Bro + ELK Stack on OS X

ansible.cfg

[defaults]
inventory=inventory

bro-elk-mac.yml

---
- hosts: localhost

  vars:
    logstash_conf_url: "https://raw.githubusercontent.com/timmolter/logstash-dfir/master/conf_files/bro/"
    logstash_conf_files:
      - bro-conn_log.conf
      - bro-dns_log.conf
      - bro-files_log.conf
      - bro-http_log.conf
      - bro-notice_log.conf
      - bro-ssh_log.conf
      - bro-ssl_log.conf
      - bro-weird_log.conf
      - bro-x509_log.conf

  vars_prompt:
    - name: "bro_capture_interface"
      prompt: "Capture interface for Bro"
      default: "en0"

  tasks:
    - name: add homebrew cask tap
      homebrew_tap: name=caskroom/cask state=present

    - name: install JDK 8
      homebrew_cask: name=java state=present

    - name: install homebrew packages
      homebrew: name={{ item }} state=present
      with_items:
        - bro
        - elasticsearch
        - logstash
        - gnu-tar

    - name: set bro capture interface
      lineinfile: >
        dest=/usr/local/etc/node.cfg
        regexp="^interface=eth0$"
        line="interface={{ bro_capture_interface }}"
        state=present

    - name: create missing broctl directories
      file: path=/usr/local/opt/bro/{{ item }} state=directory
      with_items:
        - spool
        - spool/tmp
        - logs

    - name: create broctl-config.sh symlink
      file: >
        src=/usr/local/opt/bro/spool/broctl-config.sh
        path=/usr/local/opt/bro/share/broctl/scripts/broctl-config.sh
        state=link
        force=yes

    - name: create logstash config directory
      file: path=/usr/local/etc/logstash state=directory

    - name: download logstash config files
      get_url: url={{ logstash_conf_url}}{{ item }} dest=/usr/local/etc/logstash/
      with_items: "{{ logstash_conf_files }}"

    - name: replace paths in logstash config files
      replace: >
        dest=/usr/local/etc/logstash/{{ item }}
        regexp="/nsm/bro/logs/current/"
        replace="/usr/local/opt/bro/logs/current/"
      with_items: "{{ logstash_conf_files }}"

    - name: replace paths in logstash config files
      replace: >
        dest=/usr/local/etc/logstash/{{ item }}
        regexp="host => localhost"
        replace="host => localhost protocol => 'http' port => '9200'"
      with_items: "{{ logstash_conf_files }}"

    - name: install logstash translate plugin
      command: /usr/local/opt/logstash/libexec/bin/logstash-plugin install logstash-filter-translate

    - name: check if kibana exists
      stat: path=/usr/local/opt/kibana
      register: kibana_dir

    - name: download kibana
      get_url: >
        url=https://download.elastic.co/kibana/kibana/kibana-4.1.1-darwin-x64.tar.gz
        dest=/tmp
      when: not kibana_dir.stat.exists

    - name: decompress kibana tarball
      unarchive: >
        src=/tmp/kibana-4.1.1-darwin-x64.tar.gz
        dest=/usr/local/opt
        copy=no
      when: not kibana_dir.stat.exists

    - name: rename kibana directory
      command: mv /usr/local/opt/kibana-4.1.1-darwin-x64 /usr/local/opt/kibana
      args:
        removes: /usr/local/opt/kibana-4.1.1-darwin-x64
      when: not kibana_dir.stat.exists

    - name: copy startup plists
      copy: src={{ item }}.plist dest=~/Library/LaunchAgents/
      with_items:
        - co.elastic.logstash
        - co.elastic.kibana

    - name: create symlink for elasticsearch plist
      file: >
        src=/usr/local/opt/elasticsearch/homebrew.mxcl.elasticsearch.plist
        path=~/Library/LaunchAgents/homebrew.mxcl.elasticsearch.plist
        state=link

    - name: setup launch agents for services
      shell: launchctl load -w ~/Library/LaunchAgents/{{ item }}.plist
      with_items:
        - homebrew.mxcl.elasticsearch
        - co.elastic.logstash
        - co.elastic.kibana

co.elastic.kibana.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>co.elastic.kibana</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/opt/kibana/bin/kibana</string>
        </array>
        <key>KeepAlive</key>
        <true/>
    </dict>
</plist>

co.elastic.logstash.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>co.elastic.logstash</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/logstash</string>
            <string>-f</string>
            <string>/usr/local/etc/logstash</string>
            <string>--log</string>
            <string>/usr/local/var/log/logstash.log</string>
        </array>
        <key>KeepAlive</key>
        <true/>
    </dict>
</plist>

inventory

localhost ansible_connection=local

uninstall-bro-elk.yml

---
- hosts: localhost

  tasks:
    - name: unload launch agents for services
      shell: launchctl unload -w ~/Library/LaunchAgents/{{ item }}.plist
      with_items:
        - homebrew.mxcl.elasticsearch
        - co.elastic.logstash
        - co.elastic.kibana

    - name: remove plist startup items
      file: name=~/Library/LaunchAgents/{{ item }}.plist state=absent
      with_items:
        - homebrew.mxcl.elasticsearch
        - co.elastic.logstash
        - co.elastic.kibana

    - name: remove kibana directory
      file: name=/usr/local/opt/kibana state=absent

    - name: uninstall homebrew packages
      homebrew: name={{ item }} state=absent
      become: yes
      with_items:
        - bro
        - elasticsearch
        - logstash