From 3d523b26b8a2f742970f71080a883f99b1b9ce74 Mon Sep 17 00:00:00 2001
From: Alex Dworjan
Date: Wed, 8 Nov 2023 15:13:15 -0500
Subject: [PATCH] modified for new server
---
.ansible-sign/sha256sum.txt | 8 +-
.ansible-sign/sha256sum.txt.sig | 22 ++--
MANIFEST.in | 3 +-
Promgraf_collection.yml | 227 --------------------------------
collections/requirements.yml | 12 +-
files/httpd.conf | 106 ---------------
templates/prometheus.yml.j2 | 6 +-
7 files changed, 29 insertions(+), 355 deletions(-)
delete mode 100644 Promgraf_collection.yml
delete mode 100644 files/httpd.conf
diff --git a/.ansible-sign/sha256sum.txt b/.ansible-sign/sha256sum.txt
index 384e378..a4c7c70 100644
--- a/.ansible-sign/sha256sum.txt
+++ b/.ansible-sign/sha256sum.txt
@@ -3,15 +3,13 @@ d617f2ba228280d85aadf765d632795cc524fdbe647b342e66f8501e54cc2076 .config/ansibl ca3f84e14f6aa778003094fd160710543fae3594d76dbc4335d2d0b77245e8ce AnsibleSSP.code-workspace e81d36021af399b6ecafeecde71a8634aacbf718a56ecc5878dec71180d8b704 ELKBuild.yml c8066ae4c79ca812f0abde5b42d4a0bf954a60c88b3eab2149d75d98b567c931 Elastic_restart.yml -34f2b820ddd24642f57eb68f51ec9b990c762f6ac80eebc792cb2c9c42a2f061 MANIFEST.in +936cb966490bb452f91f2cb5b0821ef31c4bc8e62cf2c57a2c11640b60db7e18 MANIFEST.in 2e796c430ae2e8f0d061770ae1f58b19aaa8aec077388a73051dd71a316c4218 Nodeexporter.yml 5d7e02fa3a7a73509e6626d581883804627acec2859ded3b934418dce963f6be Promgraf.yml -bcd68581c4f313cac4d424b05d24925f2c98ce28d704df888540fedc04ba9852 Promgraf_collection.yml 798346886b7ec801a19ed365c33f092e2d5dfb564c034ae886bc51785c89b232 README.md -e7106815fb74fd3100fa110ffc0d90b0ea09ac3953af2c90b93e02756b02e637 collections/requirements.yml +88223aecf0ee1bfa38a215a481e1dd48054d043a7b52b9fd81243f9699d6142c collections/requirements.yml bcc7a97fdb676c3f94875a674a87d25cd286cabba5820a5bb0a3eb228951b568 email.yml b3465bdbfe9364aad6ada9dbcee1bac37468ad2d7977fd66e277a6af3f921cae eventautoprep.yml -1c554276812fa760a16c4988581a81a5093644000c3d9c8d4945a8deaac46a7c files/httpd.conf e0aa583a3faf802922a6cb66c3e2fa5906105a619a6d9821f47c6a068e728570 jenkins.yml 6bcc31ad73d759142e93649f183579ba3d9b07edb47a95456abb4f3b779f9830 kafkainstall.yml 563d171c990cfb653bf7da7cdf93f524e2ddaab60abb2f7d39fa98d358eea98b roles/elk_build/defaults/main.yml 
@@ -61,6 +59,6 @@ f15fd50d2ee1d7cd5043153a707948b5897de8b1a544b226b33d493f4fe98f95 snortbuildconf ff3bc0d052a72eb88bf093b9a2b9f31946032ab78dc7c4c742017f161f38763f templates/disk-rules.yml.j2 4efc90532be325e9b1533dafd61e5a199ad5a604350d262f0b40e2de79a7acde templates/exporter-rules.yml.j2 fef16c7d9970db7617d990e44f5cb58a277379aaeed44aaf7ca482268e75b0e1 templates/mem-rules.yml.j2 -d6c51a903d4a3b1a0b61a53757e59eb9f6e6c4c3dce675b45217b2a978e1b85a templates/prometheus.yml.j2 +08c16e7aca8cb6fc1f225a4e5235e9dc6c0c5dfb3af95a9ad4e6e1259eb02dbc templates/prometheus.yml.j2 02cdf458f30d546ce04c259a6651505887d877fe3154a90eb3d9093320f8b1f1 templates/selinux-rules.yml.j2 bb2b6aed7f5314cb3c8077f77f762b238a4fc32a93838ac32cc0f2caf07d2f79 winlogbeatinstall.yml diff --git a/.ansible-sign/sha256sum.txt.sig b/.ansible-sign/sha256sum.txt.sig index bc08b86..946dd7c 100644 --- a/.ansible-sign/sha256sum.txt.sig +++ b/.ansible-sign/sha256sum.txt.sig 
@@ -1,14 +1,14 @@ -----BEGIN PGP SIGNATURE----- -iQGzBAABCAAdFiEE/bJvyFHKKJdaZDOLTiIiIXrUDNEFAmVL080ACgkQTiIiIXrU -DNFHAAv7BxdpNfSC+w0WAHc4zQraCs9EgUym9C5K/dVg8pvQrAjgyEFiTBZqLSlQ -1JTIIWt2BGsNCRuaXnpfM2YyFh8e+NjeqS7nPVBtWidnbhGN7sC7qifBJjBxae4P -FuaiYDv9qsGWBwhXYk+FxqXvRvqXXp4avht+G5UMzD8bq+G0kq7hkZHJY/jASOsg -bzoP1DN9mFidmnO4pcgmnh0t8I8/qeCT0D2y+/JoAimJOe3uiT4jfayVNrD5Oavl -aLWcqjfSqJd7HmTz9ZcgRXDK9t5XUT3bK6nzu9BEbaTCjkujT3tXD90HxnZglNNv -pk2B503BBlsRF1Nqs2oqJLP4ihnA3Gy96k67EIQsVfe2bWEwSozEFGE6cmgnAVdA -EWUTDmT5PsKXkWOxkJoEvAg4Z4A94dSv12icwkkL9Q4G0rnIUOf1GXFasFZWlv/b -L7xsPaRWJJ7KgD12T25msR9E60T2qr5VBDTYqsqTP9NnRrvFobS/JpB7AkwFj3aJ -ISjZPIsd -=5HdC +iQGzBAABCAAdFiEE/bJvyFHKKJdaZDOLTiIiIXrUDNEFAmVL68MACgkQTiIiIXrU +DNGCXQwAhWF4N3WbSqlFcJgrQhlBTaYb/z6BM0ENL7CM8+JJg6tYvSWcM278heON +3rTvE4OcyOAljy/eRD31PwEzLOWt33/t2x6mRa/K1KVjSLQ0eeC0vvRNtPq+Gtz1 +gADyKiGfnP+dzK0Tr8kThEGWMU9TF24XYfBKeaDTwG9xSmY+PXjwTwrpFHzFAgcX +vWUG7rrLHkmgAtePVO9kNrZUdgWm/99TIDfk2JAyBuplRBGx127oO6FUb9FNXUv5 ++Ml1INecfLK4xfD9hfee3utZQhRvStxMnRreVHVXC16udLRSzffh8Cv4sljwq1uz +rUFpdK3HlhwS1y7/pnIoihG9kZZqGDJVS4KQqXynhNK96FxY+RjRvDhVJr43XxqV +eqhvqrWcF2+4XS069zXHROCdJuJ+XI/CywQPqPG5vu2W+QA1iMhMY/lo95CcPjwB +Q+i7lGql9OO/Nb9XZ8r2NaKEqh+cGhbKSdNcXV9dJvi6BKLkLWfeHDKodDaFoe// +BA2i7Dkw +=WaFR -----END PGP SIGNATURE-----
diff --git a/MANIFEST.in b/MANIFEST.in
index 5766126..91541de 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -6,5 +6,4 @@ include *.code-workspace
 recursive-exclude .git *
 recursive-include collections *.yml
 recursive-include roles *
-recursive-include templates *
-recursive-include files *
\ No newline at end of file
+recursive-include templates *
\ No newline at end of file
diff --git a/Promgraf_collection.yml b/Promgraf_collection.yml
deleted file mode 100644
index 6c9f92f..0000000
--- a/Promgraf_collection.yml
+++ /dev/null
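Review bot: Dropping `recursive-include files *` from MANIFEST.in narrows what the ansible-sign checksum manifest covers, because sha256sum.txt is built from these include rules. With files/httpd.conf deleted nothing is lost today, but a file added under files/ later would, as far as this hunk shows, be left out of the manifest and so not checked at verification. Consider keeping `recursive-include files *` so that path stays under signature if it is used again.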
@@ -1,227 +0,0 @@ ---- -- name: Install Prometheus and Grafana - hosts: all - vars: - prometheus_alertmanager_config: - - static_configs: - - targets: ['grafprom.shadowman.dev:9093'] - prometheus_global: - scrape_interval: 5m - scrape_timeout: 10s - evaluation_interval: "{{ tower_scrape }}" - prometheus_scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['{{ inventory_hostname }}:9090'] - - job_name: 'tower metrics' - metrics_path: /api/v2/metrics/ - scrape_interval: '{{ tower_scrape }}' - scheme: https - bearer_token: "{{ bearer_token }}" - static_configs: - - targets: ['tower1.shadowman.dev:443]'] - - job_name: 'tower1.shadowman.dev' - scrape_interval: '{{ tower_scrape }}' - static_configs: - - targets: ['tower1.shadowman.dev:9100'] - - job_name: 'tower2.shadowman.dev' - scrape_interval: '{{ tower_scrape }}' - static_configs: - - targets: ['tower2.shadowman.dev:9100'] - - job_name: 'rhel8.shadowman.dev' - scrape_interval: '{{ tower_scrape }}' - static_configs: - - targets: ['rhel8.shadowman.dev:9100'] - prometheus_alert_rules: # noqa yaml[line-length] # noqa line-length - - groups: - - name: selinux-rules - rules: - - alert: SELinuxDisabled - expr: node_selinux_current_mode == 0 - for: '{{ tower_scrape }}' - labels: - severity: critical - annotations: - description: 'SELINUX Disabled for {% raw %}{{ $labels.job }}{% endraw %}.' 
- summary: 'SELINUX Disabled (instance: {% raw %}{{ $labels.job }}{% endraw %})' - - groups: - - name: memory-rules - rules: - - alert: HostOutOfMemory - expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10 - for: '{{ tower_scrape }}' - labels: - severity: warning - annotations: - summary: 'Host out of memory (instance: {% raw %}{{ $labels.job }}{% endraw %})' - description: 'Node memory is filling up (< 10% left) VALUE = {% raw %}{{ $value }}{% endraw %}' - - alert: HostTooMuchMemory - expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 > 90 - for: '{{ tower_scrape }}' - labels: - severity: warning - annotations: - summary: 'Host too much free memory (instance: {% raw %}{{ $labels.job }}{% endraw %})' - description: 'Node memory is too free (> 90% left) VALUE = {% raw %}{{ $value }}{% endraw %}' - - groups: - - name: exporter-rules - rules: - - alert: ExporterDown - expr: up == 0 - for: '{{ tower_scrape }}' - labels: - severity: critical - annotations: - description: 'Metrics exporter service for {% raw %}{{ $labels.job }}{% endraw %} running on {% raw %}{{ $labels.instance }}{% endraw %} has been down for more than 5 minutes.' 
- summary: 'Exporter down (instance: {% raw %}{{ $labels.job }}{% endraw %})' - - groups: - - name: disk-rules - rules: - - alert: HostOutOfDiskSpace - expr: (node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 - for: '{{ tower_scrape }}' - labels: - severity: warning - annotations: - summary: 'Host out of disk space (instance: {% raw %}{{ $labels.job }}{% endraw %})' - description: 'Disk is almost full (< 10% left) VALUE = {% raw %}{{ $value }}{% endraw %}' - - groups: - - name: cpu-rules - rules: - - alert: HostHighCpuLoad - expr: 100 - (avg by(instance,job) (rate(node_cpu_seconds_total{mode="idle"}[{{ rate_number }}])) * 100) > {{ cpuload }} - for: '{{ tower_scrape }}' - labels: - severity: critical - annotations: - summary: 'Host high CPU load (instance: {% raw %}{{ $labels.job }}{% endraw %})' - description: 'CPU load is > {{ cpuload }}% VALUE = {% raw %}{{ $value }}{% endraw %}' - - alert: HostLowCpuLoad - expr: 100 - (avg by(instance,job) (rate(node_cpu_seconds_total{mode="idle"}[{{ rate_number }}])) * 100) < .1 - for: '{{ tower_scrape }}' - labels: - severity: warning - annotations: - summary: 'Host low CPU load (instance: {% raw %}{{ $labels.job }}{% endraw %})' - description: 'CPU load is < .1% VALUE = {% raw %}{{ $value }}{% endraw %}' - alertmanager_receivers: - - name: snow - webhook_configs: - - url: "http://eda.shadowman.dev:8000/endpoint" - send_resolved: false - alertmanager_route: - group_by: ['instance', 'alert'] - group_wait: 5s - group_interval: 10s - repeat_interval: 3h - receiver: 'snow' - grafana_server: - protocol: https - cert_key: "/etc/grafana/shadowman_private.key" - cert_file: "/etc/grafana/shadowman_cert.cer" - enforce_domain: false - enable_gzip: false - static_root_path: public - router_logging: false - serve_from_sub_path: false - - pre_tasks: - - - name: Open Firewalld for grafana - ansible.posix.firewalld: - port: 3000/tcp - permanent: true - state: enabled - notify: restart_firewalld - - roles: - - 
prometheus.prometheus.prometheus - - prometheus.prometheus.alertmanager - - grafana.grafana.grafana - - tasks: - - name: Copy Cert for prometheus - ansible.builtin.copy: - src: /certs/shadowman_cert.cer - dest: /certs/shadowman_cert.cer - owner: root - group: root - mode: '0644' - - - name: Copy Key for prometheus - ansible.builtin.copy: - src: /certs/shadowman_private.key - dest: /certs/shadowman_private.key - owner: root - group: root - mode: '0644' - - - name: Copy Cert for grafana - ansible.builtin.copy: - src: /certs/shadowman_cert.cer - dest: /etc/grafana/shadowman_cert.cer - owner: grafana - group: grafana - mode: '0644' - notify: restart_grafana - - - name: Copy Key for grafana - ansible.builtin.copy: - src: /certs/shadowman_private.key - dest: /etc/grafana/shadowman_private.key - owner: grafana - group: grafana - mode: '0644' - - - name: Install httpd - ansible.builtin.package: - name: httpd - state: present - notify: HTTPD_running - - - name: Copy over httpd config - ansible.builtin.copy: - src: files/httpd.conf - dest: /etc/httpd/conf/httpd.conf - owner: root - group: root - mode: '0644' - - - name: Open Firewalld for prometheus - ansible.posix.firewalld: - port: 9090/tcp - permanent: true - state: enabled - notify: restart_firewalld - - - name: Open Firewalld for prometheus https - ansible.posix.firewalld: - port: 3000/tcp - permanent: true - state: enabled - notify: restart_firewalld - - - name: Open Firewalld for alertmanager - ansible.posix.firewalld: - port: 9093/tcp - permanent: true - state: enabled - notify: restart_firewalld - - handlers: - - name: restart_firewalld - ansible.builtin.service: - name: firewalld - state: restarted - - - name: HTTPD_running - ansible.builtin.service: - name: httpd - state: started - enabled: true - - - name: "Restart grafana" - ansible.builtin.service: - name: grafana-server - state: restarted - listen: "restart_grafana" 
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 1566042..6b6af97 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -1,5 +1,13 @@ collections: - - name: prometheus.prometheus + - name: ansible.posix - - name: grafana.grafana + - name: ansible.tower + + - name: ansible.netcommon + + - name: google.cloud + + - name: community.kubernetes + + - name: community.general
diff --git a/files/httpd.conf b/files/httpd.conf
deleted file mode 100644
index 0a9ba4f..0000000
--- a/files/httpd.conf
+++ /dev/null
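Review bot: None of the six collections added under `collections:` carries a `version:`, so every project sync installs whatever is newest at that moment; the signature in .ansible-sign covers this file's text, not the collection content it resolves to. Pin each entry, e.g. `- name: ansible.posix` followed by `version: "<pinned version>"`, and take upgrades as separate, reviewed commits. `community.kubernetes` has been superseded by `kubernetes.core`, so that entry is worth replacing if its modules are still needed. The hunk also removes `prometheus.prometheus` and `grafana.grafana`; whether Promgraf.yml, which stays in the checksum manifest, still depends on them is not visible here.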
@@ -1,106 +0,0 @@ -ServerRoot "/etc/httpd" -Listen 80 -Include conf.modules.d/*.conf -User apache -Group apache -ServerAdmin root@localhost - - AllowOverride none - Require all denied - -DocumentRoot "/var/www/html" - - AllowOverride None - # Allow open access: - Require all granted - - - - Options Indexes FollowSymLinks - AllowOverride None - Require all granted - - - - DirectoryIndex index.html - - - - Require all denied - - -ErrorLog "logs/error_log" - -LogLevel warn - - - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - #CustomLog "logs/access_log" common - - CustomLog "logs/access_log" combined - - - - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - - - - - AllowOverride None - Options None - Require all granted - - - - TypesConfig /etc/mime.types - - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -AddDefaultCharset UTF-8 - - - MIMEMagicFile conf/magic - - -EnableSendfile on - -IncludeOptional conf.d/*.conf - - - ProxyPass "http://localhost:9090" - ProxyPassReverse "http://localhost:9090" - - - - Redirect "/alerts" "/prometheus/alerts" - Redirect "/api" "/prometheus/api" - Redirect "/config" "/prometheus/config" - Redirect "/flags" "/prometheus/flags" - Redirect "/graph" "/prometheus/graph" - Redirect "/rules" "/prometheus/rules" - Redirect "/static" "/prometheus/static" - Redirect "/status" "/prometheus/status" - Redirect "/targets" "/prometheus/targets" - - -Listen 9200 - - ProxyPass /prometheus/ "http://localhost:9090" - ProxyPassReverse /prometheus/ "http://localhost:9090" - Redirect "/" "/prometheus/" - ServerName grafprom.shadowman.dev - SSLEngine on - SSLCertificateFile /certs/shadowman_cert.cer - SSLCertificateKeyFile /certs/shadowman_private.key - \ No newline at end of file 
diff --git a/templates/prometheus.yml.j2 b/templates/prometheus.yml.j2
index acd8298..e32a921 100644
--- a/templates/prometheus.yml.j2
+++ b/templates/prometheus.yml.j2
@@ -16,9 +16,10 @@ global: alerting: alertmanagers: - - static_configs: + - scheme: https + static_configs: - targets: - - promgraf.shadowman.dev:9093 + - grafprom.shadowman.dev:9093 rule_files: - "/etc/prometheus/rules/*.yml"
@@ -27,6 +28,7 @@ scrape_configs: # Scrape job for prometheus - job_name: 'prometheus' + scheme: https static_configs: - targets: ['{{ inventory_hostname }}:9090']
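Review bot: `scheme: https` is added to the alertmanagers entry and, in the second hunk, to the `prometheus` scrape job without a `tls_config`, so both connections are verified against the system trust store only. If the shadowman certificate comes from a private CA or is self-signed these requests will fail, and the safer fix is to name the CA, `tls_config:` with `ca_file: <path to CA bundle>`, rather than setting `insecure_skip_verify: true`. The self-scrape target `{{ inventory_hostname }}:9090` also assumes Prometheus itself serves TLS on 9090 with a certificate valid for that name; this commit deletes the httpd proxy that terminated TLS, and the web TLS configuration is not visible in the diff. Both blocks continue outside their hunks.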