From a7cf7a2f772413a2e4922bb3dcd6401cebbced0b Mon Sep 17 00:00:00 2001
From: Jimmy Herrera
Date: Wed, 26 Sep 2018 12:03:48 -0600
Subject: [PATCH] Change configuration for logstash output and beats default listen port
---
 defaults/main.yml | 4 ++--
 files/filters/nginx.conf | 25 -----------------------
 templates/03-elasticsearch-output.conf.j2 | 2 +-
 3 files changed, 3 insertions(+), 28 deletions(-)
 delete mode 100644 files/filters/nginx.conf
diff --git a/defaults/main.yml b/defaults/main.yml
index 064bf96..448b9fe 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,12 +2,12 @@
 logstash_major_ver: 6.x
 logstash_repo_key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
 logstash_deb_repo: "deb https://artifacts.elastic.co/packages/{{ logstash_major_ver }}/apt stable main"
-logstash_listen_port_beats: 5044
+logstash_listen_port_beats: 5043
 logstash_local_syslog_path: /var/log/syslog
 logstash_monitor_local_syslog: true
 logstash_enabled_on_boot: yes
 logstash_min_memory_required: 2048
-logstash_elasticsearch_hosts: "{{ groups['elasticsearch'] | map('extract', hostvars, ['ansible_host']) | list }}"
 logstash_elasticsearch_inventory_group_name: elasticsearch
+logstash_elasticsearch_hosts: "{{ groups[logstash_elasticsearch_inventory_group_name] | map('extract', hostvars, ['ansible_host']) | list }}"
 logstash_install_plugins:
 - logstash-input-beats
\ No newline at end of file
diff --git a/files/filters/nginx.conf b/files/filters/nginx.conf
deleted file mode 100644
index 331b631..0000000
--- a/files/filters/nginx.conf
+++ /dev/null
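Review bot: The new default `logstash_listen_port_beats: 5043` moves the Beats input off 5044, which, as far as I recall from the Beats documentation, is the port Filebeat and friends use by default for their Logstash output, so any shipper left on its defaults will silently stop delivering instead of failing loudly. If the move is intentional, say so at the variable: `# Beats shippers must be pointed at this port explicitly; their built-in default is 5044`. The rewritten `logstash_elasticsearch_hosts` is a welcome fix for the hard-coded group name, but it still dereferences `ansible_host` for every member of the group, so an inventory host that relies on `inventory_hostname` without an explicit `ansible_host` will presumably make the template render an undefined value; a `# every host in the group needs ansible_host set` note, or a `default()` guard, would make that expectation visible. While here, `logstash_enabled_on_boot: yes` on the context line is a YAML 1.1 truthy that reads as a string under 1.2 parsers; `true` is the unambiguous spelling.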
@@ -1,25 +0,0 @@
-filter {
- if [type] == "nginx-access" {
- grok {
- match => [
- "message", "%{IPORHOST:http_host} %{IPORHOST:clientip} \[%{HTTPDATE:httptimestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float} %{NUMBER:upstream_time:float} \"(%{NUMBER:user_id:int}|-)?\" \"(%{UUID:request_id}|-)?\"",
- "message", "%{IPORHOST:http_host} %{IPORHOST:clientip} \[%{HTTPDATE:httptimestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float} %{NUMBER:upstream_time:float}",
- "message", "%{IPORHOST:http_host} %{IPORHOST:clientip} \[%{HTTPDATE:httptimestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float}"
- ]
- add_field => [ "received_at", "%{@timestamp}" ]
- }
- date {
- match => [ "httptimestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
- }
- geoip {
- source => "clientip"
- }
- mutate {
- remove_field => [ "httptimestamp", "agent", "bytes", "httpversion", "message", "upstream_time", "timestamp" ]
- }
- }
-
- if "_grokparsefailure" in [tags] {
- drop { }
- }
-}
\ No newline at end of file
diff --git a/templates/03-elasticsearch-output.conf.j2 b/templates/03-elasticsearch-output.conf.j2
index 3faf767..1eb9651 100644
--- a/templates/03-elasticsearch-output.conf.j2
+++ b/templates/03-elasticsearch-output.conf.j2
@@ -2,7 +2,7 @@ output {
 elasticsearch {
 hosts => {{ logstash_elasticsearch_hosts | to_json }}
 index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
- document_type => "%{[@metadata][type]}"
+ document_type => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
 flush_size => '100'
 }
 }
\ No newline at end of file
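Review bot: The new `document_type` is the same per-day string as `index`, so every daily index gets a mapping type named after itself; the 6.x output plugin accepts that, but `document_type` is deprecated there (the plugin already falls back to a single `doc` type) and mapping types are removed in Elasticsearch 7, so this line is redundant today and the first thing to break on upgrade — dropping the `document_type` line entirely is the safer change. As written, `hosts` receives bare addresses taken from `ansible_host`, so the plugin will presumably speak plain HTTP on the default port with no credentials; if the cluster is secured, the scheme, `user`/`password` and `ssl`/`cacert` options belong in this template instead of being assumed. The enclosing `output { ... }` block opens on the line before this hunk.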