diff --git a/roles/rsyslog_common/defaults/main.yml b/roles/rsyslog_common/defaults/main.yml
new file mode 100644
index 0000000..e5e6024
--- /dev/null
+++ b/roles/rsyslog_common/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+rsyslog_outputs: []
+...
diff --git a/roles/rsyslog_common/handlers/main.yml b/roles/rsyslog_common/handlers/main.yml
new file mode 100644
index 0000000..2a378d7
--- /dev/null
+++ b/roles/rsyslog_common/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Restart rsyslog
+ become: yes
+ systemd:
+ name: rsyslog.service
+ state: restarted
+
+- name: Restart systemd-journald
+ become: yes
+ systemd:
+ name: systemd-journald.service
+ state: restarted
+...
diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml
new file mode 100644
index 0000000..9e1c7eb
--- /dev/null
+++ b/roles/rsyslog_common/tasks/main.yml
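Review bot: Both handlers set `become: yes`, whereas every task in the `tasks/main.yml` added by this same commit uses `become: true`; `yes` is a YAML 1.1 truthy value that yamllint's `truthy` rule rejects and that a YAML 1.2 loader reads as the string "yes". Change both handlers to `become: true` so the role is consistent and lint-clean.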
@@ -0,0 +1,57 @@
+---
+- name: Install rsyslog
+ become: true
+ apt:
+ name: rsyslog
+ state: latest
+
+- name: Install rsyslog modules if needed
+ become: true
+ apt:
+ name: "{{ item.pkg }}"
+ state: latest
+ when: "rsyslog_outputs | selectattr('proto', 'eq', item.proto) | list"
+ loop:
+ - proto: relp
+ pkg: rsyslog-relp
+ - proto: redis
+ pkg: rsyslog-hiredis
+
+- name: Deploy main rsyslog configuration
+ become: true
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ loop:
+ - src: rsyslog.conf.j2
+ dest: /etc/rsyslog.conf
+ - src: 99-common.conf.j2
+ dest: /etc/rsyslog.d/99-common.conf
+ notify: Restart rsyslog
+
+- name: Create journald.conf.d directory
+ become: true
+ file:
+ path: /etc/systemd/journald.conf.d
+ state: directory
+
+- name: Deploy journald configuration
+ become: true
+ template:
+ src: forward-syslog.conf.j2
+ dest: /etc/systemd/journald.conf.d/forward-syslog.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ notify: Restart systemd-journald
+
+- name: Enable rsyslog service
+ become: true
+ systemd:
+ name: rsyslog.service
+ state: started
+ enabled: true
+...
diff --git a/roles/rsyslog_common/templates/99-common.conf.j2 b/roles/rsyslog_common/templates/99-common.conf.j2
new file mode 100644
index 0000000..dcb1775
--- /dev/null
+++ b/roles/rsyslog_common/templates/99-common.conf.j2
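Review bot: The `Deploy main rsyslog configuration` loop installs `/etc/rsyslog.d/99-common.conf` with `mode: u=rw,g=r,o=r`, but the template behind it emits `serverpassword="{{ output.password }}"` for redis outputs, so any Redis credential configured in `rsyslog_outputs` becomes world-readable on the host. rsyslog parses its configuration at start-up before any privilege drop takes effect, so root-only access is enough: make the mode a per-item attribute, `mode: "{{ item.mode | default('u=rw,g=r,o=r') }}"`, and give the `99-common.conf` loop item `mode: u=rw,g=r,o=`. Consider `diff: false` on that task as well, otherwise a `--diff` run prints the rendered password to the console and any CI log. Separately, `state: latest` on both apt tasks upgrades the packages on every run; `state: present` keeps the role idempotent and leaves upgrades to the patching process.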
@@ -0,0 +1,108 @@
+{{ ansible_managed | comment }}
+
+{%
+ set output_modules = {
+ "relp": "omrelp",
+ "udp": "omfwd",
+ "redis": "omhiredis",
+ }
+%}
+
+global(
+ workDirectory="/var/spool/rsyslog"
+ preserveFQDN="on"
+)
+
+# Collect logs via /dev/log
+module(load="imuxsock")
+
+# Collect kernel logs
+module(load="imklog")
+
+# Collect systemd-journald logs
+module(load="imjournal")
+
+# Parse CEE logs
+module(load="mmjsonparse")
+
+# Load export modules
+{%
+ for module in rsyslog_outputs
+ | map(attribute="proto")
+ | map("extract", output_modules)
+ | list
+ | unique
+%}
+module(load="{{ module }}")
+{% endfor %}
+
+# FIXME: Attention, il faut voir si rsyslog arrive bien à créer
+# les fichiers de plusieurs jours (le 1er est peut-être crée avant
+# de dropper les privilèges, mais les suivants je pense pas).
+module(
+ load="builtin:omfile"
+ # Format avec dates précises
+ template="RSYSLOG_FileFormat"
+ fileOwner="root"
+ fileGroup="adm"
+ fileCreateMode="0640"
+ dirCreateMode="0755"
+)
+
+template(name="templateJson" type="list" option.jsonf="on") {
+ property(outname="hostname_reported" name="hostname" format="jsonf")
+ property(outname="src" name="fromhost-ip" format="jsonf")
+ property(outname="facility" name="syslogfacility-text" format="jsonf")
+ property(outname="program" name="programname" format="jsonf")
+ property(outname="pid" name="procid" format="jsonf")
+ property(outname="time_reported" name="timereported" format="jsonf"
+ dateformat="rfc3339")
+ property(outname="time_generated" name="timegenerated" format="jsonf"
+ dateformat="rfc3339")
+ property(outname="message" name="msg" format="jsonf")
+}
+
+ruleset(name="sendLogsToDisk") {
+ auth,authpriv.* action(type="omfile" file="/var/log/auth.log")
+ mail.* action(type="omfile" file="/var/log/mail.log" sync="off")
+ kern.* action(type="omfile" file="/var/log/kern.log")
+ *.*;auth,authpriv.none action(type="omfile" file="/var/log/syslog.log"
+ sync="off")
+}
+
+# Send logs to remote collector(s)
+ruleset(name="sendLogsToRemote") {
+{% for output in rsyslog_outputs %}
+ action(
+ type="{{ output_modules[output.proto] }}"
+
+{% if output_modules[output.proto] == "omfwd" %}
+ protocol="{{ output.proto }}"
+ target="{{ output.address }}"
+ port="{{ output.port }}"
+{% elif output_modules[output.proto] == "omhiredis" %}
+ server="{{ output.address }}"
+ serverport="{{ output.port }}"
+ mode="publish"
+ key="{{ output.key }}"
+ template="templateJson"
+{% if output.password is defined %}
+ serverpassword="{{ output.password }}"
+{% endif %}
+{% elif output_modules[output.proto] == "omrelp" %}
+ target="{{ output.address }}"
+ port="{{ output.port }}"
+{% endif %}
+
+{% if loop.index > 1 and output.fallback %}
+ action.execOnlyWhenPreviousIsSuspended="on"
+{% endif %}
+ )
+{% endfor %}
+}
+
+# Send local logs to files (useful for debugging or if the collector is down)
+call sendLogsToDisk
+
+# Send local logs to the remote collector
+call sendLogsToRemote
diff --git a/roles/rsyslog_common/templates/forward-syslog.conf.j2 b/roles/rsyslog_common/templates/forward-syslog.conf.j2
new file mode 100644
index 0000000..7f81095
--- /dev/null
+++ b/roles/rsyslog_common/templates/forward-syslog.conf.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+
+[Journal]
+# journald logs are already retrieved by rsyslog using imjournal
+ForwardToSyslog=no
+MaxLevelSyslog=debug
diff --git a/roles/rsyslog_common/templates/rsyslog.conf.j2 b/roles/rsyslog_common/templates/rsyslog.conf.j2
new file mode 100644
index 0000000..9c4c687
--- /dev/null
+++ b/roles/rsyslog_common/templates/rsyslog.conf.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+include(file="/etc/rsyslog.d/*.conf")
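Review bot: The `sendLogsToRemote` ruleset forwards everything, including the auth/authpriv stream that `sendLogsToDisk` writes to `/var/log/auth.log`, without any transport security: the `omfwd` branch sets only `protocol`/`target`/`port` and the `omrelp` branch only `target`/`port`, so the logs travel in clear text and the collector has no way to authenticate the sender. For RELP the fix is `tls="on"` plus `tls.caCert`, `tls.myCert`, `tls.myPrivKey`, `tls.authMode="name"` and `tls.permittedPeer` as sketched below (values carried as extra keys of the `rsyslog_outputs` entry); for a TCP `omfwd` output the equivalents are `StreamDriver="gtls"`, `StreamDriverMode="1"` and `StreamDriverAuthMode="x509/name"` with the CA/cert/key set in the `global()` stanza. The `action.execOnlyWhenPreviousIsSuspended="on"` failover also cannot engage when the entry before it is a `udp` output, because a UDP omfwd action never detects delivery failure and so is never suspended; only a TCP or RELP primary can trigger the fallback. Finally, `output.fallback` is dereferenced unguarded while `output.password` gets an `is defined` check, so an entry without a `fallback` key is likely to fail under Ansible's strict undefined handling; `{% if loop.index > 1 and output.fallback | default(false) %}` avoids that.
```jinja
{# … unchanged: omfwd and omhiredis branches … #}
{% elif output_modules[output.proto] == "omrelp" %}
  target="{{ output.address }}"
  port="{{ output.port }}"
  tls="on"
  tls.caCert="{{ output.tls_ca_cert }}"
  tls.myCert="{{ output.tls_cert }}"
  tls.myPrivKey="{{ output.tls_key }}"
  tls.authMode="name"
  tls.permittedPeer="{{ output.tls_permitted_peer }}"
{% endif %}
{# … unchanged: failover guard and closing paren … #}
```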
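Review bot: `MaxLevelSyslog=debug` has no effect here because `ForwardToSyslog=no` two lines above disables the forwarding path that option filters; with imjournal reading the journal directly, what reaches rsyslog is governed by imjournal, not by this setting. Either delete the line or say why it stays, e.g. `# Only takes effect if ForwardToSyslog is turned back on`.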
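Review bot: Replacing the distribution's `/etc/rsyslog.conf` with nothing but `include(file="/etc/rsyslog.d/*.conf")` drops every setting the stock file carried, and `99-common.conf.j2` in this commit adds no `privDropToUser`/`privDropToGroup` of its own — on Ubuntu the packaged file drops to the `syslog` user, so after this change rsyslog would keep running as root, even though the French FIXME in the template already assumes a privilege drop happens. If that is unintended, add `privDropToUser="syslog" privDropToGroup="syslog"` to the template's `global()` stanza and revisit `fileOwner="root"`, which an unprivileged rsyslog cannot honour for files created after the drop. The glob also keeps loading any package-shipped fragment left in `/etc/rsyslog.d/` (Ubuntu's `50-default.conf` writes `auth.log`, `kern.log` and `mail.log` too), which double-writes those files unless the role removes it; an explicit `include(file="/etc/rsyslog.d/99-common.conf")` or a task that purges unmanaged files from that directory avoids that.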