From a941a36d25b5990e1b59c21f3c674593f4c9952d Mon Sep 17 00:00:00 2001
From: James Tombleson <luther38@gmail.com>
Date: Wed, 1 May 2019 16:05:54 -0700
Subject: [PATCH] Filebeat deploys to linux devices

---
 playbook/linux/elastic/install-filebeat.yml   |  14 ++
 roles/luther38.filebeat/defaults/main.yml     |  15 +-
 roles/luther38.filebeat/tasks/ubuntu.yml      |  24 +-
 roles/luther38.filebeat/templates/filebeat.j2 | 211 ++++++++++++++++++
 4 files changed, 244 insertions(+), 20 deletions(-)
 create mode 100644 playbook/linux/elastic/install-filebeat.yml
 create mode 100755 roles/luther38.filebeat/templates/filebeat.j2

diff --git a/playbook/linux/elastic/install-filebeat.yml b/playbook/linux/elastic/install-filebeat.yml
new file mode 100644
index 0000000..79453a1
--- /dev/null
+++ b/playbook/linux/elastic/install-filebeat.yml
@@ -0,0 +1,14 @@
+
+- name: Install Filebeat
+  hosts: elasticClients
+
+  tasks:
+        - name: Install Filebeat
+          include_role:
+                  name: luther38.filebeat
+          vars:
+                  kibana_host: 172.20.0.142:5601
+                  elasticsearch_hosts: "'172.20.0.142:9200'"
+                  systemd_enabled: true
+                  systemd_restart: true
+
diff --git a/roles/luther38.filebeat/defaults/main.yml b/roles/luther38.filebeat/defaults/main.yml
index ffc8407..d87f558 100644
--- a/roles/luther38.filebeat/defaults/main.yml
+++ b/roles/luther38.filebeat/defaults/main.yml
@@ -1,2 +1,15 @@
 ---
-# defaults file for luther38.filebeat
\ No newline at end of file
+# defaults file for luther38.filebeat
+
+# config file
+
+# Single value
+kibana_host: 127.0.0.1
+
+# Takes multiple values 
+# "'127.0.0.1:9200', '0.0.0.0:9200'"
+elasticsearch_hosts: "'127.0.0.1:9200'"
+
+# Systemd
+systemd_enable: false
+systemd_restart: false
diff --git a/roles/luther38.filebeat/tasks/ubuntu.yml b/roles/luther38.filebeat/tasks/ubuntu.yml
index 6026c10..9f1f3e5 100644
--- a/roles/luther38.filebeat/tasks/ubuntu.yml
+++ b/roles/luther38.filebeat/tasks/ubuntu.yml
@@ -6,39 +6,25 @@
 - name: Install ElasticSearch from apt
   become: true
   apt:
-    name: elasticsearch
+    name: filebeat
 
 - name: Update config
   become: true
   template:
-    src: elasticsearch.j2
-    dest: /etc/elasticsearch/elasticsearch.yml
+    src: filebeat.j2
+    dest: /etc/filebeat/filebeat.yml
     backup: yes
 
-- name: UFW allow http_port 
-  become: true
-  when: ufw_http_port == true
-  ufw:
-    rule: allow
-    port: "{{ http_port }}"
-
-- name: UFW allow transport_port
-  become: true
-  when: ufw_transport_port == true
-  ufw:
-    rule: allow
-    port: "{{ transport_port }}"
-
 - name: systemd enable elasticsearch
   become: true
   when: systemd_enabled == true
   systemd:
-    name: elasticsearch
+    name: filebeat
     enabled: true
 
 - name: systemd restart elasticsearch
   become: true
   when: systemd_restart == true
   systemd:
-    name: elasticsearch
+    name: filebeat
     state: restarted
diff --git a/roles/luther38.filebeat/templates/filebeat.j2 b/roles/luther38.filebeat/templates/filebeat.j2
new file mode 100755
index 0000000..0c091d6
--- /dev/null
+++ b/roles/luther38.filebeat/templates/filebeat.j2
@@ -0,0 +1,211 @@
+###################### Filebeat Configuration Example #########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The filebeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/filebeat/index.html
+
+# For more available modules and options, please see the filebeat.reference.yml sample
+# configuration file.
+
+#=========================== Filebeat inputs =============================
+
+filebeat.inputs:
+
+# Each - is an input. Most options can be set at the input level, so
+# you can use different inputs for various configurations.
+# Below are the input specific configurations.
+
+- type: log
+
+  # Change to true to enable this input configuration.
+  enabled: false
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  paths:
+    - /var/log/*.log
+    #- c:\programdata\elasticsearch\logs\*
+
+  # Exclude lines. A list of regular expressions to match. It drops the lines that are
+  # matching any regular expression from the list.
+  #exclude_lines: ['^DBG']
+
+  # Include lines. A list of regular expressions to match. It exports the lines that are
+  # matching any regular expression from the list.
+  #include_lines: ['^ERR', '^WARN']
+
+  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
+  # are matching any regular expression from the list. By default, no files are dropped.
+  #exclude_files: ['.gz$']
+
+  # Optional additional fields. These fields can be freely picked
+  # to add additional information to the crawled log files for filtering
+  #fields:
+  #  level: debug
+  #  review: 1
+
+  ### Multiline options
+
+  # Multiline can be used for log messages spanning multiple lines. This is common
+  # for Java Stack Traces or C-Line Continuation
+
+  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
+  #multiline.pattern: ^\[
+
+  # Defines if the pattern set under pattern should be negated or not. Default is false.
+  #multiline.negate: false
+
+  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
+  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
+  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
+  #multiline.match: after
+
+
+#============================= Filebeat modules ===============================
+
+filebeat.config.modules:
+  # Glob pattern for configuration loading
+  path: ${path.config}/modules.d/*.yml
+
+  # Set to true to enable config reloading
+  reload.enabled: false
+
+  # Period on which files under path should be checked for changes
+  #reload.period: 10s
+
+#==================== Elasticsearch template setting ==========================
+
+setup.template.settings:
+  index.number_of_shards: 1
+  #index.codec: best_compression
+  #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+#  env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+  host: {{ kibana_host }}
+
+  # Kibana Space ID
+  # ID of the Kibana Space into which the dashboards should be loaded. By default,
+  # the Default Space will be used.
+  #space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  #hosts: ["localhost:9200"]
+  hosts: [{{ elasticsearch_hosts }}]
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== Xpack Monitoring ===============================
+# filebeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line.
+#xpack.monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true