Add fileset for system module

docs/role-beats.md

@@ -59,10 +59,11 @@ filebeat_journald_inputs:
   everything:
     id: everything
 ```
-* *filebeat_docker*: Enable collection of Docker logs (default: `false`)
+* *filebeat_docker*: Enable collection of Docker logs (default: `false`) **ONLY WORKS ON RELEASE 7 SO FAR**
 * *filebeat_docker_ids*: IDs of containers to collect. (default: `*`)
 
 * *filebeat_loadbalance*: Enable loadbalancing for Filebeats Logstash output (default: `true`)
+* *filebeat_modules*: **EXPERIMENTAL**: Give a list of modules to enable. (default: none)
 
 * *beats_auditbeat*: Install and manage filebeat (Default: `false`)
 * *beats_auditbeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`)

molecule/beats_peculiar/converge.yml

@@ -20,6 +20,7 @@
           match: after
     elasticsearch_jna_workaround: true
     elasticsearch_disable_systemcallfilterchecks: true
+    elastic_stack_full_stack: false
     filebeat_mysql_slowlog_input: true
     beats_auditbeat: true
     beats_auditbeat_version: latest
@@ -32,18 +33,21 @@
           - _SYSTEMD_UNIT=vault.service
     beats_metricbeat: true
     metricbeat_output: logstash
-    filebeat_docker: true
+    #filebeat_docker: true
     elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
   tasks:
-    - name: Set Filebeat version on RedHat
-      set_fact:
-        beats_filebeat_version: "-7.16.1"
-      when: ansible_os_family == "RedHat"
+    # Looks like Elastic isn't providing all old releases
+    # anymore
+    #
+    #- name: Set Filebeat version on RedHat
+    #  set_fact:
+    #    beats_filebeat_version: "-7.16.1"
+    #  when: ansible_os_family == "RedHat"
 
-    - name: Set Filebeat version on Debian
-      set_fact:
-        beats_filebeat_version: "=7.16.1"
-      when: ansible_os_family == "Debian"
+    #- name: Set Filebeat version on Debian
+    #  set_fact:
+    #    beats_filebeat_version: "=7.16.1"
+    #  when: ansible_os_family == "Debian"
 
     - name: "Include Elastics repos role"
       include_role:

roles/beats/tasks/filebeat.yml

@@ -37,28 +37,40 @@
     - filebeat_configuration
     - beats_configuration
 
-- name: Enable modules
-  command: "filebeat modules enable {{ item }}"
-  args:
-    creates: "/etc/filebeat/modules.d/{{ item }}.yml"
-  with_items: "{{ filebeat_modules }}"
+- name: Configure modules
   when: filebeat_modules is defined
   tags:
     - configuration
     - filebeat_configuration
     - beats_configuration
+  block:
 
-- name: Enable Ingest Pipelines
-  command: >
-    /usr/bin/filebeat setup --pipelines --modules {{ item }} &&
-    /usr/bin/filebeat version > /etc/filebeat/{{ item }}_pipeline_created
-  args:
-    creates: "/etc/filebeat/{{ item }}_pipeline_created"
-  notify:
-    - Restart Filebeat
-  changed_when: false
-  with_items: "{{ filebeat_modules }}"
-  when: filebeat_modules is defined
+    - name: Enable modules
+      command: "filebeat modules enable {{ item }}"
+      args:
+        creates: "/etc/filebeat/modules.d/{{ item }}.yml"
+      with_items: "{{ filebeat_modules }}"
+
+    - name: Enable System module
+      template:
+        src: filebeat-system.yml.j2
+        dest: /etc/filebeat/modules.d/system.yml
+        owner: root
+        group: root
+        mode: 0644
+      when:
+        - elastic_release | int > 7
+
+    - name: Enable Ingest Pipelines
+      command: >
+        /usr/bin/filebeat setup --pipelines &&
+        /usr/bin/filebeat version > /etc/filebeat/{{ item }}_pipeline_created
+      args:
+        creates: "/etc/filebeat/{{ item }}_pipeline_created"
+      with_items: "{{ filebeat_modules }}"
+      notify:
+        - Restart Filebeat
+      changed_when: false
 
 - name: Start Filebeat
   service:

roles/beats/templates/filebeat-system.yml.j2

@@ -0,0 +1,6 @@
+- module: system
+  syslog:
+    enabled: true
+    var.paths:
+      - /var/log/syslog
+      - /var/log/messages