Add rsyslog portions for further refinement

This commit is contained in:
Louis Abel 2024-04-02 13:48:55 -07:00
parent 47573d1181
commit 1260f2ce54
Signed by: label
GPG key ID: 2A6975660E424560
7 changed files with 168 additions and 9 deletions

View file

@ -0,0 +1,13 @@
/var/log/remote/*.log
{
daily
rotate 5
missingok
sharedscripts
compress
copytruncate
minsize 100k
postrotate
/usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
endscript
}

View file

@ -63,6 +63,11 @@
state: restarted
daemon_reload: true
- name: restart_rsyslog
ansible.builtin.service:
name: rsyslog
state: restarted
- name: enable_crb
ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable"
changed_when: "1 != 1"

View file

@ -0,0 +1,45 @@
---
# This should already be taken care of in the system-config. But run this
# manually for boxes that need it.
- name: Setup a syslog client
hosts: "{{ host }}"
become: true
vars_files:
# Vaults required
# vars/vaults/encpass.yml
# vars/vaults/hostman.yml
# vars/graylog.yml
- vars/syslog.yml
vars:
syslog_type: "client"
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Setup syslog
ansible.builtin.import_tasks: "tasks/syslog.yml"
post_tasks:
- name: Touching run file that ansible has ran here
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
...

View file

@ -0,0 +1,48 @@
---
# Configure and setup graylog
# Reccommended specs
# CPU: 2 cores
# Memory: 4GB
# Storage: Yes
- name: Install syslog server
hosts: syslog
become: true
vars_files:
# Vaults required
# vars/vaults/encpass.yml
# vars/vaults/hostman.yml
# vars/graylog.yml
- vars/syslog.yml
vars:
syslog_type: "server"
# This is to try to avoid the handler issue in pre/post tasks
handlers:
- import_tasks: handlers/main.yml
pre_tasks:
- name: Check if ansible cannot be run here
stat:
path: /etc/no-ansible
register: no_ansible
- name: Verify if we can run ansible
ansible.builtin.assert:
that:
- "not no_ansible.stat.exists"
success_msg: "We are able to run on this node"
fail_msg: "/etc/no-ansible exists - skipping run on this node"
tasks:
- name: Setup syslog
ansible.builtin.import_tasks: "tasks/syslog.yml"
post_tasks:
- name: Touching run file that ansible has ran here
ansible.builtin.file:
path: /var/log/ansible.run
state: touch
mode: '0644'
owner: root
group: root
...

View file

@ -1,5 +1,38 @@
---
- name: Notice
ansible.builtin.debug:
msg: "Nothing to do yet"
- name: Ensure rsyslog is installed
ansible.builtin.package:
name: rsyslog
state: present
- name: Setup rsyslog client
ansible.builtin.block:
- name: Drop configuration item for syslog
ansible.builtin.template:
src: "etc/rsyslog.d/forwarder.conf"
dest: "/etc/rsyslog.d/forwarder.conf"
owner: root
group: root
mode: "0644"
notify: restart_rsyslog
when: syslog_type == "client"
- name: Setup rsyslog server
ansible.builtin.block:
- name: Drop configuration item for syslog
ansible.builtin.template:
src: "etc/rsyslog.d/receiver.conf"
dest: "/etc/rsyslog.d/receiver.conf"
owner: root
group: root
mode: "0644"
notify: restart_rsyslog
- name: Deploy logrotate file
ansible.builtin.file:
src: "etc/logrotate.d/syslogserver"
dest: "/etc/logrotate.d/syslogserver"
owner: root
group: root
mode: '0644'
when: syslog_type == "server"
...

View file

@ -1,12 +1,19 @@
# Receive logs
# Logs will appear as /var/log/remote/hostname.example.com-{secure,messages}.log
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")
$AllowedSender UDP, {{ allowed_rsyslog_clients|join(', ') }}
$AllowedSender TCP, {{ allowed_rsyslog_clients|join(', ') }}
$template RemoteHostSyslog,"/var/log/remote/%HOSTNAME%-log
template(name="TmplAuth" type="string" string="/var/log/remote/%FROMHOST%-secure.log")
$RuleSet remote
*.* -?RemoteHostSyslog
*.info;mail.none;authpriv.none;cron.none ?RemoteHostSyslog
template(name="TmplMsg" type="string" string="/var/log/remote/%FROMHOST%-messages.log")
# Process the equivalent of /var/log/{messages,secure} on a given system
ruleset(name="remote_1_log"){
authpriv.* action(type="omfile" DynaFile="TmplAuth")
*.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
}
input(type="imtcp" port="514" ruleset="remote_1_log")
input(type="imudp" port="514" ruleset="remote_1_log")

8
vars/syslog.yml Normal file
View file

@ -0,0 +1,8 @@
---
# remote_rsyslog_host: set in playbook for now, please.
allowed_rsyslog_clients:
- "10.32.0.0/16"
- "10.61.0.0/16"
- "*.rockylinux.org"
- "*.resf.org"
...