Update to 2021-12-01 19:13

roles/filebeat/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+filebeat_output_type: logstash
+filebeat_output_hosts: []
+# filebeat_output_hosts:
+#   - graylog.example.org:5044
+filebeat_output_ssl:
+  enabled: True
+  # cert_authorities:
+  #   - /path/to/ca.crt
+  # client_cert: /etc/filebeat/ssl/cert.pem
+  # client_key: /etc/filebeat/ssl/key.pem
+  # client_key_passphrase: s3cr3t.

roles/filebeat/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart filebeat
+  service: name=filebeat state=restarted
+  when: filebeat_output_hosts | length > 0
+
+- name: restart journalbeat
+  service: name=journalbeat state=restarted
+  when:
+    - filebeat_output_hosts | length > 0
+    - ansible_service_mgr == 'systemd'

roles/filebeat/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: repo_filebeat

roles/filebeat/tasks/main.yml

@@ -0,0 +1,75 @@
+---
+
+- name: Install filebeatbeat
+  package:
+    name:
+      - filebeat
+  tags: logs
+
+- name: Install journalbeat
+  package:
+    name:
+      - journalbeat
+  when: ansible_service_mgr == 'systemd'
+  tags: logs
+
+# Not useful, and prevent fast completion for journalctl
+- name: Remove journalbeat shortcut
+  file: path={{ item }} state=absent
+  loop:
+    - /bin/journalbeat
+    - /usr/bin/journalbeat
+  when: ansible_service_mgr == 'systemd'
+  tags: logs
+
+- name: Create ansible module directories
+  file: path=/etc/filebeat/ansible_{{ item }}.d state=directory
+  loop:
+    - modules
+    - inputs
+  tags: logs
+
+- name: Deploy filebeat configuration
+  template: src={{ item }}.j2 dest=/etc/filebeat/{{ item }}
+  loop:
+    - filebeat.yml
+    - ansible_modules.d/system.yml
+    - ansible_modules.d/auditd.yml
+    - ansible_inputs.d/system_specific.yml
+  notify: restart filebeat
+  tags: logs
+
+- name: Deploy journalbeat configuration
+  template: src=journalbeat.yml.j2 dest=/etc/journalbeat/journalbeat.yml
+  notify: restart journalbeat
+  tags: logs
+
+- name: Override filebeat unit
+  template: src=filebeat.service.j2 dest=/etc/systemd/system/filebeat.service
+  register: filebeat_unit
+  tags: logs
+
+- name: Override journalbeat unit
+  template: src=journalbeat.service.j2 dest=/etc/systemd/system/journalbeat.service
+  register: filebeat_journalbeat_unit
+  when: ansible_service_mgr == 'systemd'
+  tags: logs
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: filebeat_unit.changed or (filebeat_journalbeat_unit is defined and filebeat_journalbeat_unit.changed)
+  tags: logs
+
+- name: Handle filebeat service
+  service:
+    name: filebeat
+    state: "{{ (filebeat_output_hosts | length > 0) | ternary('started','stopped') }}"
+    enabled: "{{ (filebeat_output_hosts | length > 0) | ternary(True,False) }}"
+  tags: logs
+
+- name: Handle journalbeat service
+  service:
+    name: journalbeat
+    state: "{{ (ansible_service_mgr == 'systemd' and filebeat_output_hosts | length > 0) | ternary('started','stopped') }}"
+    enabled: "{{ (ansible_service_mgr == 'systemd' and filebeat_output_hosts | length > 0) | ternary(True,False) }} "
+  tags: logs

roles/filebeat/templates/ansible_inputs.d/system_specific.yml.j2

@@ -0,0 +1,13 @@
+- type: log
+  enabled: True
+  paths:
+{% if ansible_os_family == 'RedHat' %}
+    - /var/log/yum.log
+{% elif ansible_os_family == 'Debian' %}
+    - /var/log/dpkg.log
+    - /var/log/apt/*.log
+    - /var/log/alternatives.log
+{% endif %}
+  exclude_files:
+    - '\.[gx]z$'
+    - '\d+$'

roles/filebeat/templates/ansible_modules.d/auditd.yml.j2

@@ -0,0 +1,7 @@
+- module: auditd
+  log:
+    enabled: True
+    input:
+      exclude_files:
+        - '\.[xg]z$'
+        - '\d+$'

roles/filebeat/templates/ansible_modules.d/system.yml.j2

@@ -0,0 +1,9 @@
+{% if ansible_service_mgr == 'systemd' %}
+# We use journalbeat on systemd based systems
+{% else %}
+- module: system
+  syslog:
+    enabled: True
+  auth:
+    enabled: True
+{% endif %}

roles/filebeat/templates/filebeat.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
+Documentation=https://www.elastic.co/products/beats/filebeat
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
+Environment="BEAT_PATH_OPTS=-path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat"
+ExecStart=/usr/share/filebeat/bin/filebeat $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/filebeat/templates/filebeat.yml.j2

@@ -0,0 +1,41 @@
+fields:
+  source: {{ inventory_hostname }}
+fields_under_root: True
+logging.files:
+  rotateeverybytes: 5242880
+  keepfiles: 2
+filebeat.config.inputs:
+  path: /etc/filebeat/ansible_inputs.d/*.yml
+  reload.enabled: True
+  reload.period: 30s
+filebeat.config.modules:
+  path: /etc/filebeat/ansible_modules.d/*.yml
+  reload.enabled: True
+  reload.period: 30s
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+output.{{ filebeat_output_type }}:
+  hosts:
+{% for host in filebeat_output_hosts %}
+    - {{ host }}
+{% endfor %}
+{% if filebeat_output_ssl is defined %}
+  ssl: 
+{% if filebeat_output_ssl.enabled is defined %}
+    enabled: {{ filebeat_output_ssl.enabled }}
+{% endif %}
+{% if filebeat_output_ssl.cert_authorities is defined %}
+    certificate_authorities:
+{% for ca in filebeat_output_ssl.cert_authorities %}
+      - {{ ca }}
+{% endfor %}
+{% endif %}
+{% if filebeat_output_ssl.client_cert is defined and filebeat_output_ssl.client_key is defined %}
+    certificate: {{ filebeat_output_ssl.client_cert }}
+    key: {{ filebeat_output_ssl.client_key }}
+{% endif %}
+{% if filebeat_output_ssl.client_key_passphrase is defined %}
+    key_passphrase: {{ filebeat_output_ssl.client_key_passphrase | quote }}
+{% endif %}
+{% endif %}

roles/filebeat/templates/journalbeat.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Journalbeat ships systemd journal entries to Elasticsearch or Logstash.
+Documentation=https://www.elastic.co/products/beats/journalbeat
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment="BEAT_CONFIG_OPTS=-c /etc/journalbeat/journalbeat.yml"
+Environment="BEAT_PATH_OPTS=-path.home /usr/share/journalbeat -path.config /etc/journalbeat -path.data /var/lib/journalbeat -path.logs /var/log/journalbeat"
+ExecStart=/usr/share/journalbeat/bin/journalbeat $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/filebeat/templates/journalbeat.yml.j2

@@ -0,0 +1,34 @@
+fields:
+  source: {{ inventory_hostname }}
+fields_under_root: True
+logging.files:
+  rotateeverybytes: 5242880
+  keepfiles: 2
+journalbeat.inputs:
+  - paths: []
+    seek: cursor
+    cursor_seek_fallback: tail
+output.{{ filebeat_output_type }}:
+  hosts:
+{% for host in filebeat_output_hosts %}
+    - {{ host }}
+{% endfor %}
+{% if filebeat_output_ssl is defined %}
+  ssl:
+{% if filebeat_output_ssl.enabled is defined %}
+    enabled: {{ filebeat_output_ssl.enabled }}
+{% endif %}
+{% if filebeat_output_ssl.cert_authorities is defined %}
+    certificate_authorities:
+{% for ca in filebeat_output_ssl.cert_authorities %}
+      - {{ ca }}
+{% endfor %}
+{% endif %}
+{% if filebeat_output_ssl.client_cert is defined and filebeat_output_ssl.client_key is defined %}
+    certificate: {{ filebeat_output_ssl.client_cert }}
+    key: {{ filebeat_output_ssl.client_key }}
+{% endif %}
+{% if filebeat_output_ssl.client_key_passphrase is defined %}
+    key_passphrase: {{ filebeat_output_ssl.client_key_passphrase | quote }}
+{% endif %}
+{% endif %}