From a941a36d25b5990e1b59c21f3c674593f4c9952d Mon Sep 17 00:00:00 2001 From: James Tombleson Date: Wed, 1 May 2019 16:05:54 -0700 Subject: [PATCH] Filebeat deploys to linux devices --- playbook/linux/elastic/install-filebeat.yml | 14 ++ roles/luther38.filebeat/defaults/main.yml | 15 +- roles/luther38.filebeat/tasks/ubuntu.yml | 24 +- roles/luther38.filebeat/templates/filebeat.j2 | 211 ++++++++++++++++++ 4 files changed, 244 insertions(+), 20 deletions(-) create mode 100644 playbook/linux/elastic/install-filebeat.yml create mode 100755 roles/luther38.filebeat/templates/filebeat.j2 diff --git a/playbook/linux/elastic/install-filebeat.yml b/playbook/linux/elastic/install-filebeat.yml new file mode 100644 index 0000000..79453a1 --- /dev/null +++ b/playbook/linux/elastic/install-filebeat.yml @@ -0,0 +1,14 @@ + +- name: Install Filebeat + hosts: elasticClients + + tasks: + - name: Install Filebeat + include_role: + name: luther38.filebeat + vars: + kibana_host: 172.20.0.142:5601 + elasticsearch_hosts: "'172.20.0.142:9200'" + systemd_enabled: true + systemd_restart: true + diff --git a/roles/luther38.filebeat/defaults/main.yml b/roles/luther38.filebeat/defaults/main.yml index ffc8407..d87f558 100644 --- a/roles/luther38.filebeat/defaults/main.yml +++ b/roles/luther38.filebeat/defaults/main.yml @@ -1,2 +1,15 @@ --- -# defaults file for luther38.filebeat \ No newline at end of file +# defaults file for luther38.filebeat + +# config file + +# Single value +kibana_host: 127.0.0.1 + +# Takes multiple values +# "'127.0.0.1:9200', '0.0.0.0:9200'" +elasticsearch_hosts: "'127.0.0.1:9200'" + +# Systemd +systemd_enable: false +systemd_restart: false diff --git a/roles/luther38.filebeat/tasks/ubuntu.yml b/roles/luther38.filebeat/tasks/ubuntu.yml index 6026c10..9f1f3e5 100644 --- a/roles/luther38.filebeat/tasks/ubuntu.yml +++ b/roles/luther38.filebeat/tasks/ubuntu.yml 
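Review bot: The new play hard-codes the lab endpoints `172.20.0.142:5601` and `172.20.0.142:9200` into a versioned playbook, so pointing it at any other environment means editing the file; moving those two values into inventory (for example `group_vars/elasticClients.yml`) and leaving the play as a bare `include_role` keeps environment data out of the role's call site. Both values should also be quoted strings (`kibana_host: "172.20.0.142:5601"`) so a parser never reinterprets a colon-bearing value, and the file should start with `---` as the role's own defaults file does. The play and its only task share the name `Install Filebeat`; naming the task after what it does (`Apply luther38.filebeat role`) makes the run output easier to read.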
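Review bot: `systemd_enable: false` does not match the variable the rest of the role reads: tasks/ubuntu.yml tests `when: systemd_enabled == true` and the new playbook passes `systemd_enabled`, so a caller that relies on the defaults hits an undefined variable in the `when` clause and the run fails instead of skipping the unit; rename the default to `systemd_enabled: false`. `elasticsearch_hosts: "'127.0.0.1:9200'"` encodes a list as a string with embedded single quotes that the template splices into `hosts: [...]`, which breaks as soon as a caller forgets the inner quotes; a real list (`elasticsearch_hosts: ["127.0.0.1:9200"]`) rendered with `to_json` in the template is less fragile, though that is a coordinated change across this file, the playbook and filebeat.j2. The `# config file` comment says nothing on its own; `# Values rendered into templates/filebeat.j2` would tell a reader where these are consumed.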
@@ -6,39 +6,25 @@ - name: Install ElasticSearch from apt become: true apt: - name: elasticsearch + name: filebeat - name: Update config become: true template: - src: elasticsearch.j2 - dest: /etc/elasticsearch/elasticsearch.yml + src: filebeat.j2 + dest: /etc/filebeat/filebeat.yml backup: yes -- name: UFW allow http_port - become: true - when: ufw_http_port == true - ufw: - rule: allow - port: "{{ http_port }}" - -- name: UFW allow transport_port - become: true - when: ufw_transport_port == true - ufw: - rule: allow - port: "{{ transport_port }}" - - name: systemd enable elasticsearch become: true when: systemd_enabled == true systemd: - name: elasticsearch + name: filebeat enabled: true - name: systemd restart elasticsearch become: true when: systemd_restart == true systemd: - name: elasticsearch + name: filebeat state: restarted diff --git a/roles/luther38.filebeat/templates/filebeat.j2 b/roles/luther38.filebeat/templates/filebeat.j2 new file mode 100755 index 0000000..0c091d6 --- /dev/null +++ b/roles/luther38.filebeat/templates/filebeat.j2 
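Review bot: All three task names still say ElasticSearch (`Install ElasticSearch from apt`, `systemd enable elasticsearch`, `systemd restart elasticsearch`) although their module arguments now target filebeat, so play output reports the wrong service; rename them to say Filebeat. The `Update config` task writes `/etc/filebeat/filebeat.yml` with no `owner`, `group` or `mode`, leaving the result to the remote umask; the file is where output credentials would land if the template ever carries them, and Beats apply a strict-permissions check to their config file, so set them explicitly: `owner: root`, `group: root`, `mode: "0600"`. `backup: yes` and `when: systemd_enabled == true` would also read as `backup: true` and `when: systemd_enabled`. The hunk begins at line 6, so whatever precedes it (presumably the apt repository setup) is outside this view.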
@@ -0,0 +1,211 @@ +###################### Filebeat Configuration Example ######################### + +# This file is an example configuration file highlighting only the most common +# options. The filebeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/filebeat/index.html + +# For more available modules and options, please see the filebeat.reference.yml sample +# configuration file. + +#=========================== Filebeat inputs ============================= + +filebeat.inputs: + +# Each - is an input. Most options can be set at the input level, so +# you can use different inputs for various configurations. +# Below are the input specific configurations. + +- type: log + + # Change to true to enable this input configuration. + enabled: false + + # Paths that should be crawled and fetched. Glob based paths. + paths: + - /var/log/*.log + #- c:\programdata\elasticsearch\logs\* + + # Exclude lines. A list of regular expressions to match. It drops the lines that are + # matching any regular expression from the list. + #exclude_lines: ['^DBG'] + + # Include lines. A list of regular expressions to match. It exports the lines that are + # matching any regular expression from the list. + #include_lines: ['^ERR', '^WARN'] + + # Exclude files. A list of regular expressions to match. Filebeat drops the files that + # are matching any regular expression from the list. By default, no files are dropped. + #exclude_files: ['.gz$'] + + # Optional additional fields. These fields can be freely picked + # to add additional information to the crawled log files for filtering + #fields: + # level: debug + # review: 1 + + ### Multiline options + + # Multiline can be used for log messages spanning multiple lines. 
This is common + # for Java Stack Traces or C-Line Continuation + + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #multiline.pattern: ^\[ + + # Defines if the pattern set under pattern should be negated or not. Default is false. + #multiline.negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash + #multiline.match: after + + +#============================= Filebeat modules =============================== + +filebeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +#==================== Elasticsearch template setting ========================== + +setup.template.settings: + index.number_of_shards: 1 + #index.codec: best_compression + #_source.enabled: false + +#================================ General ===================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + + +#============================== Dashboards ===================================== +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. 
+#setup.dashboards.enabled: false + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +#============================== Kibana ===================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + host: {{ kibana_host }} + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +#============================= Elastic Cloud ================================== + +# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +#================================ Outputs ===================================== + +# Configure what output to use when sending the data collected by the beat. + +#-------------------------- Elasticsearch output ------------------------------ +output.elasticsearch: + # Array of hosts to connect to. + #hosts: ["localhost:9200"] + hosts: [{{ elasticsearch_hosts }}] + + # Optional protocol and basic auth credentials. 
+ #protocol: "https" + #username: "elastic" + #password: "changeme" + +#----------------------------- Logstash output -------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +#================================ Processors ===================================== + +# Configure processors to enhance or manipulate events generated by the beat. + +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ + +#================================ Logging ===================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +#============================== Xpack Monitoring =============================== +# filebeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#xpack.monitoring.enabled: false + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line. 
+#xpack.monitoring.elasticsearch: + +#================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true
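Review bot: `output.elasticsearch` in this template talks to the cluster over plain HTTP with no credentials (`protocol`, `username` and `password` remain commented out), so every collected log line leaves the host unencrypted and unauthenticated, and `hosts: [{{ elasticsearch_hosts }}]` only renders valid YAML because the caller embeds single quotes inside the string value. Rendering the host list from a real list variable with `to_json` and exposing protocol and credentials as role variables removes both the splice and the silent plaintext default; the variable names below are proposed and would need matching entries in defaults/main.yml and the playbook, with the password supplied from a vaulted variable rather than a default. Two smaller points in the same file: `host: {{ kibana_host }}` under `setup.kibana` should be quoted as `host: "{{ kibana_host }}"` so an empty variable does not render as null, and the only input (`type: log` with `enabled: false`) means the deployed agent ships nothing from `/var/log/*.log` until someone edits the rendered file, so either default it to true or drive it from a role variable.
```jinja
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Rendered as a YAML flow list from a real list variable, e.g. ["127.0.0.1:9200"].
  hosts: {{ elasticsearch_hosts | to_json }}
  # Proposed role variables (not yet in defaults/main.yml): elasticsearch_protocol,
  # elasticsearch_username, elasticsearch_password. Keep "http" only for lab use;
  # production deployments should set https and ssl.certificate_authorities.
  protocol: "{{ elasticsearch_protocol | default('http') }}"
{% if elasticsearch_username is defined %}
  username: "{{ elasticsearch_username }}"
  password: "{{ elasticsearch_password }}"
{% endif %}
# … unchanged: Logstash output, processors, logging, monitoring, migration …
```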