geerlingguy.filebeat
Ansible Role: Filebeat for ELK Stack
This Ansible Role installs Filebeat on RedHat/CentOS or Debian/Ubuntu.
Requirements
No special requirements.
Role Variables
Here are the available variables and their default values (check defaults/main.yml):
filebeat_version: 7.x
This controls which major version of Filebeat will be installed.
filebeat_package: filebeat
filebeat_package_state: present
Specifies which package to install. You can change the package name for your platform and decide if it should be present, absent, or latest.
filebeat_create_config: true
Determines if a configuration file for Filebeat should be created and if SSL keys and certificates should be copied. Set to false if you're creating it manually.
filebeat_inputs:
  - type: log
    paths:
      - "/var/log/*.log"
These are the input log files for Filebeat. For more options, review the Filebeat Inputs configuration guide.
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
These settings control if you send output to Elasticsearch and which hosts to use.
filebeat_output_elasticsearch_auth:
  username: "admin"
  password: "S3CR3eeet"
or, only for version 8+:
filebeat_output_elasticsearch_auth:
  api_key: "xa-123a-f3ea012d-aaae1"
Configures authentication for Elasticsearch output. Choose either username/password or API key (API keys are only available in version 8 and above).
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "localhost:5000"
These settings control if you send output to Logstash and which hosts to use.
filebeat_enable_logging: false
filebeat_log_level: warning
filebeat_log_dir: /var/log/filebeat
filebeat_log_filename: filebeat.log
Settings for Filebeat logging.
filebeat_ssl_certs_dir: /etc/pki/logstash
filebeat_ssl_private_dir: "{{ filebeat_ssl_certs_dir }}"
The directory for storing SSL certificates and keys.
filebeat_ssl_ca_file: ""
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
Paths to local SSL certificate and key files.
filebeat_ssl_copy_file: true
Determines if SSL certificates and keys should be copied, or if existing ones should be used.
For security, use your own valid certificate and update the filebeat_ssl_* variables accordingly. To create a self-signed certificate, run:
$ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout filebeat.key -out filebeat.crt
Keep in mind that Filebeat and Logstash may have issues with self-signed certificates if the full chain of trust is not recognized on your server. For more details, check: https://github.com/elastic/logstash/issues/4926#issuecomment-203936891
filebeat_ssl_insecure: "false"
Change this to "true" to allow using self-signed certificates if a Certificate Authority (CA) isn't available.
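As an added example (not part of the role's own documentation), the play below sets the SSL variables described above for a Logstash output that trusts your own CA, with the weak setting shown beside it as a comment. The inventory group, the Logstash hostname and the certificate file paths are assumptions constructed for illustration.

```yaml
# Added example: TLS-related variables for geerlingguy.filebeat.
# Group name, hostname and file paths below are constructed placeholders.
- hosts: app_servers                      # assumed inventory group
  vars:
    # Ship to Logstash only; Elasticsearch output stays disabled.
    filebeat_output_elasticsearch_enabled: false
    filebeat_output_logstash_enabled: true
    filebeat_output_logstash_hosts:
      # Use the name that appears in the Logstash server certificate.
      - "logstash.example.internal:5000"

    # Weak: per the description above, this accepts self-signed
    # certificates when no CA is available, so the server's identity
    # is not checked against a CA you trust.
    # filebeat_ssl_insecure: "true"

    # Hardened: keep the default and supply your own CA instead.
    filebeat_ssl_insecure: "false"

    # Let the role copy the certificate material to the managed host.
    filebeat_ssl_copy_file: true
    filebeat_ssl_certs_dir: /etc/pki/logstash
    filebeat_ssl_private_dir: "{{ filebeat_ssl_certs_dir }}"

    # Local paths (constructed). Keep the private key out of
    # plain-text version control.
    filebeat_ssl_ca_file: "certs/internal-ca.crt"
    filebeat_ssl_certificate_file: "certs/filebeat.crt"
    filebeat_ssl_key_file: "certs/filebeat.key"

  roles:
    - geerlingguy.filebeat
```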
Customizing the Filebeat Template
If you can't change an option via variables, you can override the configuration template.
filebeat_template: "filebeat.yml.j2"
You can modify the existing template or point to your custom template location.
filebeat_template: "{{ playbook_dir }}/templates/filebeat.yml.j2"
Dependencies
No dependencies.
Example Playbook
- hosts: logs
  # pre_tasks run before the roles, so java_packages is set in time.
  pre_tasks:
    - name: Set the java_packages variable (Debian/Ubuntu).
      set_fact:
        java_packages:
          - openjdk-8-jdk
      when: ansible_os_family == 'Debian'
  roles:
    - geerlingguy.java
    - geerlingguy.elasticsearch
    - geerlingguy.logstash
    - geerlingguy.filebeat
License
MIT / BSD
Author Information
This role was created in 2016 by Jeff Geerling, author of Ansible for DevOps.
Filebeat for Linux.
ansible-galaxy install geerlingguy.filebeat