From c7b734515463bf04bbb20dbd16dc5b58be7cad2a Mon Sep 17 00:00:00 2001 
From: Will Foster Date: Fri, 17 Jun 2016 10:47:19 +0100 Subject: [PATCH] Add fluentd support to ELK as optional replacement for logstash. This adds the ability to substitute fluentd for logstash for ELK stack deployments. This is a seamless substitution, but logstash is still the default if no options are changed. Rsyslog will be utilized instead of the official Filebeat logstash forwarder. To use fluentd instead of logstash change the following parameter in install/group_vars/all.yml: logging_backend: fluentd In addition, the following enhancements were made: * All service ports are now configurable * Firewall ports are now configurable Documentation updates can be viewed here: http://rst.ninjs.org/?n=aa3ea354e28f4ef11d2a03344d8c34be&theme=basic Patchset #2: clean up commit message character length. Patchset #3: explicitly state logstash is the default Patchset #4: clean up browbeat install instructions Patchset #5: add /etc/rsyslog.d/openstack-logs.conf that will pickup common openstack logs in /var/log/* Change-Id: Ife928c1f6699e0c675d44e857ccb6aaff165752d --- ansible/README.rst | 31 ++- ansible/install/elk.yml | 5 +- ansible/install/group_vars/all.yml | 16 ++ ansible/install/roles/filebeat/tasks/main.yml | 46 ++++- .../roles/filebeat/templates/filebeat.yml.j2 | 2 +- .../templates/rsyslog-openstack.conf.j2 | 153 +++++++++++++++ .../files/filebeat-index-template.json | 49 +++++ .../install/roles/fluentd/files/fluentd.repo | 5 + ansible/install/roles/fluentd/tasks/main.yml | 183 ++++++++++++++++++ .../roles/fluentd/templates/td-agent.conf.j2 | 86 ++++++++ .../kibana/files/filebeat-dashboards.zip | Bin 1230159 -> 1230983 bytes ansible/install/roles/kibana/tasks/main.yml | 30 ++- ansible/install/roles/logstash/tasks/main.yml | 34 ++-- .../02-beats-input.conf.j2} | 2 +- ansible/install/roles/nginx/tasks/main.yml | 8 - 15 files changed, 601 insertions(+), 49 deletions(-) create mode 100644 ansible/install/roles/filebeat/templates/rsyslog-openstack.conf.j2 create mode 
100644 ansible/install/roles/fluentd/files/filebeat-index-template.json create mode 100644 ansible/install/roles/fluentd/files/fluentd.repo create mode 100644 ansible/install/roles/fluentd/tasks/main.yml create mode 100644 ansible/install/roles/fluentd/templates/td-agent.conf.j2 rename ansible/install/roles/logstash/{files/02-beats-input.conf => templates/02-beats-input.conf.j2} (82%) diff --git a/ansible/README.rst b/ansible/README.rst index 77833eb82..dda9de001 100644 --- a/ansible/README.rst +++ b/ansible/README.rst @@ -52,7 +52,12 @@ Image upload requires Ansible 2.0 :: - # vi install/group_vars/all.yml # Edit ansible vars file (Installation parameters) + # vi install/group_vars/all.yml + +Edit ansible vars file (Installation parameters) + +:: + # ansible-playbook -i hosts install/browbeat.yml Install Collectd Agent (Requires a Graphite Server) @@ -79,6 +84,10 @@ Requires Ansible 2.0 Install Generic ELK Stack ''''''''''''''''''''''''' +Listening ports and other options can be changed in ``install/group_vars/all.yml`` +as needed. You can also change the logging backend to use fluentd via the +``logging_backend:`` variable. For most uses leaving the defaults in place is +accceptable. If left unchanged the default is to use logstash. :: 
@@ -86,25 +95,36 @@ Install Generic ELK Stack Install ELK Stack (on an OpenStack Undercloud) '''''''''''''''''''''''''''''''''''''''''''''' +Triple-O based OpenStack deployments have a lot of ports already listening on +the Undercloud node. You'll need to change the default listening ports for ELK +to be deployed without conflict. :: sed -i 's/nginx_kibana_port: 80/nginx_kibana_port: 8888/' install/group_vars/all.yml sed -i 's/elk_server_ssl_cert_port: 8080/elk_server_ssl_cert_port: 9999/' install/group_vars/all.yml +Now you can proceed with deployment. + :: ansible-playbook -i hosts install/elk.yml Install Generic ELK Clients ''''''''''''''''''''''''''' +Filebeat (official Logstash forwarder) is used here unless you chose the +optional fluentd ``logging_backend`` option in ``install/group_vars/all.yml``. In this case +a simple rsyslog setup will be implemented. :: ansible-playbook -i hosts install/elk-client.yml --extra-vars 'elk_server=X.X.X.X' -- elk\_server variable will be generated after the ELK stack playbook - runs +The ``elk_server`` variable will be generated after the ELK stack playbook runs, +but it's generally wherever you installed ELK. If you have an existing ELK +stack you can point new clients to it as well, but you'll want to place a new +client SSL certificate at the location of +``http://{{elk_server}}:{{elk_server_ssl_cert_port}}/filebeat-forwarder.crt`` Install ELK Clients for OpenStack nodes ''''''''''''''''''''''''''''''''''''''' @@ -113,9 +133,6 @@ Install ELK Clients for OpenStack nodes ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server=X.X.X.X' -- elk\_server variable will be generated after the ELK stack playbook - runs - Install graphite service '''''''''''''''''''''''' 
@@ -139,7 +156,7 @@ Prior to installing graphite as a docker container, please review install/group\_vars/all.yml file and ensure the docker related settings will work with your target host. This playbook is ideal when installing services on director/rdo-manager undercloud host(s). - + :: # ansible-playbook -i hosts install/graphite-docker.yml diff --git a/ansible/install/elk.yml b/ansible/install/elk.yml index 51ff02e6c..7028832fe 100644 --- a/ansible/install/elk.yml +++ b/ansible/install/elk.yml @@ -1,12 +1,13 @@ --- # -# Playbook to install the ELK stack +# Playbook to install the ELK stack for browbeat # - hosts: elk remote_user: root roles: - { role: elasticsearch } - - { role: logstash } + - { role: fluentd, when: (logging_backend == 'fluentd') } + - { role: logstash, when: ((logging_backend is none) or (logging_backend == 'logstash')) } - { role: nginx } - { role: kibana } diff --git a/ansible/install/group_vars/all.yml b/ansible/install/group_vars/all.yml index 11c5368ec..314952c93 100644 --- a/ansible/install/group_vars/all.yml +++ b/ansible/install/group_vars/all.yml @@ -135,3 +135,19 @@ nginx_kibana_port: 80 # usage: port filebeat client grabs the client SSL certificate # e.g. 9999 elk_server_ssl_cert_port: 8080 +# +### logging backend ### +# you can pick between logstash or fluentd +# if left empty logstash will be used +### accepted options ### +# logging_backend: +# logging_backend: logstash +# logging_backend: fluentd +logging_backend: +# +### logstash options ### +logstash_syslog_port: 5044 +### fluentd options ### +fluentd_syslog_port: 42185 +fluentd_http_port: 9919 +fluentd_debug_port: 24230 diff --git a/ansible/install/roles/filebeat/tasks/main.yml b/ansible/install/roles/filebeat/tasks/main.yml index bed52487b..06afa034d 100644 --- a/ansible/install/roles/filebeat/tasks/main.yml +++ b/ansible/install/roles/filebeat/tasks/main.yml 
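Review bot: The two role conditions in `elk.yml` leave a gap: a `logging_backend` value other than `fluentd`, `logstash` or empty (a typo or different case) matches neither `when`, so the play installs Elasticsearch, nginx and Kibana with no log receiver and still reports success. The client-side tasks elsewhere in this patch test `logging_backend != 'fluentd'`, so the same typo would install Filebeat pointing at a server that has no Logstash. Making the logstash condition the exact complement, `when: (logging_backend != 'fluentd')`, or failing early on an unknown value, keeps server and clients consistent. In `group_vars/all.yml` the bare `logging_backend:` parses as null; writing `logging_backend: logstash` states the default explicitly and makes the `is none` branch unnecessary.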
@@ -10,18 +10,20 @@ owner=root group=root mode=0644 + when: (logging_backend != 'fluentd') become: true - name: Import Filebeat GPG Key rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch state=present - become: true + when: (logging_backend != 'fluentd') - name: Install filebeat rpms yum: name={{ item }} state=present become: true with_items: - filebeat + when: (logging_backend != 'fluentd') - name: Generate filebeat configuration template template: 
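Review bot: In the `Import Filebeat GPG Key` task the patch replaces `become: true` with the new `when:` instead of adding the condition beside it, so the key import now runs without privilege escalation while the neighbouring tasks keep it. `rpm_key` modifies the RPM database and will presumably fail for a non-root `remote_user`; keep both lines, `become: true` followed by `when: (logging_backend != 'fluentd')`. The key URL on the unchanged line is plain `http://`, so the key that anchors package verification is itself fetched without transport integrity; an `https://` URL is the safer choice if the vendor serves one. The new `Import fluentd GPG Key` task in `roles/fluentd/tasks/main.yml` also has no `become`. The first task of this hunk starts above the visible lines.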
@@ -31,30 +33,56 @@ group=root mode=0644 become: true + when: (logging_backend != 'fluentd') register: filebeat_needs_restart - name: Check ELK server SSL client certificate stat: path=/etc/pki/tls/certs/filebeat-forwarder.crt ignore_errors: true register: elk_client_ssl_cert_exists - -# Set standard nginx ports if we're not pointing towards an undercloud -- name: Assign ELK nginx port value for SSL client certificate - set_fact: - elk_server_ssl_cert_port: 8080 - when: elk_server_ssl_cert_port is none + when: (logging_backend != 'fluentd') - name: Install ELK server SSL client certificate shell: curl http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt become: true - when: elk_client_ssl_cert_exists != 0 + when: ((elk_client_ssl_cert_exists != 0) and (logging_backend != 'fluentd')) - name: Start filebeat service command: systemctl start filebeat.service ignore_errors: true become: true - when: filebeat_needs_restart != 0 + when: ((filebeat_needs_restart != 0) and (logging_backend != 'fluentd')) - name: Setup filebeat service service: name=filebeat state=started enabled=true become: true + when: (logging_backend != 'fluentd') + +- name: Install rsyslogd for fluentd + yum: name={{ item }} state=present + become: true + with_items: + - rsyslog + when: (logging_backend == 'fluentd') + +- name: Setup rsyslogd for fluentd + lineinfile: dest=/etc/rsyslog.conf \ + line="*.* @{{ elk_server }}:{{ fluentd_syslog_port }}" + when: (logging_backend == 'fluentd') + register: rsyslog_updated + +- name: Setup common OpenStack rsyslog logging + template: + src=rsyslog-openstack.conf.j2 + dest=/etc/rsyslog.d/openstack-logs.conf + owner=root + group=root + mode=0644 + become: true + register: rsyslog_updated + when: (logging_backend == 'fluentd') + +- name: Restarting rsyslog for fluentd + command: systemctl restart rsyslog.service + ignore_errors: true + when: rsyslog_updated != 0 
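Review bot: The fluentd client path forwards every facility with `*.* @{{ elk_server }}:{{ fluentd_syslog_port }}`, and a single `@` in rsyslog means UDP, so all host logs leave the node unencrypted and unauthenticated, whereas the Filebeat path at least installs a forwarder certificate for its connection. If that trade-off is intended it deserves a comment on the task and a line in the README; otherwise consider rsyslog's TLS-capable TCP forwarding or confining the traffic to a management network. `Setup rsyslogd for fluentd` edits `/etc/rsyslog.conf` without `become: true`. `Restarting rsyslog for fluentd` uses `when: rsyslog_updated != 0`, which compares a registered result with an integer and is therefore always true, and it has no backend check, so rsyslog is restarted on logstash clients too; `when: logging_backend == 'fluentd' and rsyslog_updated.changed` expresses the intent, with a distinct register name for each of the two tasks that currently share `rsyslog_updated`. The same `!= 0` pattern appears in the kibana and fluentd role hunks.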
diff --git a/ansible/install/roles/filebeat/templates/filebeat.yml.j2 b/ansible/install/roles/filebeat/templates/filebeat.yml.j2 index cf1647fc1..1aa17e5d0 100644 --- a/ansible/install/roles/filebeat/templates/filebeat.yml.j2 +++ b/ansible/install/roles/filebeat/templates/filebeat.yml.j2 @@ -169,7 +169,7 @@ output: # Scheme and port can be left out and will be set to the default (http and 9200) # In case you specify and additional path, the scheme is required: http://localhost:9200/path # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 - hosts: ["{{ elk_server }}:5044"] + hosts: ["{{ elk_server }}:{{ logstash_syslog_port }}"] bulk_max_size: 1024 # Optional protocol and basic auth credentials. These are deprecated. #protocol: "https" diff --git a/ansible/install/roles/filebeat/templates/rsyslog-openstack.conf.j2 b/ansible/install/roles/filebeat/templates/rsyslog-openstack.conf.j2 new file mode 100644 index 000000000..25ea84350 --- /dev/null +++ b/ansible/install/roles/filebeat/templates/rsyslog-openstack.conf.j2 
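Review bot: `logstash_syslog_port` is a misleading name for the value templated into `hosts:` here, because this is Filebeat's Logstash output and the port is the beats listener, not a syslog one. With `fluentd_syslog_port` (a real syslog listener) defined beside it in `group_vars/all.yml`, the two are easy to confuse when writing firewall rules. A name such as `logstash_beats_port` would describe it; the `output:` block continues outside the hunk.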
@@ -0,0 +1,153 @@ +# aggregate common openstack logs via rsyslog + +$ModLoad imfile + +# Neutron +$InputFileName /var/log/neutron/server.log +$InputFileTag neutron-server-errors +$InputFileStateFile neutron-server-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# Nova +$InputFileName /var/log/nova/nova-api.log +$InputFileTag nova-api-errors +$InputFileStateFile nova-api-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/nova/nova-cert.log +$InputFileTag nova-cert-errors +$InputFileStateFile nova-cert-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/nova/nova-conductor.log +$InputFileTag nova-conductor-errors +$InputFileStateFile nova-conductor-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/nova/nova-consoleauth.log +$InputFileTag nova-consoleauth-errors +$InputFileStateFile nova-consoleauth-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/nova/nova-manage.log +$InputFileTag nova-manage-errors +$InputFileStateFile nova-manage-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/nova/nova-novncproxy.log +$InputFileTag nova-novncproxy-errors +$InputFileStateFile nova-novncproxy-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/nova/nova-scheduler.log +$InputFileTag nova-scheduler-errors +$InputFileStateFile nova-scheduler-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# cinder +$InputFileName /var/log/cinder/api.log +$InputFileTag cinder-api-errors +$InputFileStateFile cinder-api-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/cinder/backup.log +$InputFileTag cinder-backup-errors 
+$InputFileStateFile cinder-backup-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/cinder/scheduler.log +$InputFileTag cinder-scheduler-errors +$InputFileStateFile cinder-scheduler-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/cinder/volume.log +$InputFileTag cinder-volume-errors +$InputFileStateFile cinder-volume-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# glance +$InputFileName /var/log/glance/api.log +$InputFileTag glance-api-errors +$InputFileStateFile glance-api-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/glance/registry.log +$InputFileTag glance-registry-errors +$InputFileStateFile glance-registry-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/glance/scrubber.log +$InputFileTag glance-scrubber-errors +$InputFileStateFile glance-scrubber-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# keystone +$InputFileName /var/log/keystone/keystone.log +$InputFileTag keystone-errors +$InputFileStateFile keystone-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# horizon +$InputFileName /var/log/horizon/horizon.log +$InputFileTag horizon-errors +$InputFileStateFile horizon-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/httpd/horizon_error.log +$InputFileTag horizon-httpd-errors +$InputFileStateFile horizon-httpd-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +$InputFileName /var/log/httpd/horizon_ssl_error.log +$InputFileTag horizon-httpd_ssl-errors +$InputFileStateFile horizon-httpd_ssl-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# mariadb +$InputFileName 
/var/log/mariadb/mariadb.log +$InputFileTag mariadb-errors +$InputFileStateFile mariadb-errors +$InputFileSeverity error +$InputFileFacility local7 +$InputRunFileMonitor + +# send to elk_server +*.* @{{ elk_server }}:{{ fluentd_syslog_port }} diff --git a/ansible/install/roles/fluentd/files/filebeat-index-template.json b/ansible/install/roles/fluentd/files/filebeat-index-template.json new file mode 100644 index 000000000..f927d9d5c --- /dev/null +++ b/ansible/install/roles/fluentd/files/filebeat-index-template.json @@ -0,0 +1,49 @@ +{ + "mappings": { + "_default_": { + "_all": { + "enabled": true, + "norms": { + "enabled": false + } + }, + "dynamic_templates": [ + { + "template1": { + "mapping": { + "doc_values": true, + "ignore_above": 1024, + "index": "not_analyzed", + "type": "{dynamic_type}" + }, + "match": "*" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "message": { + "type": "string", + "index": "analyzed" + }, + "offset": { + "type": "long", + "doc_values": "true" + }, + "geoip" : { + "type" : "object", + "dynamic": true, + "properties" : { + "location" : { "type" : "geo_point" } + } + } + } + } + }, + "settings": { + "index.refresh_interval": "5s" + }, + "template": "filebeat-*" +} diff --git a/ansible/install/roles/fluentd/files/fluentd.repo b/ansible/install/roles/fluentd/files/fluentd.repo new file mode 100644 index 000000000..abecf7e2c --- /dev/null +++ b/ansible/install/roles/fluentd/files/fluentd.repo @@ -0,0 +1,5 @@ +[treasuredata] +name=TreasureData +baseurl=http://packages.treasuredata.com/2/redhat/\$releasever/\$basearch +gpgcheck=1 +gpgkey=https://packages.treasuredata.com/GPG-KEY-td-agent diff --git a/ansible/install/roles/fluentd/tasks/main.yml b/ansible/install/roles/fluentd/tasks/main.yml new file mode 100644 index 000000000..4fbdd510e --- /dev/null +++ b/ansible/install/roles/fluentd/tasks/main.yml 
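Review bot: The closing rule `*.* @{{ elk_server }}:{{ fluentd_syslog_port }}` duplicates the line that the `Setup rsyslogd for fluentd` task already appends to `/etc/rsyslog.conf`; if that file includes `/etc/rsyslog.d/*.conf`, as stock RHEL-family configurations do, every message is forwarded twice. Keep the forwarding rule in one place only. Each input also sets `$InputFileSeverity error` and an `-errors` tag, so every line of these files, not only errors, is shipped labelled as an error, which will skew severity-based filtering or alerting downstream. A header comment such as `# NOTE: all lines of each file are forwarded with severity "error"; filter by content downstream` would make that explicit.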
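Review bot: `baseurl` in `fluentd.repo` uses plain `http://` while `gpgkey` on the line below already uses `https://` for the same host. `gpgcheck=1` protects package contents, but repository metadata is still fetched without transport integrity; `baseurl=https://packages.treasuredata.com/2/redhat/$releasever/$basearch` closes that gap. The backslashes before `$releasever` and `$basearch` look like shell-heredoc escapes carried over from an install script; in a file shipped verbatim by `copy` they are probably literal, so the resolved URL is worth checking on a target host.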
@@ -0,0 +1,183 @@ +--- +# +# Install/run fluentd for browbeat +# + +- name: Copy fluentd yum repo file + copy: + src=fluentd.repo + dest=/etc/yum.repos.d/fluentd.repo + owner=root + group=root + mode=0644 + become: true + +- name: Import fluentd GPG Key + rpm_key: key=https://packages.treasuredata.com/GPG-KEY-td-agent + state=present + +- name: Install fluentd + yum: name={{ item }} state=present + become: true + with_items: + - td-agent + +- name: Setup fluentd configuration files + template: + src=td-agent.conf.j2 + dest=/etc/td-agent/td-agent.conf + owner=root + group=root + mode=0644 + become: true + register: fluentd_needs_restart + +### begin firewall settings here ### +# we need TCP/42185 and TCP/9919 open +# determine firewall status and take action +# 1) use firewall-cmd if firewalld is utilized +# 2) insert iptables rule if iptables is used + +# Firewalld +- name: Determine if firewalld is in use + shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' + ignore_errors: true + register: firewalld_in_use + +- name: Determine if firewalld is active + shell: systemctl is-active firewalld.service | grep -vq inactive + ignore_errors: true + register: firewalld_is_active + +- name: Determine if TCP/{{fluentd_syslog_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_syslog_port}}/tcp" + ignore_errors: true + register: firewalld_tcp42185_exists + +# add firewall rule via firewall-cmd +- name: Add firewall rule for TCP/{{fluentd_syslog_port}} (firewalld) + command: "{{ item }}" + with_items: + - firewall-cmd --zone=public --add-port={{fluentd_syslog_port}}/tcp --permanent + - firewall-cmd --reload + ignore_errors: true + become: true + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp42185_exists.rc != 0 + +# iptables-services +- name: check firewall rules for TCP/{{fluentd_syslog_port}} (iptables-services) + shell: grep "dport {{fluentd_syslog_port}} \-j ACCEPT" 
/etc/sysconfig/iptables | wc -l + ignore_errors: true + register: iptables_tcp42185_exists + failed_when: iptables_tcp42185_exists == 127 + +- name: Add firewall rule for TCP/{{fluentd_syslog_port}} (iptables-services) + lineinfile: + dest: /etc/sysconfig/iptables + line: '-A INPUT -p tcp -m tcp --dport {{fluentd_syslog_port}} -j ACCEPT' + regexp: '^INPUT -i lo -j ACCEPT' + insertbefore: '-A INPUT -i lo -j ACCEPT' + backup: yes + when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp42185_exists.stdout|int == 0 + register: iptables_needs_restart + +- name: Restart iptables-services for TCP/{{fluentd_syslog_port}} (iptables-services) + shell: systemctl restart iptables.service + ignore_errors: true + when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 + +# Firewalld +- name: Determine if firewalld is in use + shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' + ignore_errors: true + register: firewalld_in_use + +- name: Determine if firewalld is active + shell: systemctl is-active firewalld.service | grep -vq inactive + ignore_errors: true + register: firewalld_is_active + +- name: Determine if TCP/{{fluentd_http_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_http_port}}/tcp" + ignore_errors: true + register: firewalld_tcp9919_exists + +# add firewall rule via firewall-cmd +- name: Add firewall rule for TCP/{{fluentd_http_port}} (firewalld) + command: "{{ item }}" + with_items: + - firewall-cmd --zone=public --add-port={{fluentd_http_port}}/tcp --permanent + - firewall-cmd --reload + ignore_errors: true + become: true + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9919_exists.rc != 0 + +# iptables-services +- name: check firewall rules for TCP/{{fluentd_http_port}} (iptables-services) + shell: grep "dport {{fluentd_http_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l + ignore_errors: true + register: 
iptables_tcp9919_exists + failed_when: iptables_tcp9919_exists == 127 + +- name: Add firewall rule for TCP/{{fluentd_http_port}} (iptables-services) + lineinfile: + dest: /etc/sysconfig/iptables + line: '-A INPUT -p tcp -m tcp --dport {{fluentd_http_port}} -j ACCEPT' + regexp: '^INPUT -i lo -j ACCEPT' + insertbefore: '-A INPUT -i lo -j ACCEPT' + backup: yes + when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9919_exists.stdout|int == 0 + register: iptables_needs_restart + +- name: Restart iptables-services for TCP/{{fluentd_http_port}} (iptables-services) + shell: systemctl restart iptables.service + ignore_errors: true + when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 + +### end firewall settings ### + +- name: Install fluentd elasticsearch plugin + gem: + name=fluent-plugin-elasticsearch + state=latest + include_dependencies=yes + user_install=no + executable=/usr/sbin/td-agent-gem + become: true + ignore_errors: false + +- name: Install fluentd beats plugin + gem: + name=fluent-plugin-beats + state=latest + include_dependencies=yes + user_install=no + executable=/usr/sbin/td-agent-gem + become: true + ignore_errors: false + +- name: Stage filebeat JSON index template + copy: + src=filebeat-index-template.json + dest=/tmp/filebeat-index-template.json + owner=root + group=root + mode=0644 + become: true + +# note: we can't currently use the Ansible uri module here, curl is a workaround +# https://github.com/ansible/ansible-modules-core/issues/265 +# http://stackoverflow.com/questions/28997007/translate-curl-put-into-ansible-uri-module +- name: Load filebeat JSON index template + command: curl -XPOST 'http://localhost:9200/_template/filebeat?pretty' -d@/tmp/filebeat-index-template.json + ignore_errors: true + become: true + +- name: Start fluentd service + command: systemctl start td-agent.service + ignore_errors: true + when: fluentd_needs_restart != 0 + +- name: Setup fluentd service + 
service: name=td-agent state=started enabled=true + become: true diff --git a/ansible/install/roles/fluentd/templates/td-agent.conf.j2 b/ansible/install/roles/fluentd/templates/td-agent.conf.j2 new file mode 100644 index 000000000..35daa4dad --- /dev/null +++ b/ansible/install/roles/fluentd/templates/td-agent.conf.j2 @@ -0,0 +1,86 @@ +#### +## Output descriptions: +## + +# Treasure Data (http://www.treasure-data.com/) provides cloud based data +# analytics platform, which easily stores and processes data from td-agent. +# FREE plan is also provided. +# @see http://docs.fluentd.org/articles/http-to-td +# +# This section matches events whose tag is td.DATABASE.TABLE + + type tdlog + apikey YOUR_API_KEY + + auto_create_table + buffer_type file + buffer_path /var/log/td-agent/buffer/td + + + type file + path /var/log/td-agent/failed_records + + + +## match tag=debug.** and dump to console + + type stdout + + +#### +## Source descriptions: +## + +## built-in TCP input +## @see http://docs.fluentd.org/articles/in_forward + + type forward + + +## built-in UNIX socket input +# +# type unix +# + +# HTTP input +# POST http://localhost:8888/?json= +# POST http://localhost:8888/td.myapp.login?json={"user"%3A"me"} +# @see http://docs.fluentd.org/articles/in_http + + type http + port {{ fluentd_http_port }} + + +## live debugging agent + + type debug_agent + bind 127.0.0.1 + port {{ fluentd_debug_port }} + + + +# collect the dmesg output + + type syslog + port {{ fluentd_syslog_port }} + tag syslog + + + + type elasticsearch + logstash_format true #Kibana understands only logstash format + flush_interval 10s # for testing + + + + @type beats + metadata_as_tag + + +# Forward all events from beats to each index on elasticsearch + + @type elasticsearch_dynamic + logstash_format true + logstash_prefix ${tag_parts[0]} + type_name ${record['type']} + 
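Review bot: The firewall tasks open `{{fluentd_syslog_port}}/tcp`, but the clients in this patch forward with a single-`@` rsyslog rule (UDP) and the syslog source in `td-agent.conf.j2` sets no protocol, so the port being opened is likely not the one the traffic uses; `--add-port={{fluentd_syslog_port}}/udp` (and `-p udp` in the iptables line) would match. `{{fluentd_http_port}}` is opened in the `public` zone for an HTTP input that, as templated, has no authentication, so any host that can reach the server can submit events; restrict the rule to the client network or leave the port closed unless it is needed. Both plugin installs use `state=latest`, which pulls whatever gem version is current at run time and installs it system-wide; pinning `version=` keeps deployments reproducible and reviewable. The `lineinfile` tasks on `/etc/sysconfig/iptables` have no `become: true`, and `failed_when: iptables_tcp42185_exists == 127` compares the whole registered result with an integer, so it can never fire.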
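Review bot: The template keeps the stock sample sections, namely the `tdlog` output with `apikey YOUR_API_KEY` and the `forward` input, next to the ones this deployment actually uses. The `forward` input listens on its default port with no authentication configured here, and the `http` input has a `port` but no `bind`, unlike the debug agent, which is pinned to `127.0.0.1`. Dropping the unused sections and adding an explicit `bind` (loopback or the management address) to each remaining input reduces the listeners this role exposes. The angle-bracket section tags are not visible in this view of the hunk, so section boundaries are inferred from the `type` lines.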
diff --git a/ansible/install/roles/kibana/files/filebeat-dashboards.zip b/ansible/install/roles/kibana/files/filebeat-dashboards.zip index ac36cca4bb72d37da09b4942f14cb4778441e695..7508d54109fff7d3e0527e6eb3e49a7356f56bdc 100644 GIT binary patch delta 12013 zcmai42RK*l`~TW|olr;!nJIgRQd#j$C`nc+G8=f`%1A;|bm$n7A|ymI%9bM84UyT9 zO2%7hNd2F49;t7?)AiSNx-R$meD3@6+|NAsqvND`WV|^S)trHmor3=uF`)5WN@6Dm z1h)P(vf@UQXRQfg+5q4U9!ZpsQDnQ4>u#5WZoWS59(!zUm?(5ON5RCR-EyU=*(SxV zN2?5rZg#62u$H*wC%Dx#n9i8>?y!7E>-~FH9UbAUnNt;^tMP184N10 z&|(1I;v=OPa6N@O_;1B;t?Br1C7Uv)qILomKHyn_D+w{(vc-12lg;`~R0|`U^$TLS zT8jA?BsiJ6zU6%uFq~-Bub`t7cIGzMJj>c&&GxA+`0l|a25(d!25U*5yxiSO4KiyA z@L`)QrIsq2^xZsC5`Kzr!^hEe`(vY;oU}g)xnVXRQ~!x?%D=ffBIhm7PsOYhTqJ5p zua2uM38IgpBMc0T8n^+~V{9jW=VH<%02`Tx83}_tyEY#HEaaJJI(m?O9gUU9KHAK_ zgCNUrR6*~foLdQlA=e#fVC8Wq4E{VH=-BWyN#DD0r4tnsT!+1nLPUsn9ehtAxL}bT zVPNLxr6;rq3GN~cp@NSg!hXqa!cf1Y78=5Z?Fqw>@CY3j?q9j0yefc>LTNxdYvnPg z7(|wMzg#p760(n>8@(dVAA)D5 zZF}4Pr{cUdujKS}0(Qh&>A!fm#pfM|jVNbVOSYECnu?8mKjOaa86QJaZN(nCZ1YMW$o?S)Ml;4)y4Ql zxZj3KDbJSrkkG{3pY9jZy}G!6y3dL^Lx7tvKg=yXINqaPGO(GN9xkihV8d$>@|>|X zS~B0?q?u#o?iA+wVj;N*X7mrF zu?8a(@nv#y38gVR&J43-<7R7I+sCM_;qv^S8ny3)m2Wt_Bs@vOc#CJMC?+F_8W~A^ zxqp_r?y->3fWpVoIYNTb4_*6rM$ibAYhFb4qKQ0R!R7Fm9w#2!`rSLXHQAb@w_pDc{ zux`D-xMd&W_~raJcTM@{$!e498H>GLT(-I{sj6Rjm47I$=QS$H$K6sj>Z+j5tJ%9z zYw|k`$Kx)DZweKT6Z`wwXqd4?FU=%@#LJLvhJb23wo)eqL;z%sp>!jH~7 z+NN2`r%MZZiqU=+`wx9JmU7o`?@vfFNKfDnR0-Z+_MItG%Ts%~)_|ql$>k0!w@ync z@^8Imqf=A+$<#5>W3A$?L9yB$e2$$h%I!ZUJFiaUu6y&XQ8;o}f9~hVy~7vkdoFno zDJ@@G@^X2b;iJ=8N-GEXL*~v7h)#T`|F!1eOOBu97Gf^lmGojD=F+*QR~M*YO0MMm zHJ1Wq_zBQy83#Bo$7Kyk=B2(ITu(4LZ3ufH4=1X;f-^M4D#B>b70sbRS;?009Ia#m z4G&jQ34_e)6liEvh7@6yGH7_9>O&xm)ov1ovl?(w*`a~KMT?_tLy0%)WTcMOokf^2 z%d?0eL7-{{(Xryog;fNl0`)i0z~2+E&^iPD5>=gJFhGSaTqhUn%^S|^!{VLh-Bn)Tl zPeH>n2bjg94kB=SNOg1|5MLZC;HsU#80CJh)Lu>0U>7s`&1ngNS?v4?df{`0 z4f1r2gN8XbxJ4}>oZVds${qK1h&Z>`n=mkY%qOF~5eD-Z zA!yhWyN57z#ahAn^iG}s`a0A*)(o44({srN5WWd z1F`qek!M<{csw&IjPemamC*T4`jG&0;+DusPndM!E;wD-9vDM6 
z8OqK}4ul4&RM_p&sngJKG!1$jN%Mg!jCGxho&gna&^W3*Hk^knCnQ|G@D37EFFFy1 zxr^JNVOu6VuGD2dga+&~9MhjK*Fi&NjvGOd$PI#q^H-pOJ}(dk?UwyicLW5Dz=NVi zSC^5+AVt^VQM_JC($HT(h~hKh7D^sVcb&4a9Y^pK;q}nHDB1 zFRc0_Yt24IfPCu`XR!gx|YFsGFoc8WUlke78@q-q^4kNo65ZBFa0mZK3ks0+Y%F4 zTk+&SEzZ3rYh%rdd;0Wd48s?rtN!t#CYHQ9RoJS_`_HT2PTBa5XIgN8=)~Fr2{^ai zx^`Y+27OjRN6hWHLPVGVtS#b$y=+%}f-npf&kvoB5;)@JZ_JPQO}npjH2@dQ_=v|+ zir_RU5i6UYb(7_AaBivKfRoJS797u=w+_J=CRK38=Tx~v18)tS%HB10&~UdFBBbl) zH=UY#IDo|)=A%sAhO3r+;{!-pbr%|v?iNFXMKjz?FE#r^gJ263_HWAuINA9kj|A(W zOIwUlu2y2Mm&mlPhgjb>=oNo7+Ev zJ{lg)H^QL@uGaT^<|p?0US}fNxxE(9$EQAD!r<|=5E_IB;D#SCa2gs|hF~%ShURzQ z$zixS*o=fiM9(uwQGMqDog@(-&u+xerVxVEolm>waoEl{$zC?SfOBPRq zRsAeCg(8N3iDJTa2q&>@6xexNJ=fy>KH;Ri?~+3PUWTz6ud9WHhMx+zJM&Qo%wJkb4!R7D{8FX?SI!O zwr==Y!sTOJZiAue{2Pk4eH-?>cAfvBgE9`r@tZz6&d{s;>1v)SS$guryj(TFNv+Exh%v^I?`z z#!!}c`hIPrXYE704C*$DTpyJzBHHtBx3WsBuNGR{zQ*P56hFpmdDG2J`Q_PzZrQP{ zYI{6*N3u06n5&GUI1VqGd|#%#sAAV5?uSn^b#HbLRy7GZ@-m(mU(vdrC5xvo*JZCCj?Uiwi3s%0;IAncw~?wF zr}q_$A7EOa@6y!f*r;%(RaaJ{v01`yMo#b8(>ng_8O$KfCnfI&Th7`_YKYzKnAgS% zd(3!>P9Bos9A9iMxtY^pq6tpA-&a4>gtqgA5S;w1zoKz)Z6TEAtSx=ZCil> z$1O{bL>p<##JsZhf~vXgr&F)bl;6q8)t6RE9bWoyu z`I^n1C-z;Y`}-^RUSnT&FMRK8-lpnDCsxMoo8vwdZ2c~GF7NZ!%jJr;$p;6rUe}nY z1tX^-qOV_^lb!x&r{9scCkw9?PAk7sEu7;CL41A0q%|I0do`zUWUZCbryif+mvkYk zT}+QD&Q*qE|cJzth|?T-F5Ix~DJxz;T8)}x0<8oxwkULWGv<7E4F{YC8bs>$PT zpC$K%to!_yZH=B@LQL49H6h<#?`lijwA}XVN0HJzXZ`r`M8sy`U(4wJ3$OT}7?%fW z`(|w)u8JLPNgLYO^|AWv^-1rnd+z1b+t+e5W*+VHJRbc;-P=0p%pr~bncA*_$u(;> z--_|xo0IrSY^jpxnOk1gSzqHTtY2>3b;bI#y2p1GD(COTMD+F-Rg%w5malsFQi^W) z3X5ZlXN`!Z)nV2QZnC*^>j=QaoDflPy76+z4Se!dHbVH-N>%yCO(LMI(~ z=)uDP9>(&7PNul)1VkpBnb`UwkA^dYho$^zIP0lO;uWU>8{w~frvclm%Y@0~B^&Wk zTb}xo?L{UJ{t3D~=R?Q%3uX#?C<{8gN))4pGjn1gjj+ZR`6!wlJRIQR1P>Q@xWU6y z{wSLF(+k37hYug|wHPVo%U3Sti>L|^=IzH3Jqf((MKz}bUn_VymZb8El^;jsmy=Xp zf3b)?eSGC1wcHVB-G6J&`RFqRI3BNzS{cP+l zS24V{v6`7eSw|BkOJpGmJ2nZNkw=LE zQC^77M*+p_KTxo52a*7)NerU!(zH6sFo4ar%T<2E2n4wTL2GCPiHZN>qlRJ#X?uQ^ 
z!NC}(p+`ylMhBJgKZL@OHE{|E{VKJ96eA7tt3LQ=kXqRVDmMyBhJOTs+31Z0K?3A) zq~hNPxz1@kXAp%3$t@*Sf{i^FwguU80qYKJwj31+|0uVD5Gm8Xzp)ix1l9tkK24$) zD-lf0?+mi!5B)Gnsb_$)%2m+6my$3kh%XL+b}B;<&uRfu5sHU7q^|-IRp8=+R)nQ0 zWd2ZIvWjFiGLc=>$6pATYXEZ_jeJM!VmxAmZHY(7J5Mk$?cOQCWCKjv5r0w>HryZ{ z;YY1B*h$;~2MCe{`jK|PuP|7klh54&6a<+uBv5FM0l5;Z1OR%z7P?AGK*-18hitCS zdZ5A`e8uU}G_}kaQh5`R#iUKuNdy7&Zt`5f1V*fv&zJB7&rYB0OeO>uI1O z86=!mMG{tg4pBp?ro5y{{O3l@C0{@s1xZ{>BR|>##vDBNm&KnO1Ik=1A!;jzh>`|y zQq>8Q_mg zLNTKeyT%22pRdxBvip$Ff)OA|pFu~^PRCTY1vYl-Ji<-dih}c?6_LAtBBe-UxN$2h zXSmKyVI!H+GUU|}RTx#!o-2pKbG>LX{ z?DE3HsiC6#1V~#`lMY&=>O+7qo(sq-Qq<-P02S&7+pOjL=LrJtIsG_j%YFicUp(d*Cxl~D`e@%CQQBamu2u#D2CdVBCfBu;eMQS!ZM@Dk9J6iOgbY6$rpaL5Fp z)?+_GtoRKIX}_P<|1Qf2`aBbeF{VkTcEkc3)6YV9NxRiK3&hEdgh=NTa-^Vf95foe z;111>T22c5=Q04gp86fggAHH)%bvoX4bao42{g7n8<7?wJ3|ncIv8&@B0ygdw}9m) zu6RgA28txN!3W<{9nzVn@PHCUF}?8iFeqgor-(3%D^+h!l7R2YyTX z1qAm+q(IIq0C*<_0*@xklY)|QP~mw3guT9kh?An0<^dGT1?Z|aO^g(jj)VF$psR^I zgr9UZ(tm62@->N^NH^1Ej#K$1LRy4$CSy0%(MJ_Za zll(Lzk`Kg5+YkSpfj9xcU<)K{}5X?!$m$+AV>( z05WT?l6Rd@A#ne?5UK@tGQ4PNfdpyN3vgt3@dA>3>dRjPsF~{vD0b}lHAIKhVHXbd zEyYHP5N&kv4e}{&Rs_~GH*B~F(ZMo`{!-s?<-Gis0(vJYd?UGfQqFNlJhHj}L zKd;`$LGJZ1i6SM4Fsc5e_alt>ZCD-XblUN~^EN>}+dzI&l&M|6u^A9k0FkyB5qAg1 zyl?~I!4z*I#jnvweOZ=)@xy~nmm%udg)&5vG?QE7j`Al0sV)B_wXqXQ zb?+dTYFZA2RChy=Qx|!@>T%GwhnW9OL=B6p0DmmAqyixy9tITv`sMKglw5C?)5R_? 
zpf?>1KiYHF?2`p5D<*amSx&k#K25$7Yy|kb0iX8#`4XGH3CdWfdl!=?YT^10B+8y< z%3%F?U>(%(=?YS2rT#{na1in!VA5_`w+3;hCh9yuUS1oz1yYhTOn|VuN`wPjQ~8$z zlNWeFf9BZ&lzi!(#8H7SU{ulPf6PeuC8%8o{A+%L zD8D*{{G1t!qYgt9y80`5(%#^pm^mobaQ4qq5{ze256b;ZDRiijk`VC3ghkc=&$ty!RUtvuyZFIuGN}Tirx>c>hq-fCws+9Tt@rP$MipntcV9e)}(4?&GMcS2#)r<7xa0N)Nvu znTcWl84=!?kmjKPhpzMI`vsk9L`2uZ#xa5NDyVpae@BhL9}S;CD6$kcRrTFknwl;u k+U{Cf>dG$etF@KgTvS%Os4J_hXsBsu?$&nKR8d#{KXsc~8vpM*7x9~OMs#)h|MfZKz0dQ$&%879&Y2l8N!EActhpVm8JRdJ_?MPObP~5Re`PJ> zYI@^c9Y$b8Ij9R60R~m2F2#Q@52QL$2}2;GCSk~9JPZx0%vuD)pZN{}&|}di0NYvm znFxa`r>^8*aV!ZHQ{R-(BzYN>SBL}c=VYeS#D)t+zi_$}E}gk*U`#=t)r29CrvVzY z_J8COziuNJm#7Do7Ziwv`bRi5HLVOH_z~#al2}7yyLx_kG z^&t!+qIJ+vCccI+a7#RchOxO&k;A3;UNiPkGjxx$Pq|De|e!@*Y>qT^pKxNgj4a{e|PlJqOARlQB2xx7igNNlp$ zr9U&Im|^6*Rx`HiP=YPTysZ1(E;2SHs%(#*)d}0V9h7!YbKk`#T@bl-I-N z!(LVzKULK0(TnDfgsk6am{g~3^ zTqRu|wfuczjy~(k;DZJ8k3WfEKQ6G`bs#ZO*sVoFGs;_Cjl()zEJ{acLi^yl5BpQt zpT&LNw&Ex4L(&N)FOKid2ZP|u9uN`h5kQe-V zQ?p?|&0^0LCe?tryiP4WWqU=L1N%+JFy@@-V)dxqE^m9(1zu$`x7j#+)>s}fbl&^C zjzG~RrSUsq3j+uAMiOaEBljxQRZ_}7KWZM&SzD~QhTH0LzYn`~v28$Nt+eBgEgoHC z0YCMbE~;8k9|?$_aT`vYU(eG^<+LvOSA(Xs-FFzE=6D-!1z_XNkHH@w+LE>--v8_B(Tb{Gj=q{o?T_ zSNT505)JEZWLQOs3niaCR+{TMK8#0eK^mDScla&R}H)T?q46gfpaG(GwaLDnrk^m93$n zS;d(MHGhdEG;C3IAPlvtC!k@iI;51TUxo&M%|HUttyu{Tm^PfqAGI-PNYI5kUg?HW z`SFQqA5FP(gi4_tVWd#>KwVP8B2y6-Y$6rmBV1k9OM^^%16Tq|4Wi(bMkd%;HUs8a z1~8@Nu>Leenqb5mZi5U)G@hOkHy&kymWkN4lEkP&Dgb9L( z`EBUol?61YMchTZM`S~NnC#g2D0|@Bn+iqU!mcgH*6MlVYzb; z1ySqW90bO7_mmRFy>KC$Hu!}@Y1hO1p_jhf3@S~)%RQJ|&%L}@U_Qc%jzl7aE2jOO zP+?cpX2M{8U;-K}qTL9?nP^_9up(v)VOVgu4f;;*6}UbLdPHwh9kYjlsuH1LVUit{4WE%OBjd)={S^i%Eg6ob_T;Jg zvpEIM=7yB1zDY~-BAoq5VU``BbG&r9Lbvp&$D8fz!LeiUTII>J~-oYYb@X&tH7LY2yFkXQg z7wMp3XW;NmIpYdBBWK||#_HVr(4d?T=fSc3Yw#6DT7aQD0M#urLo*8?`AR_;#Hts0 z6SC8bc0!fyo)sLvAmCC)y!PO829qyC1c~>G1V`(jC?mewp9;a`;N>VRIo^EP|I=W7VCPtf!WXPHJffm=;bJz zgW2Yax)~zU_G05)+c=(EACNH$c41K|Wj}KT)6S^d>NIN z$>0e7mHip%+=X%tD}n}wJGj=_hVvy^6#A*8f8VGpKS`xq7%jC0yjtd<u+vvM1prNB3x?S9n4Gk@w 
za4B7Q?>RKEKY#^v^Mk3E1C~e7N6@3G*06QKz6tBv31@A0dO^4`kmdtstrfngU>;XN zZPe?A@|?SEpzE_wgNQWD=_!SVre4@P3;K>i!=--M8w;N8fQHQHu&huABB|VXQOiBp ze`7s}m5g@u>SKHA5COtv{|kReupNX|kT&QF3A_&PtIhzzTlB7*4z}wWA~CIj*id{k zT=q5-eBKM{l#LwP{+u8Cd2PyT#M^x6Rc;tIIenN58qU4jNw|@I-vtd5BXE3rj2?l8 zp)oB2vGBtn6S4I62;9z`%S54E;G$3@(GCXjh^;|h8cclT)gbXb@_h1U$3fJ z#95H+Ve~cESl1&vNm>4-{QN4b+|zeT(a&XNt1oLCnNIvnxOz*b`-Pd@3&sz-hhOaq zI@vUQHP*t!Vu7!t$rsN}j}J1|`Q6hW$UC6!ey9IN|Jj|r)uNeoBN6YluCG8;#YS>{!om$h>_E2|-mW5J;=Ys|UN zx`%ce4tcEOwp00e^~k-ts@9L{Lgk9ijcMZ%b}_uVZ=%g%5q>_6~b<|?yP#H(d` zti2I-&-f=t6`Ob??T?5&<7B}Y=(8|``YVXc}92@B9 zypcU#N93e>n_|;3R?m4dF6qe^R7@@j_c$eKZTS>&_J`!QLwTV_BDVTo&)9x)eEZJZ zyK1}kwXBbY1DhVl8+zrX#S~O;Ui;mxpu<9N;@i8!o*g5ONg>~&<}E!tn#Y-P{gJn& zU~Gp6pM>;9!|Xy$jbF6$VeizKmpdE98*EUr^J0F_u}W!s-G>jKDqN}qG+&OW=>n*z(<~Vzvt6af z(5g?ZgyW6g`lh;MmQw|>7dET@$Ln*mwUs|Xr#$cKGMVc?1fQCXgfFgtD#|7qdH2+z z)voU)d5&GS3m-i6+PCF{#2Sm2Lb>gBVxd*zudihey1jH?Tc0p#6RpJhMe3DKwyf@{ zU|V6OZ1qy^IX*ijA|kj=o+>Qa(bm#>s7fVm@$#S>5ednzeCvxp_BMroUHe&wC6u<=%jYb-zcaHyk1V%(%q=uYdV(tEoM;%Zl4#;*Ri*mlQGPVT)S)sIb%oG%d48hCWc z)N7e)!zRNYCTrI(sFA-ET~f5m{fnZ6vY3L$4mrokrVS-6=bIh#M~`$SPEvlamc&sM zYBsJ;vPnEVu8-Fqv}qh3Egk=5Ow^*MzpRK=FIA3eiW^dcsG|7hGxZ2{>ECWrA5!gc z6it>&&FsK&SW_p}8aKrV-J^ns0X+EsnP@`ym=iA&kaN*2#1a!T5zPV~R@y`~TYNR~ zQGzi$bl7Li{wkL+-Fn4N>_ur3ui0OmAxw<%9E2&xC7uI3oZ#UC4>x#tz{5*(iRb(J zf`B@N@DsbXnA{M4T5brUE<~8S4N`G9ssQsYXp}J>vx^HdJ$T4_!}bVB*H3IL4$(s+_~w#&Cyp+GcMG7)j?Vj9 ze%!k=X-BMy2bsziAi`r8;t_6AR6CC1ngc~93X78p$jXuxxda5f1bks_;bBu#Z1$%~#;=OaZbr{L{WpGGbvMP0>F zA2p{@;#m7hgoCt^oNX560icnO|H}It?P)$6dP`TFG}8H05UE!859CQb@-|AP0c4RL zM1liH1Wh%VL+bM+jyz^Cjg%%8?w6+hY5MS!u6NcOPE*-XLt`OQdYnQ>_ZHH2+ZfZ) znX!i$LN0U?141QD|A0@L%^{6;!}FfX5)e)1uc2gW4(a&pz^acUVx)Wn+NdsmqUHF9wD0Rgj$bKtf(%iS<$PZR@NLFm_352{|Us8q2b^=`&LAy-o zbhX&b_`r^xK<1K$t2+V0723@}(O3ua4D8)sTNw)?iGYGdU+Z=`%+Rs$41|237K0C{ zo3WJ{h!Se)G<)&?|7y0S6UKiMQU7nNt-;0BVW4U{s<&O z+TnK%V=wIo&6NbrwWLd|)Ea_{vaKawvSyB?XD?a&YjLJ6sj85ZK-EzXqLujhG%4sE z4$5Cofbb(|4ixheBt-_E0!XF}(@63KXy#CxLUEvLNw!32A`X 
z(;&c`Kuq-vqJ#CGMi!8E{P!>WmGR5gG4Mu3pOczkoVuFScg7ju`#~rUFhyIplb3o? zf32IlfObBheL0=>%{yRj?8C^%)XafCgLW;v0;sR6=o+ZG zA2Ji8Sx~tHejh-#31XSxvlhX^J%nvY14QfF=}C=?eu zs{LV{>Oq>kvU5OHYa9-+LYw1-Mai~P_wNk)nqln)h!BHY0uI$gCla}^>;i;*eP}5F zPUjr^ja(o?<`lmL!FbA%ISd_%m{&3IS(!{;Ct3@EyM|;4DoG(`TM9?|( zqwhlsWIjooOWL|yLA0Ch7=Hz5oeu_~w&~W(7vQh%7_x%gJBr*~@{# z>*cUggNqVueK|s2YHWQ9I`C4{403Nu7vgfoG#$M{Bj4DK<8hwTW`Hj$$%jz*B>;4) z`VEvP%`0aG0O{5I1`*dgq`6&kVv&Y55d9X+bTc~9jJ1$GSw}w9X0C%~_ey0QWLDIZ z@6aMI194^b1PE)tO#YIZMgyRM8xZ6`Ll%V@w@_3Nq-^18GiNAYzKD3tpi`HJuz2if1l z>T5wF>}$ZEvp7`$+JNasQp4&v^CAnrc$1G}7;pV#0UQ!UUc`o;c7FU~Z< zcGM!|uW2?BBLUk1brf`<4c!!a-j7pPk#_s^_1<6Aq6NEF3*J@n8$Z(aHiv1@hd`78B+BiK+szprHKX%ljr_C z4thTXLBsFVNk#aJ+WAF-1d4)G(ARgf_pp)}jgoIq-(Ref>IM~En1@1{PnUYtQS8}u zWbt%7VMhFL93Fbn-B13(dbfYoXPhM|_QzG_tdnFc-~8*Ovew@iZ!x6C3ZOl5g%M z8^K@jiXC9V${G-S|I;=tk}U diff --git a/ansible/install/roles/kibana/tasks/main.yml b/ansible/install/roles/kibana/tasks/main.yml index 9fe802c21..63176f17a 100644 --- a/ansible/install/roles/kibana/tasks/main.yml +++ b/ansible/install/roles/kibana/tasks/main.yml 
@@ -20,10 +20,29 @@ return_content=yes register: elasticsearch_index -# Populate with our own logs -- name: Populate elasticsearch index with local logs +# Populate elasticsearch with local logs if using logstash +- name: Populate elasticsearch index with local logs via logstash shell: cat /var/log/messages | /opt/logstash/bin/logstash -f /etc/logstash/conf.d/10-syslog.conf when: "'logstash-' not in elasticsearch_index.content" + ignore_errors: true + +- name: Install local rsyslogd for fluentd + yum: name={{ item }} state=present + become: true + with_items: + - rsyslog + when: (logging_backend == 'fluentd') + +- name: Setup local rsyslogd for fluentd + lineinfile: dest=/etc/rsyslog.conf \ + line="*.* @localhost:{{ fluentd_syslog_port }}" + when: (logging_backend == 'fluentd') + register: rsyslog_updated + +- name: Populate elasticsearch index with local logs via fluentd + command: systemctl restart rsyslog.service + ignore_errors: true + when: rsyslog_updated != 0 - name: Install kibana rpms yum: name={{ item }} state=present @@ -96,10 +115,17 @@ - name: Refresh logstash service command: systemctl restart logstash.service ignore_errors: true + when: (logging_backend != 'fluentd') + become: true + +- name: Refresh fluentd service + command: systemctl restart td-agent.service + when: (logging_backend == 'fluentd') become: true - name: Print SSL post-setup information debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt" + when: (logging_backend != 'fluentd') - name: Print post-setup URL debug: msg="*** ELK Services available at http://{{ ansible_hostname }}:{{ nginx_kibana_port }} ***" diff --git a/ansible/install/roles/logstash/tasks/main.yml b/ansible/install/roles/logstash/tasks/main.yml index 120a067f1..afcc1bd1c 100644 --- a/ansible/install/roles/logstash/tasks/main.yml +++ b/ansible/install/roles/logstash/tasks/main.yml 
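Review bot: In the first kibana hunk, `when: rsyslog_updated != 0` on the "Populate elasticsearch index with local logs via fluentd" task compares a registered result with an integer, which is always true, so rsyslog is restarted on every run, including logstash deployments where the preceding lineinfile task was skipped. I would write `when: logging_backend == 'fluentd' and rsyslog_updated.changed`. The new comment says the logstash populate step runs only "if using logstash", but its `when` still tests just the index content, and the added `ignore_errors: true` would presumably hide the failure on a fluentd-only host; adding `and logging_backend != 'fluentd'` to that condition makes the intent explicit. The lineinfile edit of /etc/rsyslog.conf and the restart carry no `become: true`, unlike the yum task above them. Since `*.*` forwards every facility, authpriv included, into the index, it is worth confirming who can reach Kibana before enabling this.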
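Review bot: The new "Refresh fluentd service" task in the second kibana hunk shells out with `command: systemctl restart td-agent.service`, where the service module would express the same thing and report state properly: `service: name=td-agent state=restarted`. The logstash restart next to it keeps `ignore_errors: true` while the fluentd one does not, so the two backends fail differently at this step. Pick one behaviour for both.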
@@ -56,8 +56,8 @@ register: logstash_needs_restart - name: Copy filebeat input filter - copy: - src=02-beats-input.conf + template: + src=02-beats-input.conf.j2 dest=/etc/logstash/conf.d/02-beats-input.conf owner=root group=root @@ -104,7 +104,7 @@ ignore_errors: true become: true -- name: Setup logstash service +- name: Enable logstash service service: name=logstash state=started enabled=true become: true 
@@ -118,49 +118,45 @@ shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true register: firewalld_in_use - no_log: True - name: Determine if firewalld is active shell: systemctl is-active firewalld.service | grep -vq inactive ignore_errors: true register: firewalld_is_active - no_log: True -- name: Determine if TCP/5044 is already active - shell: firewall-cmd --list-ports | egrep -q "^5044/tcp" +- name: Determine if TCP/{{logstash_syslog_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp" ignore_errors: true - register: firewalld_tcp5044_exists - no_log: True + register: firewalld_tcp{{logstash_syslog_port}}_exists # add firewall rule via firewall-cmd -- name: Add firewall rule for TCP/5044 (firewalld) +- name: Add firewall rule for TCP/{{logstash_syslog_port}} (firewalld) command: "{{ item }}" with_items: - - firewall-cmd --zone=public --add-port=5044/tcp --permanent + - firewall-cmd --zone=public --add-port={{logstash_syslog_port}}/tcp --permanent - firewall-cmd --reload ignore_errors: true become: true - when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp5044_exists.rc != 0 + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{logstash_syslog_port}}_exists.rc != 0 # iptables-services -- name: check firewall rules for TCP/5044 (iptables-services) - shell: grep "dport 5044 \-j ACCEPT" /etc/sysconfig/iptables | wc -l +- name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services) + shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l ignore_errors: true register: iptables_tcp5044_exists - failed_when: iptables_tcp5044_exists == 127 - no_log: True + failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127 -- name: Add firewall rule for TCP/5044 (iptables-services) +- name: Add firewall rule for TCP/{{logstash_syslog_port}} (iptables-services) lineinfile: 
dest: /etc/sysconfig/iptables - line: '-A INPUT -p tcp -m tcp --dport 5044 -j ACCEPT' + line: '-A INPUT -p tcp -m tcp --dport {{logstash_syslog_port}} -j ACCEPT' regexp: '^INPUT -i lo -j ACCEPT' insertbefore: '-A INPUT -i lo -j ACCEPT' backup: yes when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5044_exists.stdout|int == 0 register: iptables_needs_restart -- name: Restart iptables-services for TCP/5044 (iptables-services) +- name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services) shell: systemctl restart iptables.service ignore_errors: true when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 diff --git a/ansible/install/roles/logstash/files/02-beats-input.conf b/ansible/install/roles/logstash/templates/02-beats-input.conf.j2 similarity index 82% rename from ansible/install/roles/logstash/files/02-beats-input.conf rename to ansible/install/roles/logstash/templates/02-beats-input.conf.j2 index 6bf5f258e..2aa03fa46 100644 --- a/ansible/install/roles/logstash/files/02-beats-input.conf +++ b/ansible/install/roles/logstash/templates/02-beats-input.conf.j2 @@ -1,6 +1,6 @@ input { beats { - port => 5044 + port => {{logstash_syslog_port}} ssl => true ssl_certificate => "/etc/pki/tls/certs/filebeat-forwarder.crt" ssl_key => "/etc/pki/tls/private/filebeat-forwarder.key" diff --git a/ansible/install/roles/nginx/tasks/main.yml b/ansible/install/roles/nginx/tasks/main.yml index 7a3fe9932..aa70437cf 100644 --- a/ansible/install/roles/nginx/tasks/main.yml +++ b/ansible/install/roles/nginx/tasks/main.yml 
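Review bot: The registered names in the `@@ -118,49 +118,45 @@` hunk are now built with Jinja, as in `register: firewalld_tcp{{logstash_syslog_port}}_exists`, and read back as `firewalld_tcp{{logstash_syslog_port}}_exists.rc` inside `when`, which is already an expression. A register name should be a fixed identifier, for example `register: firewalld_logstash_port_exists` with `firewalld_logstash_port_exists.rc != 0` in the condition. The iptables check is also inconsistent as written: it still has `register: iptables_tcp5044_exists` and the later `when` reads `iptables_tcp5044_exists.stdout`, but `failed_when` tests `iptables_tcp{{logstash_syslog_port}}_exists`, a different name for any non-default port. That `failed_when` also compares the whole result with 127, so `failed_when: iptables_tcp5044_exists.rc == 127` is presumably what is meant. If these firewall rules are skipped or misapplied the failure is silent, because every task here sets `ignore_errors: true`.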
@@ -65,19 +65,16 @@ shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true register: firewalld_in_use - no_log: True - name: Determine if firewalld is active shell: systemctl is-active firewalld.service | grep -vq inactive ignore_errors: true register: firewalld_is_active - no_log: True - name: Determine if TCP/{{nginx_kibana_port}} is already active shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp" ignore_errors: true register: firewalld_tcp80_exists - no_log: True # add firewall rule via firewall-cmd - name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld) @@ -95,7 +92,6 @@ ignore_errors: true register: iptables_tcp80_exists failed_when: iptables_tcp80_exists == 127 - no_log: True - name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services) lineinfile: @@ -117,19 +113,16 @@ shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true register: firewalld_in_use - no_log: True - name: Determine if firewalld is active shell: systemctl is-active firewalld.service | grep -vq inactive ignore_errors: true register: firewalld_is_active - no_log: True - name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp" ignore_errors: true register: firewalld_tcp8080_exists - no_log: True # add firewall rule via firewall-cmd - name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld) @@ -147,7 +140,6 @@ ignore_errors: true register: iptables_tcp8080_exists failed_when: iptables_tcp8080_exists == 127 - no_log: True - name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services) lineinfile: