Sai Sindhur Malleni 280ac8dbda Move away from yum
Recent CentOS and RHEL releases already deprecate YUM, and future versions
will drop it. This commit moves browbeat to the package module instead of the yum module.
Package module will select DNF if it is available on the system rather than yum.

Change-Id: I5892fd6209e3be7f3cb69bcfe3df54726043354a
2018-10-11 19:28:35 +00:00

---
#
# Install/run logstash for browbeat
#
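# Install the logstash package repository definition (read by dnf and yum alike).
# This file decides where logstash packages come from; whether they are
# signature-checked depends on the gpgcheck/gpgkey settings inside logstash.repo,
# which is not visible here -- confirm it enables both before trusting installs.
- name: Copy logstash yum repo file
  copy:
    src: logstash.repo
    dest: /etc/yum.repos.d/logstash.repo
    owner: root
    group: root
    # quoted so YAML does not read the octal literal as decimal 420
    mode: "0644"
  become: true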
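# Install logstash through the generic package module, which selects dnf when it
# is available and falls back to yum otherwise.  A list is passed straight to
# `name` instead of looping with with_items, so this is a single transaction.
# `state: present` accepts whatever version the repo currently offers; pin a
# version here if reproducible installs matter.
- name: Install logstash rpms
  package:
    name:
      - logstash
    state: present
  become: true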
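# Drop the lumberjack input pipeline fragment into logstash's conf.d (root-owned,
# world-readable, matching the other pipeline files installed below).
- name: Copy logstash input filters
  copy:
    src: 01-lumberjack-input.conf
    dest: /etc/logstash/conf.d/01-lumberjack-input.conf
    owner: root
    group: root
    mode: "0644"
  become: true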
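# Install the elasticsearch output pipeline fragment.
# NOTE: the source is named 30-elasticsearch-output.conf but it is installed as
# 30-lumberjack-output.conf; the destination name is kept as-is because other
# tasks or handlers may refer to it -- rename both together if cleaning this up.
- name: Copy logstash output filters
  copy:
    src: 30-elasticsearch-output.conf
    dest: /etc/logstash/conf.d/30-lumberjack-output.conf
    owner: root
    group: root
    mode: "0644"
  become: true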
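# Install the syslog pipeline fragment (root-owned, 0644 like its siblings).
- name: Copy logstash syslog filters
  copy:
    src: 10-syslog.conf
    dest: /etc/logstash/conf.d/10-syslog.conf
    owner: root
    group: root
    mode: "0644"
  become: true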
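# Install the local syslog filter fragment.  The result is registered as
# logstash_needs_restart; no task visible in this file reads it, so presumably
# a handler or a later play uses it to bounce logstash -- verify before removing.
- name: Copy logstash local syslog filter
  copy:
    src: 10-syslog-filter.conf
    dest: /etc/logstash/conf.d/10-syslog-filter.conf
    owner: root
    group: root
    mode: "0644"
  become: true
  register: logstash_needs_restart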
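# Render the beats input pipeline fragment from a Jinja template (the only
# pipeline file here that is templated rather than copied verbatim).
- name: Copy filebeat input filter
  template:
    src: 02-beats-input.conf.j2
    dest: /etc/logstash/conf.d/02-beats-input.conf
    owner: root
    group: root
    mode: "0644"
  become: true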
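# Render the extra OpenSSL configuration next to the system openssl.cnf, as root.
# The SAN handling that follows edits /etc/pki/tls/openssl.cnf in the same way.
- name: Load OpenSSL CA Extended Configuration
  template:
    src: openssl_extras.cnf.j2
    dest: /etc/pki/tls/openssl_extras.cnf
    owner: root
    group: root
    mode: "0644"
  become: true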
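# Read-only probe: count the lines of openssl.cnf that already carry this host's
# primary IPv4 address, so the SAN entry below is added at most once.
# -F / -- make grep treat the address as a literal: as a regex, "10.0.0.1" has
# dots that match any character and could report a false positive.  grep's
# non-zero exit for "no match" is absorbed by wc, which prints 0.
- name: Check OpenSSL SANs (SubjectAltName) entry for CA
  shell: grep -F -- "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
  ignore_errors: true
  register: subjectAltName_exists
  # a probe never alters the host; report it as ok rather than changed
  changed_when: false
  tags:
    # ANSIBLE0012 Commands should not change things if nothing needs doing
    # (kept for older ansible-lint versions that do not honour changed_when)
    - skip_ansible_lint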
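# Insert the SAN line once, guarded by the probe above.  The `regexp` never
# matches a stock openssl.cnf (that line begins with "#"), so placement is
# driven entirely by `insertbefore`: the entry lands in the section that
# precedes "# Extensions for a typical CA".
# NOTE(review): OpenSSL normally expects typed SAN values ("IP:1.2.3.4"); confirm
# that whatever consumes this entry accepts the bare address.
- name: Add OpenSSL SANs (SubjectAltName) entry for CA
  lineinfile:
    dest: /etc/pki/tls/openssl.cnf
    line: 'subjectAltName = "{{ ansible_default_ipv4.address }}"'
    regexp: '^ Extensions for a typical CA'
    insertbefore: '# Extensions for a typical CA'
    backup: true
  # /etc/pki/tls/openssl.cnf is root-owned; the extras file above is written with
  # become as well, and this task previously ran without it.
  become: true
  when: subjectAltName_exists.stdout|int == 0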
# Push the filebeat index template into the local Elasticsearch over plain HTTP.
# Best effort: ignore_errors keeps the play going if ES is down or rejects the
# body, so a missing template only shows as a red task.  No credentials are
# supplied, so this assumes ES on localhost:9200 is unauthenticated -- acceptable
# only while that port is not reachable from outside the host.
- name: Load filebeat JSON index template
  become: true
  uri:
    url: http://localhost:9200/_template/filebeat?pretty
    method: POST
    body_format: json
    body: "{{ lookup('file', 'filebeat-index-template.json') }}"
  ignore_errors: true
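# Start logstash now and enable it at boot (native YAML args instead of key=value).
- name: Enable logstash service
  service:
    name: logstash
    state: started
    enabled: true
  become: true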
# we need TCP/logstash_syslog_port open (the tasks below use that variable, not a fixed port)
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used
# Firewalld
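# Probe only: exit 0 when the firewalld unit is enabled, i.e. its is-enabled
# output is neither "masked" nor "disabled".  On a host without the unit,
# is-enabled is expected to write only to stderr, leaving grep nothing to match
# (exit 1), which reads as "not in use" -- verify on the target releases.
- name: Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | grep -Eqv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use
  # read-only check; never report it as a change
  changed_when: false
  tags:
    # ANSIBLE0012 Commands should not change things if nothing needs doing
    - skip_ansible_lint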
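# Probe only: exit 0 when firewalld reports anything other than "inactive".
- name: Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active
  # read-only check; never report it as a change
  changed_when: false
  tags:
    # ANSIBLE0012 Commands should not change things if nothing needs doing
    - skip_ansible_lint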
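# Probe only.  `--list-ports` prints every open port of the default zone on one
# space-separated line, so the previous `^port/tcp` anchor only matched when the
# port happened to be listed first; -w matches it anywhere on that line.
# firewall-cmd needs root (or polkit) to answer, hence become, matching the add
# task below; an unauthorised query exits non-zero and would look like "absent".
# NOTE(review): the add task targets --zone=public while this lists the default
# zone; if the default zone differs the probe and the add disagree -- confirm.
- name: Determine if TCP/{{logstash_syslog_port}} is already active
  shell: firewall-cmd --list-ports | grep -qw -- "{{logstash_syslog_port}}/tcp"
  ignore_errors: true
  register: firewalld_logstash_syslog_port_exists
  changed_when: false
  become: true
  tags:
    # ANSIBLE0012 Commands should not change things if nothing needs doing
    - skip_ansible_lint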
# add firewall rule via firewall-cmd
# Open the syslog port through firewalld, only when firewalld is enabled and
# running and the probe above did not already find the port.  The --permanent
# change is followed by a reload so it reaches the running configuration.
# NOTE: this exposes the port in the public zone to every source; a rich rule
# with a source= restriction is tighter if only known shippers send logs.
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (firewalld)
  command: "{{ item }}"
  become: true
  ignore_errors: true
  with_items:
    - firewall-cmd --zone=public --add-port={{logstash_syslog_port}}/tcp --permanent
    - firewall-cmd --reload
  # list form: all conditions must hold (same as the original `and` chain)
  when:
    - firewalld_in_use.rc == 0
    - firewalld_is_active.rc == 0
    - firewalld_logstash_syslog_port_exists.rc != 0
# iptables-services
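# Probe only: count ACCEPT rules for the port already present in the saved
# iptables rule set.  `failed_when` used to compare the whole registered result
# to 127, which can never be true; it now checks the command's exit status.
# With ignore_errors also set, a missing /etc/sysconfig/iptables makes grep fail
# but wc still prints 0, so the add task below simply goes ahead.
- name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services)
  shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_logstash_syslog_port_exists
  failed_when: iptables_logstash_syslog_port_exists.rc == 127
  changed_when: false
  tags:
    # ANSIBLE0012 Commands should not change things if nothing needs doing
    - skip_ansible_lint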
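# Insert an ACCEPT rule ahead of the loopback rule in the saved rule set, only
# on hosts without firewalld and only if the probe found no such rule.  As with
# the OpenSSL task, `regexp` never matches (saved rules begin with "-A"), so
# `insertbefore` controls placement.  If the loopback rule is absent lineinfile
# appends at end of file, after COMMIT, which iptables-restore rejects -- confirm
# the rule files on target hosts contain that line.
# /etc/sysconfig/iptables is root-owned, hence become (previously missing).
# NOTE: the rule accepts from any source; add `-s <subnet>` if only known log
# shippers should reach this port.
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{logstash_syslog_port}} -j ACCEPT'
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: true
  become: true
  when:
    - firewalld_in_use.rc != 0
    - firewalld_is_active.rc != 0
    - iptables_logstash_syslog_port_exists.stdout|int == 0
  register: iptables_needs_restart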
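# Reload the saved rules only when the lineinfile task above actually changed
# them.  The previous condition compared the registered result dict to 0, which
# is always true, so iptables was restarted on every run of the iptables branch.
# `.changed|default(false)` stays false when that task was skipped.
# Restarting a service needs root, hence become (previously missing).
- name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services)
  shell: systemctl restart iptables.service
  ignore_errors: true
  become: true
  when:
    - iptables_needs_restart.changed|default(false)
    - firewalld_in_use.rc != 0
    - firewalld_is_active.rc != 0
  tags:
    # ANSIBLE0013 Use shell only when shell functionality is required
    # (the `service` module would also do this; kept as shell to match the file)
    - skip_ansible_lint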