x/browbeat
Code Issues Proposed changes
c30e8b950c
browbeat/ansible/install/roles/logstash/tasks/main.yml
Will Foster 5095ffad73 Fix firewall variables, remove minor lines 
* Apply @akrzos fix for firewall variabilization, make
  firewall register values a static string so port values
  are truly variablized.
* Remove one small, unneeded section doing an unecessary
  lookup for firewall method since we run this earlier on.

Change-Id: Ia29781072d1babc1d71b71345ceb798356c219f5
2016-09-09 17:15:33 +01:00

179 lines
5.4 KiB
YAML
Raw Blame History

---
#
# Install/run logstash for browbeat
#
- name: Copy logstash yum repo file
copy:
src=logstash.repo
dest=/etc/yum.repos.d/logstash.repo
owner=root
group=root
mode=0644
become: true
- name: Install logstash rpms
yum: name={{ item }} state=present
become: true
with_items:
- logstash
- name: Copy logstash input filters
copy:
src=01-lumberjack-input.conf
dest=/etc/logstash/conf.d/01-lumberjack-input.conf
owner=root
group=root
mode=0644
become: true
- name: Copy logstash output filters
copy:
src=30-elasticsearch-output.conf
dest=/etc/logstash/conf.d/30-lumberjack-output.conf
owner=root
group=root
mode=0644
become: true
- name: Copy logstash syslog filters
copy:
src=10-syslog.conf
dest=/etc/logstash/conf.d/10-syslog.conf
owner=root
group=root
mode=0644
become: true
- name: Copy logstash local syslog filter
copy:
src=10-syslog-filter.conf
dest=/etc/logstash/conf.d/10-syslog-filter.conf
owner=root
group=root
mode=0644
become: true
register: logstash_needs_restart
- name: Copy filebeat input filter
template:
src=02-beats-input.conf.j2
dest=/etc/logstash/conf.d/02-beats-input.conf
owner=root
group=root
mode=0644
become: true
- name: Load OpenSSL CA Extended Configuration
template:
src=openssl_extras.cnf.j2
dest=/etc/pki/tls/openssl_extras.cnf
owner=root
group=root
mode=0644
become: true
- name: Check OpenSSL SANs (SubjectAltName) entry for CA
shell: grep "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
ignore_errors: true
register: subjectAltName_exists
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to understand if an entry exists
- skip_ansible_lint
- name: Add OpenSSL SANs (SubjectAltName) entry for CA
lineinfile:
dest: /etc/pki/tls/openssl.cnf
line: 'subjectAltName = "{{ ansible_default_ipv4.address }}"'
regexp: '^ Extensions for a typical CA'
insertbefore: '# Extensions for a typical CA'
backup: yes
when: subjectAltName_exists.stdout|int == 0
- name: Load filebeat JSON index template
uri:
url: http://localhost:9200/_template/filebeat?pretty
method: POST
body: "{{ lookup('file', 'filebeat-index-template.json') }}"
body_format: json
ignore_errors: true
become: true
- name: Enable logstash service
service: name=logstash state=started enabled=true
become: true
# we need TCP/80 and TCP/8080 open
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used
# Firewalld
- name: Determine if firewalld is in use
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Check if firewall is enabled
- skip_ansible_lint
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Check if firewall is active
- skip_ansible_lint
- name: Determine if TCP/{{logstash_syslog_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
ignore_errors: true
register: firewalld_logstash_syslog_port_exists
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to validate if port already configured
- skip_ansible_lint
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (firewalld)
command: "{{ item }}"
with_items:
- firewall-cmd --zone=public --add-port={{logstash_syslog_port}}/tcp --permanent
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_logstash_syslog_port_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services)
shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_logstash_syslog_port_exists
failed_when: iptables_logstash_syslog_port_exists == 127
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to validate if port already configured
- skip_ansible_lint
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (iptables-services)
lineinfile:
dest: /etc/sysconfig/iptables
line: '-A INPUT -p tcp -m tcp --dport {{logstash_syslog_port}} -j ACCEPT'
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_logstash_syslog_port_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services)
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
View Git Blame Copy Permalink