From: Tom Hughes Date: Wed, 4 Jul 2018 19:55:44 +0000 (+0100) Subject: Enable beats input plugin to logstash X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/21055bd108fecc2b7309c60358f86ae3afecfcfa Enable beats input plugin to logstash
---
diff --git a/cookbooks/logstash/files/default/beats.crt b/cookbooks/logstash/files/default/beats.crt
new file mode 100644
index 000000000..a1db9f8e8
--- /dev/null
+++ b/cookbooks/logstash/files/default/beats.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIJAOWS1wQ8fa1RMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
+BAYTAkdCMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+Q29tcGFueSBMdGQxIzAhBgNVBAMMGmxvZ3N0YXNoLm9wZW5zdHJlZXRtYXAub3Jn
+MB4XDTE1MDgyODA3NDYzNloXDTI1MDgyNTA3NDYzNlowZzELMAkGA1UEBhMCR0Ix
+FTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
+IEx0ZDEjMCEGA1UEAwwabG9nc3Rhc2gub3BlbnN0cmVldG1hcC5vcmcwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxU5CoykubpFaYdJMJOGFmq8a3bMLx
+KG9wlkDfYH65fxh8W+XAHR0oyi3kwqy9P1OmicdMJkFRpFsIDmg0EuirZCX2A4nw
+ADJxXa/mqbFTNCHmVjhFqMdAaMW/O0WkcXxLc/9D/WLFEqTNMkZwZ1wo6JwAo26f
+Dxn75TggFy0rTBYsOp87nK3fYEp8cY43tGWkqMbTdU2GB511+FeUbm7NTyQakHq8
+9/LtmJPzmsO30wJzF++NOJkis/xNTvPPybkljwSshoo53ed/kmxy/KiVgPqD/fR7
+8bkOfqknycyqV5zskMUtrN9PsWQx3bzY7dhYo1nNMd8oNLVKpSluvga5AgMBAAGj
+UDBOMB0GA1UdDgQWBBS5qcKaMediosEUc6SHDGgTfGnpRzAfBgNVHSMEGDAWgBS5
+qcKaMediosEUc6SHDGgTfGnpRzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQA1G0BJ6rxyyuvY4iLtyah0p7hawt7jkQ35Y6gNoGGwHgMGslQ8URhx29zr
+HpJPtCdrHagC58FmL74/SS8czNdt+V3xcYAAZxm3ZwlJr/GyxSlCD/3zpD/eWHTV
+lMFqvGqLGxJfo9Q1iuyV35jEfi84toXT+zps/4voX6fYutNaouQDk5V/up9lPPCp
+x2xq0vVDV+BhZ3Y7QxsZHEcAqPg9wGMT4UiJFSsatwnmSwSv429tdZeETEb3yCZv
+kautRvtRRMB2QqNQRFGXmJLt4sMFuAjo5jcz4GvBWZTjPOoFrgnhlmWkCvqWrxJU
+/CA3EQf+gGw2loeKZrxbKXdSuIPs
+-----END CERTIFICATE-----
diff --git a/cookbooks/logstash/recipes/default.rb b/cookbooks/logstash/recipes/default.rb
index cc28afab8..df54a7280 100644
--- a/cookbooks/logstash/recipes/default.rb
+++ b/cookbooks/logstash/recipes/default.rb
@@ -42,6 +42,22 @@ file "/var/lib/logstash/lumberjack.key" do
 notifies :restart, "service[logstash]"
 end

+cookbook_file "/var/lib/logstash/beats.crt" do
+ source "beats.crt"
+ user "root"
+ group "logstash"
+ mode 0o644
+ notifies :restart, "service[logstash]"
+end
+
+file "/var/lib/logstash/beats.key" do
+ content keys["beats"].join("\n")
+ user "root"
+ group "logstash"
+ mode 0o640
+ notifies :restart, "service[logstash]"
+end
+
 template "/etc/logstash/conf.d/chef.conf" do
 source "logstash.conf.erb"
 user "root"
@@ -79,6 +95,16 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder|
 dest_ports "5043"
 source_ports "1024:"
 end
+
+ firewall_rule "accept-beats-#{forwarder}" do
+ action :accept
+ family interface[:family]
+ source "#{interface[:zone]}:#{interface[:address]}"
+ dest "fw"
+ proto "tcp:syn"
+ dest_ports "5044"
+ source_ports "1024:"
+ end
 end
 end

@@ -95,5 +121,15 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway|
 dest_ports "5043"
 source_ports "1024:"
 end
+
+ firewall_rule "accept-beats-#{gateway}" do
+ action :accept
+ family interface[:family]
+ source "#{interface[:zone]}:#{interface[:address]}"
+ dest "fw"
+ proto "tcp:syn"
+ dest_ports "5044"
+ source_ports "1024:"
+ end
 end
 end
diff --git a/cookbooks/logstash/templates/default/logstash.conf.erb b/cookbooks/logstash/templates/default/logstash.conf.erb
index 6610cd414..87260524d 100644
--- a/cookbooks/logstash/templates/default/logstash.conf.erb
+++ b/cookbooks/logstash/templates/default/logstash.conf.erb
@@ -4,6 +4,12 @@ input {
 ssl_certificate => "/var/lib/logstash/lumberjack.crt"
 ssl_key => "/var/lib/logstash/lumberjack.key"
 }
+
+ beats {
+ port => 5044
+ ssl_certificate => "/var/lib/logstash/beats.crt"
+ ssl_key => "/var/lib/logstash/beats.key"
+ }
 }

 filter {
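Review bot: The new `file "/var/lib/logstash/beats.key"` resource writes private-key material from `keys["beats"]` without marking it sensitive, so Chef can include the content diff in its run output and in whatever report handlers are attached. Adding `sensitive true` inside that block keeps the key out of logs; the `0o640` mode with group `logstash` already limits who can read it on disk. `keys` is defined outside this hunk, so how the key is stored could not be checked from here. The lumberjack.key resource, whose last lines appear as context, may need the same treatment.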
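Review bot: The rule name `"accept-beats-#{forwarder}"` interpolates the whole node object and carries nothing from `interface`, even though `family` and `source` are taken from it. If the enclosing loop (which starts outside this hunk) yields more than one interface per forwarder, several rules with different sources will share one name, which makes the ruleset harder to audit. A name such as `"accept-beats-#{forwarder[:fqdn]}-#{interface[:family]}"` would keep each opening for port 5044 traceable to one host and address family. The same applies to `"accept-beats-#{gateway}"` in the gateways hunk below.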
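Review bot: The new `beats` input sets only `ssl_certificate` and `ssl_key`, so the listener proves its own identity but does not authenticate clients. The per-address firewall rules added in default.rb are then the only control on who may submit events to port 5044. If the shippers can be issued certificates, add `ssl_certificate_authorities => ["<CA_CERT_PATH>"]` and `ssl_verify_mode => "force_peer"` to the block. Separately, beats.crt decodes as a self-signed certificate for logstash.openstreetmap.org with notAfter 25 Aug 2025, so shippers that trust it directly will need a planned rotation before that date. The `input {` block begins outside this hunk.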