feat: elastic - activated syslog and authlog

- filebeat will now ship syslog {{ inventory_hostname }}-syslog-... - filebeat will now ship authlog {{ inventory_hostname }}-authlog-... - updated filebeat/logstash to "7.16.3"
4 years ago · 70af623ba4
parent dc7ab93632
commit 70af623ba4
4 changed files with 33 additions and 8 deletions
--- a/roles/filebeat/defaults/main.yaml
+++ b/roles/filebeat/defaults/main.yaml
@ -1,4 +1,4 @@
 ---

 filebeat_image_name: "docker.elastic.co/beats/filebeat"
-filebeat_image_version: "7.12.0"
+filebeat_image_version: "7.16.3"
--- a/roles/logstash/defaults/main.yaml
+++ b/roles/logstash/defaults/main.yaml
@ -1,4 +1,4 @@
 ---

 logstash_image_name: "docker.elastic.co/logstash/logstash"
-logstash_image_version: "7.16.1"
+logstash_image_version: "7.16.3"
--- a/templates/filebeat/config/filebeat.yml.j2
+++ b/templates/filebeat/config/filebeat.yml.j2
@ -1,3 +1,12 @@
+# https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
+
+filebeat.modules:
+- module: system
+  syslog:
+    enabled: true
+  auth:
+    enabled: true
+
 filebeat.inputs:
 - type: container
  paths:
@ -19,6 +28,10 @@ filebeat.autodiscover:
              multiline.negate: true
              multiline.match: after

+fields:
+  stage: {{ stage }}
+  hostname: {{ inventory_hostname }}
+
 output.logstash:
  hosts: ["{{ shared_service_elastic_stack_logstash_01_hostname }}:5044"]
  ssl:
--- a/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
+++ b/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
@ -31,14 +31,14 @@ filter {
 }

 output {
-    if "audit" in [tags] {
+    if [fields][hostname] and [event][dataset] == "system.auth" {
        elasticsearch {
            hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
            cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"

-            index => "auditlog-%{+YYYY.MM}"
+            index => "%{[fields][hostname]}-authlog-%{+YYYY.MM}"

            manage_template => false
       }
@ -50,10 +50,22 @@ output {
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"

-            index => "authlog-%{+YYYY.MM}"
+            index => "uncategorized-authlog-%{+YYYY.MM}"

            manage_template => false
-        }
+       }
+    }
+    else if [fields][hostname] and [event][dataset] == "system.syslog" {
+        elasticsearch {
+            hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
+            cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
+            user => "{{ elastic_admin_username }}"
+            password => "{{ elastic_admin_password }}"
+
+            index => "%{[fields][hostname]}-syslog-%{+YYYY.MM}"
+
+            manage_template => false
+       }
    }
    else if [event][dataset] == "system.syslog" {
        elasticsearch {
@ -62,10 +74,10 @@ output {
            user => "{{ elastic_admin_username }}"
            password => "{{ elastic_admin_password }}"

-            index => "syslog-%{+YYYY.MM}"
+            index => "uncategorized-syslog-%{+YYYY.MM}"

            manage_template => false
-        }
+       }
    }
    else if [container][name] and [@metadata][beat] {
        elasticsearch {