Puppet Class: wazuh::filebeat_oss
- Defined in:
- manifests/filebeat_oss.pp
Overview
Copyright © 2015, Wazuh Inc. Setup for Filebeat_oss
# File 'manifests/filebeat_oss.pp', line 3
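# @summary Installs and configures OSS Filebeat to ship Wazuh data to an indexer.
#
# Manages the filebeat package, /etc/filebeat/filebeat.yml, the Wazuh index
# template, the Wazuh Filebeat module, the TLS material under
# $filebeat_path_certs and the filebeat service.
#
# Several parameters are not referenced in this manifest body; they are
# presumably consumed by the wazuh/filebeat_oss_yml.erb template, which is not
# shown here - confirm against the template.
#
# @param filebeat_oss_indexer_ip       Indexer address used to build $indexer_server_ip.
# @param filebeat_oss_indexer_port     Indexer port used to build $indexer_server_ip.
# @param indexer_server_ip             "ip:port" string; the value itself contains literal
#                                      double quotes.
# @param filebeat_oss_archives         Not used in this body (presumably read by the template).
# @param filebeat_oss_package          Name of the package to install.
# @param filebeat_oss_service          Name of the service to manage.
# @param filebeat_oss_elastic_user     Indexer user name (presumably read by the template).
# @param filebeat_oss_elastic_password Indexer password (presumably read by the template).
#                                      NOTE(review): the default is the well-known 'admin'
#                                      credential pair; override it per environment and keep
#                                      the real value out of plain-text data.
# @param filebeat_oss_version          Package version passed to `ensure`.
# @param wazuh_app_version             Not used in this body.
# @param wazuh_extensions_version      Git ref of wazuh/wazuh the index template is fetched from.
# @param wazuh_filebeat_module         File name of the Wazuh Filebeat module tarball.
# @param wazuh_node_name               Node name used to build the default certificate sources.
# @param filebeat_cert_source          Puppet source of the client certificate.
# @param filebeat_certkey_source       Puppet source of the client private key.
# @param filebeat_node_rootca_source   Puppet source of the root CA certificate.
# @param filebeat_fileuser             Owner of the certificate directory and files.
# @param filebeat_filegroup            Group of the certificate directory and files.
# @param filebeat_path_certs           Directory holding the certificate files.
class wazuh::filebeat_oss (
  $filebeat_oss_indexer_ip       = '127.0.0.1',
  $filebeat_oss_indexer_port     = '9200',
  $indexer_server_ip             = "\"${filebeat_oss_indexer_ip}:${filebeat_oss_indexer_port}\"",
  $filebeat_oss_archives         = false,
  $filebeat_oss_package          = 'filebeat',
  $filebeat_oss_service          = 'filebeat',
  $filebeat_oss_elastic_user     = 'admin',
  $filebeat_oss_elastic_password = 'admin',
  $filebeat_oss_version          = '7.10.2',
  $wazuh_app_version             = '4.14.4_7.10.2',
  $wazuh_extensions_version      = 'v4.14.4',
  $wazuh_filebeat_module         = 'wazuh-filebeat-0.5.tar.gz',
  $wazuh_node_name               = 'master',
  $filebeat_cert_source          = "puppet:///modules/archive/manager-${wazuh_node_name}.pem",
  $filebeat_certkey_source       = "puppet:///modules/archive/manager-${wazuh_node_name}-key.pem",
  $filebeat_node_rootca_source   = 'puppet:///modules/archive/root-ca.pem',
  $filebeat_fileuser             = 'root',
  $filebeat_filegroup            = 'root',
  $filebeat_path_certs           = '/etc/filebeat/certs',
) {
  # Upstream location of the index template, shared by the cleanup exec and
  # the file resource below so both always point at the same ref.
  $wazuh_template_url = "https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json"

  package { 'filebeat':
    ensure => $filebeat_oss_version,
    name   => $filebeat_oss_package,
  }

  # Rendered from the module template; 0640 root:root keeps it unreadable for
  # other local users (it presumably carries the indexer credentials).
  file { '/etc/filebeat/filebeat.yml':
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('wazuh/filebeat_oss_yml.erb'),
    require => Package['filebeat'],
    notify  => Service['filebeat'], ## Restarts the service
  }

  # Workaround:
  # Use cmp to compare the local file with the remote one. When they differ,
  # remove the local file so the file resource below recreates it.
  # Needed since GitHub only provides an ETag, which would otherwise change
  # the mtime on every run.
  # TODO: Include the file in the wazuh/wazuh-puppet project or use
  # file { checksum => '..' } instead of the exec construct.
  # NOTE(review): integrity of this template rests on TLS and on the Git ref
  # staying unchanged; pinning it with checksum/checksum_value or vendoring the
  # file would make the content verifiable.
  exec { 'cleanup /etc/filebeat/wazuh-template.json':
    path    => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
    command => 'rm -f /etc/filebeat/wazuh-template.json',
    onlyif  => [
      'test -f /etc/filebeat/wazuh-template.json',
      # Only clean up when upstream is actually reachable. Without this guard a
      # failed download makes cmp report a difference, the local template is
      # deleted, and the file resource below cannot restore it.
      "curl -sf -o /dev/null '${wazuh_template_url}'",
    ],
    unless  => "curl -s '${wazuh_template_url}' | cmp -s '/etc/filebeat/wazuh-template.json'",
  }
  -> file { '/etc/filebeat/wazuh-template.json':
    owner   => 'root',
    group   => 'root',
    mode    => '0440',
    replace => false, # only copy content when the file does not exist
    source  => $wazuh_template_url,
    require => Package['filebeat'],
    notify  => Service['filebeat'],
  }

  # Downloads and unpacks the Wazuh Filebeat module.
  # NOTE(review): no checksum is configured, so the tarball is accepted as
  # downloaded; the archive resource's checksum/checksum_type attributes can
  # pin a known-good digest.
  archive { "/tmp/${wazuh_filebeat_module}":
    ensure       => present,
    source       => "https://packages.wazuh.com/4.x/filebeat/${wazuh_filebeat_module}",
    extract      => true,
    extract_path => '/usr/share/filebeat/module',
    creates      => '/usr/share/filebeat/module/wazuh',
    cleanup      => true,
    require      => Package['filebeat'],
    notify       => Service['filebeat'],
  }

  file { '/usr/share/filebeat/module/wazuh':
    ensure  => 'directory',
    mode    => '0755',
    require => Package['filebeat'],
  }

  # The file resource below creates only the last path component, so any
  # missing parent directories are created first with mkdir -p.
  exec { "ensure full path of ${filebeat_path_certs}":
    path    => '/usr/bin:/bin',
    command => "mkdir -p ${filebeat_path_certs}",
    creates => $filebeat_path_certs,
    require => Package['filebeat'],
  }
  -> file { $filebeat_path_certs:
    ensure => directory,
    owner  => $filebeat_fileuser,
    group  => $filebeat_filegroup,
    mode   => '0500',
  }

  # TLS material, readable by its owner only. Each file notifies the service
  # so a rotated certificate or key is picked up by a restart instead of the
  # process continuing with the previous material.
  file { "${filebeat_path_certs}/filebeat.pem":
    ensure => file,
    owner  => $filebeat_fileuser,
    group  => $filebeat_filegroup,
    mode   => '0400',
    source => $filebeat_cert_source,
    notify => Service['filebeat'],
  }

  file { "${filebeat_path_certs}/filebeat-key.pem":
    ensure => file,
    owner  => $filebeat_fileuser,
    group  => $filebeat_filegroup,
    mode   => '0400',
    source => $filebeat_certkey_source,
    notify => Service['filebeat'],
  }

  file { "${filebeat_path_certs}/root-ca.pem":
    ensure => file,
    owner  => $filebeat_fileuser,
    group  => $filebeat_filegroup,
    mode   => '0400',
    source => $filebeat_node_rootca_source,
    notify => Service['filebeat'],
  }

  service { 'filebeat':
    ensure   => running,
    enable   => true,
    name     => $filebeat_oss_service,
    provider => 'systemd',
    require  => Package['filebeat'],
  }
}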