diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index 8c5cc4c..0bc55bf 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -39,6 +39,7 @@ immich_pg_password: HISTORY_PURGED_SECRET
 
 event_dispatcher_token: "HISTORY_PURGED_SECRET"
 
+opensearch_logstash_password: "HISTORY_PURGED_SECRET"
 opensearch_admin_password: "HISTORY_PURGED_SECRET"
 opensearch_seed_hosts:
     - ipv4.atlantishq.de:9300
diff --git a/playbook.yaml b/playbook.yaml
index 793fdd9..500d539 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -9,12 +9,19 @@
     - { role : base,              tags : [ "base" ] }
     - { role : zabbix-agent,      tags : [ "zabbix-agent" ] }
     - { role : iptables,          tags : [ "iptables" ] }
+    - { role : opensearch,        tags : [ "opensearch" ] }
 
 - hosts: signal
   strategy: free
   roles:
     - { role : signal, tags : [ "signal" ] }
 
+- hosts:
+    - kube1
+  strategy: free
+  roles:
+    - { role : filebeat, tags : [ "filebeat" ] }
+
 - hosts: mail
   strategy: free
   roles:
diff --git a/roles/filebeat/tasks/main.yaml b/roles/filebeat/tasks/main.yaml
new file mode 100644
index 0000000..9293276
--- /dev/null
+++ b/roles/filebeat/tasks/main.yaml
@@ -0,0 +1,33 @@
+---
+- name: Add Elastic GPG key
+  ansible.builtin.apt_key:
+    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    state: present
+
+- name: Ensure apt-transport-https is installed
+  ansible.builtin.apt:
+    name: apt-transport-https
+    state: present
+    update_cache: yes
+
+- name: Add Elastic repository (OSS package)
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list.d/elastic-8.x.list
+    content: "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main\n"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+
+- name: Install Filebeat
+  ansible.builtin.apt:
+    name: filebeat
+    state: present
+
+- name: Enable Filebeat to start on boot
+  ansible.builtin.systemd:
+    name: filebeat
+    enabled: yes