Powershell install of filebeat for IIS in EC2

Filebeat-IIS-Setup.ps1

function PostToSlack {
    Param([string]$message)
    $wc = New-Object net.webclient
    $wc.UploadString("https://hooks.slack.com/services/random/moreRandom", (ConvertTo-Json @{ text = ("$message") }))
}
###################################
### Modules ###
Import-Module WebAdministration

###################################
### Variables ###
# Get some EC2 tags
$instanceIdentity = (New-Object net.webclient).DownloadString('http://169.254.169.254/latest/dynamic/instance-identity/document') | ConvertFrom-Json
$instanceId = $instanceIdentity.instanceId
$enviro = (Get-EC2Tag -Region $instanceIdentity.region | ? { $_.ResourceID -eq $instanceIdentity.instanceId -and $_.Key -eq 'environment'}).Value
# Filebeat vars
$filebeatVersion = "5.2.0"
$filebeatFile = "filebeat-$filebeatVersion-windows-x86_64.zip" #filebeat-5.2.0-windows-x86_64.zip
$filebeatRootDir = "C:\Filebeat"
$filebeatFilePath = "$filebeatRootDir\$filebeatFile"
$filebeatExeDir = "$filebeatRootDir\filebeat-$filebeatVersion-windows-x86_64"
$filebeatUrl = "https://artifacts.elastic.co/downloads/beats/filebeat/$filebeatFile" #https://artifacts.elastic.co/downloads/beats/filebeat/
# Config vars
$elkUrl = "logstash.elk.domain.com:5044" #port is for beats traffic only
$hostname = hostname
# The following would have to change if we were making this script do something other than IIS filebeat
$serviceName = "Filebeat-IIS"
$prospectorTags = "IIS" # or...something more useful
###################################


###################################
### BEGIN INSTALL SECTION ###
# There is no actual 'install' of filebeat - just files downloaded and extracted somewhere
Try {
    if (Get-Service $serviceName -ErrorAction SilentlyContinue) {
        #$filter is not indented because @""@ can't do indented lines
$filter = @"
name='$($serviceName)'
"@
        $service = Get-WmiObject -Class Win32_Service -Filter $filter
        #$service.delete()
        Stop-Service $serviceName
        Remove-WmiObject -InputObject $service
    }
    
    if (Test-Path $filebeatRootDir) {
        Remove-Item -Force -Recurse -Path "$filebeatRootDir"
    }

    New-Item -ItemType directory $filebeatRootDir
    
    wget $filebeatUrl -OutFile "$filebeatRootDir\$filebeatFile"
    Add-Type -assembly "system.io.compression.filesystem"
    [io.compression.zipfile]::ExtractToDirectory($filebeatFilePath, $filebeatRootDir)

    Write-Output "Filebeat binaries should be in place..."
}
Catch {
    Write-Output $_.Exception.Message
    PostToSlack ":x: Filebeat download/extract/copy failed on $instanceId / $hostname"
    Exit 1
}
### END INSTALL SECTION ###
###################################


###################################
### BEGIN CONFIG CREATE SECTION ###

# Clean the old config, if present
#Remove-Item -Force "$filebeatRootDir\filebeat.yml"


# Get a list of app names compared to W3SVC* numbers
# This is awful
# Create prospectors per W3SVC entry
# We need to build an array
$siteProspectors = @("")

ForEach($website in $(Get-Website)) {
    $siteId = $website.id
    $siteName = $website.name

# the filebeatindex field is also awful
$siteProspectors += @"

  - input_type: log
    paths:
      - 'C:\inetpub\logs\LogFiles\W3SVC$($siteId)\*.log'
    document_type: iis
    encoding: utf-8
    exclude_lines: ["^#"]
    exclude_files: ['.zip','.7z']
    ignore_older: 24h
    scan_frequency: 1s
    tail_files: true
    tags: ["$($prospectorTags)"]
    fields:
      application_name: $($siteName)
      environment: $($enviro)
      filebeatindex: filebeat-iis 
    fields_under_root: true

"@
} 

# Here's the basic config
$filebeatYML = ""
$filebeatYML = @"
filebeat.prospectors:
$($siteProspectors)

filebeat.registry_file: "C:/ProgramData/$($serviceName)/registry"

output.logstash:
  hosts: ["$($elkUrl)"]

logging.to_syslog: false
logging.to_files: true
logging.files:
  path: C:\Logs\Filebeat
  name: $($serviceName)
  rotateeverybytes: 10485760 # = 10MB
  keepfiles: 7

"@

# Push filebeat.yml to the active dir
$filebeatYML | Out-File -Force -Encoding utf8 "$filebeatExeDir\filebeat.yml"

### END CONFIG CREATE SECTION ###
##################################


###################################
### BEGIN CONFIG TEST SECTION ###
# Test the configuration - exit of 1 = test failure
Push-Location $filebeatExeDir
    .\filebeat -c filebeat.yml -configtest
Pop-Location

if ($LASTEXITCODE -eq 1) {
    PostToSlack ":x: Filebeat config test failed on $instanceId / $hostname"
}

### END CONFIG TEST SECTION ###
##################################


###################################
### BEGIN SERVICE SETUP SECTION ###
# Create the service and start it
Write-Output "Here is where we specify the Filebeat instance."
# Create filebeat instance
New-Service -name $serviceName `
    -displayName $serviceName `
    -binaryPathName "`"$filebeatExeDir\\filebeat.exe`" -c `"$filebeatExeDir\\filebeat.yml`""

# Start service, ensure running
Restart-Service $serviceName

### END SERVICE SETUP SECTION ###
###################################


###################################
### BEGIN SERVICE TEST SECTION ###
$testService = Get-Service $serviceName
if ($testService.Status -ne "Running") {
    PostToSlack ":x: Test failed, filebeat service is not running on $instanceId / $hostname"
}
elseif ($testService.Status -eq "Running") {
    PostToSlack ":white_check_mark: Test passed, filebeat service running on $instanceId / $hostname"
}
$testConfigContents = Select-String "$filebeatExeDir\\filebeat.yml" -pattern "$elkUrl"
if (!($testConfigContents)) {
    PostToSlack ":x: Test failed, filebeat config missing params on $instanceId / $hostname"
}
elseif ($testConfigContents) {
    PostToSlack ":white_check_mark: Test passed, filebeat config looks good on $instanceId / $hostname"
}
### END SERVICE TEST SECTION ###
###################################