adding in lme-2-docs content (#506)

* adding in lme-2-docs content

* add includes.txt for building AND all the new pngs

* adding the new includes.txt and removing space named file

* adding main readme from lme-2-docs, add .gitignore

.gitignore

@@ -1,4 +1,5 @@
 *.pdf
+*.docx
 .DS_Store
 /.idea/
 /.vscode/

build/Readme.md

@@ -23,7 +23,14 @@ Other operating systems adn their respecitve latex/pandoc packages have not been
 ## Compiling: 
 This command below will compile the markdown docs on macos from the homebrew install pandoc/mactex packages:
 ```bash
-$ pandoc --from gfm --pdf-engine=lualatex -H ./build/setup.tex -V geometry:margin=1in --highlight-style pygments -o docs.pdf -V colorlinks=true -V linkcolor=blue --lua-filter=./build/emoji-filter.lua --lua-filter=./build/makerelativepaths.lua --lua-filter=./build/parse_breaks.lua --table-of-contents --number-sections --wrap=preserve --quiet -s $(cat ./build/includes.txt)
+pandoc --from gfm --pdf-engine=lualatex -H ./build/setup.tex -V geometry:margin=1in --highlight-style pygments -o docs.pdf -V colorlinks=true -V linkcolor=blue --lua-filter=./build/emoji-filter.lua --lua-filter=./build/makerelativepaths.lua --lua-filter=./build/parse_breaks.lua --table-of-contents --number-sections --wrap=preserve --quiet -s $(cat ./build/includes.txt)
 ```
 
 On a successful compilation it will output the `docs.pdf` file, a pdf of all the docs. There is a small bug where the `troubleshooting.md` table does not display as expected, so if you want the notes in the table offline, we suggest you record the information manually, OR submit a pull request that fixes this bug :smile:.
+
+### Compiling .docx:
+.docx doesn't support emojis, so thats removed from the command
+```bash
+pandoc --from gfm --pdf-engine=lualatex -H ./build/setup.tex -V geometry:margin=1in --highlight-style pygments -o docs.docx -V colorlinks=true -V linkcolor=blue  --lua-filter=./build/makerelativepaths.lua --lua-filter=./build/parse_breaks.lua --table-of-contents --number-sections --wrap=preserve --quiet -s $(cat ./build/includes.txt)
+```
+

build/includes.txt

@@ -1,15 +1,23 @@
 Readme.md
 ./docs/markdown/prerequisites.md
-./docs/markdown/chapter1/chapter1.md
-./docs/markdown/chapter1/guide_to_ous.md
-./docs/markdown/chapter3/chapter3.md
-./docs/markdown/chapter3/resilience.md
-./docs/markdown/chapter4.md
+./docs/markdown/logging-guidance/cloud.md
+./docs/markdown/logging-guidance/filtering.md
 ./docs/markdown/logging-guidance/retention.md
-./docs/markdown/logging-guidance/other-logging.md
+./docs/markdown/reference/dashboard-descriptions.md
+./docs/markdown/reference/faq.md
+./docs/markdown/reference/security-model.md
+./docs/markdown/reference/troubleshooting.md
 ./docs/markdown/maintenance/backups.md
 ./docs/markdown/maintenance/certificates.md
+./docs/markdown/maintenance/elastalert-rules.md
+./docs/markdown/maintenance/Encryption_at_rest_option_for_users.md
+./docs/markdown/maintenance/index-management.md
 ./docs/markdown/maintenance/upgrading.md
-./docs/markdown/reference/troubleshooting.md
-./docs/markdown/reference/faq.md
-
+./docs/markdown/maintenance/volume-management.md
+./docs/markdown/maintenance/vulnerability-scan-setup.md
+./docs/markdown/maintenance/wazuh-configuration.md
+./docs/markdown/agents/elastic-agent-mangement.md
+./docs/markdown/agents/wazuh-active-response.md
+./docs/markdown/agents/wazuh-agent-mangement.md
+./docs/markdown/endpoint-tools/install-auditd.md
+./docs/markdown/endpoint-tools/install-sysmon.md

dashboards/Readme.md

@@ -2,16 +2,14 @@
 
 ## Wazuh Dashboards: 
 For more info on these dashboards see wazuh's documentation: [LINK](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html)
-This is the dashboard URL that inspired the current Wazuh dashboards: 
+This is the dashboard URL: 
 ```bash
 https://packages.wazuh.com/integrations/elastic/4.x-8.x/dashboards/wz-es-4.x-8.x-dashboards.ndjson
 ```
 
 ## How to update dashboards 
 Currently you need to run `ansible-playbook post_install_local.yml` to upload the current LME dashboards.
 
-If you need to reupload them, you can delete the `INSTALLED` file in the appropriate `/opt/lme/dashboards` directory and re-run the `post install` script. 
-
 ## Updating to new dashboards and removing old ones (Starting with 1.1.0)
 Browse to `Kibana->Stack Management` then select `Saved Objects`.
 On the Saved Objects page, you can filter by dashboards.
@@ -32,24 +30,16 @@ on your initial install.
 ##### The files will be exported to `./exported`
 
 #### Running on Ubuntu
-To get your password you can run: 
-```bash
-cd ~/LME #OR YOUR CLONE DIRECTORY
-source ./scripts/extract_secrets
-```
 
-Then you can use the following command to export dashboards:
-```bash
-./export_dashboards.py -u elastic -p "$elastic"
+```
+./export_dashboards.py -u elastic -p YOURUNIQUEPASS
 ```
 
 The modules should already be installed on Ubuntu, but If the script complains about missing modules:
-```bash
+```
 pip install -r requirements.txt 
 ```
 
-The dashboards will be exported to: `~/LME/dashboards/exported`
-
 #### Running on Windows
 You must have python and the modules installed. (You can install python 3 from the Microsoft Store). Then install the requirements: 
 ```

docs/markdown/agents/elastic-agent-mangement.md

@@ -1,6 +1,6 @@
-# LME Agent Enrollment Guide
+# Elastic Agent Management - Enrollment Guide
 
-This guide will walk you through the process of enrolling an agent in the LME system.
+This guide will walk you through the process of enrolling an Elastic agent.
 
 ## Steps to Enroll an Agent
 
@@ -22,14 +22,14 @@ This guide will walk you through the process of enrolling an agent in the LME sy
    - Select the appropriate option based on your endpoint:
      - Linux Tar
      - Mac
-     - Windows (ensure you run this in a powershell prompt with administrator privileges)
+     - Windows (ensure you run this in a PowerShell prompt with administrator privileges)
 
 6. **Installation Command**
    - You will be presented with an installation command for the selected platform
    - Note: If you haven't added the LME certificates to your trusted store, you'll need to modify the command
 
-7. **Modify the Command (If necessary. You will need to do this if you haven't add certificates to the trusted store)**
-   - Add `--insecure` at the end of the `./elastic-agent install` command
+7. **Modify the Command If necessary(e.g.,if certificates have not been added to the trusted store)**
+   - Add `--insecure` at the end of the ./elastic-agent install` command
    - This is similar to clicking "continue to website" in a browser when you get a certificate warning
    - Example:
      ```
@@ -84,12 +84,21 @@ This guide will walk you through the process of adding a Windows integration to
 
 ## Important Considerations
 
-- **Sysmon Integration**: If you're using Sysmon for enhanced logging, make sure to enable the Sysmon Operational log collection
-- **Performance Impact**: Be mindful that collecting more logs and metrics may impact endpoint performance. Balance your monitoring needs with system resources
-- **Regulatory Compliance**: Consider any regulatory requirements you may have when selecting which logs and metrics to collect
-- **Storage Considerations**: More data collection means more storage usage. Ensure your LME system has adequate storage capacity
-- **Review Regularly**: Periodically review your integration settings to ensure they still meet your needs and adjust as necessary
+- **Sysmon Integration**: If you're using Sysmon for enhanced logging, make sure to enable the Sysmon Operational log collection.
+- **Performance Impact**: Be mindful that collecting more logs and metrics may impact endpoint performance. Balance your monitoring needs with system resources.
+- **Regulatory Compliance**: Consider any regulatory requirements you may have when selecting which logs and metrics to collect.
+- **Storage Considerations**: More data collection means more storage usage. Ensure your LME system has adequate storage capacity.
+- **Review Regularly**: Periodically review your integration settings to ensure they still meet your needs and adjust as necessary.
 
 By following these steps, you can effectively add and configure the Windows integration to your chosen agent policy in the LME system, allowing for comprehensive logging of your Windows endpoints.
 
 Apply these same steps to future integrations such as Auditd for Linux.
+
+## Troubleshooting Agent Setup:
+The Elastic agent has multiple debugging commands that can be run to troubleshoot installs. Please see the link [HERE](https://www.elastic.co/guide/en/fleet/current/elastic-agent-cmd-options.html). 
+
+In addition, you can use this [link](https://www.elastic.co/guide/en/fleet/current/installation-layout.html) to navigate/find the directories for where Elastic agent is installed on the operating system.
+
+If there are issues with running the command involving a pipe file, the elastic endpoint service (a windows service started by the agent) is in a failed state, and retarting the machine will most likely fix it, check out this [link](https://discuss.elastic.co/t/windows-pipe-elastic-agent-system-access-is-denied/316344) However, this isn't required if the agent is showing as healthy, only if you want to run other cli agent debugging commands.
+
+

docs/markdown/agents/wazuh-active-response.md

@@ -23,7 +23,7 @@ Wazuh can automatically block IP addresses attempting SSH brute-force attacks us
    </command>
    ```
 
-3. **Set Up Active Response**: Looks for the section that says "active-reponse options here" in the .conf file. Copy and paste the entire configuration below that commented out line. You can continue to add more active reponse configs below that line.
+3. **Set Up Active Response**: Looks for the section that says "active-response options here" in the .conf file. Copy and paste the entire configuration below that commented out line. You can continue to add more active response configs below that line.
    ```xml
    <active-response>
      <command>firewall-drop</command>
@@ -52,7 +52,7 @@ Wazuh can automatically block IP addresses attempting SSH brute-force attacks us
 
 ## Testing
 
-1. Use a tool like Hydra to simulate a brute-force attack, or you can just attemp to SSH into the machine multiple times until it triggers. You will need 8 failed SSH attemps in order to trigger Brute Force. (This can be adjusted in the ruleset manually)
+1. Use a tool like Hydra to simulate a brute-force attack, or you can attempt to SSH into the machine multiple times until it triggers. You will need eight failed SSH attempts to trigger Brute Force. (This can be adjusted in the ruleset manually)
 2. Verify that the attacker's IP is blocked by attempting to ping the target machine.
 
 ## Custom Responses

docs/markdown/agents/wazuh-agent-mangement.md

@@ -1,12 +1,12 @@
 # LME Wazuh Agent Enrollment Guide
 
-- See Official Wazuh Doumentation [Wazuh agent install documentation](https://documentation.wazuh.com/4.7/installation-guide/wazuh-agent/index.html).
+- See Official Wazuh Documentation [Wazuh agent install documentation](https://documentation.wazuh.com/4.7/installation-guide/wazuh-agent/index.html).
 
-This guide will walk you through the process of enrolling a Wazuh agent in the LME (Logging Made Easy) system.
+This guide will walk you through the process of enrolling a Wazuh agent in the LME system.
 
 ## Important Note
 
-Before proceeding, ensure that the Wazuh agent version you're installing is not newer than the version of the Wazuh manager you're running. Using an agent version that is more recent than the manager version can lead to compatibility issues.
+Ensure the Wazuh agent version you're installing is not newer than your Wazuh manager version, as this can cause compatibility issues.
 
 ## Variables
 
@@ -26,7 +26,7 @@ Output should look similar to this:
   "error": 0,
   "data": [
     {
-      "WAZUH_VERSION": "v4.9.1"
+      "WAZUH_VERSION": "v4.7.5"
     },
     {
       "WAZUH_REVISION": "40720"
@@ -37,7 +37,8 @@ Output should look similar to this:
   ]
 }
 ```
-drop the v, and use `4.9.1`
+drop the v, and use `4.7.5-1`. You need to add a "-1" like wazuh expects.
+You can confirm the version is accurate with a list from wazuh's versions [HERE](https://documentation.wazuh.com/current/installation-guide/packages-list.html)
 
 ## Steps to Enroll a Wazuh Agent (***Windows***)
 
@@ -50,10 +51,10 @@ drop the v, and use `4.9.1`
    - You can also use the below powershell command: 
 ```powershell
 # Replace the values with the values you have above
-# where {WAZUH_AGENT_VERSION}=4.9.1
+# where {WAZUH_AGENT_VERSION}=4.7.5
 # where {WAZUH_MANAGER_IP}=10.1.0.5
-Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.1-1.msi -OutFile wazuh-agent-4.9.1-1.msi;`
-Start-Process msiexec.exe -ArgumentList '/i wazuh-agent-4.9.1-1.msi /q WAZUH_MANAGER="10.1.0.5"' -Wait -NoNewWindow
+Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile wazuh-agent-4.7.5-1.msi;`
+Start-Process msiexec.exe -ArgumentList '/i wazuh-agent-4.7.5-1.msi /q WAZUH_MANAGER="10.1.0.5"' -Wait -NoNewWindow`
 ```
 
 2. **Install the Wazuh Agent**
@@ -69,7 +70,7 @@ Start-Process msiexec.exe -ArgumentList '/i wazuh-agent-4.9.1-1.msi /q WAZUH_MAN
 3. **Verify Installation**
    - After installation, the Wazuh agent service should start automatically.
    - You can verify the service status in the Windows Services manager.
-   - ensure the service starts if it doesn't start automatically. Run this in a powershell terminal:
+   - Ensure the service starts if it doesn't start automatically. Run this in a powershell terminal:
    ```powershell
    NET START Wazuh
    ```
@@ -92,9 +93,14 @@ Start-Process msiexec.exe -ArgumentList '/i wazuh-agent-4.9.1-1.msi /q WAZUH_MAN
    apt-get update
    ```
 
-4. **Install Wazuh agent**
+4. **Install Wazuh agent and configure Wazuh Manager IP variable**
    ```bash
-   WAZUH_MANAGER="{WAZUH_MANAGER_IP}" apt-get install wazuh-agent={WAZUH_AGENT_VERSION}
+   WAZUH_MANAGER="{WAZUH_MANAGER_IP}" apt-get install wazuh-agent={WAZUH_AGENT_VERSION} && sed -i 's/MANAGER_IP/10.0.0.15/i' /var/ossec/etc/ossec.conf
+   ```
+
+   For example: 
+   ```bash
+   WAZUH_MANAGER=10.0.0.15 apt-get install wazuh-agent=4.7.5-1 && sed -i 's/MANAGER_IP/10.0.0.15/i' /var/ossec/etc/ossec.conf
    ```
 
 ## Verifying Installation
@@ -129,7 +135,7 @@ This guide provides steps to check the status of Wazuh agents in the LME setup.
 To get an overview of all registered agents and their current status:
 
 ```bash
-podman exec lme-wazuh-manager /var/ossec/bin/agent_control -l
+sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -l
 ```
 
 This command will display a list of all agents, including their ID, name, IP address, and current status (active, disconnected, never connected, etc.).
@@ -139,7 +145,7 @@ This command will display a list of all agents, including their ID, name, IP add
 To check the detailed status of a specific agent:
 
 ```bash
-podman exec lme-wazuh-manager /var/ossec/bin/agent_control -i [agent_id]
+sudo -i podman exec lme-wazuh-manager /var/ossec/bin/agent_control -i [agent_id]
 ```
 
 Replace `[agent_id]` with the ID of the agent you want to check. This will provide more detailed information about the agent, including its last keep alive time, version, and operating system.

docs/markdown/endpoint-tools/install-auditd.md

@@ -9,7 +9,7 @@ This guide will walk you through the process of installing auditd on Linux syste
 
 ## Step 1: Install Auditd
 
-The installation process may vary depending on your Linux distribution. Here are instructions for some common distributions:
+The installation process may vary depending on your Linux distribution. Here are instructions for common distributions:
 
 ### For Ubuntu/Debian:
 

docs/markdown/endpoint-tools/install-sysmon.md

@@ -1,66 +1,56 @@
 # Installing Sysmon on Windows Machines
 
-This guide will walk you through the process of installing Sysmon (System Monitor) on your Windows machines using the SwiftOnSecurity configuration.
+This guide will walk you through the process of installing Sysmon (System Monitor) on your Windows machine(s) using the SwiftOnSecurity configuration.
 
 ## Prerequisites
-
 - Administrative access to the Windows machine
 - Internet connection to download necessary files
 
 ## Step 1: Download Sysmon
-
 1. Visit the official Microsoft Sysinternals Sysmon page: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
-2. Click on the "Download Sysmon" link to download the ZIP file.
-3. Extract the contents of the ZIP file to a folder on your computer (e.g., `C:\Sysmon`).
+2. Click on the "Download Sysmon" link to download the ZIP file
+3. Extract the contents of the ZIP file to a folder on your computer (e.g., `C:\Sysmon`)
 
 ## Step 2: Download SwiftOnSecurity Configuration
-
 1. Open a web browser and go to: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
-2. Click the button to download raw content.
-3. Save the file into the Symon directory.
+2. Click the button to download raw content
+3. Save the file into the Sysmon directory
 
 ## Step 3: Install Sysmon
-
-1. Open an elevated Command Prompt (Run as Administrator).
+1. Open an elevated Command Prompt (Run as Administrator)
 2. Navigate to the folder where you extracted Sysmon:
    ```
    cd C:\Sysmon
    ```
 3. Run the following command to install Sysmon with the SwiftOnSecurity configuration:
    ```
-   sysmon64.exe -accepteula -i sysmonconfig-export.xml
+   sysmon.exe -accepteula -i sysmonconfig-export.xml
    ```
 
 ## Step 4: Verify Installation
-
-1. Open Event Viewer (you can search for it in the Start menu).
-2. Navigate to "Applications and Services Logs" > "Microsoft" > "Windows" > "Sysmon" > "Operational".
-3. You should see events being logged by Sysmon.
+1. Open Event Viewer (you can search for it in the Start menu)
+2. Navigate to "Applications and Services Logs" > "Microsoft" > "Windows" > "Sysmon" > "Operational"
+3. You should see events being logged by Sysmon
 
 ## Updating Sysmon Configuration
-
 To update the Sysmon configuration in the future:
-
-1. Download the latest `sysmonconfig-export.xml` from the SwiftOnSecurity GitHub repository.
-2. Open an elevated Command Prompt.
-3. Navigate to the Sysmon folder.
+1. Download the latest `sysmonconfig-export.xml` from the SwiftOnSecurity GitHub repository
+2. Open an elevated Command Prompt
+3. Navigate to the Sysmon folder
 4. Run the following command:
    ```
-   sysmon64.exe -c sysmonconfig-export.xml
+   sysmon.exe -c sysmonconfig-export.xml
    ```
 
 ## Uninstalling Sysmon
-
 If you need to uninstall Sysmon:
-
-1. Open an elevated Command Prompt.
-2. Navigate to the Sysmon folder.
+1. Open an elevated Command Prompt
+2. Navigate to the Sysmon folder
 3. Run the following command:
    ```
-   sysmon64.exe -u
+   sysmon.exe -u
    ```
 
 ## Additional Notes
-
-- You can now enable sysmon log collection from the Windows elastic agent integration.
-- Use a shared folder, SCCM, GPO's, or other tools to install are large quantities of machines.
+- You can now enable sysmon log collection from the Windows elastic agent integration
+- Use a shared folder, SCCM, GPO's, or other tools to install on large quantities of machines