From 1260f2ce549e00dbe7671ab036479639608d5de8 Mon Sep 17 00:00:00 2001 From: Louis Abel Date: Tue, 2 Apr 2024 13:48:55 -0700 Subject: [PATCH] Add rsyslog portions for further refinement --- files/etc/logrotate.d/syslogserver | 13 +++++++ handlers/main.yml | 5 +++ init-rocky-syslog-client.yml | 45 ++++++++++++++++++++++ role-rocky-syslog-server.yml | 48 ++++++++++++++++++++++++ tasks/syslog.yml | 39 +++++++++++++++++-- templates/etc/rsyslog.d/receiver.conf.j2 | 19 +++++++--- vars/syslog.yml | 8 ++++ 7 files changed, 168 insertions(+), 9 deletions(-) create mode 100644 files/etc/logrotate.d/syslogserver create mode 100644 init-rocky-syslog-client.yml create mode 100644 role-rocky-syslog-server.yml create mode 100644 vars/syslog.yml diff --git a/files/etc/logrotate.d/syslogserver b/files/etc/logrotate.d/syslogserver new file mode 100644 index 0000000..dd77f52 --- /dev/null +++ b/files/etc/logrotate.d/syslogserver @@ -0,0 +1,13 @@ +/var/log/remote/*.log +{ + daily + rotate 5 + missingok + sharedscripts + compress + copytruncate + minsize 100k + postrotate + /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true + endscript +} diff --git a/handlers/main.yml b/handlers/main.yml index 0771314..8fa7d26 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -63,6 +63,11 @@ state: restarted daemon_reload: true +- name: restart_rsyslog + ansible.builtin.service: + name: rsyslog + state: restarted + - name: enable_crb ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable" changed_when: "1 != 1" diff --git a/init-rocky-syslog-client.yml b/init-rocky-syslog-client.yml new file mode 100644 index 0000000..f55794f --- /dev/null +++ b/init-rocky-syslog-client.yml 
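Review bot: In files/etc/logrotate.d/syslogserver, `copytruncate` and the HUP sent in `postrotate` do the same job, and `copytruncate` can lose lines written between the copy and the truncate; since rsyslog reopens its output files on HUP, dropping the `copytruncate` line and letting logrotate rename the file is the safer combination. `daily` with `rotate 5` keeps only five days of the remote hosts' logs on the receiver, which is short for looking into something noticed late — confirm it against the retention the team actually wants for central logs, and state the intended retention in a comment at the top of the file.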
@@ -0,0 +1,45 @@
+---
+# This should already be taken care of in the system-config. But run this
+# manually for boxes that need it.
+- name: Setup a syslog client
+ hosts: "{{ host }}"
+ become: true
+ vars_files:
+ # Vaults required
+ # vars/vaults/encpass.yml
+ # vars/vaults/hostman.yml
+ # vars/graylog.yml
+ - vars/syslog.yml
+ vars:
+ syslog_type: "client"
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ ansible.builtin.assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ tasks:
+ - name: Setup syslog
+ ansible.builtin.import_tasks: "tasks/syslog.yml"
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ ansible.builtin.file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/role-rocky-syslog-server.yml b/role-rocky-syslog-server.yml
new file mode 100644
index 0000000..504f418
--- /dev/null
+++ b/role-rocky-syslog-server.yml
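Review bot: The client play sets only `syslog_type` under `vars:`, while vars/syslog.yml in this same commit says `remote_rsyslog_host` is to be "set in playbook for now"; unless the forwarder template (not part of this diff) gets that value from somewhere else, the `Setup syslog` task will stop on an undefined variable when it renders forwarder.conf. Either add `remote_rsyslog_host: "<syslog-receiver-address>"` to `vars:` here or give it a default in vars/syslog.yml. Two smaller points: `stat:` in pre_tasks is the only module in the play without its FQCN (`ansible.builtin.stat:`), and the `# Vaults required` comment is followed only by commented-out files, so it should either say no vault is needed for this play or name the ones that are.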
@@ -0,0 +1,48 @@
+---
+# Configure and setup graylog
+# Reccommended specs
+# CPU: 2 cores
+# Memory: 4GB
+# Storage: Yes
+- name: Install syslog server
+ hosts: syslog
+ become: true
+ vars_files:
+ # Vaults required
+ # vars/vaults/encpass.yml
+ # vars/vaults/hostman.yml
+ # vars/graylog.yml
+ - vars/syslog.yml
+ vars:
+ syslog_type: "server"
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ ansible.builtin.assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ tasks:
+ - name: Setup syslog
+ ansible.builtin.import_tasks: "tasks/syslog.yml"
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ ansible.builtin.file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/tasks/syslog.yml b/tasks/syslog.yml
index 5a28188..fa577a8 100644
--- a/tasks/syslog.yml
+++ b/tasks/syslog.yml
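Review bot: The header comment `# Configure and setup graylog` describes a different service than the play installs — it imports tasks/syslog.yml, which deploys an rsyslog receiver — so it should read `# Configure and setup an rsyslog receiver`, and `# Reccommended specs` should be `# Recommended specs`. This play is otherwise a copy of init-rocky-syslog-client.yml (same pre_tasks, post_tasks, bare `stat:` instead of `ansible.builtin.stat:`, and a `# Vaults required` block that lists only commented-out files), so the two will drift; moving the shared pre/post tasks into one task file they both import would keep a fix in one place.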
@@ -1,5 +1,38 @@
 ---
-- name: Notice
- ansible.builtin.debug:
- msg: "Nothing to do yet"
+- name: Ensure rsyslog is installed
+ ansible.builtin.package:
+ name: rsyslog
+ state: present
+
+- name: Setup rsyslog client
+ ansible.builtin.block:
+ - name: Drop configuration item for syslog
+ ansible.builtin.template:
+ src: "etc/rsyslog.d/forwarder.conf"
+ dest: "/etc/rsyslog.d/forwarder.conf"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart_rsyslog
+ when: syslog_type == "client"
+
+- name: Setup rsyslog server
+ ansible.builtin.block:
+ - name: Drop configuration item for syslog
+ ansible.builtin.template:
+ src: "etc/rsyslog.d/receiver.conf"
+ dest: "/etc/rsyslog.d/receiver.conf"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart_rsyslog
+
+ - name: Deploy logrotate file
+ ansible.builtin.file:
+ src: "etc/logrotate.d/syslogserver"
+ dest: "/etc/logrotate.d/syslogserver"
+ owner: root
+ group: root
+ mode: '0644'
+ when: syslog_type == "server"
 ...
diff --git a/templates/etc/rsyslog.d/receiver.conf.j2 b/templates/etc/rsyslog.d/receiver.conf.j2
index 964f5e6..ea54c1f 100644
--- a/templates/etc/rsyslog.d/receiver.conf.j2
+++ b/templates/etc/rsyslog.d/receiver.conf.j2
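Review bot: `Deploy logrotate file` uses `ansible.builtin.file` with `src`/`dest`, which does not copy content: `src` only matters for `state: link`, and with the default state the module fails when `/etc/logrotate.d/syslogserver` does not already exist, so files/etc/logrotate.d/syslogserver never reaches the server; the module line should be `ansible.builtin.copy:`, with the other keys unchanged. The two template tasks pass `src` without the `.j2` suffix (`etc/rsyslog.d/receiver.conf`) while the template in this commit is templates/etc/rsyslog.d/receiver.conf.j2; Ansible does not append `.j2` on its own, so unless a file with that exact name exists the lookup fails — `src: "etc/rsyslog.d/receiver.conf.j2"`, and presumably the same for the forwarder, whose template is not in this diff. Also `mode` is written `"0644"` in the template tasks and `'0644'` in the logrotate task; pick one quoting style for the file.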
@@ -1,12 +1,19 @@ # Receive logs +# Logs will appear as /var/log/remote/hostname.example.com-{secure,messages}.log module(load="imtcp") -input(type="imtcp" port="514") module(load="imudp") -input(type="imudp" port="514") +$AllowedSender UDP, {{ allowed_rsyslog_clients|join(', ') }} $AllowedSender TCP, {{ allowed_rsyslog_clients|join(', ') }} -$template RemoteHostSyslog,"/var/log/remote/%HOSTNAME%-log +template(name="TmplAuth" type="string" string="/var/log/remote/%FROMHOST%-secure.log") -$RuleSet remote -*.* -?RemoteHostSyslog -*.info;mail.none;authpriv.none;cron.none ?RemoteHostSyslog +template(name="TmplMsg" type="string" string="/var/log/remote/%FROMHOST%-messages.log") + +# Process the equivalent of /var/log/{messages,secure} on a given system +ruleset(name="remote_1_log"){ + authpriv.* action(type="omfile" DynaFile="TmplAuth") + *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg") +} + +input(type="imtcp" port="514" ruleset="remote_1_log") +input(type="imudp" port="514" ruleset="remote_1_log") diff --git a/vars/syslog.yml b/vars/syslog.yml new file mode 100644 index 0000000..b4d29e5 --- /dev/null +++ b/vars/syslog.yml @@ -0,0 +1,8 @@ +--- +# remote_rsyslog_host: set in playbook for now, please. +allowed_rsyslog_clients: + - "10.32.0.0/16" + - "10.61.0.0/16" + - "*.rockylinux.org" + - "*.resf.org" +...
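Review bot: Both DynaFile templates put `%FROMHOST%` into the output path unmodified; when name resolution is on, rsyslog fills that property from the reverse-DNS name of the sender, so a PTR record controlled by whoever operates a permitted address can introduce path separators into the file name, and rsyslog's property-replacer option exists for exactly this: `string="/var/log/remote/%FROMHOST:::secpath-replace%-secure.log"` (and the same change in TmplMsg). The authpriv stream is written with omfile's default create mode, which is world-readable and looser than /var/log/secure on the sending hosts; `authpriv.* action(type="omfile" DynaFile="TmplAuth" fileCreateMode="0600")` keeps it to root. `$AllowedSender` is a source-address check that UDP does not authenticate, and neither listener is configured with TLS, so the receiver should also be restricted by a host firewall to the same networks listed in vars/syslog.yml; the name-based entries (`*.rockylinux.org`, `*.resf.org`) only take effect if rsyslog's DNS lookups are enabled, which is worth stating in a comment next to them.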