nixos/packetbeat: Add basic module for packetbeat #94862
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,185 @@ | ||
| { config, lib, pkgs, ... }: | ||
|
|
||
| with lib; | ||
|
|
||
| let | ||
| cfg = config.services.packetbeat; | ||
|
|
||
| packetbeatYml = pkgs.writeText "packetbeat.yml" '' | ||
| name: ${cfg.name} | ||
| tags: ${builtins.toJSON cfg.tags} | ||
|
|
||
| ${cfg.configFlows} | ||
| ${cfg.configProtocols} | ||
| ${cfg.extraConfig} | ||
| ''; | ||
|
|
||
| in | ||
| { | ||
| options = { | ||
|
|
||
| services.packetbeat = { | ||
|
|
||
| enable = mkEnableOption "packetbeat"; | ||
|
|
||
| package = mkOption { | ||
| type = types.package; | ||
| default = pkgs.packetbeat; | ||
| defaultText = "pkgs.packetbeat"; | ||
| example = literalExample "pkgs.packetbeat7"; | ||
| description = '' | ||
| The packetbeat package to use | ||
| ''; | ||
| }; | ||
|
|
||
| name = mkOption { | ||
| type = types.str; | ||
| default = "packetbeat"; | ||
| description = "Name of the beat"; | ||
| }; | ||
|
|
||
| tags = mkOption { | ||
| type = types.listOf types.str; | ||
| default = []; | ||
| description = "Tags to place on the shipped log messages"; | ||
| }; | ||
|
|
||
| stateDir = mkOption { | ||
lejonet marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| type = types.str; | ||
| default = "packetbeat"; | ||
| description = '' | ||
| Directory below <literal>/var/lib/</literal> to store packetbeat's | ||
| own logs and other data. This directory will be created automatically | ||
| using systemd's StateDirectory mechanism. | ||
| ''; | ||
| }; | ||
|
|
||
| configFlows = mkOption { | ||
|
There was a problem hiding this comment. If this is just There was a problem hiding this comment. It is just yaml, this was a quick way of getting the module usable. My plan was to first get something usable, then refactor it to be smart too. |
||
| type = types.lines; | ||
| default = '' | ||
| packebeat.flows: | ||
| timeout: 30s | ||
| period: 10s | ||
| ''; | ||
| description = '' | ||
| Configuration of how packetbeat should handle flows. See | ||
| <link xlink:href='https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-flows.html'/> | ||
| for all available configuration options. | ||
| ''; | ||
| }; | ||
|
|
||
| configProtocols = mkOption { | ||
|
There was a problem hiding this comment. Would this benefit from a structured type? Maybe There was a problem hiding this comment. Not impossible, its purely yaml it needs to generate, so a structured type would probably fit. As said in other comments, this was a quick way to getting it usable. |
||
| type = types.lines; | ||
| default = '' | ||
| packetbeat.protocols: | ||
| - type: icmp | ||
| enabled: true | ||
| - type: amqp | ||
| ports: [5672] | ||
| - type: cassandra | ||
| ports: [9042] | ||
| - type: dhcpv4 | ||
| ports: [67, 68] | ||
| - type: dns | ||
| ports: [53] | ||
| - type: http | ||
| ports: [80, 8080, 8000, 5000, 8002] | ||
| - type: memcache | ||
| ports: [11211] | ||
| - type: mysql | ||
| ports: [3306,3307] | ||
| - type: pgsql | ||
| ports: [5432] | ||
| - type: redis | ||
| ports: [6379] | ||
| - type: thrift | ||
| ports: [9090] | ||
| - type: mongodb | ||
| ports: [27017] | ||
| - type: nfs | ||
| ports: [2049] | ||
| - type: tls | ||
| ports: | ||
| - 443 # HTTPS | ||
| - 993 # IMAPS | ||
| - 995 # POP3S | ||
| - 5223 # XMPP over SSL | ||
| - 8443 | ||
| - 8883 # Secure MQTT | ||
| - 9243 # Elasticsearch | ||
|
|
||
| ''; | ||
| description = '' | ||
| Configuration of what protocols packetbeat should gather info about. | ||
| See <link xlink:href='https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-protocols.html'/> | ||
| for the configuration options available. | ||
| ''; | ||
| }; | ||
|
|
||
| extraConfig = mkOption { | ||
| type = types.lines; | ||
| default = '' | ||
| packetbeat.interfaces.device: any | ||
|
|
||
| setup.template.settings: | ||
| index.number_of_shards: 1 | ||
|
|
||
| setup.kibana: | ||
| host: "localhost:5601" | ||
|
|
||
| output.elasticsearch: | ||
| hosts: ["localhost:9200"] | ||
|
|
||
| processors: | ||
| - # Add forwarded to tags when processing data from a network tap or mirror. | ||
| if.contains.tags: forwarded | ||
| then: | ||
| - drop_fields: | ||
| fields: [host] | ||
| else: | ||
| - add_host_metadata: ~ | ||
| - add_cloud_metadata: ~ | ||
| - add_docker_metadata: ~ | ||
| ''; | ||
| description = "Any other configuration options you want to add"; | ||
| }; | ||
|
|
||
| }; | ||
| }; | ||
|
|
||
| config = mkIf cfg.enable { | ||
|
|
||
| assertions = [ | ||
| { | ||
| assertion = !hasPrefix "/" cfg.stateDir; | ||
| message = | ||
| "The option services.packetbeat.stateDir shouldn't be an absolute directory." + | ||
| " It should be a directory relative to /var/lib/."; | ||
| } | ||
| { | ||
| assertion = cfg.configProtocols != "" || cfg.configFlows != ""; | ||
| message = | ||
| "The options services.packetbeat.configProtocols and/or services.packetbeat.configFlows should" + | ||
| " be set or else packetbeat won't do anything useful and error out."; | ||
| } | ||
| ]; | ||
|
|
||
| systemd.services.packetbeat = { | ||
| description = "Packetbeat log shipper"; | ||
| wantedBy = [ "multi-user.target" ]; | ||
| preStart = '' | ||
| mkdir -p ${cfg.stateDir}/data | ||
| mkdir -p ${cfg.stateDir}/logs | ||
|
There was a problem hiding this comment. Is it possible to log to There was a problem hiding this comment. There is an option to log to stderr (-e) that could be used in ExecStart There was a problem hiding this comment. There is an option to log to stderr that should make it possible for journald to pick it up (-e). |
||
| ''; | ||
| serviceConfig = { | ||
|
There was a problem hiding this comment. Please do not run as There was a problem hiding this comment. This is completely copied from the official unit, packetbeat needs to run as root because it captures packets from interfaces. I dunno if CAP_NET_ADMIN might be enough instead of having root, but this is how the official systemd unit does it. |
||
| StateDirectory = cfg.stateDir; | ||
| ExecStart = '' | ||
| ${cfg.package}/bin/packetbeat \ | ||
| -c ${packetbeatYml} \ | ||
| -path.data /var/lib/${cfg.stateDir}/data \ | ||
| -path.logs /var/lib/${cfg.stateDir}/logs''; | ||
| Restart = "always"; | ||
| }; | ||
| }; | ||
| }; | ||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment below about a
settingsoption which could replace this.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will look into that RFC, I've added the configFile option, that short-circuits the config options in the module, and lets the user handle the configuration file as they please.