customize ilm policy

Author: anapsix

README.md

@@ -35,13 +35,24 @@ After launching local environment, access Kibana via http://localhost:5601/app/k
 #### With Docker Compose
 
 ```sh
+# (re)build
+docker-compose build
+
 # launch Elasticsearch, Kibana, and get-logs container instances
 docker-compose up -d
 
 # keep an eye on the logs
 docker-compose logs -f get-logs
 ```
 
+After launching local environment, access Kibana via http://localhost:5601/app/kibana#/discover.
+
+> NOTE: since log collection is running on schedule, data will not appear in ES
+> immediately. Keen an eye on the logs, and `./logs` directory. ES index will
+> receive data shortly after you see new file appearing, and / or
+> `Harvester started for file:...` log message in the logs. Create an index
+> pattern while you are waiting.
+
 #### Launch manually
 
 ```sh
@@ -67,7 +78,7 @@ docker run -it --rm \
   -e SAMPLE_RATE="0.01" \
   -e ES_HOST="http://elasticsearch:9200" \
   -e ES_INDEX="cloudflare-test" \
-  -e ES_INDEX_SHARD=6 \
+  -e ES_INDEX_SHARD=5 \
   -e ES_INDEX_REPLICAS=0 \
   -e ES_INDEX_REFRESH=10s \
   --link es:elasticsearch \
@@ -82,7 +93,8 @@ Open-sourced software licensed under the MIT license.
 
 ## Acknowledgments
 
-This repo includes and relies on [go-tasks][go-tasks], created by [Martin Fabrizzio Vilche][mvilche]
+This repo includes and relies on [go-tasks][go-tasks], created by
+[Martin Fabrizzio Vilche][mvilche]. Thank you 🙏, Martin.
 
 [link reference]::
 [logpull]: https://developers.cloudflare.com/logs/logpull-api/

config/filebeat.yml

@@ -50,28 +50,27 @@ setup.dashboard:
   enabled: false
 
 setup.ilm:
+  enabled: false  # ES_ILM_ENABLED in startup script
   check_exists: true
-  enabled: false
-  overwrite: false
+  overwrite: false  # ES_ILM_OVERWRITE in startup script
   pattern: '{now/M{YYYY.MM}}-000001'
   policy_name: '${ES_INDEX:cloudflare-test}'
-  # policy_file: ${ES_ILM_POLICY_FILE}
+  # policy_file: ${ES_ILM_POLICY_FILE} in startup script
   rollover_alias: '${ES_INDEX:cloudflare-test}'
 
 setup.kibana:
   enabled: false
 
 setup.template:
-  enabled: false
+  enabled: false  # ES_TEMPLATE_ENABLED in startup script
   name: '${ES_INDEX:cloudflare-test}'
-  overwrite: false
+  overwrite: false  # ES_TEMPLATE_OVERWRITE in startup script
   pattern: '${ES_INDEX:cloudflare-test}-*'
   # fields: "fields.yml"
-  json.enabled: true
-  json.path: '/opt/filebeat/index-template.json'
+  json.enabled: false  # ES_TEMPLATE_JSON_ENABLED in startup script
   json.name: '${ES_INDEX:cloudflare-test}'
+  json.path: '${ES_TEMPLATE_JSON_FILE:/opt/filebeat/index-template.json}'
   settings:
-    # _source.enabled: false
-    index.number_of_shards: ${ES_INDEX_SHARDS:6}
-    index.number_of_replicas: ${ES_INDEX_REPLICAS:0}
-    index.refresh_interval: ${ES_INDEX_REFRESH:5s}
+    index.number_of_shards: ${ES_TEMPLATE_INDEX_SHARDS:5}
+    index.number_of_replicas: ${ES_TEMPLATE_INDEX_REPLICAS:0}
+    index.refresh_interval: ${ES_TEMPLATE_INDEX_REFRESH:10s}

config/templates/ilm-default-policy.json

@@ -1,6 +1,6 @@
 {
-  "policy" : {
-    "phases" : {
+  "policy": {
+    "phases": {
       "hot": {
         "min_age": "0ms",
         "actions": {
@@ -10,15 +10,15 @@
           }
         }
       },
-      "warm" : {
+      "warm": {
         "min_age": "0ms",
         "actions": {
           "forcemerge": {
-            "max_num_segments" : 1
+            "max_num_segments": 1
           }
         }
       },
-      "delete" : {
+      "delete": {
         "min_age": "7d",
         "actions": {
           "delete": { }

docker-compose.yaml

@@ -15,11 +15,13 @@ services:
     - SAMPLE_RATE=0.01
     - ES_HOST=http://elasticsearch:9200
     - ES_INDEX=cloudflare-test
-    - ES_INDEX_SHARDS=1
-    - ES_INDEX_REPLICAS=0
-    - ES_INDEX_REFRESH=10s
+    - ES_TEMPLATE_ENABLED=true
+    - ES_TEMPLATE_INDEX_SHARDS=1
+    - ES_TEMPLATE_INDEX_REPLICAS=0
+    - ES_TEMPLATE_INDEX_REFRESH=10s
+    - ES_ILM_ENABLED=true
     - ES_ILM_DEFAULT_POLICY_ENABLED=true
-    - ES_INDEX_DEFAULT_PIPELINE_ENABLED=true
+    - ES_PIPELINE_DEFAULT_ENABLED=true
     healthcheck:
       test: 'pgrep filebeat || exit 1'
       interval: 30s

helm/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: get-cloudflare-logs
-description: Helm chart installing
+description: Helm chart to retrieve Cloudflare Logs via LogPull API
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -14,8 +14,8 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.3.0
+version: 0.4.0-rc1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 0.4.0  # assessed as .Chart.AppVersion
+appVersion: 0.5.0-rc1  # assessed as .Chart.AppVersion

helm/README.md

@@ -55,8 +55,54 @@ $ helm delete my-release
 `config.elasticsearch.username` | Elasticsearch connection username      | `nil`
 `config.elasticsearch.password` | Elasticsearch connection password      | `nil`
 `config.elasticsearch.index.name`     | Elasticsearch dst index          | `cloudflare-access`
-`config.elasticsearch.index.shards`   | Elasticsearch dst index shards   | `5`
-`config.elasticsearch.index.replicas` | Elasticsearch dst index replicas | `0`
-`config.elasticsearch.index.refreshInterval` | Elasticsearch dst index refresh interval | `5s`
-`config.elasticsearch.ilm.default`      | Enables use of default ILM policy | `true`
+`config.elasticsearch.index.template.shards`   | Elasticsearch dst index shards   | `5`
+`config.elasticsearch.index.template.replicas` | Elasticsearch dst index replicas | `0`
+`config.elasticsearch.index.template.refreshInterval` | Elasticsearch dst index refresh interval | `10s`
+`config.elasticsearch.ilm.enabled`      | Enables ILM use | `true`
+`config.elasticsearch.ilm.policyYAML`   | Specifies policy via YAML | see [`values.yaml`][values]
+`config.elasticsearch.ilm.policyJSON`   | Specifies policy via literal JSON | see [`values.yaml`][values]
+`config.elasticsearch.ilm.policyFile`   | Specifies a file on local filesystem to use as ILM policy | `files/ilm-default-policy.json`
+`config.elasticsearch.pipeline.enabled` | Enables Ingest Pipeline | `true` (at the moment, has no effect)
 `config.elasticsearch.pipeline.default` | Enables use of default Ingest Pipeline | `true`
+
+
+## Advanced Configuration
+
+### ILM Policy
+
+By default, ILM policy setup is enabled, and policy defined with
+`config.elasticsearch.ilm.policyYAML` (same as one included in Docker image)
+will be used.
+To customize ILM policy, change `config.elasticsearch.ilm.policyYAML`.
+
+> ILM policy is stored as ConfigMap, and passed to the pods via read-only mount.
+
+ILM policy can be defined using any of the following attributes, listed in the
+order of precedence.
+- `config.elasticsearch.ilm.policyYAML` - inline, convenient for tweaking individual phases
+- `config.elasticsearch.ilm.policyJSON` - inline, convenient when copying from ES
+- `config.elasticsearch.ilm.policyFile` - from local file, convenient when copying from ES
+
+If `policyYAML` is unset, or evaluates to `false`, `policyJSON` will be used.
+If both `policyYAML`, and `policyJSON` are unset, or evaluate to `false`,
+`policyFile` will be used
+
+Read more about ILM and ILM policy in [Elasticsearch docs][ilm-docs].
+
+### Ingest Pipeline
+
+By default, Ingest Pipeline included in Docker image is created, and enabled as
+["default pipeline"][index-docs]. Read more about Pipelines and pipeline
+processors in [Elasticsearch docs][pipeline-docs].
+
+Default pipeline is configured with following processors:
+- `user_agent` - to process `cloudflare.ClientRequestUserAgent`
+- `geoip` - to process `cloudflare.ClientIP`
+
+
+
+[ link reference ]::
+[ilm-docs]: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html
+[pipeline-docs]: https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline.html
+[index-docs]: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-modules.html#dynamic-index-settings
+[values]: ./values.yaml

helm/files/ilm-default-policy.json

@@ -0,0 +1,29 @@
+{
+  "policy": {
+    "phases": {
+      "hot": {
+        "min_age": "0ms",
+        "actions": {
+          "rollover": {
+            "max_size": "60gb",
+            "max_age": "1d"
+          }
+        }
+      },
+      "warm": {
+        "min_age": "0ms",
+        "actions": {
+          "forcemerge": {
+            "max_num_segments": 1
+          }
+        }
+      },
+      "delete": {
+        "min_age": "7d",
+        "actions": {
+          "delete": { }
+        }
+      }
+    }
+  }
+}

helm/templates/configmap-ilm-policy.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.config.elasticsearch.ilm.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-ilm-policy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "get-cloudflare-logs.labels" . | nindent 4 }}
+data:
+  ilm-policy.json: |-
+{{- if .Values.config.elasticsearch.ilm.policyYAML }}
+    {
+      "policy": {{- toJson .Values.config.elasticsearch.ilm.policyYAML | nindent 6 }}
+    }
+{{ else if .Values.config.elasticsearch.ilm.policyJSON }}
+{{ .Values.config.elasticsearch.ilm.policyJSON | indent 4 }}
+{{ else }}
+{{ .Files.Get .Values.config.elasticsearch.ilm.policyFile | indent 4 }}
+{{ end -}}
+{{- end -}}

helm/templates/deployment.yaml

@@ -31,47 +31,64 @@ spec:
           image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: CF_ZONE_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "get-cloudflare-logs.fullname" . }}
-                key: CF_ZONE_ID
-          - name: CF_AUTH_EMAIL
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "get-cloudflare-logs.fullname" . }}
-                key: CF_AUTH_EMAIL
-          - name: CF_AUTH_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "get-cloudflare-logs.fullname" . }}
-                key: CF_AUTH_KEY
-          - name: SAMPLE_RATE
-            value: {{ .Values.config.cloudflare.sampleRate | quote }}
-          - name: ES_HOST
-            value: {{ .Values.config.elasticsearch.host | quote }}
-          - name: ES_USERNAME
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "get-cloudflare-logs.fullname" . }}
-                key: ES_USERNAME
-          - name: ES_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "get-cloudflare-logs.fullname" . }}
-                key: ES_PASSWORD
-          - name: ES_INDEX
-            value: {{ .Values.config.elasticsearch.index.name | quote }}
-          - name: ES_INDEX_SHARDS
-            value: {{ .Values.config.elasticsearch.index.shards | quote }}
-          - name: ES_INDEX_REPLICAS
-            value: {{ .Values.config.elasticsearch.index.replicas | quote }}
-          - name: ES_INDEX_REFRESH
-            value: {{ .Values.config.elasticsearch.index.refreshInterval | quote }}
-          - name: ES_INDEX_DEFAULT_PIPELINE_ENABLED
-            value: {{ default "false" .Values.config.elasticsearch.pipeline.default | quote }}
-          - name: ES_ILM_DEFAULT_POLICY_ENABLED
-            value: {{ default "false" .Values.config.elasticsearch.ilm.default | quote }}
+            - name: CF_ZONE_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "get-cloudflare-logs.fullname" . }}
+                  key: CF_ZONE_ID
+            - name: CF_AUTH_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "get-cloudflare-logs.fullname" . }}
+                  key: CF_AUTH_EMAIL
+            - name: CF_AUTH_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "get-cloudflare-logs.fullname" . }}
+                  key: CF_AUTH_KEY
+            - name: SAMPLE_RATE
+              value: {{ .Values.config.cloudflare.sampleRate | quote }}
+            - name: ES_HOST
+              value: {{ .Values.config.elasticsearch.host | quote }}
+            - name: ES_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "get-cloudflare-logs.fullname" . }}
+                  key: ES_USERNAME
+            - name: ES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "get-cloudflare-logs.fullname" . }}
+                  key: ES_PASSWORD
+            - name: ES_INDEX
+              value: {{ .Values.config.elasticsearch.index.name | quote }}
+            - name: ES_TEMPLATE_ENABLED
+              value: {{ default "false" .Values.config.elasticsearch.index.template.enabled | quote }}
+            - name: ES_TEMPLATE_INDEX_SHARDS
+              value: {{ .Values.config.elasticsearch.index.template.shards | quote }}
+            - name: ES_TEMPLATE_INDEX_REPLICAS
+              value: {{ .Values.config.elasticsearch.index.template.replicas | quote }}
+            - name: ES_TEMPLATE_INDEX_REFRESH
+              value: {{ .Values.config.elasticsearch.index.template.refreshInterval | quote }}
+            - name: ES_PIPELINE_ENABLED
+              value: {{ default "false" .Values.config.elasticsearch.pipeline.enabled | quote }}
+            - name: ES_PIPELINE_DEFAULT_ENABLED
+              value: {{ default "false" .Values.config.elasticsearch.pipeline.default | quote }}
+            - name: ES_ILM_ENABLED
+              value: {{ .Values.config.elasticsearch.ilm.enabled | quote }}
+            {{- if .Values.config.elasticsearch.ilm.enabled }}
+            - name: ES_ILM_DEFAULT_POLICY_ENABLED
+              value: "false"
+            - name: ES_ILM_POLICY_FILE
+              value: "/opt/filebeat/ilm-policy.json"
+            {{- end }}
+          {{- if .Values.config.elasticsearch.ilm.enabled }}
+          volumeMounts:
+            - name: ilm-policy
+              mountPath: /opt/filebeat/ilm-policy.json
+              subPath: ilm-policy.json
+              readOnly: true
+          {{- end }}
           livenessProbe:
             exec:
               command:
@@ -88,6 +105,12 @@ spec:
             periodSeconds: 5
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      {{- if .Values.config.elasticsearch.ilm.enabled }}
+      volumes:
+        - name: ilm-policy
+          configMap:
+            name: {{ .Release.Name }}-ilm-policy
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

helm/templates/secrets.yaml

@@ -10,5 +10,10 @@ data:
   CF_ZONE_ID: {{ .Values.config.cloudflare.zoneId | b64enc }}
   CF_AUTH_EMAIL: {{ .Values.config.cloudflare.authEmail | b64enc }}
   CF_AUTH_KEY: {{ .Values.config.cloudflare.authKey | b64enc }}
-  ES_USERNAME: {{ default "" .Values.config.elasticsearch.username | b64enc }}
-  ES_PASSWORD: {{ default "" .Values.config.elasticsearch.password | b64enc }}
+  {{- if .Values.config.elasticsearch.username }}
+  ES_USERNAME: {{ .Values.config.elasticsearch.username | b64enc }}
+  {{- end -}}
+  {{ if .Values.config.elasticsearch.password }}
+  ES_PASSWORD: {{ .Values.config.elasticsearch.password | b64enc }}
+  {{ end -}}
+

helm/values.yaml

@@ -4,24 +4,110 @@
 
 # application config
 config:
+
   cloudflare:
     zoneId: "51e241f08e014feb95d1b2760228d12a"
     authEmail: "admin@example.com"
     authKey: "51e241f08e014feb95d1b2760228d12a2df50"
-    sampleRate: "0.01"
+    sampleRate: "0.01" # sample percent of logs, 0.01 = 1%
+
+
   elasticsearch:
     host: "http://elasticsearch:9200"  # make sure to always include port!
     username: ~  # for password protected Elasticsearch instances
     password: ~  # set username and password
+
     index:
       name: "cloudflare-access"
-      shards: "5"
-      replicas: "0"
-      refreshInterval: "5s"
+      template:
+        enabled: true            # enables template setup
+        shards: "5"              # sets number of index shards
+        replicas: "0"            # sets number of index replicas
+        refreshInterval: "10s"   # sets index refresh interval
+
+    # ingest pipeline is using processors to extract helpful info, and more
     pipeline:
-      default: true  # enabled use of default pipeline
+      enabled: true  # enables pipeline (unless true, UserAgent, and Lat/Lon
+                     # will not be available)
+      default: true  # enables use of default pipeline, customization is not
+                     # supported at the moment, and it's unlikely you'll want to
+                     # change it anyways
+      # default pipeline is configured with following processors:
+      # user_agent - to process cloudflare.ClientRequestUserAgent
+      # geoip - to process cloudflare.ClientIP
+
     ilm:
-      default: true  # enables use of default ilm policy
+      # When ILM is enabled, and ilm.default is set to "true"
+      #   default policy from the image will be used
+      # Custom ILM policy can be used by setting ilm.default to "false"
+      #   and specifying policyFile location as local filepath of JSON file.
+      # See example ILM policy in ./files/ilm-default-policy.json
+      # To learn more about Elasticsearch ILM see Elasticsearch docs
+      #   https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html
+      enabled: true  # enables setup of ilm on start
+
+      # ILM policy can be defined via either of these,
+      # listed in the order of priority
+      # - policyYAML
+      # - policyJSON
+      # - policyFile
+      #
+      # all default policies are identical
+
+      # takes precedence
+      policyYAML:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              rollover:
+                max_size: 60gb
+                max_age: 1d
+          warm:
+            min_age: 0ms
+            actions:
+              forcemerge:
+                max_num_segments: 1
+          delete:
+            min_age: 7d
+            actions:
+              delete: {}
+
+      # used if policyYAML is unset, empty or nil
+      policyJSON: |
+        {
+          "policy": {
+            "phases": {
+              "hot": {
+                "min_age": "0ms",
+                "actions": {
+                  "rollover": {
+                    "max_size": "60gb",
+                    "max_age": "1d"
+                  }
+                }
+              },
+              "warm": {
+                "min_age": "0ms",
+                "actions": {
+                  "forcemerge": {
+                    "max_num_segments" : 1
+                  }
+                }
+              },
+              "delete": {
+                "min_age": "7d",
+                "actions": {
+                  "delete": { }
+                }
+              }
+            }
+          }
+        }
+
+      # used if both policyYAML and policyJSON are unset, empty or nil
+      policyFile: "files/ilm-default-policy.json"
+
 
 # k8s objects config
 terminationGracePeriodSeconds: 15

scripts/docker-entrypoint.sh

@@ -19,21 +19,30 @@ set -o pipefail
 : ${ES_PASSWORD:='_unset_'}
 
 : ${ES_INDEX:='cloudflare-test'}
-: ${ES_INDEX_SHARDS:=6}
-: ${ES_INDEX_REPLICAS:=0}
-: ${ES_INDEX_REFRESH:='5s'}
-: ${ES_INDEX_JSON_ENABLED:='true'}
 
+: ${ES_TEMPLATE_ENABLED:='true'}
+: ${ES_TEMPLATE_OVERWRITE:='true'}
+: ${ES_TEMPLATE_INDEX_SHARDS:=6}
+: ${ES_TEMPLATE_INDEX_REPLICAS:=0}
+: ${ES_TEMPLATE_INDEX_REFRESH:='10s'}
+
+: ${ES_TEMPLATE_JSON_ENABLED:='true'}
+: ${ES_TEMPLATE_JSON_FILE:='/opt/filebeat/index-template.json'}
+
+: ${ES_ILM_ENABLED:='true'}
+: ${ES_ILM_OVERWRITE:='true'}
+: ${ES_ILM_POLICY_FILE:='_unset_'}
 : ${ES_ILM_DEFAULT_POLICY_FILE:='/opt/filebeat/ilm-default-policy.json'}
 : ${ES_ILM_DEFAULT_POLICY_ENABLED:='true'}
 
-: ${ES_INDEX_DEFAULT_PIPELINE:='cloudflare'}
-: ${ES_INDEX_DEFAULT_PIPELINE_FILE:='/opt/filebeat/ingest-default-pipeline.json'}
-: ${ES_INDEX_DEFAULT_PIPELINE_ENABLED:='true'}
+: ${ES_PIPELINE_ENABLED:='true'}
+: ${ES_PIPELINE_DEFAULT:='cloudflare'}
+: ${ES_PIPELINE_DEFAULT_FILE:='/opt/filebeat/ingest-default-pipeline.json'}
+: ${ES_PIPELINE_DEFAULT_ENABLED:='true'}
 
 export TZ='UTC'
 export CF_AUTH_EMAIL CF_AUTH_KEY CF_ZONE_ID CF_LOGS_DIRECTORY
-export FILEBEAT_CONFIG ES_INDEX_JSON_ENABLED
+export FILEBEAT_CONFIG
 export ES_INDEX ES_INDEX_SHARDS ES_INDEX_REPLICAS ES_INDEX_REFRESH
 
 rawurlencode() {
@@ -55,31 +64,31 @@ rawurlencode() {
 
 install_pipeline() {
   local ES_CREDENTIALS
-  if [[ ! -r "${ES_INDEX_DEFAULT_PIPELINE_FILE}" ]]; then
-    echo >&2 "ERROR: default index pipeline cannot be read at \"${ES_INDEX_DEFAULT_PIPELINE_FILE}\""
+  if [[ ! -r "${ES_PIPELINE_DEFAULT_FILE}" ]]; then
+    echo >&2 "ERROR: default index pipeline cannot be read at \"${ES_PIPELINE_DEFAULT_FILE}\""
     exit 1
   fi
   if [[ "${ES_USERNAME}" != "_unset_" ]] && [[ "${ES_PASSWORD}" != "_unset_" ]]; then
     ES_CREDENTIALS="$(rawurlencode "${ES_USERNAME}"):$(rawurlencode "${ES_PASSWORD}")@"
   fi
-  local ES_URL="${ES_HOST%%/*}//${ES_CREDENTIALS:-}${ES_HOST##*/}/_ingest/pipeline/${ES_INDEX_DEFAULT_PIPELINE}"
+  local ES_URL="${ES_HOST%%/*}//${ES_CREDENTIALS:-}${ES_HOST##*/}/_ingest/pipeline/${ES_PIPELINE_DEFAULT}"
   curl \
     -sS \
     -X PUT \
     -H "Content-Type: application/json" \
-    -d @"${ES_INDEX_DEFAULT_PIPELINE_FILE}" \
+    -d @"${ES_PIPELINE_DEFAULT_FILE}" \
     "${ES_URL}"
 }
 
 generate_index_template() {
   jq \
     --arg idx "${ES_INDEX}" \
     --arg ip "${ES_INDEX}-*" \
-    --arg shards "${ES_INDEX_SHARDS}" \
-    --arg replicas "${ES_INDEX_REPLICAS}" \
-    --arg refresh_interval "${ES_INDEX_REFRESH}" \
-    --arg default_pipeline "${ES_INDEX_DEFAULT_PIPELINE}" \
-    --arg default_pipeline_enabled "${ES_INDEX_DEFAULT_PIPELINE_ENABLED}" \
+    --arg shards "${ES_TEMPLATE_INDEX_SHARDS}" \
+    --arg replicas "${ES_TEMPLATE_INDEX_REPLICAS}" \
+    --arg refresh_interval "${ES_TEMPLATE_INDEX_REFRESH}" \
+    --arg default_pipeline "${ES_PIPELINE_DEFAULT}" \
+    --arg default_pipeline_enabled "${ES_PIPELINE_DEFAULT_ENABLED}" \
     '
     .index_patterns = $ip |
     .settings.index.lifecycle.name = $idx |
@@ -93,7 +102,7 @@ generate_index_template() {
       .
     end' \
     "${INDEX_TEMPLATE_FILE}" \
-    > /opt/filebeat/index-template.json
+    > "${ES_TEMPLATE_JSON_FILE}"
 }
 
 init_message() {
@@ -138,9 +147,9 @@ cat <<EOM
   "EdgeResponseStatus": 200,
   "EdgeServerIP": "127.0.0.1",
   "EdgeStartTimestamp": 0000000010000000000,
-  "FirewallMatchesActions": [],
-  "FirewallMatchesRuleIDs": [],
-  "FirewallMatchesSources": [],
+  "FirewallMatchesActions": [ "simulate", "challenge" ],
+  "FirewallMatchesRuleIDs": [ "47b718f2f84149e4a2973d6271c4aa6a", "1cb257e2891d4c108c0a9b527ab2a76d" ],
+  "FirewallMatchesSources": [ "firewallRules", "firewallRules" ],
   "OriginIP": "127.0.0.1",
   "OriginResponseBytes": 0,
   "OriginResponseHTTPExpires": "Thu, 01 Jan 1970 01:00:00 GMT",
@@ -215,34 +224,66 @@ else
   echo >&2
   setup_cron
 
-  if [[ "${ES_ILM_DEFAULT_POLICY_ENABLED}" == "true" ]]; then
-    echo >&2 '### using default ilm policy'
+  if [[ "${ES_ILM_ENABLED}" == "true" ]]; then
+    echo >&2 '## ilm setup enabled'
     echo >&2
-    ilm_policy_file_arg="-E setup.ilm.policy_file='${ES_ILM_DEFAULT_POLICY_FILE}'"
+    if [[ "${ES_ILM_DEFAULT_POLICY_ENABLED}" == "true" ]]; then
+      echo >&2 '### using default ilm policy'
+      echo >&2
+      ilm_policy_file_arg="-E setup.ilm.policy_file='${ES_ILM_DEFAULT_POLICY_FILE}'"
+    elif [[ "${ES_ILM_POLICY_FILE}" != "_unset_" ]]; then
+      echo >&2 "### using custom ilm policy from \"${ES_ILM_POLICY_FILE}\""
+      echo >&2
+      if [[ ! -r "{ES_ILM_POLICY_FILE}" ]]; then
+        echo >&2 "ERROR: unable to read policy file \"${ES_ILM_POLICY_FILE}\""
+        exit 1
+      fi
+      ilm_policy_file_arg="-E setup.ilm.policy_file='${ES_ILM_POLICY_FILE}'"
+    else
+      echo >&2 '### ilm policy is not specified'
+      echo >&2
+    fi
+  else
+    echo >&2 '## ilm setup disabled'
   fi
 
-  if [[ "${ES_INDEX_DEFAULT_PIPELINE_ENABLED}" == "true" ]]; then
-    echo >&2 '## installing default pipeline'
+  if [[ "${ES_PIPELINE_ENABLED}" ]]; then
+    echo >&2 '## ingest pipeline enabled'
     echo >&2
-    install_pipeline
+    if [[ "${ES_PIPELINE_DEFAULT_ENABLED}" == "true" ]]; then
+      echo >&2 '### installing default pipeline'
+      echo >&2
+      install_pipeline
+    else
+      echo >&2 '### custom ingest pipeline is not supported at the moment'
+      echo >&2 '### though you could overwrite $ES_PIPELINE_DEFAULT_FILE value'
+      exit 1
+    fi
   fi
 
-  if [[ "${ES_INDEX_JSON_ENABLED}" == "true" ]]; then
-    echo >&2 '## generating index template'
+  if [[ "${ES_TEMPLATE_ENABLED}" == "true" ]]; then
+    echo >&2 '## template setup enabled'
+    echo >&2
+    if [[ "${ES_TEMPLATE_JSON_ENABLED}" == "true" ]]; then
+      echo >&2 '### generating index template'
+      echo >&2
+      generate_index_template
+    fi
+  else
+    echo >&2 '## template setup disabled'
     echo >&2
-    generate_index_template
   fi
 
   echo >&2 '## running Filebeat setup'
   echo >&2
   filebeat \
     -c "${FILEBEAT_CONFIG}" \
-    -E setup.ilm.enabled=true \
-    -E setup.ilm.overwrite=true \
+    -E setup.ilm.enabled=${ES_ILM_ENABLED} \
+    -E setup.ilm.overwrite=${ES_ILM_OVERWRITE} \
     ${ilm_policy_file_arg:-} \
-    -E setup.template.enabled=true \
-    -E setup.template.overwrite=true \
-    -E setup.template.json.enabled=${ES_INDEX_JSON_ENABLED} \
+    -E setup.template.enabled=${ES_TEMPLATE_ENABLED} \
+    -E setup.template.overwrite=${ES_TEMPLATE_OVERWRITE} \
+    -E setup.template.json.enabled=${ES_TEMPLATE_JSON_ENABLED} \
     setup --index-management
 
   echo >&2

scripts/get_asn/get_asn.py

@@ -14,5 +14,8 @@
   for line in data_file:
     ip = line.strip()
     obj = IPWhois(ip)
-    results = obj.lookup_rdap(depth=0,inc_raw=False,inc_nir=False,asn_methods=['dns'])
-    print('%s %s' % (ip, results['asn']))
+    try:
+      results = obj.lookup_rdap(depth=0,inc_raw=False,inc_nir=False,asn_methods=['dns'])
+      print('%s %s' % (ip, results['asn']))
+    except:
+      print('%s %s' % (ip, 'unknown'))