/ansible-role-logstash-client

Ansible role for sending logs to Logstash/ELK server.


Logstash client Ansible role

Ansible role for shipping logs and metrics to an ELK logserver. Uses filebeat and topbeat, not the deprecated logstash-forwarder. Intended for use with the freedomofpress.elk role.

Requirements

Role Variables

You'll need an SSL cert to encrypt logs in transit to the logserver. If you don't specify an SSL cert, SSL will be disabled. The freedomofpress.elk role will automatically generate a self-signed SSL cert and use that when configuring the filebeat and topbeat integrations.

# The libbeat packages to install. Options: filebeat, topbeat, packetbeat.
logstash_client_beats_packages:
  - filebeat
  - topbeat

logstash_client_ssl_certificate_base_directory: /etc/pki/tls/certs

# Set to a cert filepath in order to copy to host and enable TLS
# for shipping logs. TLS is disabled by default.
logstash_client_ssl_certificate: ""
# No quotes inside the folded scalar: they would become part of the path.
logstash_client_ssl_certificate_fullpath: >-
  {{ logstash_client_ssl_certificate_base_directory }}/{{ logstash_client_ssl_certificate | basename }}

# Sane default of localhost. Override to set to the IP address of the Logstash server.
# You can also inspect group membership, e.g.:
# logstash_client_logserver_ip_address: "{{ hostvars[groups.logserver.0].ansible_default_ipv4.address }}"
logstash_client_logserver_ip_address: "127.0.0.1"

# Base logfiles that should be tracked on all hosts.
logstash_client_logfiles:
  - paths:
      - /var/log/syslog
      - /var/log/auth.log
    document_type: syslog

  - paths:
      - /var/log/dpkg.log
    document_type: dpkg

  - paths:
      - /var/log/tor/info.log
      - /var/log/tor/notice.log
      - /var/log/tor/log
    document_type: tor

  - paths:
      - /var/log/mysql/mysql.log
      - /var/log/mysql/error.log
    document_type: mysql

  - paths:
      - /var/www/redmine/log/production.log
    document_type: redmine

  - paths:
      - /var/log/apache2/*log
    document_type: apache

  - paths:
      - /var/log/ufw.log
    document_type: ufw

# To send additional logfiles, override the following list.
# Make sure each item has "paths" and "document_type" attributes, as in the list above.
logstash_client_extra_logfiles: []

logstash_client_combined_logfiles: "{{ logstash_client_logfiles + logstash_client_extra_logfiles }}"

Example Playbook

- name: Configure Logstash clients.
  hosts: logclients
  roles:
    - role: freedomofpress.logstash-client
  tags: clients
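
A variant of the playbook above that enables TLS and stops the play if no certificate is set, since an empty logstash_client_ssl_certificate disables TLS. This is an added example, not part of the role's own README; the certificate path, the "logserver" inventory group and the nginx logfile entry are assumptions.

```yaml
# Added example: values marked "constructed" are placeholders, not role defaults.
- name: Configure Logstash clients with TLS enabled.
  hosts: logclients
  vars:
    # Constructed path on the Ansible controller to the logserver's certificate.
    logstash_client_ssl_certificate: "{{ playbook_dir }}/files/logserver-example.crt"
    # From the commented hint in the role defaults. Assumes a "logserver" group
    # exists and that facts for its first host have already been gathered.
    logstash_client_logserver_ip_address: "{{ hostvars[groups.logserver.0].ansible_default_ipv4.address }}"
    # Constructed extra logfile, using the same item shape as logstash_client_logfiles.
    logstash_client_extra_logfiles:
      - paths:
          - /var/log/nginx/*.log
        document_type: nginx
  pre_tasks:
    - name: Refuse to ship logs when TLS would be disabled.
      assert:
        that:
          # The role default is "", which turns TLS off.
          - logstash_client_ssl_certificate | length > 0
          # The certificate must exist on the controller so it can be copied.
          - logstash_client_ssl_certificate is file
        msg: "Set logstash_client_ssl_certificate to an existing cert file; an empty value disables TLS."
  roles:
    - role: freedomofpress.logstash-client
  tags: clients
```

The variables are set at play level so that the pre_tasks assertion sees the same values the role will use.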

Running the tests

This role uses Molecule and ServerSpec for testing. To use it:

pip install molecule
gem install serverspec
molecule test

You can also run selective commands:

molecule idempotence
molecule verify

See the Molecule docs for more info.

Contributions

The following resources were invaluable in creating this role.

License

MIT