Oddly · Oddly · Mar 4, 2026 · Mar 1, 2026 · Mar 4, 2026
diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml
@@ -31,7 +31,7 @@
     - name: Enable Elastic installation on RHEL 9
       ansible.builtin.set_fact:
         elasticstack_rpm_workaround: true
-      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version >= "9"
+      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version | int >= 9
     - name: Include Elastic Repos
       ansible.builtin.include_role:
         name: oddly.elasticstack.repos

diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
@@ -41,6 +41,8 @@ beats_tls_key: "{{ beats_ca_dir }}/{{ inventory_hostname }}-beats.key"
 beats_tls_cert: "{{ beats_ca_dir }}/{{ inventory_hostname }}-beats.crt"
 # @var beats_tls_cacert:description: Path to the CA certificate for TLS verification
 beats_tls_cacert: "{{ beats_ca_dir }}/ca.crt"
+# @var beats_ssl_verification_mode:description: SSL verification mode for Beats output to Elasticsearch (full, certificate, none)
+beats_ssl_verification_mode: certificate
 # @var beats_tls_key_passphrase:description: Passphrase for the Beat TLS private key
 beats_tls_key_passphrase: BeatsChangeMe
 

diff --git a/roles/beats/templates/auditbeat.yml.j2 b/roles/beats/templates/auditbeat.yml.j2
@@ -43,7 +43,7 @@ output.elasticsearch:
   username: "elastic"
   password: "{{ beats_writer_password.stdout }}"
   ssl.enabled: true
-  ssl.verification_mode: none
+  ssl.verification_mode: {{ beats_ssl_verification_mode }}
   ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"]
 {% else %}
 {% if elasticstack_full_stack | bool %}

diff --git a/roles/beats/templates/filebeat.yml.j2 b/roles/beats/templates/filebeat.yml.j2
@@ -154,7 +154,7 @@ output.elasticsearch:
   username: "elastic"
   password: "{{ beats_writer_password.stdout }}"
   ssl.enabled: true
-  ssl.verification_mode: none
+  ssl.verification_mode: {{ beats_ssl_verification_mode }}
   ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"]
 {% else %}
 {% if elasticstack_full_stack | bool %}

diff --git a/roles/beats/templates/metricbeat.yml.j2 b/roles/beats/templates/metricbeat.yml.j2
@@ -20,7 +20,7 @@ output.elasticsearch:
   username: "elastic"
   password: "{{ beats_writer_password.stdout }}"
   ssl.enabled: true
-  ssl.verification_mode: none
+  ssl.verification_mode: {{ beats_ssl_verification_mode }}
   ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"]
 {% else %}
 {% if elasticstack_full_stack | bool %}

diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
@@ -26,6 +26,8 @@ elasticsearch_logging_json_file: true
 elasticsearch_logging_slowlog: true
 # @var elasticsearch_logging_deprecation:description: Enable deprecation log appender
 elasticsearch_logging_deprecation: true
+# @var elasticsearch_logging_audit:description: Enable security audit log appender. Only meaningful when elasticsearch_security is true
+elasticsearch_logging_audit: true
 
 # @var elasticsearch_security:description: Enable Elasticsearch security features (TLS, authentication, RBAC)
 elasticsearch_security: true

diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -266,7 +266,7 @@

    # Extract CA chain from the already-deployed transport cert on the node.
    # Uses copy+content for idempotency (only writes when content changes).
    - name: Read CA chain from PEM bundle (transport cert)
      ansible.builtin.shell:
        cmd: >-
          awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'
@@ -300,7 +300,7 @@

    # -- Remove stale auto-generated P12 files from a previous elasticsearch_ca deployment --

    - name: Find stale auto-generated P12 certificate files
      ansible.builtin.find:
        paths: /etc/elasticsearch/certs
        patterns: "*.p12"
@@ -366,7 +366,7 @@
    # The CA backup removes the entire elasticstack_ca_dir, which also
    # contains Kibana encryption key files. If those are regenerated,
    # Kibana can't decrypt its existing saved objects and enters 503.
    - name: Check for Kibana encryption keys before CA backup
      ansible.builtin.stat:
        path: "{{ elasticstack_ca_dir }}/{{ item }}"
      loop:
@@ -784,14 +784,19 @@
      ansible.builtin.set_fact:
        elasticsearch_cluster_set_up: true

    - name: Create initial passwords
       ansible.builtin.shell: >
         set -o pipefail;
         /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b >
-        {{ elasticstack_initial_passwords }}
+        {{ elasticstack_initial_passwords }}.tmp &&
+        mv {{ elasticstack_initial_passwords }}.tmp {{ elasticstack_initial_passwords }}
       args:
         executable: /bin/bash
         creates: "{{ elasticstack_initial_passwords }}"
+      register: _setup_passwords_result
+      until: _setup_passwords_result.rc | default(1) == 0
+      retries: 10
+      delay: 15
       when: inventory_hostname == elasticstack_ca_host
       no_log: "{{ elasticstack_no_log }}"
 

diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
@@ -141,7 +141,7 @@

 - name: Construct exact name of Elasticsearch package
  ansible.builtin.set_fact:
    elasticsearch_package: >-
      {{
      'elasticsearch' +
      ((elasticstack_versionseparator +
@@ -208,6 +208,7 @@
     - "hostvars[item].inventory_hostname == inventory_hostname"
     - elasticstack_version is defined
     - elasticstack_version != 'latest'
+    - ansible_facts.packages['elasticsearch'] is defined
     - ansible_facts.packages['elasticsearch'][0].version is defined
     - elasticstack_password.stdout is defined
     - elasticstack_version is version( ansible_facts.packages['elasticsearch'][0].version, '>')
@@ -251,7 +252,7 @@

 # Pre-detect external cert state so the template renders consistently
 # across first and subsequent runs (idempotency).
 - name: Detect existing external CA for template rendering
  ansible.builtin.stat:
    path: /etc/elasticsearch/certs/ca.crt
  register: _existing_ca_cert

diff --git a/roles/elasticsearch/templates/log4j2.properties.j2 b/roles/elasticsearch/templates/log4j2.properties.j2
@@ -170,6 +170,7 @@ logger.index_indexing_slowlog.additivity = false
 {% endif %}
 
 ######## Audit Log ############################################################
+{% if elasticsearch_logging_audit | bool and elasticsearch_security | bool %}
 
 appender.audit_rolling.type = RollingFile
 appender.audit_rolling.name = audit_rolling
@@ -203,3 +204,4 @@ logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter
 logger.samlxml_decrypt.level = fatal
 logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter
 logger.saml2_decrypt.level = fatal
+{% endif %}
diff --git a/roles/logstash/handlers/main.yml b/roles/logstash/handlers/main.yml
@@ -13,3 +13,4 @@
     - not ansible_check_mode
     - not logstash_config_autoreload
     - logstash_enable | bool
+    - not logstash_freshstart.changed | bool
diff --git a/roles/logstash/templates/90-output.conf.j2 b/roles/logstash/templates/90-output.conf.j2
@@ -1,13 +1,3 @@
-{% if logstash_ident | default(true) | bool %}
-filter {
-  mutate {
-    add_field => {
-      "{{ logstash_ident_field_name | default('[logstash][instance]') }}" => "{{ ansible_facts.hostname }}"
-    }
-  }
-}
-
-{% endif %}
 output {
 {% if logstash_output_elasticsearch | default(true) | bool %}
   elasticsearch {

diff --git a/roles/repos/tasks/redhat.yml b/roles/repos/tasks/redhat.yml
@@ -10,7 +10,7 @@
 
 - name: Workaround for EL > 8
   when:
-    - ansible_facts.distribution_major_version >= "9"
+    - ansible_facts.distribution_major_version | int >= 9
   block:
 
     - name: Show a warning