add osquery
* install osquery * add filebeat integration Change-Id: Ia93595482512460ebdd287cf091cb5fe51b00de4
This commit is contained in:
parent
861f4e7030
commit
d98fec1a54
@ -122,6 +122,11 @@
|
|||||||
path: /var/log/designate
|
path: /var/log/designate
|
||||||
register: designate
|
register: designate
|
||||||
|
|
||||||
|
- name: Check for osquery
|
||||||
|
stat:
|
||||||
|
path: /var/log/osquery/osqueryd.results.log
|
||||||
|
register: osquery
|
||||||
|
|
||||||
- name: Set discovery facts
|
- name: Set discovery facts
|
||||||
set_fact:
|
set_fact:
|
||||||
apache_enabled: "{{ (apache2.stat.exists | bool) or (httpd.stat.exists | bool) }}"
|
apache_enabled: "{{ (apache2.stat.exists | bool) or (httpd.stat.exists | bool) }}"
|
||||||
@ -140,6 +145,7 @@
|
|||||||
swift_enabled: "{{ (swift.stat.exists | bool) or (inventory_hostname in groups['swift_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*swift.*') | list | length) > 0) }}"
|
swift_enabled: "{{ (swift.stat.exists | bool) or (inventory_hostname in groups['swift_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*swift.*') | list | length) > 0) }}"
|
||||||
rabbitmq_enabled: "{{ (rabbitmq.stat.exists | bool) or (inventory_hostname in groups['rabbitmq_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*rabbit.*') | list | length) > 0) }}"
|
rabbitmq_enabled: "{{ (rabbitmq.stat.exists | bool) or (inventory_hostname in groups['rabbitmq_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*rabbit.*') | list | length) > 0) }}"
|
||||||
designate_enabled: "{{ (designate.stat.exists | bool) or (inventory_hostname in groups['designate_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*designate.*') | list | length) > 0) }}"
|
designate_enabled: "{{ (designate.stat.exists | bool) or (inventory_hostname in groups['designate_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*designate.*') | list | length) > 0) }}"
|
||||||
|
osquery_enabled: "{{ osquery.stat.exists | bool }}"
|
||||||
|
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
|
@ -249,7 +249,7 @@ filebeat.modules:
|
|||||||
#------------------------------- Osquery Module ------------------------------
|
#------------------------------- Osquery Module ------------------------------
|
||||||
- module: osquery
|
- module: osquery
|
||||||
result:
|
result:
|
||||||
enabled: true
|
enabled: {{ osquery_enabled | bool }}
|
||||||
|
|
||||||
# Set custom paths for the log files. If left empty,
|
# Set custom paths for the log files. If left empty,
|
||||||
# Filebeat will choose the paths depending on your OS.
|
# Filebeat will choose the paths depending on your OS.
|
||||||
|
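--- a/osquery/installOsquery.yml
+++ b/osquery/installOsquery.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install osquery
+hosts: osquery_hosts
+become: true
+
+roles:
+- osquery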
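Review bot: The `osquery` role applied on the last line of this playbook is not defined anywhere in the commit; readme.rst has the operator clone it from a third-party GitHub repository at whatever its default branch happens to be, and this play then runs it with `become: true` on every host in `osquery_hosts`. Nothing in the file records that dependency or the revision that was reviewed, which makes the root-level run hard to audit later. I would add a comment above `roles:` such as `# The osquery role is an external dependency cloned to /etc/ansible/roles/osquery (see readme.rst); pin it to a reviewed tag or commit before running this play.`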
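--- a/osquery/inventory.example.yml
+++ b/osquery/inventory.example.yml
@@ -0,0 +1,5 @@
+---
+# This is the location where osquery(s) will live
+osquery_hosts:
+hosts:
+all: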
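Review bot: `all:` on the last line sits under `hosts:`, which the YAML inventory plugin reads as a host literally named `all` rather than as a reference to the built-in `all` group, as far as I can tell, so the example would target a non-existent host instead of every inventory host. If this is meant as a placeholder for the operator's own hosts, the file should say so; if it is meant to enrol every host, the play's `hosts:` line is the usual place to express that. A comment such as `# Replace with the hosts that should run osqueryd, e.g. osquery01 with an ansible_host entry (constructed example)` above `hosts:` would make the intent explicit either way.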
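--- a/osquery/readme.rst
+++ b/osquery/readme.rst
@@ -0,0 +1,42 @@
+Install OSQuery
+###############
+:tags: openstack, ansible
+
+About this repository
+---------------------
+
+This set of playbooks will deploy osquery. If this is being deployed as part of
+an OpenStack all of the inventory needs will be provided for.
+
+There multiple ways to aggregate the data. At this point this repo does not provide
+one of said methods. It is currently intended to be utilized with the `elk_metrics_6x`.
+
+It is the intention that at a later point to the ability to configure osquery to report
+to a centralized place like (kolide/fleet)[https://github.com/kolide/fleet], (zentral)[https://github.com/zentralopensource/zentral],
+etc.
+
+**These playbooks require Ansible 2.4+.**
+
+Deployment Process
+------------------
+
+Clone the osa ops repo
+
+.. code-block:: bash
+
+cd /opt
+git clone https://github.com/openstack/openstack-ansible-ops
+
+Clone the osquery role
+
+.. code-block:: bash
+
+cd /opt
+git clone https://github.com/devx/ansible-osquery.git /etc/ansible/roles/osquery
+
+install osquery
+
+.. code-block:: bash
+
+cd /opt/openstack-ansible-ops/osquery
+openstack-ansible installOsquery.yml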