Role that setups remote logging in rsyslog.
parent
83ac7ea7e3
commit
e2bd95f2c2
@ -1,6 +1,7 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: '../../library/centos/roles/centos-bootstrap'
|
||||
- role: '../../library/centos/roles/rsyslog'
|
||||
- role: '../../library/roles/dell-server-utilities'
|
||||
- role: '../../library/roles/sshd_config'
|
||||
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
|
||||
|
|
|
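Review bot: The rsyslog role is pulled in from two different paths in the two meta files touched here — `- role: '../../library/centos/roles/rsyslog'` in this section and `- role: '../../library/roles/rsyslog'` in the next one — so one of the prefixes is presumably a copy-paste slip, unless a CentOS-specific copy of the role really exists beside the generic one. Which of the seven lines is the added one cannot be recovered from this rendering, but the rsyslog entry is the only one matching the commit title. Confirm both directories exist or point both dependencies at the same role; a dependency path that does not resolve fails the play before any task runs.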
@ -1,6 +1,7 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: '../../library/roles/ubuntu-deb-general'
|
||||
- role: '../../library/roles/rsyslog'
|
||||
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
|
||||
- role: '../../library/roles/tmpreaper'
|
||||
- role: '../../library/roles/iptables'
|
||||
|
|
|
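--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,25 @@
+---
+rsyslog_enable_remote_socket: False
+rsyslog_enable_remote_udp: 'enabled'
+rsyslog_enable_remote_tcp: 'disabled'
+
+rsyslog_remote_path: /var/log/remote
+rsyslog_tls_status: 'disabled'
+rsyslog_tls_deb_pkgs:
+- 'rsyslog-gnutls'
+
+rsyslog_tls_rh_pkgs:
+- 'rsyslog-gnutls'
+
+rsyslog_udp_port: 514
+rsyslog_tcp_port: 514
+
+rsyslog_send_to_remote: False
+
+rsyslog_firewalld_services:
+- { service: 'syslog', state: '{{ rsyslog_enable_remote_udp }}', zone: '{{ firewalld_default_zone }}' }
+- { service: 'syslog-tls', state: '{{ rsyslog_tls_status }}', zone: '{{ firewalld_default_zone }}' }
+
+rsyslog_firewalld_ports:
+- { port: '{{ rsyslog_tcp_port }}', protocol: 'tcp', state: '{{ rsyslog_enable_remote_tcp }}', zone: '{{ firewalld_default_zone }}' }
+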
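Review bot: `rsyslog_enable_remote_socket: False` and `rsyslog_send_to_remote: False` use capitalised YAML 1.1 booleans while every other switch in the file is a lowercase quoted string; write them as `false` so yamllint's `truthy` rule and non-Python YAML parsers agree on the type. `rsyslog_send_to_remote` is not read by any task or template in this commit, so either the forwarding half of the role is still to come or the variable should go, to avoid advertising a feature the role does not implement. The `syslog-tls` firewalld entry is gated on `rsyslog_tls_status` alone, so enabling TLS opens that service even though the tasks only install a package for it; see the note on the template section for the missing listener configuration.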
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: Restart rsyslog
|
||||
service: name=rsyslog state=restarted
|
||||
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
---
|
||||
- name: Configure rsyslog so that it accepts logs from remote services
|
||||
block:
|
||||
- name: Ensure that the rsyslog package is installed. deb/ubuntu
|
||||
apt: pkg=rsyslog state=present cache_valid_time=1800
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
|
||||
- name: Ensure that the rsyslog package is installed. centos/rhel
|
||||
yum: pkg=rsyslog state=present
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: Create the additional rsyslog directory
|
||||
file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm
|
||||
|
||||
- name: Install the rsyslog configuration
|
||||
template: src=rsyslog-remote-socket.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote-socket.conf
|
||||
notify: Restart rsyslog
|
||||
|
||||
- name: Ensure that rsyslog is running and enabled
|
||||
service: name=rsyslog state=started enabled=yes
|
||||
|
||||
when: rsyslog_enable_remote_socket | bool
|
||||
tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
|
||||
|
||||
- name: Install the rsyslog TLS package on deb/ubuntu
|
||||
block:
|
||||
- name: Install the rsyslog TLS support
|
||||
apt: pkg={{ rsyslog_tls_deb_pkgs }} state=present cache_valid_time=1800
|
||||
notify: Restart rsyslog
|
||||
|
||||
when:
|
||||
- rsyslog_enable_remote_socket | bool
|
||||
- rsyslog_tls_status == 'enabled'
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
|
||||
|
||||
- name: Install the rsyslog TLS package on RHEL/CentOS
|
||||
block:
|
||||
- name: Install the rsyslog TLS support
|
||||
yum: pkg={{ rsyslog_tls_rh_pkgs }} state=present
|
||||
notify: Restart rsyslog
|
||||
|
||||
when:
|
||||
- rsyslog_enable_remote_socket | bool
|
||||
- rsyslog_tls_status == 'enabled'
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
|
||||
|
||||
- name: Configure SELinux and firewalld on RHEL/CentOS
|
||||
block:
|
||||
- name: SELinux udp port
|
||||
seport: ignore_selinux_state=yes ports=514 proto=udp setype=syslogd_port_t state=present
|
||||
when: rsyslog_enable_remote_udp == 'enabled'
|
||||
|
||||
- name: SELinux tcp port
|
||||
seport: ignore_selinux_state=yes ports=514 proto=tcp setype=syslogd_port_t state=present
|
||||
when: rsyslog_enable_remote_tcp == 'enabled'
|
||||
|
||||
- name: rsyslog firewalld services
|
||||
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(True) }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ rsyslog_firewalld_services }}'
|
||||
|
||||
- name: rsyslog firewalld ports
|
||||
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ rsyslog_firewalld_ports }}'
|
||||
|
||||
when:
|
||||
- rsyslog_enable_remote_socket | bool
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
tags: [ 'syslog', 'rsyslog', 'remote_syslog', 'selinux', 'firewalld' ]
|
|
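Review bot: Both `seport` tasks hard-code `ports=514` while the listeners in the template and the firewalld port rule use `rsyslog_udp_port` / `rsyslog_tcp_port`, so changing either variable leaves the `syslogd_port_t` label on the default port and SELinux denies the bind on the configured one; use `seport: ignore_selinux_state=yes ports={{ rsyslog_udp_port }} proto=udp setype=syslogd_port_t state=present` and the tcp equivalent. The directory task `file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm` runs on RedHat hosts too, where a `syslog` user presumably does not exist, and it sets no `mode`; since this tree collects other hosts' logs it should carry an explicit restrictive mode, e.g. `mode=0750`, and an owner that exists on both families. The `firewalld` services task defaults `permanent` to `True` but the ports task defaults it to `False`, so the TCP port opening would be lost on a firewalld reload while the service openings survive; the two defaults presumably should match. The `key=value` argument shorthand is used throughout; native YAML module arguments are the documented Ansible style and make the templated values lintable.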
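--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,34 @@
+#
+# The order counts
+#
+{% if rsyslog_enable_remote_udp == 'enabled' %}
+# Provides UDP syslog reception
+module(load="imudp") # needs to be done just once
+# input(type="imudp" port="{{ rsyslog_udp_port }}")
+{% endif %}
+
+{% if rsyslog_enable_remote_tcp == 'enabled' %}
+# Provides TCP syslog reception
+module(load="imtcp") # needs to be done just once
+# input(type="imtcp" port="{{ rsyslog_tcp_port }}")
+{% endif %}
+
+# log every host in its own directory
+$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log"
+$RuleSet remote
+*.* ?RemoteHost
+
+{% if rsyslog_enable_remote_udp == 'enabled' %}
+# bind the ruleset to the udp listener
+$InputUDPServerBindRuleset remote
+# and activate it:
+$UDPServerRun {{ rsyslog_udp_port }}
+{% endif %}
+
+{% if rsyslog_enable_remote_tcp == 'enabled' %}
+# bind the ruleset to the tcp listener
+$InputTCPServerBindRuleset remote
+# and activate it:
+$InputTCPServerRun {{ rsyslog_tcp_port }}
+{% endif %}
+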
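Review bot: `$RuleSet remote` switches the active ruleset and the file never switches back, so rules in configuration files included after this one (the `10-` prefix sorts it early under `/etc/rsyslog.d`) are presumably appended to `remote` rather than the default ruleset, which would stop local messages from reaching the distribution's default rules; close the file with `$RuleSet RSYSLOG_DefaultRuleset`. The dynafile name `"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log"` is built from a header field the sending host controls, so a slash in a received hostname is interpreted as a path separator; use the property replacer's path-safe option, `$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME:::secpath-replace%/syslog.log"`. `rsyslog_tls_status` installs `rsyslog-gnutls` and opens the `syslog-tls` firewalld service in the tasks, but nothing in this template configures a TLS netstream driver or certificates, so enabling it opens a port with no listener while the UDP and TCP inputs stay plaintext. RainerScript `module(load=...)` lines sit beside legacy `$...` directives; both work, but mixing the two dialects in a file whose header says "The order counts" makes that ordering harder to reason about.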