Add arcsight ingestion into logstash

Logstash is able to handle arcsight events, this PR enables that capability. Change-Id: Id220c671cc5d7cb7ee33fb53e2ae4185d579fc2a Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-23 13:35:01 -05:00 · 2018-07-23 13:35:01 -05:00 · 7b2e56885b
commit 7b2e56885b
parent f09f055020
2 changed files with 68 additions and 0 deletions
--- a/elk_metrics_6x/installLogstash.yml
+++ b/elk_metrics_6x/installLogstash.yml
@ -251,6 +251,59 @@
        src: "templates/logrotate.j2"
        dest: "/etc/logrotate.d/logstash"

+    - name: Run arcsight output block
+      block:
+        - name: Initialise arcsight local facts
+          ini_file:
+            dest: "/etc/ansible/facts.d/logstash.fact"
+            section: arcsight
+            option: "initialise"
+            value: true
+
+        - name: refresh local facts
+          setup:
+            filter: ansible_local
+            gather_subset: "!all"
+          tags:
+            - nova-config
+
+        - name: Setup arcsight smart connector
+          shell: >-
+            /usr/local/bin/logstash --modules arcsight {{ (ansible_local['arcsight'][item.host] is defined) | ternary('', '--setup') }}
+              -M "arcsight.var.input.smartconnector.bootstrap_servers={{ item.host }}:{{ item.port }}"
+              -M "arcsight.var.elasticsearch.hosts=localhost:{{ elastic_port }}"
+              -M "arcsight.var.kibana.host={{ hostvars[groups['kibana'][0]]['ansible_host'] }}:{{ kibana_port }}"
+          with_items: "{{ logstash_arcsight_smart_connectors }}"
+          run_once: true
+          register: smart_connector
+          until: smart_connector is success
+          retries: 5
+          delay: 5
+
+        - name: Setup arcsight event broker
+          shell: >-
+            /usr/local/bin/logstash --modules arcsight {{ (ansible_local['arcsight'][item.host] is defined) | ternary('', '--setup') }}
+              -M "arcsight.var.input.eventbroker.bootstrap_servers={{ item.host }}:{{ item.port }}"
+              -M "arcsight.var.elasticsearch.hosts=localhost:{{ elastic_port }}"
+              -M "arcsight.var.kibana.host={{ hostvars[groups['kibana'][0]]['ansible_host'] }}:{{ kibana_port }}"
+          with_items: "{{ logstash_arcsight_event_brokers }}"
+          run_once: true
+          register: event_broker
+          until: event_broker is success
+          retries: 5
+          delay: 5
+
+        - name: Set arcsight local facts
+          ini_file:
+            dest: "/etc/ansible/facts.d/logstash.fact"
+            section: arcsight
+            option: "{{ item.host }}"
+            value: "{{ item.port }}"
+          with_items: "{{ logstash_arcsight_smart_connectors | union(logstash_arcsight_event_brokers) }}"
+      when:
+        - logstash_arcsight_smart_connectors or
+          logstash_arcsight_event_brokers
+
  handlers:
    - name: Enable and restart logstash
      systemd:
--- a/elk_metrics_6x/vars/variables.yml
+++ b/elk_metrics_6x/vars/variables.yml
@ -107,6 +107,21 @@ logstash_deploy_filters: true
 # logstash_kafka_ssl_keystore_location: "/root/kafka/keystore.jks"
 # logstash_kafka_ssl_truststore_location: "/root/kafka/truststore.jks"

+## Setup servers that read events from the Smart Connector directly. This
+## supports multiple entries in list format using the "host" and "port" for the
+## smart connector.
+# logstash_arcsight_smart_connectors:
+#   - host: 127.0.0.1
+#     port: 5000
+logstash_arcsight_smart_connectors: []
+
+## Setup servers to read events from the Eevnt Broker Stream. This
+## multiple entries in list format using the "host" and "port" for the
+## for the event brokers.
+# logstash_arcsight_event_brokers:
+#   - host: 127.0.0.1
+#     port: 5000
+logstash_arcsight_event_brokers: []

 # APM vars
 apm_interface: 0.0.0.0