[ { "path": ".ansible-lint", "content": "skip_list:\n - 'yaml'\n - 'role-name'\n" }, { "path": ".github/FUNDING.yml", "content": "# These are supported funding model platforms\n---\ngithub: geerlingguy\npatreon: geerlingguy\n" }, { "path": ".github/workflows/ci.yml", "content": "---\nname: CI\n'on':\n pull_request:\n push:\n branches:\n - master\n schedule:\n - cron: \"30 4 * * 3\"\n\ndefaults:\n run:\n working-directory: 'geerlingguy.logstash'\n\njobs:\n\n lint:\n name: Lint\n runs-on: ubuntu-latest\n steps:\n - name: Check out the codebase.\n uses: actions/checkout@v4\n with:\n path: 'geerlingguy.logstash'\n\n - name: Set up Python 3.\n uses: actions/setup-python@v5\n with:\n python-version: '3.13' # Can't go to 3.14+ until Ansible 13.x\n\n - name: Install test dependencies.\n run: pip3 install yamllint\n\n - name: Lint code.\n run: |\n yamllint .\n\n molecule:\n name: Molecule\n runs-on: ubuntu-latest\n strategy:\n matrix:\n distro:\n - rockylinux10\n - ubuntu2404\n\n steps:\n - name: Check out the codebase.\n uses: actions/checkout@v4\n with:\n path: 'geerlingguy.logstash'\n\n - name: Set up Python 3.\n uses: actions/setup-python@v5\n with:\n python-version: '3.13' # Can't go to 3.14+ until Ansible 13.x\n\n - name: Install test dependencies.\n run: pip3 install ansible molecule molecule-plugins[docker] docker\n\n - name: Run Molecule tests.\n run: molecule test\n env:\n PY_COLORS: '1'\n ANSIBLE_FORCE_COLOR: '1'\n MOLECULE_DISTRO: ${{ matrix.distro }}\n" }, { "path": ".github/workflows/release.yml", "content": "---\n# This workflow requires a GALAXY_API_KEY secret present in the GitHub\n# repository or organization.\n#\n# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy\n# See: https://github.com/ansible/galaxy/issues/46\n\nname: Release\n'on':\n push:\n tags:\n - '*'\n\ndefaults:\n run:\n working-directory: 'geerlingguy.logstash'\n\njobs:\n\n release:\n name: Release\n runs-on: ubuntu-latest\n steps:\n - name: Check out the codebase.\n uses: actions/checkout@v4\n with:\n path: 'geerlingguy.logstash'\n\n - name: Set up Python 3.\n uses: actions/setup-python@v5\n with:\n python-version: '3.13' # Can't go to 3.14+ until Ansible 13.x\n\n - name: Install Ansible.\n run: pip3 install ansible-core\n\n - name: Trigger a new import on Galaxy.\n run: >-\n ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}\n $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)\n" }, { "path": ".github/workflows/stale.yml", "content": "---\nname: Close inactive issues\n'on':\n schedule:\n - cron: \"55 2 * * 0\" # semi-random time\n\njobs:\n close-issues:\n runs-on: ubuntu-latest\n permissions:\n issues: write\n pull-requests: write\n steps:\n - uses: actions/stale@v8\n with:\n days-before-stale: 120\n days-before-close: 60\n exempt-issue-labels: bug,pinned,security,planned\n exempt-pr-labels: bug,pinned,security,planned\n stale-issue-label: \"stale\"\n stale-pr-label: \"stale\"\n stale-issue-message: |\n This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!\n \n Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.\n close-issue-message: |\n This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.\n stale-pr-message: |\n This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!\n \n Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.\n close-pr-message: |\n This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.\n repo-token: ${{ secrets.GITHUB_TOKEN }}\n" }, { "path": ".gitignore", "content": "*.retry\n*/__pycache__\n*.pyc\n.cache\n\n" }, { "path": ".yamllint", "content": "---\nextends: default\n\nrules:\n line-length:\n max: 120\n level: warning\n\nignore: |\n .github/workflows/stale.yml\n" }, { "path": "LICENSE", "content": "The MIT License (MIT)\n\nCopyright (c) 2017 Jeff Geerling\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "README.md", "content": "# Ansible Role: Logstash\n\n[![CI](https://github.com/geerlingguy/ansible-role-logstash/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-logstash/actions/workflows/ci.yml)\n\nAn Ansible Role that installs Logstash on RedHat/CentOS Debian/Ubuntu.\n\nNote that this role installs a syslog grok pattern by default; if you want to add more filters, please add them inside the `/etc/logstash/conf.d/` directory. As an example, you could create a file named `13-myapp.conf` with the appropriate grok filter and restart logstash to start using it. Test your grok regex using the [Grok Debugger](http://grokdebug.herokuapp.com/).\n\n## Requirements\n\nThough other methods are possible, this role is made to work with Elasticsearch as a backend for storing log messages.\n\n## Role Variables\n\nAvailable variables are listed below, along with default values (see `defaults/main.yml`):\n\n logstash_version: '7.x'\n\nThe major version of Logstash to install.\n\n logstash_package: logstash\n\nThe specific package to be installed. You can specify a version of the package using the correct syntax for your platform and package manager by changing the package name.\n\n logstash_listen_port_beats: 5044\n\nThe port over which Logstash will listen for beats.\n\n logstash_elasticsearch_hosts:\n - http://localhost:9200\n\nThe hosts where Logstash should ship logs to Elasticsearch.\n\n logstash_dir: /usr/share/logstash\n\nThe directory inside which Logstash is installed.\n\n logstash_ssl_dir: /etc/pki/logstash\n logstash_ssl_certificate_file: logstash-forwarder-example.crt\n logstash_ssl_key_file: logstash-forwarder-example.key\n\nLocal paths to the SSL certificate and key files, which will be copied into the `logstash_ssl_dir`.\n\nSee [Generating a self-signed certificate](#generating-a-self-signed-certificate) for information about generating and using self-signed certs with Logstash and Filebeat.\n\n logstash_local_syslog_path: /var/log/syslog\n logstash_monitor_local_syslog: true\n\nWhether configuration for local syslog file (defined as `logstash_local_syslog_path`) should be added to logstash. Set this to `false` if you are monitoring the local syslog differently, or if you don't care about the local syslog file. Other local logs can be added by your own configuration files placed inside `/etc/logstash/conf.d`.\n\n logstash_enabled_on_boot: true\n\nSet this to `false` if you don't want logstash to run on system startup.\n\n logstash_install_plugins:\n - logstash-input-beats\n - logstash-filter-multiline\n\nA list of Logstash plugins that should be installed.\n\n logstash_setup_default_config: true\n\nSet this to `false` if you don't want to add the default config files shipped with this role (inside the `files/filters` directory). You can add your own configuration files inside `/etc/logstash/conf.d`.\n\n## Generating a Self-signed certificate\n\nFor utmost security, you should use your own valid certificate and keyfile, and update the `logstash_ssl_*` variables in your playbook to use your certificate.\n\nTo generate a self-signed certificate/key pair, you can use use the command:\n\n $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout logstash.key -out logstash.crt -subj '/CN=example.com'\n\nNote that Filebeat and Logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. See: https://github.com/elastic/logstash/issues/4926#issuecomment-203936891\n\nNewer versions of Filebeat and Logstash also require a pkcs8-formatted private key, which can be generated by converting the key generated earlier, e.g.:\n\n openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.p8\n\n## Other Notes\n\nIf you are seeing high CPU usage from one of the `logstash` processes, and you're using Logstash along with another application running on port 80 on a platform like Ubuntu with upstart, the `logstash-web` process may be stuck in a loop trying to start on port 80, failing, and trying to start again, due to the `restart` flag being present in `/etc/init/logstash-web.conf`. To avoid this problem, either change that line to add a `limit` to the respawn statement, or set the `logstash-web` service to `enabled=no` in your playbook, e.g.:\n\n - name: Ensure logstash-web process is stopped and disabled.\n service: name=logstash-web state=stopped enabled=no\n\n## Example Playbook\n\n - hosts: search\n \n pre_tasks:\n - name: Use Java 8 on Debian/Ubuntu.\n set_fact:\n java_packages:\n - openjdk-8-jdk\n when: ansible_facts.os_family == 'Debian'\n \n roles:\n - geerlingguy.java\n - geerlingguy.elasticsearch\n - geerlingguy.logstash\n\n## License\n\nMIT / BSD\n\n## Author Information\n\nThis role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).\n" }, { "path": "defaults/main.yml", "content": "---\nlogstash_version: '7.x'\n\nlogstash_package: logstash\n\nlogstash_listen_port_beats: 5044\n\nlogstash_elasticsearch_hosts:\n - http://localhost:9200\n\nlogstash_local_syslog_path: /var/log/syslog\nlogstash_monitor_local_syslog: true\n\nlogstash_dir: /usr/share/logstash\n\nlogstash_ssl_dir: /etc/pki/logstash\nlogstash_ssl_certificate_file: \"\"\nlogstash_ssl_key_file: \"\"\n\nlogstash_enabled_on_boot: true\n\nlogstash_install_plugins:\n - logstash-input-beats\n - logstash-filter-multiline\n\nlogstash_setup_default_config: true\n" }, { "path": "files/filters/10-syslog.conf", "content": "filter {\n if [type] == \"syslog\" {\n if [message] =~ /last message repeated [0-9]+ times/ {\n drop { }\n }\n grok {\n match => { \"message\" => \"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\\[%{POSINT:syslog_pid}\\])?: %{GREEDYDATA:syslog_message}\" }\n add_field => [ \"received_at\", \"%{@timestamp}\" ]\n add_field => [ \"received_from\", \"%{host}\" ]\n }\n syslog_pri { }\n date {\n match => [ \"syslog_timestamp\", \"MMM d HH:mm:ss\", \"MMM dd HH:mm:ss\" ]\n }\n }\n}\n" }, { "path": "files/filters/11-nginx.conf", "content": "filter {\n if [type] == \"nginx\" {\n grok {\n match => { \"message\" => \"%{COMBINEDAPACHELOG}\" }\n }\n }\n}\n" }, { "path": "files/filters/12-apache.conf", "content": "filter {\n if [type] == \"apache\" {\n grok {\n match => { \"message\" => \"%{COMBINEDAPACHELOG}\"}\n }\n date {\n match => [ \"timestamp\", \"dd/MMM/yyyy:HH:mm:ss Z\" ]\n }\n }\n}\n" }, { "path": "files/filters/14-solr.conf", "content": "filter {\n if [type] == \"solr\" {\n if [message] =~ /org\\.apache\\.solr\\.core\\.SolrCore execute/ {\n drop { }\n }\n grok {\n match => { \"message\" => \"<%{POSINT:priority}>%{SYSLOGLINE}\"}\n }\n multiline {\n pattern => \"(([^\\s]+)Exception.+)|(at:.+)\"\n stream_identity => \"%{logsource}.%{@type}\"\n what => \"previous\"\n }\n }\n}\n" }, { "path": "files/filters/15-drupal.conf", "content": "filter {\n if [type] == \"drupal\" {\n grok {\n match => [\"message\", \"%{SYSLOGTIMESTAMP} %{HOSTNAME} %{WORD}: %{URI:drupal_vhost}\\|%{NUMBER:drupal_timestamp}\\|(?[^\\|]*)\\|%{IP:drupal_ip}\\|(?[^\\|]*)\\|(?[^\\|]*)\\|(?[^\\|]*)\\|(?[^\\|]*)\\|%{GREEDYDATA:drupal_message}\" ]\n }\n }\n}\n" }, { "path": "handlers/main.yml", "content": "---\n- name: restart logstash\n service: name=logstash state=restarted\n" }, { "path": "meta/main.yml", "content": "---\ndependencies: []\n\ngalaxy_info:\n role_name: logstash\n author: geerlingguy\n description: Logstash for Linux.\n company: \"Midwestern Mac, LLC\"\n license: \"license (BSD, MIT)\"\n min_ansible_version: 2.10\n platforms:\n - name: Debian\n versions:\n - all\n - name: Ubuntu\n versions:\n - all\n galaxy_tags:\n - web\n - system\n - monitoring\n - logging\n - logs\n - elk\n - logstash\n" }, { "path": "molecule/default/converge.yml", "content": "---\n- name: Converge\n hosts: all\n #become: true\n\n vars:\n logstash_enabled_on_boot: false\n\n pre_tasks:\n - name: Update apt cache.\n apt: update_cache=true cache_valid_time=600\n when: ansible_facts.os_family == 'Debian'\n\n - name: Use Java 8 on Debian/Ubuntu.\n set_fact:\n java_packages:\n - openjdk-8-jdk\n when: ansible_facts.os_family == 'Debian'\n\n roles:\n - geerlingguy.java\n - geerlingguy.elasticsearch\n - geerlingguy.logstash\n" }, { "path": "molecule/default/molecule.yml", "content": "---\nrole_name_check: 1\ndependency:\n name: galaxy\n options:\n ignore-errors: true\ndriver:\n name: docker\nplatforms:\n - name: instance\n image: \"geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest\"\n command: ${MOLECULE_DOCKER_COMMAND:-\"\"}\n volumes:\n - /sys/fs/cgroup:/sys/fs/cgroup:rw\n cgroupns_mode: host\n privileged: true\n pre_build_image: true\nprovisioner:\n name: ansible\n playbooks:\n converge: ${MOLECULE_PLAYBOOK:-converge.yml}\n" }, { "path": "molecule/default/requirements.yml", "content": "---\n- src: geerlingguy.java\n- src: geerlingguy.elasticsearch\n" }, { "path": "tasks/config.yml", "content": "---\n- name: Create Logstash configuration files.\n template:\n src: \"{{ item }}.j2\"\n dest: \"/etc/logstash/conf.d/{{ item }}\"\n owner: root\n group: root\n mode: 0644\n with_items:\n - 01-beats-input.conf\n - 30-elasticsearch-output.conf\n when: logstash_setup_default_config\n notify: restart logstash\n\n- name: Create Logstash filters.\n copy:\n src: \"filters/{{ item }}\"\n dest: \"/etc/logstash/conf.d/{{ item }}\"\n owner: root\n group: root\n mode: 0644\n with_items:\n - 10-syslog.conf\n - 11-nginx.conf\n - 12-apache.conf\n - 14-solr.conf\n - 15-drupal.conf\n when: logstash_setup_default_config\n notify: restart logstash\n\n- name: Create Logstash configuration file for local syslog.\n template:\n src: 02-local-syslog-input.conf.j2\n dest: /etc/logstash/conf.d/02-local-syslog-input.conf\n owner: root\n group: root\n mode: 0644\n when: logstash_monitor_local_syslog\n notify: restart logstash\n\n- name: Ensure configuration for local syslog is absent if disabled.\n file:\n path: /etc/logstash/conf.d/02-local-syslog-input.conf\n state: absent\n when: not logstash_monitor_local_syslog\n notify: restart logstash\n" }, { "path": "tasks/main.yml", "content": "---\n- name: Include OS Specific setup tasks\n include_tasks: setup-{{ ansible_facts.os_family }}.yml\n\n- include_tasks: config.yml\n- include_tasks: ssl.yml\n- include_tasks: plugins.yml\n\n- name: Ensure Logstash is started and enabled on boot.\n service:\n name: logstash\n state: started\n enabled: \"{{ logstash_enabled_on_boot }}\"\n" }, { "path": "tasks/plugins.yml", "content": "---\n- name: Get list of installed plugins.\n command: >\n ./bin/logstash-plugin list\n chdir={{ logstash_dir }}\n register: logstash_plugins_list\n changed_when: false\n\n- name: Install configured plugins.\n command: >\n ./bin/logstash-plugin install {{ item }}\n chdir={{ logstash_dir }}\n with_items: \"{{ logstash_install_plugins }}\"\n when: \"item not in logstash_plugins_list.stdout\"\n notify: restart logstash\n" }, { "path": "tasks/setup-Debian.yml", "content": "---\n- name: Ensure required dependencies are installed.\n apt:\n name:\n - apt-transport-https\n - gnupg2\n state: present\n\n- name: Add Elasticsearch apt key.\n apt_key:\n url: https://artifacts.elastic.co/GPG-KEY-elasticsearch\n state: present\n\n- name: Add Logstash repository.\n apt_repository:\n repo: 'deb https://artifacts.elastic.co/packages/{{ logstash_version }}/apt stable main'\n state: present\n update_cache: true\n\n- name: Install Logstash.\n apt:\n name: '{{ logstash_package }}'\n state: present\n\n- name: Add Logstash user to adm group (Debian).\n user:\n name: logstash\n group: logstash\n groups: adm\n notify: restart logstash\n" }, { "path": "tasks/setup-RedHat.yml", "content": "---\n- name: Add Elasticsearch GPG key.\n rpm_key:\n key: https://artifacts.elastic.co/GPG-KEY-elasticsearch\n state: present\n\n- name: Add Logstash repository.\n template:\n src: logstash.repo.j2\n dest: /etc/yum.repos.d/logstash.repo\n mode: 0644\n\n- name: Install Logstash.\n package:\n name: '{{ logstash_package }}'\n state: present\n" }, { "path": "tasks/ssl.yml", "content": "---\n- name: Ensure Logstash SSL key pair directory exists.\n file:\n path: \"{{ logstash_ssl_dir }}\"\n state: directory\n mode: 0755\n when: logstash_ssl_key_file | length > 0\n\n- name: Copy SSL key and cert for logstash-forwarder.\n copy:\n src: \"{{ item }}\"\n dest: \"{{ logstash_ssl_dir }}/{{ item | basename }}\"\n mode: 0644\n with_items:\n - \"{{ logstash_ssl_key_file }}\"\n - \"{{ logstash_ssl_certificate_file }}\"\n notify: restart logstash\n when: logstash_ssl_key_file | length > 0\n" }, { "path": "templates/01-beats-input.conf.j2", "content": "input {\n beats {\n port => {{ logstash_listen_port_beats }}\n{% if logstash_ssl_certificate_file and logstash_ssl_key_file %}\n ssl => true\n ssl_certificate => \"{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}\"\n ssl_key => \"{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}\"\n ssl_verify_mode => \"peer\"\n ssl_certificate_authorities => \"{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}\"\n{% endif %}\n }\n}\n" }, { "path": "templates/02-local-syslog-input.conf.j2", "content": "input {\n file {\n path => \"{{ logstash_local_syslog_path }}\"\n }\n}\n" }, { "path": "templates/30-elasticsearch-output.conf.j2", "content": "output {\n elasticsearch {\n hosts => {{ logstash_elasticsearch_hosts | to_json }}\n index => \"%{[@metadata][beat]}-%{+YYYY.MM.dd}\"\n }\n}\n" }, { "path": "templates/logstash.repo.j2", "content": "[logstash-{{ logstash_version }}]\nname=Elastic repository for {{ logstash_version }} packages\nbaseurl=https://artifacts.elastic.co/packages/{{ logstash_version }}/yum\ngpgcheck=1\ngpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md" } ]