diff --git a/elk_metrics_6x/installFilebeat.yml b/elk_metrics_6x/installFilebeat.yml
index fc9fcf7b..77fb707e 100644
--- a/elk_metrics_6x/installFilebeat.yml
+++ b/elk_metrics_6x/installFilebeat.yml
@@ -122,6 +122,11 @@
 path: /var/log/designate
 register: designate
+ - name: Check for osquery
+ stat:
+ path: /var/log/osquery/osqueryd.results.log
+ register: osquery
+
 - name: Set discovery facts
 set_fact:
 apache_enabled: "{{ (apache2.stat.exists | bool) or (httpd.stat.exists | bool) }}"
@@ -140,6 +145,7 @@
 swift_enabled: "{{ (swift.stat.exists | bool) or (inventory_hostname in groups['swift_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*swift.*') | list | length) > 0) }}"
 rabbitmq_enabled: "{{ (rabbitmq.stat.exists | bool) or (inventory_hostname in groups['rabbitmq_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*rabbit.*') | list | length) > 0) }}"
 designate_enabled: "{{ (designate.stat.exists | bool) or (inventory_hostname in groups['designate_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*designate.*') | list | length) > 0) }}"
+ osquery_enabled: "{{ osquery.stat.exists | bool }}"
 post_tasks:
diff --git a/elk_metrics_6x/templates/filebeat.yml.j2 b/elk_metrics_6x/templates/filebeat.yml.j2
index f6c95430..c9dd7ccb 100644
--- a/elk_metrics_6x/templates/filebeat.yml.j2
+++ b/elk_metrics_6x/templates/filebeat.yml.j2
@@ -249,7 +249,7 @@ filebeat.modules:
 #------------------------------- Osquery Module ------------------------------
 - module: osquery
 result:
- enabled: true
+ enabled: {{ osquery_enabled | bool }}
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/osquery/installOsquery.yml b/osquery/installOsquery.yml
new file mode 100644
index 00000000..ef0ae3a1
--- /dev/null
+++ b/osquery/installOsquery.yml
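Review bot: The new `Check for osquery` task stats `/var/log/osquery/osqueryd.results.log`, and `osquery_enabled` in the second hunk of this file is derived from that stat alone; as far as I can tell osqueryd only creates the results log once a scheduled query has written output, so a host where osquery was installed shortly before Filebeat ran (or one configured for a different logger) is silently classified as not running osquery and its results are never shipped until the playbook is re-run. The sibling facts on the neighbouring lines (`swift_enabled`, `rabbitmq_enabled`, `designate_enabled`) fall back to inventory group membership, and this commit introduces an `osquery_hosts` group, so the new fact should follow the same pattern: `osquery_enabled: "{{ (osquery.stat.exists | bool) or (inventory_hostname in (groups['osquery_hosts'] | default([]))) }}"`. Both the task list and the `set_fact` block continue outside the hunks.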
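Review bot: `enabled: {{ osquery_enabled | bool }}` renders the Ansible boolean as `True`/`False` and aborts with an undefined-variable error whenever the template is rendered without the fact set in `installFilebeat.yml`, whereas the line it replaces was a plain lowercase `true`. Filebeat's YAML loader appears to accept the capitalised spelling, but defaulting and lower-casing keeps the rendered value in the same form as the original and makes the safe state (module disabled) explicit when the fact is missing: `enabled: {{ osquery_enabled | default(false) | bool | lower }}`. The osquery module block continues outside the hunk.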
@@ -0,0 +1,21 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install osquery
+ hosts: osquery_hosts
+ become: true
+
+ roles:
+ - osquery
diff --git a/osquery/inventory.example.yml b/osquery/inventory.example.yml
new file mode 100644
index 00000000..7b3006e7
--- /dev/null
+++ b/osquery/inventory.example.yml
@@ -0,0 +1,5 @@
+---
+# This is the location where osquery(s) will live
+osquery_hosts:
+ hosts:
+ all:
diff --git a/osquery/readme.rst b/osquery/readme.rst
new file mode 100644
index 00000000..6da9d8df
--- /dev/null
+++ b/osquery/readme.rst
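Review bot: The play applies a role named `osquery` with `become: true` on every host in `osquery_hosts`, but nothing in this commit vendors or pins that role; the readme added alongside it clones the role from a third-party GitHub repository at whatever its default branch holds at run time. Because the role runs privileged on every inventory host, pin it to a reviewed tag or commit — for example a `requirements.yml` entry with `src` and `version` installed via `ansible-galaxy install -r requirements.yml`, or a fixed revision in the documented clone step — so the deployed content is reproducible and an upstream change cannot silently alter what runs as root.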
@@ -0,0 +1,42 @@
+Install OSQuery
+###############
+:tags: openstack, ansible
+
+About this repository
+---------------------
+
+This set of playbooks will deploy osquery. If this is being deployed as part of
+an OpenStack all of the inventory needs will be provided for.
+
+There multiple ways to aggregate the data. At this point this repo does not provide
+one of said methods. It is currently intended to be utilized with the `elk_metrics_6x`.
+
+It is the intention that at a later point to the ability to configure osquery to report
+to a centralized place like (kolide/fleet)[https://github.com/kolide/fleet], (zentral)[https://github.com/zentralopensource/zentral],
+etc.
+
+**These playbooks require Ansible 2.4+.**
+
+Deployment Process
+------------------
+
+Clone the osa ops repo
+
+.. code-block:: bash
+
+ cd /opt
+ git clone https://github.com/openstack/openstack-ansible-ops
+
+Clone the osquery role
+
+.. code-block:: bash
+
+ cd /opt
+ git clone https://github.com/devx/ansible-osquery.git /etc/ansible/roles/osquery
+
+install osquery
+
+.. code-block:: bash
+
+ cd /opt/openstack-ansible-ops/osquery
+ openstack-ansible installOsquery.yml