed, valid (edge) case.

One solution would be to compare the current Filebeat Wazuh module version with the wanted version. That could be done via a fact (to collect the version) or an exec resource that could then also remove the directory.
The current problem is that only a URL is maintained in the Puppet project for that Filebeat Wazuh module:

$wazuh_filebeat_module = 'wazuh-filebeat-0.2.tar.gz',

Edit: 😒 as far as I could find, there exists no versioning of the Filebeat module at all. The Wazuh module has module_version set in wazuh/alerts and wazuh/archives, but they point to 0.1. I also found no reference to this module_version in the Elastic documentation. If I missed it, please correct me here.

@poloz-lab
Contributor Author

poloz-lab commented Oct 5, 2022

Hi @cruelsmith ,

I've also found the reference to 0.1 in the 0.2 version 🙃.

As we only have the URL, I've implemented the following strategy:

  1. the archive is unpacked into a directory named after the version (wazuh-filebeat-0.2.tar.gz) (in my code I chose /opt/filebeat_wazuh_modules/wazuh-filebeat-0.2.tar.gz);
  2. a link /usr/share/filebeat/module/wazuh points to the directory from step 1;
  3. when we define a new version for $wazuh_filebeat_module, the archive resource detects that the directory in the creates parameter isn't right;
  4. the new module is unpacked, the link is changed, and filebeat is restarted.

It seems to work with my first tests.
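The versioned-directory-plus-symlink strategy from the comment above, written out as an added Puppet example (this is not poloz-lab's submitted code nor the project's). It uses the puppet/archive `archive` resource and assumes: the `$wazuh_filebeat_module` parameter and the `packages.wazuh.com/4.x/filebeat` URL from this thread, the `/opt/filebeat_wazuh_modules` root poloz-lab mentions, that `Package['filebeat']` and `Service['filebeat']` are declared elsewhere (as the existing exec already assumes), and that the tarball unpacks to a top-level `wazuh/` directory (implied by the module path `/usr/share/filebeat/module/wazuh`). The class name and the optional `$checksum` parameter are hypothetical additions; the checksum is there because the existing code fetches the tarball over HTTPS without pinning its content, and puppet/archive can verify a SHA-256 before extracting.

```puppet
# Added example, not the project's code. One directory per module version,
# a symlink that selects the active version, and a Filebeat restart only
# when the link target changes.
class filebeat_wazuh_module (
  String           $wazuh_filebeat_module = 'wazuh-filebeat-0.2.tar.gz',
  String           $base_url              = 'https://packages.wazuh.com/4.x/filebeat',
  String           $modules_root          = '/opt/filebeat_wazuh_modules',
  # Hypothetical: sha256 of the tarball. When undef, no verification is done.
  Optional[String] $checksum              = undef,
) {
  # Derive the per-version directory from the tarball name:
  # wazuh-filebeat-0.2.tar.gz -> /opt/filebeat_wazuh_modules/wazuh-filebeat-0.2
  $version_dir = "${modules_root}/${regsubst($wazuh_filebeat_module, '\.tar\.gz$', '')}"

  file { [$modules_root, $version_dir]:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # The tarball is kept beside its extracted tree (cleanup => false), so a
  # later Puppet run does not re-download it. `creates` is version-specific:
  # a new $wazuh_filebeat_module value yields a new $version_dir, so the
  # resource fetches and extracts the new version without anyone removing
  # the old one by hand.
  archive { "${version_dir}/${wazuh_filebeat_module}":
    ensure        => present,
    source        => "${base_url}/${wazuh_filebeat_module}",
    extract       => true,
    extract_path  => $version_dir,
    creates       => "${version_dir}/wazuh",   # assumed top-level dir in the tarball
    cleanup       => false,
    checksum      => $checksum,
    checksum_type => $checksum ? { undef => 'none', default => 'sha256' },
    require       => [File[$version_dir], Package['filebeat']],
  }

  # Switching the link is the upgrade. Puppet only reports a change (and
  # therefore only restarts Filebeat) when the target differs.
  file { '/usr/share/filebeat/module/wazuh':
    ensure  => link,
    target  => "${version_dir}/wazuh",
    require => Archive["${version_dir}/${wazuh_filebeat_module}"],
    notify  => Service['filebeat'],
  }
}
```

Two caveats a reviewer would want stated: earlier version directories are left under `/opt/filebeat_wazuh_modules` (remove them by hand or with a `tidy` resource once the new link is in place), and if `/usr/share/filebeat/module/wazuh` already exists as a real directory from a previous `tar -C /usr/share/filebeat/module` extraction, Puppet will refuse to replace it with a link unless `force => true` is set on that `file` resource.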

@cruelsmith
Contributor

Hi @poloz-lab,

isn't that setup again more complicated than the exec we had before here?

```puppet
# TODO: use archive from puppet-archive module for this task
file { "/tmp/${$wazuh_filebeat_module}":
  owner  => 'root',
  group  => 'root',
  mode   => '0440',
  source => "https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}",
}
~> exec { "Unpackaging /tmp/${$wazuh_filebeat_module}":
  command     => "/bin/tar -xzvf /tmp/${$wazuh_filebeat_module} -C /usr/share/filebeat/module",
  notify      => Service['filebeat'],
  require     => Package['filebeat'],
  refreshonly => true,
}
```

With this code we will always get the latest version of the tar that has been set via the parameters, and it will be extracted when a new version has been downloaded.

@poloz-lab
Contributor Author

Hi @cruelsmith ,

Yes, the exec strategy is simpler.

The only drawback is that we can't clean up the archive, or it will be downloaded again and the service restarted.
It's not a big deal.
/tmp/ is not the appropriate place to me, because I don't want to download the module every time I start the machine, but it can be changed.

I've submitted my code so everyone can compare.
