From bdba44c56d45b306b43e0e05a4715abff22a0883 Mon Sep 17 00:00:00 2001
From: James Tombleson <luther38@gmail.com>
Date: Wed, 24 Apr 2019 15:53:43 -0700
Subject: [PATCH] win-metricbeat now checks service status

not finished with winlogbeat but config template is stored for now.
Checking the status of the service to know what order to issue
---
 .../linux/elastic/config-win-metricbeat.yml   |  21 ++-
 playbook/linux/elastic/config-winlogbeat.yml  |  39 +++++
 playbook/linux/elastic/install-win-client.yml |   4 +-
 playbook/linux/elastic/winlogbeat.j2          | 158 ++++++++++++++++++
 4 files changed, 219 insertions(+), 3 deletions(-)
 create mode 100644 playbook/linux/elastic/config-winlogbeat.yml
 create mode 100644 playbook/linux/elastic/winlogbeat.j2

diff --git a/playbook/linux/elastic/config-win-metricbeat.yml b/playbook/linux/elastic/config-win-metricbeat.yml
index 68c6254..54f6b0f 100644
--- a/playbook/linux/elastic/config-win-metricbeat.yml
+++ b/playbook/linux/elastic/config-win-metricbeat.yml
@@ -23,17 +23,34 @@
         src: metricbeat.j2
         dest: C:\Program Files\Metricbeat\metricbeat.yml
 
+- name: Check if metricbeat service is installed
+  register: service_metricbeat
+  win_service:
+          name: metricbeat
+
+- debug: var=service_metricbeat
+
 - name: Install Metricbeat service
   win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-metricbeat.ps1
   args:
         chdir: C:\program files\metricbeat\
+  when: service_metricbeat.exists == false
 
-- name: stop service
+- name: check status of metricbeat service
+  register: service_metricbeat
+  win_service:
+          name: metricbeat
+
+- debug: var=service_metricbeat
+
+- name: restart service
   win_service:
         name: metricbeat
-        state: stopped
+        state: restarted
+  when: service_metricbeat.state == 'started'
                         
 - name: start service
   win_service:
         name: metricbeat
         state: started
+  when: service_metricbeat.state == 'stopped'
diff --git a/playbook/linux/elastic/config-winlogbeat.yml b/playbook/linux/elastic/config-winlogbeat.yml
new file mode 100644
index 0000000..7e5b560
--- /dev/null
+++ b/playbook/linux/elastic/config-winlogbeat.yml
@@ -0,0 +1,39 @@
+---
+# This will install all the client parts needed for elastic to monitor client computers
+
+- name: download winlogbeat
+  win_get_url:
+        url: '{{ url_winlogbeat }}'
+        dest: 'C:\temp\winlogbeat-{{ elastic_version }}.zip'
+        force: no
+
+- name: unzip winlogbeat
+  win_unzip:
+        src: c:\temp\winlogbeat-{{ elastic_version }}.zip
+        dest: C:\temp\winlogbeat-{{ elastic_version }}\
+        creates: C:\temp\winlogbeat-{{ elastic_version }}\
+
+- name: Copy winlogbeat-{{ elastic_version }} folder
+  win_command: powershell.exe copy-item -Path 'c:\temp\winlogbeat-{{ elastic_version }}\metricbeat-{{ elastic_version }}-windows-x86_64\' -Filter * -Recurse -Destination 'C:\Program Files\winlogbeat\'
+  args:
+        creates: C:\Program Files\winlogbeat\
+
+- name: Update template
+  win_template:
+        src: winlogbeat.j2
+        dest: C:\Program Files\winlogbeat\winlogbeat.yml
+
+- name: Install winlogbeat service
+  win_command: powershell.exe -ExecutionPolicy ByPass -File install-service-winlogbeat.ps1
+  args:
+        chdir: C:\program files\winlogbeat\
+
+- name: restart service
+  win_service:
+        name: winlogbeat
+        state: restarted
+                        
+- name: start service
+  win_service:
+        name: winlogbeat
+        state: started
diff --git a/playbook/linux/elastic/install-win-client.yml b/playbook/linux/elastic/install-win-client.yml
index 8be6258..bd4e251 100644
--- a/playbook/linux/elastic/install-win-client.yml
+++ b/playbook/linux/elastic/install-win-client.yml
@@ -7,6 +7,7 @@
           elastic_version: '7.0.0'
           url_heartbeat: 'https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-{{elastic_version}}-windows-x86_64.zip'
           url_metricbeat: 'https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.0.0-windows-x86_64.zip'
+          url_winlogbeat: 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.0.0-windows-x86_64.zip'
           temp: 'c:\temp\'
           program_files: 'c:\program files\'
           kibana_host: '192.168.0.173:5601'
@@ -22,4 +23,5 @@
         - name: Install Metricbeat
           include: config-win-metricbeat.yml
 
-
+        - name: Install WinLogbeat
+          include: config-winlogbeat.yml
diff --git a/playbook/linux/elastic/winlogbeat.j2 b/playbook/linux/elastic/winlogbeat.j2
new file mode 100644
index 0000000..3cc7fc4
--- /dev/null
+++ b/playbook/linux/elastic/winlogbeat.j2
@@ -0,0 +1,158 @@
+###################### Winlogbeat Configuration Example ##########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The winlogbeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
+
+#======================= Winlogbeat specific options ==========================
+
+# event_logs specifies a list of event logs to monitor as well as any
+# accompanying options. The YAML data type of event_logs is a list of
+# dictionaries.
+#
+# The supported keys are name (required), tags, fields, fields_under_root,
+# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
+# visit the documentation for the complete details of each option.
+# https://go.es.io/WinlogbeatConfig
+winlogbeat.event_logs:
+  - name: Application
+    ignore_older: 72h
+  - name: Security
+  - name: System
+
+#==================== Elasticsearch template setting ==========================
+
+setup.template.settings:
+  index.number_of_shards: 1
+  #index.codec: best_compression
+  #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+#  env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Kibana Space ID
+  # ID of the Kibana Space into which the dashboards should be loaded. By default,
+  # the Default Space will be used.
+  #space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ["localhost:9200"]
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== Xpack Monitoring ===============================
+# winlogbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line.
+#xpack.monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
+