From 56229b26abd082b1f048d34031ffa1cb767d842f Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 1 Feb 2023 17:44:21 +0100
Subject: [PATCH 1/5] Use version dependent API paths

fixes #10
---
roles/logstash/tasks/logstash-security.yml | 44 ++++++++++++++++++++--
1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index 1c6410fe..fc225c75 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -220,7 +220,11 @@
register: logstash_writer_role_present
run_once: true

-- name: Put logstash_writer role into Elasticsearch
+# we doubled the task and didn't use a more sophisticated way to just change
+# the URI because we expect this task to be removed when ES 7 is out of
+# support
+
+- name: Put logstash_writer role into Elasticsearch < 8
command: >
curl -T /root/logstash_writer_role --header 'Content-Type: application/json'
--cacert {{ elastic_ca_dir }}/ca.crt
@@ -228,7 +232,21 @@
https://{{ elasticsearch_ca }}:9200/_xpack/security/role/logstash_writer
delegate_to: "{{ elasticsearch_ca }}"
run_once: true
- when: logstash_writer_role_present.rc > 0
+ when:
+ - logstash_writer_role_present.rc > 0
+ - elastic_release < 8
+
+- name: Put logstash_writer role into Elasticsearch > 7
+ command: >
+ curl -T /root/logstash_writer_role --header 'Content-Type: application/json'
+ --cacert {{ elastic_ca_dir }}/ca.crt
+ -u elastic:{{ elastic_password_logstash.stdout }}
+ https://{{ elasticsearch_ca }}:9200/_security/role/logstash_writer
+ delegate_to: "{{ elasticsearch_ca }}"
+ run_once: true
+ when:
+ - logstash_writer_role_present.rc > 0
+ - elastic_release > 7

- name: Check for logstash_writer user
shell: >
@@ -242,7 +260,11 @@
register: logstash_writer_user_present
run_once: true

-- name: Put logstash_writer user into Elasticsearch
+# we doubled the task and didn't use a more sophisticated way to just change
+# the URI because we expect this task to be removed when ES 7 is out of
+# support
+
+- name: Put logstash_writer user into Elasticsearch < 8
command: >
curl -T /root/logstash_writer_user --header 'Content-Type: application/json'
--cacert {{ elastic_ca_dir }}/ca.crt
@@ -250,4 +272,18 @@
https://{{ elasticsearch_ca }}:9200/_xpack/security/user/{{ logstash_user }}
delegate_to: "{{ elasticsearch_ca }}"
run_once: true
- when: logstash_writer_user_present.rc > 0
+ when:
+ - logstash_writer_user_present.rc > 0
+ - elastic_release < 8
+
+- name: Put logstash_writer user into Elasticsearch > 7
+ command: >
+ curl -T /root/logstash_writer_user --header 'Content-Type: application/json'
+ --cacert {{ elastic_ca_dir }}/ca.crt
+ -u elastic:{{ elastic_password_logstash.stdout }}
+ https://{{ elasticsearch_ca }}:9200/_security/user/{{ logstash_user }}
+ delegate_to: "{{ elasticsearch_ca }}"
+ run_once: true
+ when:
+ - logstash_writer_user_present.rc > 0
+ - elastic_release > 7

From 6e2c678508479827b9401f73c5e541e5527c7088 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 1 Feb 2023 18:19:47 +0100
Subject: [PATCH 2/5] Add new index names to new names

---
roles/logstash/templates/logstash_writer_role.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/logstash/templates/logstash_writer_role.j2 b/roles/logstash/templates/logstash_writer_role.j2
index 09d13089..10d3789e 100644
--- a/roles/logstash/templates/logstash_writer_role.j2
+++ b/roles/logstash/templates/logstash_writer_role.j2
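Review bot: The new `Put logstash_writer role into Elasticsearch > 7` task passes the superuser password on curl's command line via `-u elastic:{{ elastic_password_logstash.stdout }}`, so it is visible in the process list of the delegate host and, since the `command` module returns the full `cmd` in its result, in failure output, verbose runs and any logging callback; the copied `< 8` task has the same exposure, as do both user tasks in the `@@ -250,4 +272,18 @@` hunk. Add `no_log: true` to each of these four tasks, or keep the credentials out of argv (for example a curl `-K`/`--config` file with restricted permissions). curl is also invoked without `--fail`, so a 401/403 or other HTTP error from Elasticsearch still exits 0 and the role is reported as written; adding `--fail` to the folded command makes the task fail on those responses. The `< 8` task starts in the previous hunk.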
@@ -3,9 +3,9 @@
"indices": [
{
{% if logstash_global_ecs is defined and logstash_global_ecs != "disabled" %}
- "names": [ "ecs-logstash*", "logstash*" ],
+ "names": [ "ecs-logstash*", "logstash*", "logs*" ],
{% else %}
- "names": [ "logstash*" ],
+ "names": [ "logstash*", "logs*", "logs*" ],
{% endif %}
"privileges": ["write","create","delete","create_index","manage","manage_ilm"]
}

From 8d9a09ade190e061b176d679c42b6840eeec68b3 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 1 Feb 2023 18:36:14 +0100
Subject: [PATCH 3/5] Remove redundant configuration

---
roles/logstash/templates/logstash_writer_role.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/logstash/templates/logstash_writer_role.j2 b/roles/logstash/templates/logstash_writer_role.j2
index 10d3789e..eebe520d 100644
--- a/roles/logstash/templates/logstash_writer_role.j2
+++ b/roles/logstash/templates/logstash_writer_role.j2
@@ -5,7 +5,7 @@
{% if logstash_global_ecs is defined and logstash_global_ecs != "disabled" %}
"names": [ "ecs-logstash*", "logstash*", "logs*" ],
{% else %}
- "names": [ "logstash*", "logs*", "logs*" ],
+ "names": [ "logstash*", "logs*" ],
{% endif %}
"privileges": ["write","create","delete","create_index","manage","manage_ilm"]
}

From e658cfd075e0395b63b40fffb33b4f27d7e5956a Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 1 Feb 2023 20:50:29 +0100
Subject: [PATCH 4/5] Handle resetting of Logstash role

* Change indices `logstash_writer` has access to to variable
* Optionally reset role with every run
* Add information to docs
fixes #13
---
docs/role-logstash.md | 7 +++++++
roles/logstash/defaults/main.yml | 2 ++
roles/logstash/tasks/logstash-security.yml | 4 ++--
roles/logstash/templates/logstash_writer_role.j2 | 6 +-----
4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/docs/role-logstash.md b/docs/role-logstash.md
index 6805f2b8..6275cbb2 100644
--- a/docs/role-logstash.md
+++ b/docs/role-logstash.md
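Review bot: The added pattern `logs*` already matches every index that `logstash*` matches, so both `names` lists now carry a redundant entry, and the role's reach widens from Logstash's own indices to any index whose name begins with `logs`; with `delete`, `manage` and `manage_ilm` in the `privileges` context line, that includes deleting or reconfiguring them. If that breadth is intended it should be stated in the commit message and in `docs/role-logstash.md`; if only data streams such as `logs-<dataset>-<namespace>` are meant, `logs-*` is the narrower pattern and `logstash*` can stay as-is.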
@@ -59,6 +59,13 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
* *logstash_tls_key_passphrase*: Passphrase for Logstash certificates (default: `ChangeMe`)
* *logstash_elasticsearch*: Address of Elasticsearch instance for default output (default: list of Elasticsearch nodes from `elasticsearch` role or `localhost` when used standalone)
* *logstash_security*: Enable X-Security (No default set, but will be activated when in full stack mode)
+* *logstash_user*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
+* *logstash_password*: Password of Elasticsearch user (Default: `password`)
+* *logstash_user_indices*: Indices the user has access to (Default: `'"ecs-logstash*", "logstash*", "logs*"'`)
+* *logstash_reset_writer_role*: Reset user and role with every run: (Default: `true`)
+
+
+
* *logstash_legacy_monitoring*: Enables legacy monitoring - ignored when `elastic_stack_full_stack` is not set. (default: `true`)
The following variables configure Log4j for Logstash. All default to `true` as this is the default after the installation.
diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml
index f28e8927..0b0308ac 100644
--- a/roles/logstash/defaults/main.yml
+++ b/roles/logstash/defaults/main.yml
@@ -40,6 +40,8 @@ logstash_beats_tls_encryptkey: true
# logstash security
logstash_user: logstash_writer
logstash_password: password
+logstash_user_indices: '"ecs-logstash*", "logstash*", "logs*"'
+logstash_reset_writer_role: true
logstash_tls_key_passphrase: ChangeMe
logstash_certs_dir: /etc/logstash/certs
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index fc225c75..a61a5a65 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
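Review bot: `logstash_user_indices` is defined in `roles/logstash/defaults/main.yml` as a string holding a pre-quoted JSON fragment, and the template hunk of this same commit (`logstash_writer_role.j2`, `"names": [ {{ logstash_user_indices }} ],`) splices that string unescaped into the role document, so an override that omits the inner double quotes or contains a `"` yields an invalid or unintended role body that the PUT task cannot detect. Defining the variable as a YAML list and rendering it through `to_json` keeps the document well-formed by construction: `logstash_user_indices: ["ecs-logstash*", "logstash*", "logs*"]` in the defaults and `"names": {{ logstash_user_indices | to_json }},` in the template. That is a shape change for anyone already overriding the variable, so it would need a line in `docs/role-logstash.md`. Separately, defaulting `logstash_reset_writer_role` to `true` means the role PUT runs on every play and overwrites any role edits made directly in Elasticsearch; if that is the intent, fine, but `false` is the more conservative default.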
@@ -233,7 +233,7 @@
delegate_to: "{{ elasticsearch_ca }}"
run_once: true
when:
- - logstash_writer_role_present.rc > 0
+ - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
- elastic_release < 8

- name: Put logstash_writer role into Elasticsearch > 7
@@ -245,7 +245,7 @@
delegate_to: "{{ elasticsearch_ca }}"
run_once: true
when:
- - logstash_writer_role_present.rc > 0
+ - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
- elastic_release > 7

- name: Check for logstash_writer user
diff --git a/roles/logstash/templates/logstash_writer_role.j2 b/roles/logstash/templates/logstash_writer_role.j2
index eebe520d..fc990cbe 100644
--- a/roles/logstash/templates/logstash_writer_role.j2
+++ b/roles/logstash/templates/logstash_writer_role.j2
@@ -2,11 +2,7 @@
"cluster": ["manage_index_templates", "monitor", "manage_ilm"],
"indices": [
{
-{% if logstash_global_ecs is defined and logstash_global_ecs != "disabled" %}
- "names": [ "ecs-logstash*", "logstash*", "logs*" ],
-{% else %}
- "names": [ "logstash*", "logs*" ],
-{% endif %}
+ "names": [ {{ logstash_user_indices }} ],
"privileges": ["write","create","delete","create_index","manage","manage_ilm"]
}
]

From 1ee5daf43b823dc0ef4c717b492a1664cd60f667 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Thu, 2 Feb 2023 10:28:44 +0100
Subject: [PATCH 5/5] Explicitly cast elastic_release for molecule

When fetching data from ENV for molecule, we need to explicitly cast it to int before comparing
---
roles/logstash/tasks/logstash-security.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index a61a5a65..0df7078e 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
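Review bot: The new `or logstash_reset_writer_role | bool` clause is added only to the two role tasks (this hunk and `@@ -245,7 +245,7 @@`), while the two user tasks later in the same file still run only when `logstash_writer_user_present.rc > 0` (visible as context in the next patch), yet the documentation added in this commit describes the variable as "Reset user and role with every run". Either extend both user tasks' `when` with the same clause, `- logstash_writer_user_present.rc > 0 or logstash_reset_writer_role | bool`, or correct the doc line to say that only the role is re-applied. Both tasks touched here start outside the hunk.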
@@ -234,7 +234,7 @@
run_once: true
when:
- logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
- - elastic_release < 8
+ - elastic_release | int < 8

- name: Put logstash_writer role into Elasticsearch > 7
command: >
@@ -246,7 +246,7 @@
run_once: true
when:
- logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
- - elastic_release > 7
+ - elastic_release | int > 7

- name: Check for logstash_writer user
shell: >
@@ -274,7 +274,7 @@
run_once: true
when:
- logstash_writer_user_present.rc > 0
- - elastic_release < 8
+ - elastic_release | int < 8

- name: Put logstash_writer user into Elasticsearch > 7
command: >
@@ -286,4 +286,4 @@
run_once: true
when:
- logstash_writer_user_present.rc > 0
- - elastic_release > 7
+ - elastic_release | int > 7
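Review bot: `elastic_release | int` maps any value that neither `int()` nor `float()` can parse — a full version string such as `8.6.1`, or the empty string an unset environment variable yields in molecule — to `0`, because Jinja2's `int` filter falls back to its default of 0 instead of failing; such a value then satisfies `elastic_release | int < 8` and the play silently PUTs through the deprecated `_xpack` path. The same applies to the `@@ -246`, `@@ -274` and `@@ -286` hunks. A single `assert` task before these four tasks, checking `elastic_release | int > 0` with a `fail_msg` naming the variable, turns that into an early, explicit failure; the `when` lines themselves can stay as written. The enclosing tasks start outside each hunk.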