diff --git a/bastion.yml b/bastion.yml
index 90cf319b..bf2bb734 100644
--- a/bastion.yml
+++ b/bastion.yml
@@ -111,5 +111,15 @@
 document_type: apache
 paths:
 - /var/log/apache/*.log
+ - name: ansible_runner
+ prospectors:
+ - input_type: log
+ document_type: ansible-runner
+ paths:
+ - "/var/www/html/cron-logs/*/*current.log"
+ multiline:
+ pattern: '^$'
+ negate: true
+ match: before
 - role: fail2ban # This should be last
diff --git a/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf b/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
new file mode 100644
index 00000000..665b1705
--- /dev/null
+++ b/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
@@ -0,0 +1,13 @@
+filter {
+ if [type] == "ansible-runner" {
+ grok {
+ add_field => { "received_at" => "%{@timestamp}" }
+ match => { "message" => [
+ "(?m)PLAYBOOK: %{NOTSPACE:playbook} \*+%{GREEDYDATA:playbook_details}",
+ "(?m)PLAY RECAP \*+%{GREEDYDATA:play_recap}",
+ "(?m)PLAY \[%{DATA:play}\] \*+%{GREEDYDATA:play_details}",
+ "(?m)TASK \[%{DATA:task}\] \*+%{GREEDYDATA:task_details}"
+ ]}
+ }
+ }
+}
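Review bot: The new multiline block under the ansible_runner prospector relies on filebeat's defaults for `max_lines` and `timeout`, so a blank-line-delimited section of playbook output longer than the default line cap is silently cut and its tail emitted as a separate, unparseable event; if runner output can reach that size, set `max_lines` explicitly next to `match: before`. The glob `/var/www/html/cron-logs/*/*current.log` sits under what by its name looks like a web document root, so it is worth confirming those logs are not also reachable through the web server, since playbook output carries host names and task details. The `prospectors` list this entry belongs to, and the `- role:` item that contains it, start before the hunk.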
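Review bot: The four grok patterns are unanchored, so a multi-line event whose body happens to contain a later marker (task output that itself prints `PLAY [` or `PLAYBOOK:`, for example) is classified by whichever pattern matches first in the scan rather than by the line the event starts with. Anchoring each pattern to the start of the event, e.g. `"\APLAYBOOK: %{NOTSPACE:playbook} \*+%{GREEDYDATA:playbook_details}"`, makes the classification deterministic and is cheaper on long events, since `(?m)` plus `%{GREEDYDATA}` already consumes the remainder of the message. A one-line header comment such as `# [type] is set by the ansible-runner document_type in the filebeat config (bastion.yml)` would tell the next maintainer where the conditional's value comes from.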