From c3869386fb6c0d0817b7495c5a805810212620c9 Mon Sep 17 00:00:00 2001
From: Matthew Wagoner
Date: Wed, 26 Apr 2017 10:51:02 -0400
Subject: [PATCH 1/4] WIP: Add ansible runner logs to ELK

---
 bastion.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bastion.yml b/bastion.yml
index 90cf319b..f03d605c 100644
--- a/bastion.yml
+++ b/bastion.yml
@@ -111,5 +111,11 @@
 document_type: apache
 paths:
 - /var/log/apache/*.log
+ - name: ansible_runner
+ prospectors:
+ - input_type: log
+ document_type: ansible_runner
+ paths:
+ - "/var/www/html/cron-logs/$env/*.log"
 
 - role: fail2ban # This should be last
From f49f706b2c16e00a6f1b67b5f8fb4ea8cbbb82d2 Mon Sep 17 00:00:00 2001
From: Matthew Wagoner
Date: Thu, 27 Apr 2017 10:21:38 -0400
Subject: [PATCH 2/4] Add ansible runner logs to ELK

---
 bastion.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bastion.yml b/bastion.yml
index f03d605c..9246bad5 100644
--- a/bastion.yml
+++ b/bastion.yml
@@ -116,6 +116,7 @@
 - input_type: log
 document_type: ansible_runner
 paths:
- - "/var/www/html/cron-logs/$env/*.log"
+ - "/var/www/html/cron-logs/*/current.log"
+ - "/var/www/html/cron-logs/*/latest.log"
 
 - role: fail2ban # This should be last
From ed17083560084171cb7f1bad276cb225cbb785a5 Mon Sep 17 00:00:00 2001
From: Matthew Wagoner
Date: Thu, 27 Apr 2017 12:36:19 -0400
Subject: [PATCH 3/4] Add filter for ansible runner type

---
 .../files/etc/logstash/conf.d/16-ansible-runner.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf

diff --git a/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf b/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
new file mode 100644
index 00000000..a4e33c4a
--- /dev/null
+++ b/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
@@ -0,0 +1,10 @@
+filter {
+ if [type] == "ansible-runner" {
+ grok {
+ match => { "message" => "%{SUPERAWESOMEANSIBLELOG}"}
+ }
+ date {
+ match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ssZ" ]
+ }
+ }
+}
From 2836f764ff5c487b0442d85d19408801e41bdcef Mon Sep 17 00:00:00 2001
From: K Jonathan Harker
Date: Wed, 3 May 2017 14:28:41 -0700
Subject: [PATCH 4/4] Better ansible grokking

Make the filebeat document-type match the logstash filter type. Remove the date filter since we don't have timestamps to parse, which means we have to rely on logstash received time for event timestamps. Create multiline events split by empty lines in the log file. Add multiple grok patterns for the various types of output we get from ansible-playbook.

Signed-off-by: K Jonathan Harker
---
 bastion.yml | 9 ++++++---
 .../files/etc/logstash/conf.d/16-ansible-runner.conf | 11 +++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/bastion.yml b/bastion.yml
index 9246bad5..bf2bb734 100644
--- a/bastion.yml
+++ b/bastion.yml
@@ -114,9 +114,12 @@
 - name: ansible_runner
 prospectors:
 - input_type: log
- document_type: ansible_runner
+ document_type: ansible-runner
 paths:
- - "/var/www/html/cron-logs/*/current.log"
- - "/var/www/html/cron-logs/*/latest.log"
+ - "/var/www/html/cron-logs/*/*current.log"
+ multiline:
+ pattern: '^$'
+ negate: true
+ match: before
 
 - role: fail2ban # This should be last
diff --git a/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf b/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
index a4e33c4a..665b1705 100644
--- a/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
+++ b/roles/logstash/files/etc/logstash/conf.d/16-ansible-runner.conf
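Review bot: The grok `match` line references `%{SUPERAWESOMEANSIBLELOG}`, a pattern this commit does not define anywhere, and Logstash refuses to register a grok whose pattern is undefined, so with conf.d loaded as a single pipeline this file stops every other filter from loading as well. The `date` filter below it reads a `timestamp` field that no pattern in the hunk produces, so it can only ever tag `_dateparsefailure`. The `[type] == "ansible-runner"` test also cannot match the `document_type: ansible_runner` filebeat is configured to send at this point in the series. Patch 4/4 replaces all three, which is fine if the series is squashed; applied on its own, this commit leaves the logstash pipeline unable to start.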
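Review bot: The `multiline.pattern` of `'^$'` only recognises truly empty lines, so a separator line that carries trailing whitespace is folded into the neighbouring block instead of ending it; `pattern: '^\s*$'` is the more robust delimiter. The default `multiline.max_lines` of 500 is also worth keeping in mind, since verbose task output for many hosts can exceed it and filebeat discards the excess lines rather than starting a new event. Because these runner logs are now indexed in ELK, whatever ansible-playbook prints — including module arguments and results from tasks not marked `no_log` — becomes searchable, so the playbooks driven from these cron jobs should be checked for unredacted credentials before the glob is generalised to every `*current.log`. A comment above the `multiline:` key such as `# one event per blank-line-separated block of ansible-playbook output` would record the intent of the three settings.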
@@ -1,10 +1,13 @@
 filter {
 if [type] == "ansible-runner" {
 grok {
- match => { "message" => "%{SUPERAWESOMEANSIBLELOG}"}
- }
- date {
- match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ssZ" ]
+ add_field => { "received_at" => "%{@timestamp}" }
+ match => { "message" => [
+ "(?m)PLAYBOOK: %{NOTSPACE:playbook} \*+%{GREEDYDATA:playbook_details}",
+ "(?m)PLAY RECAP \*+%{GREEDYDATA:play_recap}",
+ "(?m)PLAY \[%{DATA:play}\] \*+%{GREEDYDATA:play_details}",
+ "(?m)TASK \[%{DATA:task}\] \*+%{GREEDYDATA:task_details}"
+ ]}
 }
 }
 }
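Review bot: `add_field` inside `grok` is applied only when one of the patterns matches, so any block none of the four patterns fit ends up tagged `_grokparsefailure` with no `received_at` at all; if the field is meant to be present on every event, set it in a separate `mutate { add_field => { "received_at" => "%{@timestamp}" } }` ahead of the grok. The four patterns are also unanchored while `(?m)` lets `%{GREEDYDATA}` run across the whole multi-line event, so grok scans each event body for a header that, given the filebeat multiline settings in this same commit, only appears at the start of the block; prefixing each pattern with `\A` (Oniguruma's start-of-string, since `^` there matches at every line start) keeps the match cheap and bounded on large task output. A short comment above `match` noting that grok stops at the first matching pattern in the array would help anyone adding a fifth pattern later.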