From bdba44c56d45b306b43e0e05a4715abff22a0883 Mon Sep 17 00:00:00 2001
From: James Tombleson
Date: Wed, 24 Apr 2019 15:53:43 -0700
Subject: [PATCH] win-metricbeat now checks service status not finished with winlogbeat but config template is stored for now. Checking the status of the service to know what order to issue
---
 .../linux/elastic/config-win-metricbeat.yml | 21 ++-
 playbook/linux/elastic/config-winlogbeat.yml | 39 +++++
 playbook/linux/elastic/install-win-client.yml | 4 +-
 playbook/linux/elastic/winlogbeat.j2 | 158 ++++++++++++++++++
 4 files changed, 219 insertions(+), 3 deletions(-)
 create mode 100644 playbook/linux/elastic/config-winlogbeat.yml
 create mode 100644 playbook/linux/elastic/winlogbeat.j2
diff --git a/playbook/linux/elastic/config-win-metricbeat.yml b/playbook/linux/elastic/config-win-metricbeat.yml
index 68c6254..54f6b0f 100644
--- a/playbook/linux/elastic/config-win-metricbeat.yml
+++ b/playbook/linux/elastic/config-win-metricbeat.yml
@@ -23,17 +23,34 @@ src: metricbeat.j2 dest: C:\Program Files\Metricbeat\metricbeat.yml +- name: Check if metricbeat service is installed + register: service_metricbeat + win_service: + name: metricbeat + +- debug: var=service_metricbeat + +- name: Install Metricbeat service win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-metricbeat.ps1 args: chdir: C:\program files\metricbeat\ + when: service_metricbeat.exists == false -- name: stop service +- name: check status of metricbeat service + register: service_metricbeat + win_service: + name: metricbeat + +- debug: var=service_metricbeat + +- name: restart service win_service: name: metricbeat - state: stopped + state: restarted + when: service_metricbeat.state == 'started' - name: start service win_service: name: metricbeat state: started + when: service_metricbeat.state == 'stopped'
diff --git a/playbook/linux/elastic/config-winlogbeat.yml b/playbook/linux/elastic/config-winlogbeat.yml
new file mode 100644
index 0000000..7e5b560
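Review bot: The two `- debug: var=service_metricbeat` tasks added around the install step look like leftover troubleshooting output and will print the full service record on every run; either drop them or gate them with the debug module's `verbosity: 2` so they only appear under `-vv`. The new `when: service_metricbeat.exists == false` reads more naturally as `when: not service_metricbeat.exists`. The restart/start split only fires when the re-queried state is exactly `'started'` or `'stopped'`, so a service reported in any other state after the template update would be left running on the old config; if the intent is simply "make sure the new config is in effect", a single unconditional `state: restarted` task would be simpler, assuming win_service's restarted brings a stopped service up — worth confirming against the module docs for the Ansible version in use.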
--- /dev/null
+++ b/playbook/linux/elastic/config-winlogbeat.yml
@@ -0,0 +1,39 @@
+---
+# This will install all the client parts needed for elastic to monitor client computers
+
+- name: download winlogbeat
+ win_get_url:
+ url: '{{ url_winlogbeat }}'
+ dest: 'C:\temp\winlogbeat-{{ elastic_version }}.zip'
+ force: no
+
+- name: unzip winlogbeat
+ win_unzip:
+ src: c:\temp\winlogbeat-{{ elastic_version }}.zip
+ dest: C:\temp\winlogbeat-{{ elastic_version }}\
+ creates: C:\temp\winlogbeat-{{ elastic_version }}\
+
+- name: Copy winlogbeat-{{ elastic_version }} folder
+ win_command: powershell.exe copy-item -Path 'c:\temp\winlogbeat-{{ elastic_version }}\metricbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\winlogbeat\'
+ args:
+ creates: C:\Program Files\winlogbeat\
+
+- name: Update template
+ win_template:
+ src: winlogbeat.j2
+ dest: C:\Program Files\winlogbeat\winlogbeat.yml
+
+- name: Install winlogbeat service
+ win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-winlogbeat.ps1
+ args:
+ chdir: C:\program files\winlogbeat\
+
+- name: restart service
+ win_service:
+ name: winlogbeat
+ state: restarted
+
+- name: start service
+ win_service:
+ name: winlogbeat
+ state: started
diff --git a/playbook/linux/elastic/install-win-client.yml b/playbook/linux/elastic/install-win-client.yml
index 8be6258..bd4e251 100644
--- a/playbook/linux/elastic/install-win-client.yml
+++ b/playbook/linux/elastic/install-win-client.yml
@@ -7,6 +7,7 @@ elastic_version: '7.0.0' url_heartbeat: 'https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-{{elastic_version}}-windows-x86_64.zip' url_metricbeat: 'https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.0.0-windows-x86_64.zip' + url_winlogbeat: 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.0.0-windows-x86_64.zip' temp: 'c:\temp\' program_files: 'c:\program files\' kibana_host: '192.168.0.173:5601'
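Review bot: The copy task's `-Path` points at `metricbeat-{{ elastic_version }}-windows-x86_64\` inside the winlogbeat extraction directory — the metricbeat folder name carried over from config-win-metricbeat.yml — so, assuming the winlogbeat archive follows the same layout as the metricbeat one, the copy finds nothing and the template and install-service steps then run against an empty `C:\Program Files\winlogbeat\`. Change it to `-Path 'c:\temp\winlogbeat-{{ elastic_version }}\winlogbeat-{{ elastic_version }}-windows-x86_64\'`. `force: no` should be the YAML boolean `force: false`. Since this task fetches an executable archive onto every client and installs it as a service, consider pinning the expected `checksum` on `win_get_url` (available in newer Ansible releases) so a tampered or truncated download is rejected before it is unzipped; the metricbeat download would benefit from the same check. Unlike the metricbeat file, this one also reruns install-service-winlogbeat.ps1 and restarts the service unconditionally on every run.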
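Review bot: `url_winlogbeat` hard-codes `winlogbeat-7.0.0-windows-x86_64.zip` while config-winlogbeat.yml derives its unzip and copy paths from `elastic_version`, so bumping `elastic_version` alone would download one version and look for another. Follow the `url_heartbeat` pattern: `url_winlogbeat: 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-{{ elastic_version }}-windows-x86_64.zip'`. The pre-existing `url_metricbeat` line has the same mismatch.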
@@ -22,4 +23,5 @@ - name: Install Metricbeat include: config-win-metricbeat.yml - + - name: Install WinLogbeat + include: config-winlogbeat.yml
diff --git a/playbook/linux/elastic/winlogbeat.j2 b/playbook/linux/elastic/winlogbeat.j2
new file mode 100644
index 0000000..3cc7fc4
--- /dev/null
+++ b/playbook/linux/elastic/winlogbeat.j2
@@ -0,0 +1,158 @@
+###################### Winlogbeat Configuration Example ##########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The winlogbeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
+
+#======================= Winlogbeat specific options ==========================
+
+# event_logs specifies a list of event logs to monitor as well as any
+# accompanying options. The YAML data type of event_logs is a list of
+# dictionaries.
+#
+# The supported keys are name (required), tags, fields, fields_under_root,
+# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
+# visit the documentation for the complete details of each option.
+# https://go.es.io/WinlogbeatConfig
+winlogbeat.event_logs:
+ - name: Application
+ ignore_older: 72h
+ - name: Security
+ - name: System
+
+#==================== Elasticsearch template setting ==========================
+
+setup.template.settings:
+ index.number_of_shards: 1
+ #index.codec: best_compression
+ #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+ # Kibana Host
+ # Scheme and port can be left out and will be set to the default (http and 5601)
+ # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+ #host: "localhost:5601"
+
+ # Kibana Space ID
+ # ID of the Kibana Space into which the dashboards should be loaded. By default,
+ # the Default Space will be used.
+ #space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `:`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: ["localhost:9200"]
+
+ # Optional protocol and basic auth credentials.
+ #protocol: "https"
+ #username: "elastic"
+ #password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+ # The Logstash hosts
+ #hosts: ["localhost:5044"]
+
+ # Optional SSL. By default is off.
+ # List of root certificates for HTTPS server verifications
+ #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+ # Certificate for SSL client authentication
+ #ssl.certificate: "/etc/pki/client/cert.pem"
+
+ # Client Certificate Key
+ #ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== Xpack Monitoring ===============================
+# winlogbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line.
+#xpack.monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
+
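Review bot: The template is the stock winlogbeat example with no Jinja substitutions: `hosts: ["localhost:9200"]` is hard-coded and `setup.kibana` `#host:` is commented out, so every client rendered from it will try to ship its Security, System and Application event logs to an Elasticsearch on itself rather than to the central host the playbook already parameterises (`kibana_host` is defined in install-win-client.yml). At minimum template the two endpoints, e.g. `host: "{{ kibana_host }}"` under `setup.kibana` and `hosts: ["{{ es_host }}"]` under `output.elasticsearch`, with `es_host` standing in for whatever variable the playbook uses for the Elasticsearch address. As rendered, the Elasticsearch output also sends Security-log events over plain HTTP with no credentials (`#protocol`, `#username`, `#password` are all commented out); if the endpoint is not local, enable `protocol: "https"` and pull the credentials from a vaulted variable rather than writing them into the template. `add_cloud_metadata` appears to serve no purpose for on-premise Windows clients and can be removed to reduce start-up noise in the beat's logs.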