---
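- name: Manage the rsyslog packages and service
  block:
    # Package installation is split per distribution family; the two
    # install tasks are mutually exclusive through their `when` conditions.
    - name: Ensure that the rsyslog package is installed. deb/ubuntu
      apt:
        name: rsyslog
        state: present
        cache_valid_time: 1800
      when: ansible_distribution_file_variety == "Debian"

    - name: Ensure that the rsyslog package is installed. centos/rhel
      yum:
        name: rsyslog
        state: present
      when: ansible_distribution_file_variety == "RedHat"

    # Logs received from other hosts land here, so the directory is not
    # left to the umask: owner and the admin group only.
    # NOTE(review): `syslog`/`adm` are the Debian/Ubuntu defaults; confirm
    # both exist on RHEL/CentOS hosts, otherwise the chown in this task fails.
    - name: Create the target logs rsyslog directory
      file:
        path: '{{ rsyslog_remote_path }}'
        state: directory
        owner: syslog
        group: adm
        mode: '0750'

    - name: Ensure that rsyslog is running and enabled
      service:
        name: rsyslog
        state: started
        enabled: true
  # Only needed when the host either receives or forwards logs.
  when: rsyslog_enable_remote_socket or rsyslog_enable_send_to_remote
  tags: ['syslog', 'rsyslog', 'remote_syslog']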
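- name: Install the rsyslog TLS package on deb/ubuntu
  block:
    # Templated value is quoted so an empty or list-valued variable is
    # still a valid YAML scalar for the module to evaluate.
    - name: Install the rsyslog TLS support
      apt:
        name: '{{ rsyslog_tls_deb_pkgs }}'
        state: present
        cache_valid_time: 1800
      notify: Restart rsyslog
  # All three conditions must hold: a remote role is active, TLS is turned
  # on, and the host is Debian-derived.
  when:
    - rsyslog_enable_remote_socket or rsyslog_enable_send_to_remote
    - rsyslog_tls_status == 'enabled'
    - ansible_distribution_file_variety == "Debian"
  tags: ['syslog', 'rsyslog', 'remote_syslog']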
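- name: Install the rsyslog TLS package on RHEL/CentOS
  block:
    # Templated value is quoted so an empty or list-valued variable is
    # still a valid YAML scalar for the module to evaluate.
    - name: Install the rsyslog TLS support
      yum:
        name: '{{ rsyslog_tls_rh_pkgs }}'
        state: present
      notify: Restart rsyslog
  # Mirror of the Debian task above: remote role active, TLS on, RHEL family.
  when:
    - rsyslog_enable_remote_socket or rsyslog_enable_send_to_remote
    - rsyslog_tls_status == 'enabled'
    - ansible_distribution_file_variety == "RedHat"
  tags: ['syslog', 'rsyslog', 'remote_syslog']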
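- name: Initialize the TLS configuration
  block:
    # Private key and certificate live here; only root may enter the directory.
    - name: Create the PKI directory
      file:
        path: '{{ rsyslog_tls_certs_dir }}'
        state: directory
        owner: root
        group: root
        mode: '0700'

    # The CA file is the trust anchor for every TLS peer. The transport of the
    # download is verified (validate_certs), but the content itself is not
    # pinned.
    # NOTE(review): if a known digest of the CA bundle is available to the
    # role, add a `checksum:` argument so a swapped bundle is rejected.
    - name: Download the remote CA file if required
      get_url:
        url: '{{ rsyslog_remote_ca_url }}'
        dest: '{{ rsyslog_tls_ca }}'
        owner: root
        group: root
        mode: '0644'
        validate_certs: true
      when: rsyslog_ca_is_remote

    - name: Check if the certificate file is present
      stat:
        path: '{{ rsyslog_tls_cert }}'
        get_checksum: false
      register: cert_file_presence

    # Bootstrap fallback only: a self-signed certificate cannot be validated
    # by peers against the configured CA unless they trust it explicitly.
    # NOTE(review): nothing in this block creates `rsyslog_tls_key`; the task
    # fails if the private key is not already present — confirm it is
    # provisioned elsewhere in the role.
    - name: Create a self signed certificate if one is not present
      openssl_certificate:
        path: '{{ rsyslog_tls_cert }}'
        privatekey_path: '{{ rsyslog_tls_key }}'
        csr_path: '{{ rsyslog_tls_certs_dir }}/cert.csr'
        provider: selfsigned
      when: not cert_file_presence.stat.exists
  when:
    - rsyslog_tls_status == 'enabled'
  tags: ['syslog', 'rsyslog', 'remote_syslog']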
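- name: Configure rsyslog so that it accepts logs from remote services
  block:
    # Ownership and mode are set explicitly rather than inherited from the
    # umask of whichever account runs the play.
    - name: Install the rsyslog configuration that enables the remote socket
      template:
        src: rsyslog-remote-socket.conf.j2
        dest: /etc/rsyslog.d/10-rsyslog-remote-socket.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart rsyslog
  when: rsyslog_enable_remote_socket
  tags: ['syslog', 'rsyslog', 'remote_syslog', 'rsyslog_conf']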
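- name: Configure rsyslog to send logs to a remote collector
  block:
    # Ownership and mode are set explicitly rather than inherited from the
    # umask of whichever account runs the play.
    - name: Install the rsyslog client configuration
      template:
        src: rsyslog-send-to-remote.conf.j2
        dest: /etc/rsyslog.d/10-rsyslog-send-to-remote.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart rsyslog
  when: rsyslog_enable_send_to_remote
  tags: ['syslog', 'rsyslog', 'remote_syslog', 'rsyslog_conf']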
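- name: Configure SELinux and firewalld on RHEL/CentOS
  block:
    # Label the listener ports so rsyslog may bind them under enforcing
    # mode; `ignore_selinux_state` keeps the play usable on hosts where
    # SELinux is disabled.
    - name: SELinux udp port
      seport:
        ignore_selinux_state: true
        ports: '{{ rsyslog_udp_port }}'
        proto: udp
        setype: syslogd_port_t
        state: present
      when: rsyslog_enable_remote_udp == 'enabled'

    # FIXME(review): this TCP rule labels the *UDP* port variable. If the role
    # defines a separate TCP port variable (not visible here) it should be used,
    # otherwise the TCP listener port never receives the syslogd_port_t label.
    - name: SELinux tcp port
      seport:
        ignore_selinux_state: true
        ports: '{{ rsyslog_udp_port }}'
        proto: tcp
        setype: syslogd_port_t
        state: present
      when: rsyslog_enable_remote_tcp == 'enabled'

    # NOTE(review): gated on the TLS flag rather than a RELP-specific one;
    # confirm this matches how the listener template enables RELP.
    - name: SELinux RELP port
      seport:
        ignore_selinux_state: true
        ports: '{{ rsyslog_relp_port }}'
        proto: tcp
        setype: syslogd_port_t
        state: present
      when: rsyslog_tls_status == 'enabled'

    - name: rsyslog firewalld services
      firewalld:
        service: '{{ item.service }}'
        zone: '{{ item.zone }}'
        permanent: '{{ item.permanent | default(True) }}'
        state: '{{ item.state }}'
        immediate: true
      with_items: '{{ rsyslog_firewalld_services }}'

    # NOTE(review): ports default to permanent=False while services default to
    # True, so port openings are lost on a firewalld reload or reboot unless
    # each item sets `permanent` explicitly — confirm that is intended.
    - name: rsyslog firewalld ports
      firewalld:
        port: '{{ item.port }}/{{ item.protocol }}'
        zone: '{{ item.zone }}'
        permanent: '{{ item.permanent | default(False) }}'
        state: '{{ item.state }}'
        immediate: true
      with_items: '{{ rsyslog_firewalld_ports }}'
  # Only a receiving host on the RHEL family needs ports opened and labelled.
  when:
    - rsyslog_enable_remote_socket
    - ansible_distribution_file_variety == "RedHat"
  tags: ['syslog', 'rsyslog', 'remote_syslog', 'selinux', 'firewalld']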