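#cloud-config
# Single-node ELK (Elasticsearch, Logstash, Kibana 7.x) bootstrap for cloud-init.
# Elasticsearch and Kibana bind to the loopback interface only; the Logstash
# Beats input (5044) is the one service reachable from the network.
package_update: true
package_upgrade: true

packages:
  - openjdk-11-jdk
  - wget
  - gnupg
  - apt-transport-https

# NOTE(review): write_files runs before the Elastic packages are installed, so
# these files pre-exist when dpkg unpacks its conffiles -- confirm on the target
# image that the package install leaves them in place rather than replacing them.
write_files:
  - path: /etc/elasticsearch/elasticsearch.yml
    content: |
      cluster.name: elk-cluster
      node.name: elk-node-1
      path.data: /var/lib/elasticsearch
      path.logs: /var/log/elasticsearch
      # Loopback only. xpack security is disabled below, so the REST API has no
      # authentication at all; it must not be bound to a routable interface in
      # this state. Enable security before widening network.host.
      network.host: localhost
      http.port: 9200
      discovery.type: single-node
      xpack.security.enabled: false
      xpack.security.enrollment.enabled: false

  - path: /etc/logstash/conf.d/logstash.conf
    content: |
      input {
        # The Beats input listens on all interfaces and is opened in ufw below.
        # As configured it has no TLS and no client authentication, so any host
        # that can reach 5044 can inject events.
        beats {
          port => 5044
        }
        # Not opened in the firewall below; local use only as written.
        syslog {
          port => 5140
        }
      }

      filter {
        if [fileset][module] == "system" {
          if [fileset][name] == "auth" {
            # Logstash does not process backslash escapes in config strings
            # unless config.support_escapes is on, so the pid brackets are
            # escaped once for the regex engine (the previous doubled form
            # looked like a JSON-escaping artifact and would not match).
            grok {
              match => {
                "message" => [
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{IPORHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{INT:[system][auth][ssh][port]} ssh2"
                ]
              }
            }
          }
        }
      }

      output {
        elasticsearch {
          hosts => ["localhost:9200"]
          manage_template => false
          index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        }
      }

  - path: /etc/kibana/kibana.yml
    content: |
      server.port: 5601
      # Loopback only; Kibana talks to the unauthenticated Elasticsearch above,
      # so remote access should go through a reverse proxy that adds auth.
      server.host: "localhost"
      elasticsearch.hosts: ["http://localhost:9200"]
      kibana.index: ".kibana"
      logging.dest: /var/log/kibana/kibana.log

runcmd:
  # Add the Elastic APT repository. The signing key goes into a dedicated
  # keyring and is bound to this source with signed-by; apt-key is deprecated
  # and would have trusted the key for every configured repository.
  - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
  - echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

  # Install Elasticsearch, Logstash, and Kibana without interactive prompts.
  - apt-get update
  - DEBIAN_FRONTEND=noninteractive apt-get install -y elasticsearch logstash kibana

  # Shrink the JVM heap to 512m. These are no-ops on 7.x releases whose
  # jvm.options no longer carries explicit -Xms1g/-Xmx1g lines (the heap is
  # then auto-sized); a drop-in under jvm.options.d/ is the supported override.
  - sed -i 's/-Xms1g/-Xms512m/g' /etc/elasticsearch/jvm.options
  - sed -i 's/-Xmx1g/-Xmx512m/g' /etc/elasticsearch/jvm.options

  # Enable and start services. Wait (bounded, up to ~2 minutes) for
  # Elasticsearch to answer on its REST port before starting the consumers,
  # instead of a fixed sleep that is often too short on a small heap.
  - systemctl enable elasticsearch
  - systemctl start elasticsearch
  - for i in $(seq 1 24); do wget -qO- http://localhost:9200 >/dev/null 2>&1 && break; sleep 5; done
  - systemctl enable logstash
  - systemctl start logstash
  - systemctl enable kibana
  - systemctl start kibana

  # Firewall: only the Beats input is reachable from outside. Elasticsearch
  # (9200) and Kibana (5601) bind to localhost, so rules for them were inert
  # and would become a hazard if network.host/server.host is later widened
  # while security stays off. Prefer restricting this rule to the shipper
  # subnet, e.g. "ufw allow from <SHIPPER_CIDR> to any port 5044 proto tcp".
  # Rules only take effect once ufw is enabled, which this config does not do.
  - ufw allow 5044/tcp

  - echo "Kibana available at http://localhost:5601"
  - echo "Elasticsearch available at http://localhost:9200"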