From e2bd95f2c23284540f3cd869ce682914e7e9afc0 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 17 Jan 2020 17:30:44 +0100 Subject: [PATCH] Role that setups remote logging in rsyslog. --- .../centos-common/meta/main.yml | 1 + .../deb-ubuntu-common/meta/main.yml | 1 + library/roles/rsyslog/defaults/main.yml | 25 +++++++ library/roles/rsyslog/handlers/main.yml | 5 ++ library/roles/rsyslog/tasks/main.yml | 70 +++++++++++++++++++ .../templates/rsyslog-remote-socket.conf.j2 | 34 +++++++++ 6 files changed, 136 insertions(+) create mode 100644 library/roles/rsyslog/defaults/main.yml create mode 100644 library/roles/rsyslog/handlers/main.yml create mode 100644 library/roles/rsyslog/tasks/main.yml create mode 100644 library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml index ec6ddc9..ccac7dc 100644 --- a/library/bootstrap-roles/centos-common/meta/main.yml +++ b/library/bootstrap-roles/centos-common/meta/main.yml @@ -1,6 +1,7 @@ --- dependencies: - role: '../../library/centos/roles/centos-bootstrap' + - role: '../../library/centos/roles/rsyslog' - role: '../../library/roles/dell-server-utilities' - role: '../../library/roles/sshd_config' - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks } diff --git a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml index 9130848..053a8f7 100644 --- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml +++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml @@ -1,6 +1,7 @@ --- dependencies: - role: '../../library/roles/ubuntu-deb-general' + - role: '../../library/roles/rsyslog' - { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" } - role: '../../library/roles/tmpreaper' - role: '../../library/roles/iptables' diff --git a/library/roles/rsyslog/defaults/main.yml b/library/roles/rsyslog/defaults/main.yml new file mode 100644 index 0000000..60332ab --- /dev/null +++ b/library/roles/rsyslog/defaults/main.yml @@ -0,0 +1,25 @@ +--- +rsyslog_enable_remote_socket: False +rsyslog_enable_remote_udp: 'enabled' +rsyslog_enable_remote_tcp: 'disabled' + +rsyslog_remote_path: /var/log/remote +rsyslog_tls_status: 'disabled' +rsyslog_tls_deb_pkgs: + - 'rsyslog-gnutls' + +rsyslog_tls_rh_pkgs: + - 'rsyslog-gnutls' + +rsyslog_udp_port: 514 +rsyslog_tcp_port: 514 + +rsyslog_send_to_remote: False + +rsyslog_firewalld_services: + - { service: 'syslog', state: '{{ rsyslog_enable_remote_udp }}', zone: '{{ firewalld_default_zone }}' } + - { service: 'syslog-tls', state: '{{ rsyslog_tls_status }}', zone: '{{ firewalld_default_zone }}' } + +rsyslog_firewalld_ports: + - { port: '{{ rsyslog_tcp_port }}', protocol: 'tcp', state: '{{ rsyslog_enable_remote_tcp }}', zone: '{{ firewalld_default_zone }}' } + diff --git a/library/roles/rsyslog/handlers/main.yml b/library/roles/rsyslog/handlers/main.yml new file mode 100644 index 0000000..1d11ad2 --- /dev/null +++ b/library/roles/rsyslog/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart rsyslog + service: name=rsyslog state=restarted + + diff --git a/library/roles/rsyslog/tasks/main.yml b/library/roles/rsyslog/tasks/main.yml new file mode 100644 index 0000000..2d87b61 --- /dev/null +++ b/library/roles/rsyslog/tasks/main.yml @@ -0,0 +1,70 @@ +--- +- name: Configure rsyslog so that it accepts logs from remote services + block: + - name: Ensure that the rsyslog package is installed. deb/ubuntu + apt: pkg=rsyslog state=present cache_valid_time=1800 + when: ansible_distribution_file_variety == "Debian" + + - name: Ensure that the rsyslog package is installed. centos/rhel + yum: pkg=rsyslog state=present + when: ansible_distribution_file_variety == "RedHat" + + - name: Create the additional rsyslog directory + file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm + + - name: Install the rsyslog configuration + template: src=rsyslog-remote-socket.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote-socket.conf + notify: Restart rsyslog + + - name: Ensure that rsyslog is running and enabled + service: name=rsyslog state=started enabled=yes + + when: rsyslog_enable_remote_socket | bool + tags: [ 'syslog', 'rsyslog', 'remote_syslog' ] + +- name: Install the rsyslog TLS package on deb/ubuntu + block: + - name: Install the rsyslog TLS support + apt: pkg={{ rsyslog_tls_deb_pkgs }} state=present cache_valid_time=1800 + notify: Restart rsyslog + + when: + - rsyslog_enable_remote_socket | bool + - rsyslog_tls_status == 'enabled' + - ansible_distribution_file_variety == "Debian" + tags: [ 'syslog', 'rsyslog', 'remote_syslog' ] + +- name: Install the rsyslog TLS package on RHEL/CentOS + block: + - name: Install the rsyslog TLS support + yum: pkg={{ rsyslog_tls_rh_pkgs }} state=present + notify: Restart rsyslog + + when: + - rsyslog_enable_remote_socket | bool + - rsyslog_tls_status == 'enabled' + - ansible_distribution_file_variety == "RedHat" + tags: [ 'syslog', 'rsyslog', 'remote_syslog' ] + +- name: Configure SELinux and firewalld on RHEL/CentOS + block: + - name: SELinux udp port + seport: ignore_selinux_state=yes ports=514 proto=udp setype=syslogd_port_t state=present + when: rsyslog_enable_remote_udp == 'enabled' + + - name: SELinux tcp port + seport: ignore_selinux_state=yes ports=514 proto=tcp setype=syslogd_port_t state=present + when: rsyslog_enable_remote_tcp == 'enabled' + + - name: rsyslog firewalld services + firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(True) }} state={{ item.state }} immediate=True + with_items: '{{ rsyslog_firewalld_services }}' + + - name: rsyslog firewalld ports + firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True + with_items: '{{ rsyslog_firewalld_ports }}' + + when: + - rsyslog_enable_remote_socket | bool + - ansible_distribution_file_variety == "RedHat" + tags: [ 'syslog', 'rsyslog', 'remote_syslog', 'selinux', 'firewalld' ] diff --git a/library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 b/library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 new file mode 100644 index 0000000..bedbb6d --- /dev/null +++ b/library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 @@ -0,0 +1,34 @@ +# +# The order counts +# +{% if rsyslog_enable_remote_udp == 'enabled' %} +# Provides UDP syslog reception +module(load="imudp") # needs to be done just once +# input(type="imudp" port="{{ rsyslog_udp_port }}") +{% endif %} + +{% if rsyslog_enable_remote_tcp == 'enabled' %} +# Provides TCP syslog reception +module(load="imtcp") # needs to be done just once +# input(type="imtcp" port="{{ rsyslog_tcp_port }}") +{% endif %} + +# log every host in its own directory +$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log" +$RuleSet remote +*.* ?RemoteHost + +{% if rsyslog_enable_remote_udp == 'enabled' %} +# bind the ruleset to the udp listener +$InputUDPServerBindRuleset remote +# and activate it: +$UDPServerRun {{ rsyslog_udp_port }} +{% endif %} + +{% if rsyslog_enable_remote_tcp == 'enabled' %} +# bind the ruleset to the tcp listener +$InputTCPServerBindRuleset remote +# and activate it: +$InputTCPServerRun {{ rsyslog_tcp_port }} +{% endif %} +