Role that setups remote logging in rsyslog.

library/bootstrap-roles/centos-common/meta/main.yml

@@ -1,6 +1,7 @@
 ---
 dependencies:
   - role: '../../library/centos/roles/centos-bootstrap'
+  - role: '../../library/centos/roles/rsyslog'
   - role: '../../library/roles/dell-server-utilities'
   - role: '../../library/roles/sshd_config'
   - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }

library/bootstrap-roles/deb-ubuntu-common/meta/main.yml

@@ -1,6 +1,7 @@
 ---
 dependencies:
   - role: '../../library/roles/ubuntu-deb-general'
+  - role: '../../library/roles/rsyslog'
   - { role: '../../library/roles/cloud-init', when:  ansible_product_name == "oVirt Node" }
   - role: '../../library/roles/tmpreaper'
   - role: '../../library/roles/iptables'

library/roles/rsyslog/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+rsyslog_enable_remote_socket: False
+rsyslog_enable_remote_udp: 'enabled'
+rsyslog_enable_remote_tcp: 'disabled'
+
+rsyslog_remote_path: /var/log/remote
+rsyslog_tls_status: 'disabled'
+rsyslog_tls_deb_pkgs:
+  - 'rsyslog-gnutls'
+
+rsyslog_tls_rh_pkgs:
+  - 'rsyslog-gnutls'
+
+rsyslog_udp_port: 514
+rsyslog_tcp_port: 514
+
+rsyslog_send_to_remote: False
+
+rsyslog_firewalld_services:
+  - { service: 'syslog', state: '{{ rsyslog_enable_remote_udp }}', zone: '{{ firewalld_default_zone }}' }
+  - { service: 'syslog-tls', state: '{{ rsyslog_tls_status }}', zone: '{{ firewalld_default_zone }}'  }
+
+rsyslog_firewalld_ports:
+  - { port: '{{ rsyslog_tcp_port }}', protocol: 'tcp', state: '{{ rsyslog_enable_remote_tcp }}', zone: '{{ firewalld_default_zone }}'  }
+

library/roles/rsyslog/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart rsyslog
+  service: name=rsyslog state=restarted
+
+

library/roles/rsyslog/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+- name: Configure rsyslog so that it accepts logs from remote services
+  block:
+    - name: Ensure that the rsyslog package is installed. deb/ubuntu
+      apt: pkg=rsyslog state=present cache_valid_time=1800
+      when: ansible_distribution_file_variety == "Debian"
+
+    - name: Ensure that the rsyslog package is installed. centos/rhel
+      yum: pkg=rsyslog state=present
+      when: ansible_distribution_file_variety == "RedHat"
+
+    - name: Create the additional rsyslog directory
+      file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm
+
+    - name: Install the rsyslog configuration
+      template: src=rsyslog-remote-socket.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote-socket.conf
+      notify: Restart rsyslog
+
+    - name: Ensure that rsyslog is running and enabled
+      service: name=rsyslog state=started enabled=yes
+
+  when: rsyslog_enable_remote_socket | bool
+  tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
+
+- name: Install the rsyslog TLS package on deb/ubuntu
+  block:
+    - name: Install the rsyslog TLS support
+      apt: pkg={{ rsyslog_tls_deb_pkgs }} state=present cache_valid_time=1800
+      notify: Restart rsyslog
+
+  when:
+    - rsyslog_enable_remote_socket | bool
+    - rsyslog_tls_status == 'enabled'
+    - ansible_distribution_file_variety == "Debian"
+  tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
+
+- name: Install the rsyslog TLS package on RHEL/CentOS
+  block:
+    - name: Install the rsyslog TLS support
+      yum: pkg={{ rsyslog_tls_rh_pkgs }} state=present
+      notify: Restart rsyslog
+
+  when:
+    - rsyslog_enable_remote_socket | bool
+    - rsyslog_tls_status == 'enabled'
+    - ansible_distribution_file_variety == "RedHat"
+  tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
+
+- name: Configure SELinux and firewalld on RHEL/CentOS
+  block:
+    - name: SELinux udp port
+      seport: ignore_selinux_state=yes ports=514 proto=udp setype=syslogd_port_t state=present
+      when: rsyslog_enable_remote_udp == 'enabled'
+
+    - name: SELinux tcp port
+      seport: ignore_selinux_state=yes ports=514 proto=tcp setype=syslogd_port_t state=present
+      when: rsyslog_enable_remote_tcp == 'enabled'
+
+    - name: rsyslog firewalld services
+      firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(True) }} state={{ item.state }} immediate=True
+      with_items: '{{ rsyslog_firewalld_services }}'
+
+    - name: rsyslog firewalld ports
+      firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
+      with_items: '{{ rsyslog_firewalld_ports }}'
+
+  when:
+    - rsyslog_enable_remote_socket | bool
+    - ansible_distribution_file_variety == "RedHat"
+  tags: [ 'syslog', 'rsyslog', 'remote_syslog', 'selinux', 'firewalld' ]

library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2

@@ -0,0 +1,34 @@
+#
+# The order counts
+#
+{% if rsyslog_enable_remote_udp == 'enabled' %}
+# Provides UDP syslog reception
+module(load="imudp") # needs to be done just once 
+# input(type="imudp" port="{{ rsyslog_udp_port }}")
+{% endif %}
+
+{% if rsyslog_enable_remote_tcp == 'enabled' %}
+# Provides TCP syslog reception
+module(load="imtcp") # needs to be done just once 
+# input(type="imtcp" port="{{ rsyslog_tcp_port }}")
+{% endif %}
+
+# log every host in its own directory
+$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log"
+$RuleSet remote
+*.* ?RemoteHost
+
+{% if rsyslog_enable_remote_udp == 'enabled' %}
+# bind the ruleset to the udp listener
+$InputUDPServerBindRuleset remote
+# and activate it:
+$UDPServerRun {{ rsyslog_udp_port }}
+{% endif %}
+
+{% if rsyslog_enable_remote_tcp == 'enabled' %}
+# bind the ruleset to the tcp listener
+$InputTCPServerBindRuleset remote
+# and activate it:
+$InputTCPServerRun {{ rsyslog_tcp_port }}
+{% endif %}
+