ELK stack installing and working. Test with a second VM pushing logs with filebeat.

2026-02-21 19:28:02 +00:00 · 2018-09-13 13:25:48 +01:00
parent 9497e40d4a
commit 07d76f13cc
11 changed files with 213 additions and 63 deletions
--- a/modules/utilities/unix/logging/elasticsearch/elasticsearch.pp
+++ b/modules/utilities/unix/logging/elasticsearch/elasticsearch.pp
@@ -1,8 +1,18 @@
 $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-$ip_address = $secgen_parameters['IP_address'][0]  # TODO: Which IP address? how do we do this with two servers?
+$elasticsearch_ip = $secgen_parameters['elasticsearch_ip'][0]
+$elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]

 include ::java

-class { 'elasticsearch': }
-elasticsearch::instance { 'es-01': }
+class { 'elasticsearch':
+  api_host => $elasticsearch_ip,
+  api_port => $elasticsearch_port,
+}
+
+elasticsearch::instance { 'es-01':
+  config => {
+    'network.host' => $elasticsearch_ip,
+    'http.port' => $elasticsearch_port,
+  },
+}

--- a/modules/utilities/unix/logging/elasticsearch/secgen_metadata.xml
+++ b/modules/utilities/unix/logging/elasticsearch/secgen_metadata.xml
@@ -12,6 +12,17 @@
  <type>log_tool</type>
  <platform>linux</platform>

+  <read_fact>elasticsearch_ip</read_fact>
+  <read_fact>elasticsearch_port</read_fact>
+
+  <default_input into="elasticsearch_ip">
+    <value>localhost</value>
+  </default_input>
+
+  <default_input into="elasticsearch_port">
+    <value>9200</value>
+  </default_input>
+
  <requires>
    <type>update</type>
  </requires>
--- a/modules/utilities/unix/logging/filebeat/filebeat.pp
+++ b/modules/utilities/unix/logging/filebeat/filebeat.pp
@@ -1 +1,22 @@
-include filebeat::setup
+$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+$logstash_ip = $secgen_parameters['logstash_ip'][0]
+$logstash_port = 0 + $secgen_parameters['logstash_port'][0]
+
+class { 'filebeat':
+  outputs => {
+    'logstash' => {
+      'hosts' => [
+        "$logstash_ip:$logstash_port",
+      ],
+      'index' => 'filebeat',
+    },
+  },
+}
+
+filebeat::prospector { 'syslogs':
+  paths    => [
+    '/var/log/auth.log',
+    '/var/log/syslog',
+  ],
+  doc_type => 'syslog-beat',
+}
--- a/modules/utilities/unix/logging/filebeat/manifests/setup.pp
+++ b/modules/utilities/unix/logging/filebeat/manifests/setup.pp
@@ -1,25 +0,0 @@
-class filebeat::setup {
-
-  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-  $ip_address = $secgen_parameters['IP_address'][0]  # TODO: Which IP address? how do we do this with two servers?
-
-
-  class { 'filebeat':
-    outputs => {
-      'logstash' => {
-        'hosts' => [
-          "$ip_address:5043",
-        ],
-        'index' => 'filebeat',
-      },
-    },
-  }
-
-  filebeat::prospector { 'syslogs':
-    paths    => [
-      '/var/log/auth.log',
-      '/var/log/syslog',
-    ],
-    doc_type => 'syslog-beat',
-  }
-}
--- a/modules/utilities/unix/logging/filebeat/secgen_metadata.xml
+++ b/modules/utilities/unix/logging/filebeat/secgen_metadata.xml
@@ -12,6 +12,17 @@
  <type>log_tool</type>
  <platform>linux</platform>

+  <read_fact>logstash_ip</read_fact>
+  <read_fact>logstash_port</read_fact>
+
+  <default_input into="logstash_ip">
+    <value>localhost</value>
+  </default_input>
+
+  <default_input into="logstash_port">
+    <value>5044</value>
+  </default_input>
+
  <requires>
    <type>update</type>
  </requires>
--- a/modules/utilities/unix/logging/kibana/kibana.pp
+++ b/modules/utilities/unix/logging/kibana/kibana.pp
@@ -1,11 +1,15 @@
 $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-$ip_address = $secgen_parameters['IP_address'][0]  # TODO: Which IP address? how do we do this with two servers?
+
+$kibana_ip = $secgen_parameters['kibana_ip'][0]
+$kibana_port = 0 + $secgen_parameters['kibana_port'][0]
+
+$elasticsearch_ip = $secgen_parameters['elasticsearch_ip'][0]  # TODO: Which IP address? how do we do this with two servers?
+$elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]  # TODO: Which IP address? how do we do this with two servers?

 class { 'kibana':
  config => {
-    'server.host'       => $ip_address,
-    'elasticsearch.url' => "http://$ip_address:9200",
-    'server.port'       => '5601',
+    'server.host'       => $kibana_ip,
+    'elasticsearch.url' => "http://$elasticsearch_ip:$elasticsearch_port",
+    'server.port'       => $kibana_port,
  }
-}
-
+}
--- a/modules/utilities/unix/logging/kibana/secgen_metadata.xml
+++ b/modules/utilities/unix/logging/kibana/secgen_metadata.xml
@@ -12,6 +12,27 @@
  <type>log_tool</type>
  <platform>linux</platform>

+  <read_fact>kibana_ip</read_fact>
+  <read_fact>kibana_port</read_fact>
+  <read_fact>elasticsearch_ip</read_fact>
+  <read_fact>elasticsearch_port</read_fact>
+
+  <default_input into="kibana_ip">
+    <value>localhost</value>
+  </default_input>
+
+  <default_input into="kibana_port">
+    <value>5601</value>
+  </default_input>
+
+  <default_input into="elasticsearch_ip">
+    <value>localhost</value>
+  </default_input>
+
+  <default_input into="elasticsearch_port">
+    <value>9200</value>
+  </default_input>
+
  <requires>
    <type>update</type>
  </requires>
--- a/modules/utilities/unix/logging/logstash/logstash.pp
+++ b/modules/utilities/unix/logging/logstash/logstash.pp
@@ -1,21 +1,31 @@
 $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
-$ip_address = $secgen_parameters['ip_address'][0]  # TODO: Which IP address? how do we do this with two servers?
+$logstash_port = 0 + $secgen_parameters['logstash_port'][0]
+$elasticsearch_ip = $secgen_parameters['elasticsearch_ip'][0]
+$elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]

-class { 'logstash':
-  settings => {
-    'http.host' => $ip_address,
-  }
+include logstash
+
+# You must provide a valid pipeline configuration for the service to start.
+logstash::configfile { 'my_ls_config':
+  content => template('logstash/configfile-template.erb'),
 }

-logstash::plugin { 'logstash-input-beats': }

-#  TODO : Find out what this does. It's likely a .conf file template, not sure why hes using this @(""/L) | "" instead of an erb
-#  TODO : ... unless it's just for the sake of the demonstration.
+# TODO: Delete this if its a problem
+#
+# class { 'logstash':
+#   settings => {
+#     'http.host' => $ip_address,
+#   }
+# }
+
+# logstash::plugin { 'logstash-input-beats': }
+

 #   $myconfig =  @("MYCONFIG"/L)
 # input {
 #   beats {
-#     port => 5043
+#     port => 5044
 #   }
 # }
 # output {
--- a/modules/utilities/unix/logging/logstash/secgen_metadata.xml
+++ b/modules/utilities/unix/logging/logstash/secgen_metadata.xml
@@ -12,6 +12,22 @@
  <type>log_tool</type>
  <platform>linux</platform>

+  <read_fact>logstash_port</read_fact>
+  <read_fact>elasticsearch_ip</read_fact>
+  <read_fact>elasticsearch_port</read_fact>
+
+  <default_input into="logstash_port">
+    <value>5044</value>
+  </default_input>
+
+  <default_input into="elasticsearch_ip">
+    <value>localhost</value>
+  </default_input>
+
+  <default_input into="elasticsearch_port">
+    <value>9200</value>
+  </default_input>
+
  <requires>
    <type>update</type>
  </requires>
--- a/modules/utilities/unix/logging/logstash/templates/configfile-template.erb
+++ b/modules/utilities/unix/logging/logstash/templates/configfile-template.erb
@@ -1 +1,14 @@
-# 2 + 2 equals <%= 2+2 -%>
+input {
+  beats {
+    port => <%= @logstash_port-%>
+  }
+}
+output {
+  elasticsearch {
+    hosts => "<%= @elasticsearch_ip-%>:<%= @elasticsearch_port-%>"
+    manage_template => false
+    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
+    document_type => "%{[@metadata][type]}"
+  }
+  stdout { codec => rubydebug }
+}
--- a/scenarios/examples/elkstack.xml
+++ b/scenarios/examples/elkstack.xml
@@ -6,42 +6,100 @@

 	<!-- an example single system containing a ELK stack instance
 		TODO : Configure a scenario where another system can use the logstash client + push to the ELK instance
-
-		Note: They do not support 32 bit elk! we need to create a new base box / template to accomodate this part of the research.
+		TODO : Can we set the memory per vm at scenario level? the elk stack requires 4gb of ram. Just use command line option for now
 	-->

 	<system>
 		<system_name>escalation</system_name>
 		<base platform="linux" type="server" distro=".*Ubuntu.*"/>

-		<!-- Define a static IP address for the logstash server -->
-		<input into_datastore="logstash_ip">
+		<input into_datastore="IP_address">
 			<value>172.16.0.2</value>
 		</input>

+		<input into_datastore="elasticsearch_port">
+			<value>9200</value>
+		</input>
+
+		<input into_datastore="logstash_port">
+			<value>5044</value>
+		</input>
+
+		<input into_datastore="kibana_port">
+			<value>5601</value>
+		</input>
+
 		<utility module_path=".*elasticsearch.*">
-			<input into="IP_address">
-				<datastore access="0">logstash_ip</datastore>
+			<input into="elasticsearch_ip">
+				<datastore access="0">IP_address</datastore>
+			</input>
+			<input into="elasticsearch_port">
+				<datastore access="0">elasticsearch_port</datastore>
 			</input>
 		</utility>

-		<!-- TODO -->
-		<!--<utility module_path=".*kibana.*">-->
-			<!--<input into="IP_address">-->
-				<!--<datastore access="0">logstash_ip</datastore>-->
-			<!--</input>-->
-		<!--</utility>-->
-		<!--<utility module_path=".*logstash.*">-->
-			<!--<input into="IP_address">-->
-				<!--<datastore access="0">logstash_ip</datastore>-->
-			<!--</input>-->
-		<!--</utility>-->
+		<utility module_path=".*logstash.*">
+			<input into="logstash_port">
+				<datastore access="0">logstash_port</datastore>
+			</input>
+			<input into="elasticsearch_ip">
+				<datastore access="0">IP_address</datastore>
+			</input>
+			<input into="elasticsearch_port">
+				<datastore access="0">elasticsearch_port</datastore>
+			</input>
+		</utility>
+
+		<utility module_path=".*kibana.*">
+			<input into="kibana_ip">
+				<datastore access="0">IP_address</datastore>
+			</input>
+			<input into="kibana_port">
+				<datastore access="0">kibana_port</datastore>
+			</input>
+			<input into="elasticsearch_ip">
+				<datastore access="0">IP_address</datastore>
+			</input>
+			<input into="elasticsearch_port">
+				<datastore access="0">elasticsearch_port</datastore>
+			</input>
+		</utility>
+
+		<utility module_path=".*filebeat.*">
+			<input into="logstash_ip">
+				<datastore access="0">IP_address</datastore>
+			</input>
+			<input into="logstash_port">
+				<datastore access="0">logstash_port</datastore>
+			</input>
+		</utility>

 		<network type="private_network" >
 			<input into="IP_address">
-				<datastore access="0">logstash_ip</datastore>
+				<datastore access="0">IP_address</datastore>
 			</input>
 		</network>
 	</system>

+	<!--TODO: Test this system afterwards. Save as another example.xml -->
+	<!--<system>-->
+		<!--<system_name>escalation</system_name>-->
+		<!--<base platform="linux" type="server" distro=".*Ubuntu.*"/>-->
+
+		<!--<input into_datastore="IP_address">-->
+			<!--<value>172.16.0.2</value>-->
+		<!--</input>-->
+
+		<!--<utility module_path=".*elasticsearch.*"/>-->
+		<!--<utility module_path=".*logstash.*"/>-->
+		<!--<utility module_path=".*kibana.*"/>-->
+		<!--<utility module_path=".*filebeat.*"/>-->
+
+		<!--<network type="private_network" >-->
+			<!--<input into="IP_address">-->
+				<!--<datastore access="0">IP_address</datastore>-->
+			<!--</input>-->
+		<!--</network>-->
+	<!--</system>-->
+
 </scenario>