feat: elastic - activated syslog and authlog

- filebeat will now ship syslog {{ inventory_hostname }}-syslog-... - filebeat will now ship authlog {{ inventory_hostname }}-authlog-... - updated filebeat/logstash to "7.16.3"
4 years ago · 70af623ba4
parent dc7ab93632
commit 70af623ba4
4 changed files with 33 additions and 8 deletions
--- a/roles/filebeat/defaults/main.yaml
+++ b/roles/filebeat/defaults/main.yaml
@ -1,4 +1,4 @@
 ---
 filebeat_image_name: "docker.elastic.co/beats/filebeat"
-filebeat_image_version: "7.12.0"
+filebeat_image_version: "7.16.3"
--- a/roles/logstash/defaults/main.yaml
+++ b/roles/logstash/defaults/main.yaml
@ -1,4 +1,4 @@
 ---
 logstash_image_name: "docker.elastic.co/logstash/logstash"
-logstash_image_version: "7.16.1"
+logstash_image_version: "7.16.3"
--- a/templates/filebeat/config/filebeat.yml.j2
+++ b/templates/filebeat/config/filebeat.yml.j2
@ -1,3 +1,12 @@
 # https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
 filebeat.modules:
 - module: system
  syslog:
    enabled: true
  auth:
    enabled: true
 filebeat.inputs:
 - type: container
  paths:
@ -19,6 +28,10 @@ filebeat.autodiscover:
              multiline.negate: true
              multiline.match: after
 fields:
  stage: {{ stage }}
  hostname: {{ inventory_hostname }}
 output.logstash:
  hosts: ["{{ shared_service_elastic_stack_logstash_01_hostname }}:5044"]
  ssl:
--- a/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
+++ b/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
@ -31,14 +31,14 @@ filter {
 }
 output {
-    if "audit" in [tags] {
+    if [fields][hostname] and [event][dataset] == "system.auth" {
        elasticsearch {
            hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
            cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"
-            index => "auditlog-%{+YYYY.MM}"
+            index => "%{[fields][hostname]}-authlog-%{+YYYY.MM}"
            manage_template => false
       }
@ -50,7 +50,19 @@ output {
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"
-            index => "authlog-%{+YYYY.MM}"
+            index => "uncategorized-authlog-%{+YYYY.MM}"
            manage_template => false
       }
    }
    else if [fields][hostname] and [event][dataset] == "system.syslog" {
        elasticsearch {
            hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
            cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"
            index => "%{[fields][hostname]}-syslog-%{+YYYY.MM}"
            manage_template => false
       }
@ -62,7 +74,7 @@ output {
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"
-            index => "syslog-%{+YYYY.MM}"
+            index => "uncategorized-syslog-%{+YYYY.MM}"
            manage_template => false
       }