add osquery

* install osquery
   * add filebeat integration

Change-Id: Ia93595482512460ebdd287cf091cb5fe51b00de4

elk_metrics_6x/installFilebeat.yml

@@ -122,6 +122,11 @@
         path: /var/log/designate
       register: designate
 
+    - name: Check for osquery
+      stat:
+        path: /var/log/osquery/osqueryd.results.log
+      register: osquery
+
     - name: Set discovery facts
       set_fact:
         apache_enabled: "{{ (apache2.stat.exists | bool) or (httpd.stat.exists | bool) }}"
@@ -140,6 +145,7 @@
         swift_enabled: "{{ (swift.stat.exists | bool) or (inventory_hostname in groups['swift_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*swift.*') | list | length) > 0) }}"
         rabbitmq_enabled: "{{ (rabbitmq.stat.exists | bool) or (inventory_hostname in groups['rabbitmq_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*rabbit.*') | list | length) > 0) }}"
         designate_enabled: "{{ (designate.stat.exists | bool) or (inventory_hostname in groups['designate_all'] | default([])) or (((groups[inventory_hostname + '-host_containers'] | default([])) | select('match', '.*designate.*') | list | length) > 0) }}"
+        osquery_enabled: "{{ osquery.stat.exists | bool }}"
 
 
   post_tasks:

elk_metrics_6x/templates/filebeat.yml.j2

@@ -249,7 +249,7 @@ filebeat.modules:
 #------------------------------- Osquery Module ------------------------------
 - module: osquery
   result:
-    enabled: true
+  enabled: {{ osquery_enabled | bool }}
 
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.

osquery/installOsquery.yml

@@ -0,0 +1,21 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install osquery
+  hosts: osquery_hosts
+  become: true
+
+  roles:
+    - osquery

osquery/inventory.example.yml

@@ -0,0 +1,5 @@
+---
+# This is the location where osquery(s) will live
+osquery_hosts:
+  hosts:
+    all:

osquery/readme.rst

@@ -0,0 +1,42 @@
+Install OSQuery
+###############
+:tags: openstack, ansible
+
+About this repository
+---------------------
+
+This set of playbooks will deploy osquery. If this is being deployed as part of
+an OpenStack all of the inventory needs will be provided for.
+
+There multiple ways to aggregate the data. At this point this repo does not provide
+one of said methods.  It is currently intended to be utilized with the `elk_metrics_6x`.
+
+It is the intention that at a later point to the ability to configure osquery to report
+to a centralized place like (kolide/fleet)[https://github.com/kolide/fleet], (zentral)[https://github.com/zentralopensource/zentral],
+etc.
+
+**These playbooks require Ansible 2.4+.**
+
+Deployment Process
+------------------
+
+Clone the osa ops repo
+
+.. code-block:: bash
+
+    cd /opt
+    git clone https://github.com/openstack/openstack-ansible-ops
+
+Clone the osquery role
+
+.. code-block:: bash
+
+    cd /opt
+    git clone https://github.com/devx/ansible-osquery.git /etc/ansible/roles/osquery
+
+install osquery
+
+.. code-block:: bash
+
+    cd /opt/openstack-ansible-ops/osquery
+    openstack-ansible installOsquery.yml