- Description
- Setup - The basics of getting started with beats
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
A Puppet module for managing and configuring official Elastic beats. Works best with RPM/DEB installs of Beats packages but tries to handle custom installations.
- Elastic stack repository files.
- Each Beats package.
- Each Beats configuration file.
- Each Beats service file.
- Metricbeat module configuration files.
- The stdlib Puppet library.
When using the repository management, the following module dependencies are required:
- Debian/Ubuntu: Puppetlabs/apt
- OpenSuSE/SLES: Darin/zypprepo
Include the beats class and pass a list of individual Beats to manage with beats_manage:
class { 'beats':
  beats_manage => ['metricbeat','auditbeat','heartbeat','packetbeat']
}
There are very few parameters you should need to customise. The most useful is config_root, which controls where this module expects the individual Beats configuration files to live:
class { 'beats':
  beats_manage => ['metricbeat','auditbeat','heartbeat','packetbeat'],
  config_root  => '/opt/beats'
}
This module recommends using Hiera for configuration data. You can either specify your complete Beats configuration in Hiera or as a Puppet URL under beats::<beat_name>::settings.
Configure in Hiera:
beats::auditbeat::settings:
  auditbeat.modules:
    - module: auditd
      audit_rules: |
        -w /etc/group -p wa -k identity
        -w /etc/passwd -p wa -k identity
        -w /etc/gshadow -p wa -k identity
        -w /etc/shadow -p wa -k identity
        -w /etc/security/opasswd -p wa -k identity
        -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
        -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
    - module: file_integrity
      paths:
        - /bin
        - /usr/bin
        - /sbin
        - /usr/sbin
        - /etc
Or pass a Puppet URL that will be used as the source of configuration:
beats::auditbeat::settings: 'puppet:///somefileshare/auditbeat.yml'
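The audit_rules in the Hiera example above list every syscall rule twice, once for arch=b64 and once for arch=b32, so that calls made through the 32-bit ABI on a 64-bit host are audited too. The following check is an added example, not part of this module: it parses an audit_rules block and reports syscall rules that lack a twin for the other architecture. The function names and the execve rule in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one watch and two paired rules copied from the Hiera
# example above, plus a b64-only execve rule invented here to trigger a finding.
SAMPLE_RULES = """\
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S execve -F auid>=1000 -k exec
"""

def parse_rule(line):
    """Return (arch, signature) for a syscall rule; None for watches, comments, blanks."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None
    arch, syscalls, filters, key = "", [], [], ""
    args = iter(tokens[2:])
    for flag in args:                      # options come as flag/value pairs
        value = next(args, "")
        if flag == "-S":
            syscalls.extend(value.split(","))
        elif flag == "-F" and value.startswith("arch="):
            arch = value[len("arch="):]
        elif flag == "-F":
            filters.append(value)
        elif flag == "-k":
            key = value
    # The signature is everything except arch, so twins share one signature.
    return arch, (key, tokens[1], tuple(sorted(syscalls)), tuple(sorted(filters)))

def unpaired_arch_rules(rules_text):
    """List (key, syscalls, missing_archs) for rules lacking a b32 or b64 twin."""
    archs_seen = defaultdict(set)
    for line in rules_text.splitlines():
        parsed = parse_rule(line.strip())
        if parsed:
            archs_seen[parsed[1]].add(parsed[0])
    findings = []
    for sig in sorted(archs_seen):
        missing = sorted({"b32", "b64"} - archs_seen[sig])
        if missing:
            findings.append((sig[0], sig[2], missing))
    return findings

if __name__ == "__main__":
    for key, syscalls, missing in unpaired_arch_rules(SAMPLE_RULES):
        print(f"key={key} syscalls={','.join(syscalls)} missing arch: {missing}")
```

Run it against the audit_rules text from Hiera before a Puppet run ships the configuration to hosts.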
This class can handle enabling/disabling Metricbeat modules for you.
To enable/disable a list of modules, ensure you manage Metricbeat with this class:
class { 'beats':
  beats_manage => ['metricbeat'],
}
And then configure the modules you want to enable/disable in Hiera:
beats::metricbeat::modules:
  'present':
    - docker
    - system
  'absent':
    - kafka
If you need to define custom settings for a particular module, add those in Hiera under beats::metricbeat::modules::settings. For example:
beats::metricbeat::modules::settings:
  - module: docker
    metricsets: ["container", "cpu", "diskio", "healthcheck", "info", "memory", "network"]
    hosts: ["unix:///var/run/docker.sock"]
    period: 10s
  - module: redis
    period: 10s
TBD
TBD
Please see the CONTRIBUTING.md file for instructions regarding development environments and testing.