authorGravatar Joe Banks <[email protected]>2022-03-15 20:03:28 +0000
committerGravatar Joe Banks <[email protected]>2022-03-15 20:03:28 +0000
commit32ea5455e343f43d4853b7667f740b69d4d71a00 (patch)
tree98a8a633beb2f3a0f41c7a63492788c88807a28a
parentAdd Kibana and NGINX config for Kibana (diff)
Add Filebeat
-rw-r--r--roles/filebeat/README.md3
-rw-r--r--roles/filebeat/handlers/main.yml6
-rw-r--r--roles/filebeat/tasks/main.yml57
-rw-r--r--roles/filebeat/templates/filebeat.yml.j297
-rw-r--r--roles/filebeat/vars/main/vars.yml7
-rw-r--r--roles/filebeat/vars/main/vault.yml8
6 files changed, 178 insertions, 0 deletions
diff --git a/roles/filebeat/README.md b/roles/filebeat/README.md
new file mode 100644
index 0000000..7b65e9a
--- /dev/null
+++ b/roles/filebeat/README.md
@@ -0,0 +1,3 @@
+# Role "filebeat"
+
+The filebeat role installs and configures the filebeat agent, used to ship logs to Elasticsearch.
diff --git a/roles/filebeat/handlers/main.yml b/roles/filebeat/handlers/main.yml
new file mode 100644
index 0000000..5580f47
--- /dev/null
+++ b/roles/filebeat/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: restart filebeat
+ service:
+ state: restarted
+ name: filebeat
+ tags:
+ - role::filebeat
diff --git a/roles/filebeat/tasks/main.yml b/roles/filebeat/tasks/main.yml
new file mode 100644
index 0000000..ba3f8e9
--- /dev/null
+++ b/roles/filebeat/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+- name: Install GPG
+ package:
+ name: gpg
+ state: present
+ tags:
+ - role::filebeat
+
+- name: Install Elasticsearch signing key
+ shell: >-
+ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch |
+ gpg --yes --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
+ args:
+ creates: /usr/share/keyrings/elasticsearch-keyring.gpg
+ tags:
+ - role::filebeat
+
+- name: Add Elasticsearch repository to apt
+ copy:
+ content: >-
+ deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg]
+ https://artifacts.elastic.co/packages/8.x/apt stable main
+ dest: /etc/apt/sources.list.d/elastic-8.x.list
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - role::filebeat
+ register: add_filebeat_repo
+
+- name: Install Filebeat
+ apt:
+ pkg: filebeat
+ state: present
+ update_cache: "{{ add_filebeat_repo.changed }}"
+ tags:
+ - role::filebeat
+
+- name: Configure Filebeat
+ template:
+ src: filebeat.yml.j2
+ dest: /etc/filebeat/filebeat.yml
+ mode: 0644
+ owner: root
+ group: root
+ tags:
+ - role::filebeat
+ notify:
+ - restart filebeat
+
+- name: Start and enable Filebeat
+ service:
+ name: filebeat
+ state: started
+ enabled: true
+ tags:
+ - role::filebeat
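Review bot: The `Configure Filebeat` task writes `/etc/filebeat/filebeat.yml` with `mode: 0644`, but the template added in this commit renders `output.elasticsearch.password` into that file, so every local account on the host can read the Elasticsearch credential. Use `mode: "0600"` (quoted, so the YAML loader cannot retype the octal), and consider `no_log: true` or `diff: false` on the task so a `--diff` run does not print the secret. Separately, `Install Elasticsearch signing key` pipes `wget` into `gpg` without `set -o pipefail` and guards on `creates:`, so a failed download can leave a file behind that stops the task from ever retrying. Downloading with `get_url` and a pinned `checksum` before dearmoring would also tie the trusted key to a value reviewed in this repository.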
diff --git a/roles/filebeat/templates/filebeat.yml.j2 b/roles/filebeat/templates/filebeat.yml.j2
new file mode 100644
index 0000000..c2b48f7
--- /dev/null
+++ b/roles/filebeat/templates/filebeat.yml.j2
@@ -0,0 +1,97 @@
+# For more available modules and options, please see the filebeat.reference.yml sample
+# configuration file.
+
+# ============================== Filebeat inputs ===============================
+
+filebeat.inputs:
+
+# Each - is an input. Most options can be set at the input level, so
+# you can use different inputs for various configurations.
+# Below are the input specific configurations.
+
+# filestream is an input for collecting log messages from files.
+- type: filestream
+
+ # Change to true to enable this input configuration.
+ enabled: false
+
+ # Paths that should be crawled and fetched. Glob based paths.
+ paths:
+ - /var/log/*.log
+
+ # Exclude lines. A list of regular expressions to match. It drops the lines that are
+ # matching any regular expression from the list.
+ #exclude_lines: ['^DBG']
+
+ # Include lines. A list of regular expressions to match. It exports the lines that are
+ # matching any regular expression from the list.
+ #include_lines: ['^ERR', '^WARN']
+
+ # Exclude files. A list of regular expressions to match. Filebeat drops the files that
+ # are matching any regular expression from the list. By default, no files are dropped.
+ #prospector.scanner.exclude_files: ['.gz$']
+
+ # Optional additional fields. These fields can be freely picked
+ # to add additional information to the crawled log files for filtering
+ #fields:
+ # level: debug
+ # review: 1
+
+# ============================== Filebeat modules ==============================
+
+filebeat.config.modules:
+ # Glob pattern for configuration loading
+ path: ${path.config}/modules.d/*.yml
+
+ # Set to true to enable config reloading
+ reload.enabled: false
+
+ # Period on which files under path should be checked for changes
+ #reload.period: 10s
+
+filebeat.modules:
+{% if "nginx" in group_names %}
+- module: nginx
+ access:
+ enabled: {{ 'nginx' in group_names }}
+ error:
+ enabled: {}
+{% endif %}
+{% if inventory_hostname == "lovelace" %}
+- module: postgresql
+ log:
+ enabled: {{ inventory_hostname == "lovelace" }}
+{% endif %}
+- module: system
+ auth:
+
+
+
+# ======================= Elasticsearch template setting =======================
+
+setup.template.settings:
+ index.number_of_shards: 1
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: ["{{ filebeat_elasticsearch_host }}"]
+
+ protocol: "https"
+ username: "{{ filebeat_elastic_username }}"
+ password: "{{ filebeat_elastic_password}}"
+
+ ssl:
+ enabled: true
+ ca_trusted_fingerprint: "{{ filebeat_elastic_fingerprint }}"
+
+processors:
+ - add_host_metadata:
+ when.not.contains.tags: forwarded
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
+ - add_kubernetes_metadata: ~
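Review bot: `enabled: {}` under the nginx `error` fileset is an empty YAML mapping rather than a boolean, unlike the `access` fileset above it; it looks like a lost Jinja expression, and Filebeat will probably reject it or not treat it as true. Both `enabled:` expressions sit inside `{% if %}` blocks that already test the same condition, so a literal `enabled: true` would be clearer for the nginx and postgresql filesets. The `system` module's `auth:` key has no value, and Filebeat 8.x leaves filesets disabled unless `enabled: true` is set, so authentication logs are likely not shipped at all; that is worth confirming, since those events matter most for detection. The password would also be safer rendered as `password: {{ filebeat_elastic_password | to_json }}` than hand-quoted, so a `"` or `\` in the secret cannot break the file.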
diff --git a/roles/filebeat/vars/main/vars.yml b/roles/filebeat/vars/main/vars.yml
new file mode 100644
index 0000000..ec23785
--- /dev/null
+++ b/roles/filebeat/vars/main/vars.yml
@@ -0,0 +1,7 @@
+filebeat_kibana_host: "http://10.5.0.0:5601"
+filebeat_elasticsearch_host: "10.5.0.0:9200"
+
+filebeat_elastic_username: "pydis"
+filebeat_elastic_password: "{{ encrypted_filebeat_elastic_password }}"
+filebeat_elastic_fingerprint: >-
+ e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73
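Review bot: `filebeat_kibana_host` is set to `http://10.5.0.0:5601`, while the Elasticsearch output in this commit uses HTTPS with a pinned CA fingerprint. No template line in this commit references the variable, but if it is later wired into `setup.kibana` with the same account, the `pydis` credentials would travel unencrypted. Either drop the variable until it is needed or switch it to `https://`. It is also worth confirming that `pydis` is a dedicated ingest account holding only the privileges Filebeat needs, rather than a shared or administrative login.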
diff --git a/roles/filebeat/vars/main/vault.yml b/roles/filebeat/vars/main/vault.yml
new file mode 100644
index 0000000..b2eca18
--- /dev/null
+++ b/roles/filebeat/vars/main/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+62373038653236313435346433326232383433306265326437303133636536393163373333666432
+3136356638363739653737326363663361653834633038350a356334313264653932333935386665
+39383738393839623937616231633430633465366537363032323133636133653963383036616234
+3433643532393937360a343938643730376330396537343133616462363339643066393631623137
+64616336666638623030343065633965306531303933646232383334333162336438643433623462
+31613039323033333063323736323262326638333765663930633532363531323462396264383966
+306636386335386565636633316235653332