Event-Driven Ansible

Andrea Dainese
April 19, 2025
Event-Driven Ansible (EDA) allows the execution of an Ansible playbook to be triggered by a specific event.

This capability exponentially increases Ansible’s potential, transforming it into a tool for automating processes based on specific events, such as troubleshooting, threat intelligence, IoCs, data collection, and general analysis. These activities can be partially or fully automated.

Many security vendors have released specific modules. For instance, Palo Alto Networks has developed a plugin for analyzing firewall logs and triggering initial automated diagnostics in case of SSL decryption errors.

Rulebook

An Ansible Rulebook is a set of rules that EDA uses to execute specific actions. A rulebook can:

  • Monitor one or multiple sources.
  • Contain one or multiple rules.
  • Trigger one or multiple actions.

The first part of a rulebook defines one or more event sources to be monitored. EDA uses Event Source Plugins to monitor these sources.

Event Source Plugins

Event Source Plugins can be classified into three types:

  • Event Bus Plugins: Listen to a stream of events from a source where the connection is established by the plugin itself (e.g., Kafka and AWS SQS Queue plugins).
  • Scraper Plugins: Connect to a source and scrape data from it, usually at predefined intervals (e.g., URL Check and Watchdog plugins).
  • Callback Plugins: Provide a callback endpoint that the event source can call when data is available (e.g., Webhook and Alertmanager plugins). Callback plugins are the least reliable as they depend on the event source to call the endpoint and are highly susceptible to data loss.

When an Event Source Plugin detects an event, EDA uses rules to determine which action to take. If an event matches a rule, EDA executes the specified actions. Actions can include:

  • run_playbook: Executes an existing Ansible Playbook.
  • run_job_template: Runs a job template via the Ansible Automation Platform.
  • run_module: Runs a specific Ansible module for targeted execution without running an entire playbook.
  • post_event: Posts an event to a running ruleset, allowing action results to feed back into EDA.
  • set_fact: Stores specific event data to be reused within EDA.
  • debug: Outputs debug information, similar to the debug module in Ansible Playbooks.
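
The structure described above (sources, then rules, each with an action) looks like this in a rulebook. This is an added example, not taken from the original post: the ruleset name, the monitored URL, the listening address, the payload fields (`type`, `severity`) and the playbook paths are assumptions chosen for illustration.

```yaml
---
# Constructed example: URL, port, payload fields and playbook paths are hypothetical.
- name: Triage security events
  hosts: all
  sources:
    # Scraper plugin: polls the URL at a fixed interval and emits up/down events.
    - ansible.eda.url_check:
        urls:
          - https://intel.example.internal/health
        delay: 30
    # Callback plugin: EDA exposes an HTTP endpoint and waits for the sender to call it.
    # Bound to loopback here so that only a local forwarder can post events.
    - ansible.eda.webhook:
        host: 127.0.0.1
        port: 5000
  rules:
    - name: Collect context for a high-severity IoC
      condition: event.payload.type == "ioc" and event.payload.severity == "high"
      action:
        run_playbook:
          name: playbooks/collect_ioc_context.yml

    - name: Record lower-severity IoCs without acting on them
      condition: event.payload.type == "ioc" and event.payload.severity != "high"
      action:
        debug:

    - name: Diagnose the intel feed when it stops answering
      condition: event.url_check.status == "down"
      action:
        run_playbook:
          name: playbooks/diagnose_intel_feed.yml
```

Because the webhook source depends on the sender reaching the endpoint, events posted while the rulebook is not running are lost, which is the reliability limit of callback plugins noted above.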
