Ansible Role: Filebeat for ELK Stack
An Ansible Role that installs [Filebeat] OSS version (https://www.elastic.co/products/beats/filebeat) on RedHat/CentOS or Debian/Ubuntu(Todo).
Requirements
None.
Role Variables
Available variables are listed below, along with default values (see defaults/main.yml
):
filebeat_version: 7.12.1
Controls the major version of Filebeat which is installed. Get all available versions here.
filebeat_package: 7.12.1
The specific package to be installed. You can specify a version of the package using the correct syntax for your platform and package manager by changing the package name. You can also control the package state (e.g. present, absent, or latest).
filebeat_create_config: true
Whether to create the Filebeat configuration file and handle the copying of SSL key and cert for filebeat. If you prefer to create a configuration file yourself you can set this to false
.
filebeat_inputs:
- type: log
paths:
- "/var/log/*.log"
Inputs that will be listed in the inputs
section of the Filebeat configuration. Read through the Filebeat Inputs configuration guide for more options.
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
Whether to enable Elasticsearch output, and which hosts to send output to.
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "localhost:5000"
Whether to enable Logstash output, and which hosts to send output to.
filebeat_enable_logging: false
filebeat_log_level: warning
filebeat_log_dir: /var/log/filebeat
filebeat_log_filename: filebeat.log
Filebeat logging.
filebeat_ssl_dir: /etc/pki/logstash
The path where certificates and keyfiles will be stored.
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
Local paths to the SSL certificate and key files, which will be copied into the filebeat_ssl_dir
.
For utmost security, you should use your own valid certificate and keyfile, and update the filebeat_ssl_*
variables in your playbook to use your certificate.
To generate a self-signed certificate/key pair, you can use use the command:
$ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout filebeat.key -out filebeat.crt
Note that filebeat and logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. See: elastic/logstash#4926 (comment)
filebeat_ssl_insecure: "false"
Set this to "true"
to allow the use of self-signed certificates (when a CA isn't available).
Overriding the filebeat template
If you can't customize via variables because an option isn't exposed, you can override the template used to generate the filebeat configuration.
filebeat_template: "filebeat.yml.j2"
You can either copy and modify the provided template, or you can, for example, point to a template file in your playbook directory that will be used instead of the managed template.
filebeat_template: "{{ playbook_dir }}/templates/filebeat.yml.j2"
Dependencies
None.
Example Playbook
- hosts: logs
- name: Set the java_packages variable (Debian/Ubuntu).
set_fact:
java_packages:
- openjdk-8-jdk
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
- geerlingguy.logstash
- soloradish.filebeat
License
MIT / BSD
Author Information
This role was created in 2016 by Jeff Geerling, author of Ansible for DevOps.