From e6c26964c6a5220c49e26fe0a9578681855f0190 Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Wed, 12 Jul 2017 19:16:21 -0400
Subject: [PATCH] Filebeat role: Updating README.md
---
 ansible-role-filebeat/README.md | 104 ++++++++++++++------------------
 1 file changed, 45 insertions(+), 59 deletions(-)
diff --git a/ansible-role-filebeat/README.md b/ansible-role-filebeat/README.md
index b05b0493..61913ed2 100644
--- a/ansible-role-filebeat/README.md
+++ b/ansible-role-filebeat/README.md
@@ -1,77 +1,63 @@
-# Ansible Role: Filebeat for ELK Stack
+Ansible Role: Filebeat for ELK Stack
+------------------------------------
-An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat) on RedHat/CentOS or Debian/Ubuntu.
+An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
-## Requirements
+Requirements
+------------
-None.
+This role will work on:
+ * Red Hat
+ * CentOS
+ * Fedora
+ * Debian
+ * Ubuntu
-## Role Variables
+Role Variables
+--------------
 Available variables are listed below, along with default values (see `defaults/main.yml`):
- filebeat_create_config: true
+```
+ filebeat_create_config: true
-Whether to create the Filebeat configuration file and handle the copying of SSL key and cert for filebeat. If you prefer to create a configuration file yourself you can set this to `false`.
+ filebeat_prospectors:
+ - input_type: log
+ paths:
+ - "/var/ossec/logs/alerts/alerts.json"
+ document_type: json
+ json.message_key: log
+ json.keys_under_root: true
+ json.overwrite_keys: true
- filebeat_prospectors:
- - input_type: log
- paths:
- - "/var/log/*.log"
+ filebeat_output_elasticsearch_enabled: false
+ filebeat_output_elasticsearch_hosts:
+ - "localhost:9200"
-Prospectors that will be listed in the `prospectors` section of the Filebeat configuration. Read through the [Filebeat Prospectors configuration guide](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html) for more options.
+ filebeat_output_logstash_enabled: true
+ filebeat_output_logstash_hosts:
+ - "192.168.212.158:5000"
- filebeat_output_elasticsearch_enabled: false
- filebeat_output_elasticsearch_hosts:
- - "localhost:9200"
+ filebeat_enable_logging: true
+ filebeat_log_level: debug
+ filebeat_log_dir: /var/log/mybeat
+ filebeat_log_filename: mybeat.log
-Whether to enable Elasticsearch output, and which hosts to send output to.
+ filebeat_ssl_dir: /etc/pki/logstash
+ filebeat_ssl_certificate_file: ""
+ filebeat_ssl_key_file: ""
+ filebeat_ssl_insecure: "false"
+```
- filebeat_output_logstash_enabled: true
- filebeat_output_logstash_hosts:
- - "localhost:5000"
+License and copyright
+---------------------
-Whether to enable Logstash output, and which hosts to send output to.
+WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
- filebeat_enable_logging: false
- filebeat_log_level: warning
- filebeat_log_dir: /var/log/filebeat
- filebeat_log_filename: filebeat.log
+### Based on previous work from geerlingguy
-Filebeat logging.
+ - https://github.com/geerlingguy/ansible-role-filebeat
- filebeat_ssl_dir: /etc/pki/logstash
+### Modified by Wazuh
-The path where certificates and keyfiles will be stored.
-
- filebeat_ssl_certificate_file: ""
- filebeat_ssl_key_file: ""
-
-Local paths to the SSL certificate and key files, which will be copied into the `filebeat_ssl_dir`.
-
-For utmost security, you should use your own valid certificate and keyfile, and update the `filebeat_ssl_*` variables in your playbook to use your certificate.
-
-To generate a self-signed certificate/key pair, you can use use the command:
-
- $ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout filebeat.key -out filebeat.crt
-
-Note that filebeat and logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. See: https://github.com/elastic/logstash/issues/4926#issuecomment-203936891
-
- filebeat_ssl_insecure: "false"
-
-Set this to `"true"` to allow the use of self-signed certificates (when a CA isn't available).
-
-## Dependencies
-
-None.
-
-## License
-
-MIT / BSD
-
-## Author Information
-
-This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
-
-## Modified
-The playbooks have been modified by Wazuh, Inc, including some specific requirements, templates and configuration for integrating Elastic Stack and Wazuh ecosystem.
+The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.