Selective silencing of users for SSH login alerts

[ageis]

Users in the logstash_alert_ssh_silenced_users list will not trigger Riemann events / Slack alerts upon successful SSH authentication.

[ageis]

When template copies the file, the validate option / Logstash configtest returns bizarro syntax errors for 21-ssh-logins.conf. Been looking at it with a fine-tooth comb though and I don't see where the problem is, I'm stumped.

[msheiny]

Hey @ageis -- thanks for the 3 PRs! We are currently doing a revamp of the entire elk playbook so I'm going to hold off merging these until that is finished and pushed.

If you'd like to assist with that effort, currently we need a lot more love around automated testing on logstash filters to ensure they don't regress on new additions. Aiming for rspec here but if that doesn't work we are going to have to spin out something custom. Got a few other enhancements in the pipeline that are showing :banana: fruition :cherries: :pear: as well.

[conorsch]

Hmm, can't see myself using this, but the new option is off by default, and is quite a clean implementation. Same comment as in https://github.com/freedomofpress/ansible-role-elk/pull/54#issuecomment-262608886, though: can you prefix the new vars with elk_? That will help to prevent unintended clobbering at the site level.

[ageis]

@conorsch Consider it done.

[conorsch]

Hm, this will break as-is because the variable interpolation is added to a file, rather than a template, so logstash is going to choke. We'd have to convert some or all of the configs to templates rather than files for this to work as intended. Blocking for a bit on that, pending an overhaul of the role to use multiple roles for each service (more appropriate when you're farming the config out over multiple machines anyway).

[ageis]

@conorsch Are you sure that's correct my friend? In this role, the Logstash filters are all templates... https://github.com/freedomofpress/ansible-role-elk/blob/master/tasks/logstash.yml#L53