From 89181c6cd6eaf16107f315876b04e6260f81dc48 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 28 Feb 2021 22:59:36 +0100 Subject: [PATCH 01/23] Add log.adm.auro.re to inventory --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 7cf9128..fd690e8 100644 --- a/hosts +++ b/hosts @@ -37,6 +37,7 @@ wikijs.adm.auro.re prometheus-aurore.adm.auro.re portail.adm.auro.re jitsi-aurore.adm.auro.re +log.adm.auro.re [aurore_testing_vm] pendragon.adm.auro.re -- 2.43.4 From 6263c317851487ff0b83a3c2a2ab435b3d0b3e19 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 01:27:30 +0100 Subject: [PATCH 02/23] Add rsyslog_common role --- roles/rsyslog_common/defaults/main.yml | 3 + roles/rsyslog_common/handlers/main.yml | 13 +++ roles/rsyslog_common/tasks/main.yml | 57 +++++++++ .../templates/99-common.conf.j2 | 108 ++++++++++++++++++ .../templates/forward-syslog.conf.j2 | 6 + .../rsyslog_common/templates/rsyslog.conf.j2 | 3 + 6 files changed, 190 insertions(+) create mode 100644 roles/rsyslog_common/defaults/main.yml create mode 100644 roles/rsyslog_common/handlers/main.yml create mode 100644 roles/rsyslog_common/tasks/main.yml create mode 100644 roles/rsyslog_common/templates/99-common.conf.j2 create mode 100644 roles/rsyslog_common/templates/forward-syslog.conf.j2 create mode 100644 roles/rsyslog_common/templates/rsyslog.conf.j2 diff --git a/roles/rsyslog_common/defaults/main.yml b/roles/rsyslog_common/defaults/main.yml new file mode 100644 index 0000000..e5e6024 --- /dev/null +++ b/roles/rsyslog_common/defaults/main.yml @@ -0,0 +1,3 @@ +--- +rsyslog_outputs: [] +... diff --git a/roles/rsyslog_common/handlers/main.yml b/roles/rsyslog_common/handlers/main.yml new file mode 100644 index 0000000..2a378d7 --- /dev/null +++ b/roles/rsyslog_common/handlers/main.yml 
@@ -0,0 +1,13 @@ +--- +- name: Restart rsyslog + become: yes + systemd: + name: rsyslog.service + state: restarted + +- name: Restart systemd-journald + become: yes + systemd: + name: systemd-journald.service + state: restarted +... diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml new file mode 100644 index 0000000..9e1c7eb --- /dev/null +++ b/roles/rsyslog_common/tasks/main.yml @@ -0,0 +1,57 @@ +--- +- name: Install rsyslog + become: true + apt: + name: rsyslog + state: latest + +- name: Install rsyslog modules if needed + become: true + apt: + name: "{{ item.pkg }}" + state: latest + when: "rsyslog_outputs | selectattr('proto', 'eq', item.proto) | list" + loop: + - proto: relp + pkg: rsyslog-relp + - proto: redis + pkg: rsyslog-hiredis + +- name: Deploy main rsyslog configuration + become: true + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: u=rw,g=r,o=r + loop: + - src: rsyslog.conf.j2 + dest: /etc/rsyslog.conf + - src: 99-common.conf.j2 + dest: /etc/rsyslog.d/99-common.conf + notify: Restart rsyslog + +- name: Create journald.conf.d directory + become: true + file: + path: /etc/systemd/journald.conf.d + state: directory + +- name: Deploy journald configuration + become: true + template: + src: forward-syslog.conf.j2 + dest: /etc/systemd/journald.conf.d/forward-syslog.conf + owner: root + group: root + mode: u=rw,g=r,o=r + notify: Restart systemd-journald + +- name: Enable rsyslog service + become: true + systemd: + name: rsyslog.service + state: started + enabled: true +... diff --git a/roles/rsyslog_common/templates/99-common.conf.j2 b/roles/rsyslog_common/templates/99-common.conf.j2 new file mode 100644 index 0000000..dcb1775 --- /dev/null +++ b/roles/rsyslog_common/templates/99-common.conf.j2 
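Review bot: `/etc/rsyslog.d/99-common.conf` is installed `u=rw,g=r,o=r`, yet the template it renders (99-common.conf.j2 in this same patch) emits `serverpassword="{{ output.password }}"` for Redis outputs, so a Redis credential would become readable by every local account on every host; `mode: u=rw,g=r,o=` with root:root is enough, since rsyslog reads its configuration as root before any privilege drop. Separately, `state: latest` on both `apt` tasks upgrades rsyslog and its modules on every playbook run, which is an unscheduled change on a logging host; `state: present` keeps upgrades under the normal patch process. The `when:` on the module task relies on the truthiness of a rendered list, which works but deserves a short comment such as `# install the module only if at least one output uses that protocol`.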
@@ -0,0 +1,108 @@ +{{ ansible_managed | comment }} + +{% + set output_modules = { + "relp": "omrelp", + "udp": "omfwd", + "redis": "omhiredis", + } +%} + +global( + workDirectory="/var/spool/rsyslog" + preserveFQDN="on" +) + +# Collect logs via /dev/log +module(load="imuxsock") + +# Collect kernel logs +module(load="imklog") + +# Collect systemd-journald logs +module(load="imjournal") + +# Parse CEE logs +module(load="mmjsonparse") + +# Load export modules +{% + for module in rsyslog_outputs + | map(attribute="proto") + | map("extract", output_modules) + | list + | unique +%} +module(load="{{ module }}") +{% endfor %} + +# FIXME: Attention, il faut voir si rsyslog arrive bien à créer +# les fichiers de plusieurs jours (le 1er est peut-être crée avant +# de dropper les privilèges, mais les suivants je pense pas). +module( + load="builtin:omfile" + # Format avec dates précises + template="RSYSLOG_FileFormat" + fileOwner="root" + fileGroup="adm" + fileCreateMode="0640" + dirCreateMode="0755" +) + +template(name="templateJson" type="list" option.jsonf="on") { + property(outname="hostname_reported" name="hostname" format="jsonf") + property(outname="src" name="fromhost-ip" format="jsonf") + property(outname="facility" name="syslogfacility-text" format="jsonf") + property(outname="program" name="programname" format="jsonf") + property(outname="pid" name="procid" format="jsonf") + property(outname="time_reported" name="timereported" format="jsonf" + dateformat="rfc3339") + property(outname="time_generated" name="timegenerated" format="jsonf" + dateformat="rfc3339") + property(outname="message" name="msg" format="jsonf") +} + +ruleset(name="sendLogsToDisk") { + auth,authpriv.* action(type="omfile" file="/var/log/auth.log") + mail.* action(type="omfile" file="/var/log/mail.log" sync="off") + kern.* action(type="omfile" file="/var/log/kern.log") + *.*;auth,authpriv.none action(type="omfile" file="/var/log/syslog.log" + sync="off") +} + +# Send logs to remote collector(s) 
+ruleset(name="sendLogsToRemote") { +{% for output in rsyslog_outputs %} + action( + type="{{ output_modules[output.proto] }}" + +{% if output_modules[output.proto] == "omfwd" %} + protocol="{{ output.proto }}" + target="{{ output.address }}" + port="{{ output.port }}" +{% elif output_modules[output.proto] == "omhiredis" %} + server="{{ output.address }}" + serverport="{{ output.port }}" + mode="publish" + key="{{ output.key }}" + template="templateJson" +{% if output.password is defined %} + serverpassword="{{ output.password }}" +{% endif %} +{% elif output_modules[output.proto] == "omrelp" %} + target="{{ output.address }}" + port="{{ output.port }}" +{% endif %} + +{% if loop.index > 1 and output.fallback %} + action.execOnlyWhenPreviousIsSuspended="on" +{% endif %} + ) +{% endfor %} +} + +# Send local logs to files (useful for debugging or if the collector is down) +call sendLogsToDisk + +# Send local logs to the remote collector +call sendLogsToRemote diff --git a/roles/rsyslog_common/templates/forward-syslog.conf.j2 b/roles/rsyslog_common/templates/forward-syslog.conf.j2 new file mode 100644 index 0000000..7f81095 --- /dev/null +++ b/roles/rsyslog_common/templates/forward-syslog.conf.j2 @@ -0,0 +1,6 @@ +{{ ansible_managed | comment }} + +[Journal] +# journald logs are already retrieved by rsyslog using imjournal +ForwardToSyslog=no +MaxLevelSyslog=debug diff --git a/roles/rsyslog_common/templates/rsyslog.conf.j2 b/roles/rsyslog_common/templates/rsyslog.conf.j2 new file mode 100644 index 0000000..9c4c687 --- /dev/null +++ b/roles/rsyslog_common/templates/rsyslog.conf.j2 @@ -0,0 +1,3 @@ +{{ ansible_managed | comment }} + +include(file="/etc/rsyslog.d/*.conf") -- 2.43.4 From 7fd1b5ff5d86914f7b006af5f23e40792a666ea3 Mon Sep 17 00:00:00 2001 
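Review bot: Every output rendered in `sendLogsToRemote` is sent in clear: `omfwd` with `protocol="udp"` offers neither confidentiality nor integrity (and its source is spoofable), and `omrelp` is rendered without any `tls.*` option, so auth/sudo events cross the network readable and forgeable. For RELP, `tls="on"` together with `tls.caCert`/`tls.myCert`/`tls.myPrivKey` and `tls.authMode="name"`/`tls.permittedPeer` would authenticate both ends; UDP should be reserved for devices that cannot do better, and that choice deserves a comment above the ruleset. Also, `{% if loop.index > 1 and output.fallback %}` dereferences `fallback` unconditionally, so from the second output onward an entry that omits that key fails the render under Ansible's strict undefined handling (I believe); `output.fallback | default(false)` avoids it. The `FIXME` above the omfile module is in French; an English version keeps the configuration readable for the wider team.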
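Review bot: `ForwardToSyslog=no` stops journald from writing to the syslog socket, and on a systemd host `/dev/log` belongs to journald, so as far as I can tell rsyslog's `imuxsock` then receives nothing locally and `imjournal` becomes the only path for local messages. That is coherent within this patch but couples the two files silently: patch 19 of this series removes `imjournal` again, and at that point this drop-in must return to `ForwardToSyslog=yes` or sshd, sudo and nginx lines never reach rsyslog or the collector. A comment naming the dependency, `# Must be 'yes' if imjournal is removed from the rsyslog configuration`, would guard against that. `MaxLevelSyslog=debug` has no effect while forwarding is disabled.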
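Review bot: Replacing the distribution's `/etc/rsyslog.conf` with a bare `include(...)` also discards whatever defaults it carried, and nothing in the new configuration sets `privDropToUser`/`privDropToGroup`, so rsyslog keeps running as root for its whole lifetime, including on the collector where it accepts network input. The `FIXME` in 99-common.conf.j2 already assumes privileges are dropped, so either add `global(... privDropToUser="syslog" privDropToGroup="syslog")` there (and then settle the file-creation concern that FIXME raises) or reword the FIXME; as written the two files disagree. A one-line comment here explaining why the stock file is replaced rather than extended through `/etc/rsyslog.d/` would help future maintainers.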
From: Jeltz Date: Mon, 1 Mar 2021 01:27:56 +0100 Subject: [PATCH 03/23] Add rsyslog_collector role --- roles/rsyslog_collector/defaults/main.yml | 4 ++ roles/rsyslog_collector/meta/main.yml | 4 ++ roles/rsyslog_collector/tasks/main.yml | 24 +++++++++ .../templates/10-collector.conf.j2 | 53 +++++++++++++++++++ 4 files changed, 85 insertions(+) create mode 100644 roles/rsyslog_collector/defaults/main.yml create mode 100644 roles/rsyslog_collector/meta/main.yml create mode 100644 roles/rsyslog_collector/tasks/main.yml create mode 100644 roles/rsyslog_collector/templates/10-collector.conf.j2 diff --git a/roles/rsyslog_collector/defaults/main.yml b/roles/rsyslog_collector/defaults/main.yml new file mode 100644 index 0000000..d0f9337 --- /dev/null +++ b/roles/rsyslog_collector/defaults/main.yml @@ -0,0 +1,4 @@ +--- +rsyslog_inputs: [] +rsyslog_collector_base_dir: /var/log/remote +... diff --git a/roles/rsyslog_collector/meta/main.yml b/roles/rsyslog_collector/meta/main.yml new file mode 100644 index 0000000..8e7f44c --- /dev/null +++ b/roles/rsyslog_collector/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: rsyslog_common +... diff --git a/roles/rsyslog_collector/tasks/main.yml b/roles/rsyslog_collector/tasks/main.yml new file mode 100644 index 0000000..d0487e6 --- /dev/null +++ b/roles/rsyslog_collector/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: Install rsyslog-relp if needed + become: true + apt: + name: rsyslog-relp + state: latest + when: "rsyslog_inputs | selectattr('proto', 'eq', 'relp') | list" + +- name: Ensure log storage directory exists + become: true + file: + path: "{{ rsyslog_collector_base_dir }}" + state: directory + +- name: Deploy rsyslog input configuration file + become: true + template: + src: 10-collector.conf.j2 + dest: /etc/rsyslog.d/10-collector.conf + owner: root + group: root + mode: u=rw,g=r,o=r + notify: Restart rsyslog +... 
diff --git a/roles/rsyslog_collector/templates/10-collector.conf.j2 b/roles/rsyslog_collector/templates/10-collector.conf.j2 new file mode 100644 index 0000000..793e519 --- /dev/null +++ b/roles/rsyslog_collector/templates/10-collector.conf.j2 @@ -0,0 +1,53 @@ +{{ ansible_managed | comment }} + +module(load="mmrm1stspace") + +{% + set input_modules = { + "relp": "imrelp", + "udp": "imudp", + } +%} + +{% + for module in rsyslog_inputs + | map(attribute="proto") + | map("extract", input_modules) + | list + | unique +%} +module(load="{{ module }}") +{% endfor %} + +template(name="incomingFilename" type="list") { + constant(value="{{ rsyslog_collector_base_dir }}/") + property(name="fromhost-ip") + constant(value="/") + property(name="timegenerated" dateFormat="year") + constant(value="-") + property(name="timegenerated" dateFormat="month") + constant(value="-") + property(name="timegenerated" dateFormat="day") + constant(value=".log") +} + +ruleset(name="handleIncomingLogs") { + action(type="mmrm1stspace") + action( + type="omfile" + dynaFile="incomingFilename" + template="RSYSLOG_FileFormat" + ) +} + +# TODO: add protocol-specific options (eg. TLS) +{% for input in rsyslog_inputs %} +input( + type="{{ input_modules[input.proto] }}" +{% if "address" in input %} + address="{{ input.address }}" +{% endif %} + port="{{ input.port }}" + ruleset="handleIncomingLogs" +) +{% endfor %} -- 2.43.4 From 4a43bf8a16aa67bf901d194c4b963f71075eeb61 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 01:28:30 +0100 Subject: [PATCH 04/23] Add logging configuration for log.adm.auro.re --- host_vars/log.adm.auro.re.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 host_vars/log.adm.auro.re.yml diff --git a/host_vars/log.adm.auro.re.yml b/host_vars/log.adm.auro.re.yml new file mode 100644 index 0000000..24ae171 --- /dev/null +++ b/host_vars/log.adm.auro.re.yml 
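Review bot: The `imudp` and `imrelp` inputs accept messages from any source and bind every address unless the inventory supplies one, and the per-sender directory is derived from `fromhost-ip`, which for UDP is attacker-chosen: anyone who can reach the port can forge another host's log history and fill `/var/log/remote` without bound (rotation only acts on age). Authentication and TLS are already a TODO here; until then, limit the damage with per-input rate limiting on UDP, e.g. `ratelimit.interval="1" ratelimit.burst="10000"` inside the `imudp` input (tuned to the expected volume), and default `address` to the adm-network IP instead of all interfaces. The TODO could also state that `fromhost-ip` is only trustworthy for authenticated RELP peers, so a directory name is not evidence of origin for UDP senders.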
@@ -0,0 +1,8 @@ +--- +rsyslog_collector_base_dir: /var/log/remote +rsyslog_inputs: + - proto: relp + port: 20514 + - proto: udp + port: 514 +... -- 2.43.4 From 02a8cb84dfc6c684a3e899208a0e64f3d8dae0f4 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 01:29:16 +0100 Subject: [PATCH 05/23] Add log.yml playbook --- log.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 log.yml diff --git a/log.yml b/log.yml new file mode 100644 index 0000000..8c8fc15 --- /dev/null +++ b/log.yml @@ -0,0 +1,5 @@ +--- +- hosts: log.adm.auro.re + roles: + - rsyslog_collector +... -- 2.43.4 From ba8b4e8c2963548f6f2eb4abe81cee02a546e456 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 02:11:29 +0100 Subject: [PATCH 06/23] Fix the ordering of rsyslog.d files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A call to sendLogsToRemote for logs received through RELP/UDP has been added (to send them to Logstash/Redis/…), so common.conf's prefix must be lower than collector.conf's. Note: future "third-party" config files will also call sendLogsToRemote and thus will also have to use a prefix higher than 10. --- roles/rsyslog_collector/tasks/main.yml | 4 ++-- .../templates/{10-collector.conf.j2 => 20-collector.conf.j2} | 2 ++ roles/rsyslog_common/tasks/main.yml | 4 ++-- .../templates/{99-common.conf.j2 => 10-common.conf.j2} | 0 4 files changed, 6 insertions(+), 4 deletions(-) rename roles/rsyslog_collector/templates/{10-collector.conf.j2 => 20-collector.conf.j2} (97%) rename roles/rsyslog_common/templates/{99-common.conf.j2 => 10-common.conf.j2} (100%) diff --git a/roles/rsyslog_collector/tasks/main.yml b/roles/rsyslog_collector/tasks/main.yml index d0487e6..0ee20a2 100644 --- a/roles/rsyslog_collector/tasks/main.yml +++ b/roles/rsyslog_collector/tasks/main.yml 
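Review bot: Neither input sets `address`, so on the collector `imudp` listens on 0.0.0.0/:: port 514 and `imrelp` on 20514 on every interface, not only the adm network the hostname suggests; add `address: <adm interface IP>` to both entries (the collector template already honours the key) or document that a host firewall limits the exposure, which is not visible in this series. `rsyslog_collector_base_dir` repeats the role default verbatim and can be dropped.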
@@ -15,8 +15,8 @@ - name: Deploy rsyslog input configuration file become: true template: - src: 10-collector.conf.j2 - dest: /etc/rsyslog.d/10-collector.conf + src: 20-collector.conf.j2 + dest: /etc/rsyslog.d/20-collector.conf owner: root group: root mode: u=rw,g=r,o=r diff --git a/roles/rsyslog_collector/templates/10-collector.conf.j2 b/roles/rsyslog_collector/templates/20-collector.conf.j2 similarity index 97% rename from roles/rsyslog_collector/templates/10-collector.conf.j2 rename to roles/rsyslog_collector/templates/20-collector.conf.j2 index 793e519..a67956b 100644 --- a/roles/rsyslog_collector/templates/10-collector.conf.j2 +++ b/roles/rsyslog_collector/templates/20-collector.conf.j2 @@ -49,5 +49,7 @@ input( {% endif %} port="{{ input.port }}" ruleset="handleIncomingLogs" + + call sendLogsToRemote ) {% endfor %} diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml index 9e1c7eb..ce0d35a 100644 --- a/roles/rsyslog_common/tasks/main.yml +++ b/roles/rsyslog_common/tasks/main.yml @@ -28,8 +28,8 @@ loop: - src: rsyslog.conf.j2 dest: /etc/rsyslog.conf - - src: 99-common.conf.j2 - dest: /etc/rsyslog.d/99-common.conf + - src: 10-common.conf.j2 + dest: /etc/rsyslog.d/10-common.conf notify: Restart rsyslog - name: Create journald.conf.d directory diff --git a/roles/rsyslog_common/templates/99-common.conf.j2 b/roles/rsyslog_common/templates/10-common.conf.j2 similarity index 100% rename from roles/rsyslog_common/templates/99-common.conf.j2 rename to roles/rsyslog_common/templates/10-common.conf.j2 -- 2.43.4 From f7183095c14dbc22641fce0f08d2ff04c446016f Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 02:26:22 +0100 Subject: [PATCH 07/23] Add explicit permissions for directories --- roles/rsyslog_collector/tasks/main.yml | 3 +++ roles/rsyslog_common/tasks/main.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/roles/rsyslog_collector/tasks/main.yml b/roles/rsyslog_collector/tasks/main.yml index 0ee20a2..16a3ab9 100644 
--- a/roles/rsyslog_collector/tasks/main.yml +++ b/roles/rsyslog_collector/tasks/main.yml @@ -11,6 +11,9 @@ file: path: "{{ rsyslog_collector_base_dir }}" state: directory + owner: root + group: adm + mode: u=rwx,g=rwx,o= - name: Deploy rsyslog input configuration file become: true diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml index ce0d35a..c3a0cc3 100644 --- a/roles/rsyslog_common/tasks/main.yml +++ b/roles/rsyslog_common/tasks/main.yml @@ -37,6 +37,9 @@ file: path: /etc/systemd/journald.conf.d state: directory + owner: root + group: root + mode: u=rwx,g=rx,o=rx - name: Deploy journald configuration become: true -- 2.43.4 From c65b3f090b85211c08d26588091b60826640623b Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 03:58:58 +0100 Subject: [PATCH 08/23] Compress and delete old remote logs Logrotate is not used because I didn't found an easy way to configure it to handle the compression/deletion of log files already rotated by rsyslog (it is probably possible, but I found the script to be easier). --- roles/rsyslog_collector/defaults/main.yml | 3 + roles/rsyslog_collector/files/rotate | 62 +++++++++++++++++++ roles/rsyslog_collector/handlers/main.yml | 5 ++ roles/rsyslog_collector/tasks/main.yml | 30 +++++++++ .../templates/rotate-remote-logs.service.j2 | 12 ++++ .../templates/rotate-remote-logs.timer.j2 | 10 +++ 6 files changed, 122 insertions(+) create mode 100644 roles/rsyslog_collector/files/rotate create mode 100644 roles/rsyslog_collector/handlers/main.yml create mode 100644 roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 create mode 100644 roles/rsyslog_collector/templates/rotate-remote-logs.timer.j2 diff --git a/roles/rsyslog_collector/defaults/main.yml b/roles/rsyslog_collector/defaults/main.yml index d0f9337..6ded0ef 100644 --- a/roles/rsyslog_collector/defaults/main.yml +++ b/roles/rsyslog_collector/defaults/main.yml 
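Review bot: `mode: u=rwx,g=rwx,o=` gives the `adm` group write access to the root of the remote-log tree, so any adm member can rename or delete another host's log directory, which defeats the point of a central collector (a compromised host or admin should not be able to rewrite history). Both writers run as root: rsyslog creates the `root:adm` files per the omfile defaults and the rotate script runs with `User=root`, so `mode: u=rwx,g=rx,o=` is sufficient. If some tooling in the adm group genuinely needs to write there, name it in a comment above the task.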
@@ -1,4 +1,7 @@ --- rsyslog_inputs: [] rsyslog_collector_base_dir: /var/log/remote +rsyslog_collector_rotate_path: /usr/local/sbin/rotate_remote_logs +rsyslog_collector_keep_days: 0 +rsyslog_collector_compress_days: 1 ... diff --git a/roles/rsyslog_collector/files/rotate b/roles/rsyslog_collector/files/rotate new file mode 100644 index 0000000..8738fef --- /dev/null +++ b/roles/rsyslog_collector/files/rotate @@ -0,0 +1,62 @@ +#!/usr/bin/env python3 +import argparse +import datetime +import logging +import pathlib +import subprocess + + +def compress_file(filename): + subprocess.run(["xz", "-z", str(filename)]) + + +def find_files(base_dir, extension, days): + delta = datetime.timedelta(days=days) + now = datetime.datetime.now() + for path in base_dir.rglob(f"*{extension}"): + stem = path.name.removesuffix(extension) + date = datetime.datetime.fromisoformat(stem) + if date < now - delta: + yield path + + +def compress_logs(base_dir, days): + for path in find_files(base_dir, ".log", days): + logging.info("Compressing log file %s", str(path)) + compress_file(path) + + +def remove_logs(base_dir, days): + for path in find_files(base_dir, ".log.xz", days): + logging.info("Removing log file %s", str(path)) + path.unlink() + + +def main(): + + parser = argparse.ArgumentParser() + parser.add_argument("--compress-days", type=int, default=0) + parser.add_argument("--keep-days", type=int, default=0) + parser.add_argument( + "--base-dir", type=pathlib.Path, default="/var/log/remote" + ) + + args = parser.parse_args() + + logging.basicConfig( + format="[%(asctime)s] %(levelname)s %(message)s", level=logging.INFO + ) + + logging.info("Rotate script started") + + if args.compress_days > 0: + compress_logs(args.base_dir, args.compress_days) + + if args.keep_days > 0: + remove_logs(args.base_dir, args.keep_days) + + logging.info("Rotate script done") + + +if __name__ == "__main__": + main() 
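Review bot: `str.removesuffix` in `find_files` only exists from Python 3.9, so on a Debian buster collector (Python 3.7) the script dies with `AttributeError` on the first file, and independently `datetime.fromisoformat(stem)` raises `ValueError` for any file under the tree whose stem is not a date, aborting the whole run rather than skipping the file. `compress_file` runs `xz` without `check=True`, so a failed compression (disk full, which is exactly when rotation matters most) is silent and the file is never deleted because it never acquires the `.xz` suffix. The rewrite below makes the two helpers fail loudly on `xz` errors and skip unexpected names with a warning.
```python
def compress_file(filename):
    # Fail loudly: a silent xz failure leaves the .log uncompressed and it
    # would then never be removed by remove_logs() (no .xz suffix).
    subprocess.run(["xz", "-z", str(filename)], check=True)


def find_files(base_dir, extension, days):
    delta = datetime.timedelta(days=days)
    now = datetime.datetime.now()
    for path in base_dir.rglob(f"*{extension}"):
        stem = path.name[: -len(extension)]  # str.removesuffix needs Python >= 3.9
        try:
            date = datetime.datetime.fromisoformat(stem)
        except ValueError:
            logging.warning("Skipping %s: file name is not a date", path)
            continue
        if date < now - delta:
            yield path

# … unchanged: compress_logs, remove_logs, main …
```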
diff --git a/roles/rsyslog_collector/handlers/main.yml b/roles/rsyslog_collector/handlers/main.yml new file mode 100644 index 0000000..60f493a --- /dev/null +++ b/roles/rsyslog_collector/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Run systemd daemon-reload + systemd: + daemon_reload: true +... diff --git a/roles/rsyslog_collector/tasks/main.yml b/roles/rsyslog_collector/tasks/main.yml index 16a3ab9..0c122e9 100644 --- a/roles/rsyslog_collector/tasks/main.yml +++ b/roles/rsyslog_collector/tasks/main.yml @@ -24,4 +24,34 @@ group: root mode: u=rw,g=r,o=r notify: Restart rsyslog + +- name: Install rotate script + become: true + copy: + src: rotate + dest: "{{ rsyslog_collector_rotate_path }}" + owner: root + group: root + mode: u=rwx,g=rx,o= + +- name: Install timer and service for rotate script + become: true + template: + src: "{{ item }}.j2" + dest: "/etc/systemd/system/{{ item }}" + owner: root + group: root + mode: u=rw,g=r,o= + loop: + - rotate-remote-logs.timer + - rotate-remote-logs.service + notify: + - Run systemd daemon-reload + +- name: Enable timer for log rotation + become: true + systemd: + name: rotate-remote-logs.timer + enabled: true + state: started ... diff --git a/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 b/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 new file mode 100644 index 0000000..3b915e7 --- /dev/null +++ b/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 @@ -0,0 +1,12 @@ +{{ ansible_managed | comment }} + +[Unit] +Description=Rotate remote logs + +[Service] +User=root +Type=OneShot +ExecStart={{ rsyslog_collector_rotate_path }} \ + --base-dir {{ rsyslog_collector_keep_days }} \ + --compress-days {{ rsyslog_collector_compress_days }} \ + --keep-days {{ rsyslog_collector_base_dir }} diff --git a/roles/rsyslog_collector/templates/rotate-remote-logs.timer.j2 b/roles/rsyslog_collector/templates/rotate-remote-logs.timer.j2 new file mode 100644 index 0000000..f4b1151 --- /dev/null 
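Review bot: `Run systemd daemon-reload` has no `become: true`, unlike every other task and handler in these roles, so when the play runs as an unprivileged user with per-task escalation the reload is attempted without root and is refused; add `become: true` to the handler so the new `rotate-remote-logs.*` units are actually loaded before the enable task runs.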
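Review bot: The unit runs the rotate script as root with no sandboxing, although the script only needs to read and write `{{ rsyslog_collector_base_dir }}`; a bug in it (its input is a tree filled by network peers) then has the whole filesystem at its disposal. `ProtectSystem=strict` with `ReadWritePaths=` limited to the log tree, plus `PrivateTmp`, `ProtectHome` and `NoNewPrivileges`, confines it cheaply and still lets `xz` run from `/usr/bin`. The argument order and the `Type=` value are corrected later in this series, so they are not repeated here.
```ini
[Service]
User=root
# The script only touches the remote-log tree; keep the rest of the
# filesystem read-only and drop privilege escalation for good measure.
ProtectSystem=strict
ReadWritePaths={{ rsyslog_collector_base_dir }}
PrivateTmp=true
ProtectHome=true
NoNewPrivileges=true
# … unchanged: Type=, ExecStart= …
```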
+++ b/roles/rsyslog_collector/templates/rotate-remote-logs.timer.j2 @@ -0,0 +1,10 @@ +{{ ansible_managed | comment }} + +[Unit] +Description=Rotate remote logs daily + +[Timer] +OnCalendar=daily + +[Install] +WantedBy=timers.target -- 2.43.4 From e4b58c0bf47ebce3b0cca515e920874c2aca6d21 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 04:07:17 +0100 Subject: [PATCH 09/23] Fix typo in 20-collector.conf.j2 --- roles/rsyslog_collector/templates/20-collector.conf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/rsyslog_collector/templates/20-collector.conf.j2 b/roles/rsyslog_collector/templates/20-collector.conf.j2 index a67956b..897945f 100644 --- a/roles/rsyslog_collector/templates/20-collector.conf.j2 +++ b/roles/rsyslog_collector/templates/20-collector.conf.j2 @@ -38,6 +38,7 @@ ruleset(name="handleIncomingLogs") { dynaFile="incomingFilename" template="RSYSLOG_FileFormat" ) + call sendLogsToRemote } # TODO: add protocol-specific options (eg. TLS) @@ -49,7 +50,5 @@ input( {% endif %} port="{{ input.port }}" ruleset="handleIncomingLogs" - - call sendLogsToRemote ) {% endfor %} -- 2.43.4 From 9252249d18993ddd161eef7135d0a66f12b3a1fc Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 04:15:54 +0100 Subject: [PATCH 10/23] Use 'true' instead of 'yes' --- roles/rsyslog_common/handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rsyslog_common/handlers/main.yml b/roles/rsyslog_common/handlers/main.yml index 2a378d7..563f2fc 100644 --- a/roles/rsyslog_common/handlers/main.yml +++ b/roles/rsyslog_common/handlers/main.yml @@ -1,12 +1,12 @@ --- - name: Restart rsyslog - become: yes + become: true systemd: name: rsyslog.service state: restarted - name: Restart systemd-journald - become: yes + become: true systemd: name: systemd-journald.service state: restarted -- 2.43.4 From cdb9f88614ec09296fba451764a445fc9281e8f0 Mon Sep 17 00:00:00 2001 
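Review bot: Without `Persistent=true` a daily run that the collector misses (down or rebooting at the scheduled minute) is simply skipped until the next day, so the `keep_days` retention is not enforced on time and uncompressed logs pile up; add `Persistent=true` under `[Timer]` so the job catches up at the next boot. A `RandomizedDelaySec=` is optional but keeps the compression burst away from the exact midnight at which rsyslog opens the new day's files.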
From: Jeltz Date: Mon, 1 Mar 2021 16:31:52 +0100 Subject: [PATCH 11/23] Do not rate limit collection of journald logs --- roles/rsyslog_common/templates/10-common.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rsyslog_common/templates/10-common.conf.j2 b/roles/rsyslog_common/templates/10-common.conf.j2 index dcb1775..c5e6449 100644 --- a/roles/rsyslog_common/templates/10-common.conf.j2 +++ b/roles/rsyslog_common/templates/10-common.conf.j2 @@ -20,7 +20,7 @@ module(load="imuxsock") module(load="imklog") # Collect systemd-journald logs -module(load="imjournal") +module(load="imjournal" ratelimit.interval="0" ratelimit.burst="0") # Parse CEE logs module(load="mmjsonparse") -- 2.43.4 From 9547868c7d8bb88ad626653eb4ef7db1403c2543 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 17:40:05 +0100 Subject: [PATCH 12/23] Send nginx logs to local syslog --- roles/nginx/tasks/main.yml | 18 ++++++++++++++++++ .../nginx/conf.d/extended_log.conf.j2 | 7 +++++++ .../nginx/sites-available/redirect.j2 | 8 ++++++++ .../nginx/sites-available/reverseproxy.j2 | 4 ++++ .../reverseproxy_redirect_dname.j2 | 4 ++++ .../templates/nginx/sites-available/service.j2 | 9 +++++++++ .../templates/nginx/snippets/syslog.conf.j2 | 4 ++++ 7 files changed, 54 insertions(+) create mode 100644 roles/nginx/templates/nginx/conf.d/extended_log.conf.j2 create mode 100644 roles/nginx/templates/nginx/snippets/syslog.conf.j2 diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 210c7f0..a8fb885 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -29,6 +29,24 @@ dest: "/etc/nginx/sites-enabled/default" state: absent +- name: Add 'extended' log format + template: + src: nginx/conf.d/extended_log.conf.j2 + dest: /etc/nginx/conf.d/extended_log.conf + owner: root + group: root + mode: 0644 + notify: Reload nginx + +- name: Add syslog snippet + template: + src: nginx/snippets/syslog.conf.j2 + dest: /etc/nginx/snippets/syslog.conf + owner: root + group: root + mode: 0644 + notify: Reload nginx + - name: Copy reverse proxy sites when: reverseproxy is defined template: diff --git a/roles/nginx/templates/nginx/conf.d/extended_log.conf.j2 b/roles/nginx/templates/nginx/conf.d/extended_log.conf.j2 new file mode 100644 index 0000000..b28809f --- /dev/null +++ b/roles/nginx/templates/nginx/conf.d/extended_log.conf.j2 @@ -0,0 +1,7 @@ +{{ ansible_managed | comment }} + +log_format extended + '$remote_addr - $http_x_forwarded_for - $connection ' + '$remote_user [$time_local] ' + '"$host" "$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; diff --git a/roles/nginx/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2 index 2543400..9e8e687 100644 --- a/roles/nginx/templates/nginx/sites-available/redirect.j2 +++ b/roles/nginx/templates/nginx/sites-available/redirect.j2 @@ -8,6 +8,8 @@ server { server_name {{ site.from }}; + include "/etc/nginx/snippets/syslog.conf"; + {% for realip in nginx.real_ip_from %} set_real_ip_from {{ realip }}; {% endfor %} @@ -25,6 +27,8 @@ server { server_name {{ site.from }}; + include "/etc/nginx/snippets/syslog.conf"; + # SSL common conf include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; @@ -52,6 +56,8 @@ server { server_name {{ from }}; + include "/etc/nginx/snippets/syslog.conf"; + {% for realip in nginx.real_ip_from %} set_real_ip_from {{ realip }}; {% endfor %} 
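Review bot: `$remote_addr` is rewritten by the real_ip module for requests arriving from the `set_real_ip_from` ranges used in the site templates, so once a request is proxied the actual TCP peer is not in the log line at all, and `$http_x_forwarded_for` is client-controlled and cannot stand in for it. Add `$realip_remote_addr` (nginx 1.9.7+) so forensics can always recover the real peer, e.g. `'$remote_addr - $realip_remote_addr - $http_x_forwarded_for - $connection '`. A comment above `log_format` naming each field would also help, since the `extended` format is consumed by a snippet in another file.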
@@ -72,6 +78,8 @@ server { # SSL common conf include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; + include "/etc/nginx/snippets/syslog.conf"; + {% for realip in nginx.real_ip_from %} set_real_ip_from {{ realip }}; {% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 index ae2d7a6..699d6d5 100644 --- a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 @@ -15,6 +15,8 @@ server { server_name {{ site.from }}; + include "/etc/nginx/snippets/syslog.conf"; + {% for realip in nginx.real_ip_from %} set_real_ip_from {{ realip }}; {% endfor %} @@ -39,6 +41,8 @@ server { access_log /var/log/nginx/{{ site.from }}.log; error_log /var/log/nginx/{{ site.from }}_error.log; + include "/etc/nginx/snippets/syslog.conf"; + # Keep the TCP connection open a bit for faster browsing keepalive_timeout 70; diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 index 819fd7a..f90d53b 100644 --- a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 @@ -12,6 +12,8 @@ server { server_name {{ from }}; + include "/etc/nginx/snippets/syslog.conf"; + {% for realip in nginx.real_ip_from %} set_real_ip_from {{ realip }}; {% endfor %} @@ -29,6 +31,8 @@ server { server_name {{ from }}; + include "/etc/nginx/snippets/syslog.conf"; + # SSL common conf include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 index 39f25eb..77c3d74 100644 --- a/roles/nginx/templates/nginx/sites-available/service.j2 
+++ b/roles/nginx/templates/nginx/sites-available/service.j2 @@ -19,6 +19,9 @@ upstream {{ upstream.name }} { server { listen 443 default_server ssl; listen [::]:443 default_server ssl; + + include "/etc/nginx/snippets/syslog.conf"; + include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf"; server_name _; @@ -50,6 +53,8 @@ server { # Hide Nginx version server_tokens off; + include "/etc/nginx/snippets/syslog.conf"; + {% for realip in nginx.real_ip_from %} set_real_ip_from {{ realip }}; {% endfor %} @@ -71,6 +76,8 @@ server { server_name {{ server.server_name|join(" ") }}; charset utf-8; + include "/etc/nginx/snippets/syslog.conf"; + # Hide Nginx version server_tokens off; @@ -98,6 +105,8 @@ server { server_name {{ server.server_name|join(" ") }}; charset utf-8; + include "/etc/nginx/snippets/syslog.conf"; + # Hide Nginx version server_tokens off; diff --git a/roles/nginx/templates/nginx/snippets/syslog.conf.j2 b/roles/nginx/templates/nginx/snippets/syslog.conf.j2 new file mode 100644 index 0000000..b34867c --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/syslog.conf.j2 @@ -0,0 +1,4 @@ +{{ ansible_managed | comment }} + +access_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=info extended; +error_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=error; -- 2.43.4 From acd5721a5b006e0ac41379b7fe79271a03d6cb7c Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 17:42:34 +0100 Subject: [PATCH 13/23] Fix typos in rotate-remote-logs.service.j2 --- .../templates/rotate-remote-logs.service.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 b/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 index 3b915e7..4d8733e 100644 --- a/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 +++ b/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 
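Review bot: Without an explicit `facility=`, nginx logs to `local7`, and the `*.*;auth,authpriv.none` catch-all in the rsyslog_common role then writes every access-log line into `/var/log/syslog.log` next to sshd and sudo events, burying the security-relevant lines under HTTP noise (and duplicating lines the per-site files already hold). Pin the facility here, `access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,nohostname,severity=info extended;`, and route it separately in the rsyslog configuration with a `local7.*` omfile rule and `local7.none` on the catch-all. Note that `severity=` is documented as ignored for `error_log`, so the second line can drop it. `$request` is logged verbatim, so query-string tokens will travel to the collector, which is only acceptable once that transport is TLS (still a TODO in this series).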
@@ -5,8 +5,8 @@ Description=Rotate remote logs [Service] User=root -Type=OneShot +Type=oneshot ExecStart={{ rsyslog_collector_rotate_path }} \ - --base-dir {{ rsyslog_collector_keep_days }} \ + --base-dir {{ rsyslog_collector_base_dir }} \ --compress-days {{ rsyslog_collector_compress_days }} \ - --keep-days {{ rsyslog_collector_base_dir }} + --keep-days {{ rsyslog_collector_keep_days }} -- 2.43.4 From 8f815a30c597f5b4da84dd0e90214a7279f6c762 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 17:47:12 +0100 Subject: [PATCH 14/23] Remove useless date (already added by journald) --- roles/rsyslog_collector/files/rotate | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/rsyslog_collector/files/rotate b/roles/rsyslog_collector/files/rotate index 8738fef..6dc23e0 100644 --- a/roles/rsyslog_collector/files/rotate +++ b/roles/rsyslog_collector/files/rotate @@ -43,9 +43,7 @@ def main(): args = parser.parse_args() - logging.basicConfig( - format="[%(asctime)s] %(levelname)s %(message)s", level=logging.INFO - ) + logging.basicConfig(format="%(levelname)s %(message)s", level=logging.INFO) logging.info("Rotate script started") -- 2.43.4 From b13b22da054da89c943f3f2543ece8d468cea3c6 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 19:39:11 +0100 Subject: [PATCH 15/23] Add ignored destinations for firewall logs --- roles/router/templates/firewall_config.py | 5 +++++ roles/router/templates/firewall_config_aurore.py | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 9971765..07e25e0 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py 
@@ -36,6 +36,11 @@ interfaces_type = { 'admin' : ['ens18'] } +log_ignore_v4 = [ + '224.0.0.0/24', + '224.0.1.0/24', + '239.0.0.0/8', +] ### Specify nat settings: name, interfaces with range, and global range for nat ### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py index 9565e3b..91a4808 100644 --- a/roles/router/templates/firewall_config_aurore.py +++ b/roles/router/templates/firewall_config_aurore.py @@ -33,6 +33,12 @@ interfaces_type = { 'admin' : ['ens19', 'ens20', 'ens23'] } +log_ignore_v4 = [ + '224.0.0.0/24', + '224.0.1.0/24', + '239.0.0.0/8', +] + ### Specify nat settings: name, interfaces with range, and global range for nat ### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST ### contain /16 range -- 2.43.4 From 0f55b90de9a8921785bf50eeaaf74d9aa030de64 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 20:04:02 +0100 Subject: [PATCH 16/23] Remove 10.129.0.1 gateway on routeur-aurore-* --- roles/router/templates/interfaces-aurore | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/router/templates/interfaces-aurore b/roles/router/templates/interfaces-aurore index 401e5aa..7a5ef1d 100644 --- a/roles/router/templates/interfaces-aurore +++ b/roles/router/templates/interfaces-aurore @@ -11,7 +11,6 @@ iface lo inet loopback auto ens18 iface ens18 inet static address 10.129.0.{{ router_hard_ip_suffix }}/16 - gateway 10.129.0.1 iface ens18 inet6 static address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64 -- 2.43.4 From 1f6bfeee2312a65e3ccbe74f566cc53b636e5f1d Mon Sep 17 00:00:00 2001 From: Jeltz Date: Mon, 1 Mar 2021 20:04:38 +0100 Subject: [PATCH 17/23] Fix broadcast address on routeur-aurore --- roles/router/templates/keepalived-aurore.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
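Review bot: `log_ignore_v4` gets no IPv6 counterpart in either file, although the same multicast noise (NDP, mDNS and the rest of ff02::/16) exists on v6 and these routers do carry a 2a09:6840::/... address per the interfaces template in the same series; if the firewall code that consumes this variable (outside this hunk) keys on the name, add `log_ignore_v6 = ['ff00::/8']` beside it or leave a comment saying why v6 drops are still logged. The list itself deserves a one-line comment in the style of the surrounding `###` sections, e.g. `# Destinations whose dropped packets are not logged (multicast control blocks and admin-scoped multicast)`, and it is worth stating that 224.0.0.0/24, 224.0.1.0/24 and 239.0.0.0/8 are deliberately narrower than 224.0.0.0/4, so other multicast groups keep being logged. Minor: firewall_config.py adds no blank line between `]` and the `### Specify nat settings` comment, while firewall_config_aurore.py does.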
diff --git a/roles/router/templates/keepalived-aurore.conf b/roles/router/templates/keepalived-aurore.conf index cd22a5b..b8882fd 100644 --- a/roles/router/templates/keepalived-aurore.conf +++ b/roles/router/templates/keepalived-aurore.conf @@ -39,7 +39,7 @@ vrrp_instance VI_ROUT_aurore_IPv4 { 10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global # Adm - 10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global + 10.128.0.254/16 brd 10.128.255.255 dev ens19 scope global # Switches 10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global -- 2.43.4 From ee041b9eadb379e4d3deb7706046c62763a2abb8 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 2 Mar 2021 00:14:25 +0100 Subject: [PATCH 18/23] Use 'simple' instead of 'oneshot' (rotate service) --- roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 b/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 index 4d8733e..0e75a2b 100644 --- a/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 +++ b/roles/rsyslog_collector/templates/rotate-remote-logs.service.j2 @@ -5,7 +5,7 @@ Description=Rotate remote logs [Service] User=root -Type=oneshot +Type=simple ExecStart={{ rsyslog_collector_rotate_path }} \ --base-dir {{ rsyslog_collector_base_dir }} \ --compress-days {{ rsyslog_collector_compress_days }} \ -- 2.43.4 From 529550f59432165d9ad4e1d8d4f9b9cc7917f4f0 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 2 Mar 2021 00:46:16 +0100 Subject: [PATCH 19/23] Don't use 'imjournal' ('imuxsock' is already used) I still don't understand why it increased the size of the firewall logs by a factor of 5 to 10, but we don't really need structured logs from systemd-journald and the author seems to discourage it's use, so I will not investigate further. --- roles/rsyslog_common/templates/10-common.conf.j2 | 3 --- 1 file changed, 3 deletions(-) 
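Review bot: Switching the rotate service to `Type=simple` makes systemd consider the unit started as soon as the process is forked, so nothing ordered after it (a timer using `OnUnitInactiveSec=`, an `After=`/`Requires=` dependency, or a plain `systemctl start` that should wait for completion) can rely on the rotation having finished or on its exit status; for a run-to-completion script the conventional type is the `oneshot` that the previous patch had just set. The commit message gives no reason for the change; if the motive was that `systemctl start` (or an Ansible `systemd` task) blocked until the script returned, `systemctl start --no-block` keeps the oneshot semantics, and a start timeout cannot be it since oneshot units have none by default. I would revert to `Type=oneshot` and, if the unit is fired by a timer, document that next to it. The rest of the unit is outside this hunk.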
diff --git a/roles/rsyslog_common/templates/10-common.conf.j2 b/roles/rsyslog_common/templates/10-common.conf.j2 index c5e6449..ffc48de 100644 --- a/roles/rsyslog_common/templates/10-common.conf.j2 +++ b/roles/rsyslog_common/templates/10-common.conf.j2 @@ -19,9 +19,6 @@ module(load="imuxsock") # Collect kernel logs module(load="imklog") -# Collect systemd-journald logs -module(load="imjournal" ratelimit.interval="0" ratelimit.burst="0") - # Parse CEE logs module(load="mmjsonparse") -- 2.43.4 From 5d319cf167b7cf1fc1f3627496b793eb44207f3b Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 2 Mar 2021 00:52:38 +0100 Subject: [PATCH 20/23] Define rsyslog_{inputs,outputs} for all hosts --- group_vars/all/vars.yml | 6 ++++++ host_vars/log.adm.auro.re.yml | 1 + 2 files changed, 7 insertions(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 599e834..9a85175 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -89,3 +89,9 @@ apartment_block_dhcp: "{{ apartment_block }}" ipv6_base_prefix: "2a09:6840" is_aurore_host: "{{ 'aurore_vm' in group_names }}" + +rsyslog_outputs: + - proto: relp + address: 10.128.0.241 + port: 20514 +... diff --git a/host_vars/log.adm.auro.re.yml b/host_vars/log.adm.auro.re.yml index 24ae171..1c2ba97 100644 --- a/host_vars/log.adm.auro.re.yml +++ b/host_vars/log.adm.auro.re.yml @@ -5,4 +5,5 @@ rsyslog_inputs: port: 20514 - proto: udp port: 514 +rsyslog_outputs: [] ... -- 2.43.4 From 77a5fdac6fd78429223ebd6a9146ef93f8362d20 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 2 Mar 2021 00:54:59 +0100 Subject: [PATCH 21/23] Remove some duplicate logs from syslog.log --- roles/rsyslog_common/templates/10-common.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rsyslog_common/templates/10-common.conf.j2 b/roles/rsyslog_common/templates/10-common.conf.j2 index ffc48de..36cd4dc 100644 --- a/roles/rsyslog_common/templates/10-common.conf.j2 +++ b/roles/rsyslog_common/templates/10-common.conf.j2 
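Review bot: The forwarding target added to `group_vars/all/vars.yml` is plain RELP to 10.128.0.241:20514 with nothing requesting transport security, so every host's auth, kernel and nginx access logs cross the admin network in cleartext and the collector cannot distinguish a genuine sender from anyone able to reach the port (the context lines of the host_vars hunk show it also keeps an unauthenticated `udp`/514 listener). omrelp supports `tls="on"` with `tls.caCert`/`tls.myCert`/`tls.myPrivKey` and peer checking via `tls.authMode="name"`/`tls.permittedPeer`, so I would add a `tls: true` key plus certificate paths to this entry and teach the output template (outside this hunk) to emit them; if the admin VLAN is deliberately treated as trusted, say so in a comment beside the entry so the assumption is visible. The `rsyslog_outputs: []` override on log.adm.auro.re is a good catch, as it stops the collector forwarding to itself.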
@@ -63,8 +63,8 @@ ruleset(name="sendLogsToDisk") { auth,authpriv.* action(type="omfile" file="/var/log/auth.log") mail.* action(type="omfile" file="/var/log/mail.log" sync="off") kern.* action(type="omfile" file="/var/log/kern.log") - *.*;auth,authpriv.none action(type="omfile" file="/var/log/syslog.log" - sync="off") + *.*;auth,authpriv,mail,kern.none action(type="omfile" + file="/var/log/syslog.log" sync="off") } # Send logs to remote collector(s) -- 2.43.4 From 6525508401c9892226ab95d5ffc9b6c964ea623a Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 2 Mar 2021 01:24:53 +0100 Subject: [PATCH 22/23] Forward journald logs to rsyslog --- roles/rsyslog_common/templates/forward-syslog.conf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/rsyslog_common/templates/forward-syslog.conf.j2 b/roles/rsyslog_common/templates/forward-syslog.conf.j2 index 7f81095..c332de6 100644 --- a/roles/rsyslog_common/templates/forward-syslog.conf.j2 +++ b/roles/rsyslog_common/templates/forward-syslog.conf.j2 @@ -1,6 +1,5 @@ {{ ansible_managed | comment }} [Journal] -# journald logs are already retrieved by rsyslog using imjournal -ForwardToSyslog=no +ForwardToSyslog=yes MaxLevelSyslog=debug -- 2.43.4 From 637b74a2ada52f5b897b489e60469fa8d71935eb Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 13 Mar 2021 05:05:30 +0100 Subject: [PATCH 23/23] Fix some linter issues --- .ansible-lint | 1 + roles/rsyslog_collector/tasks/main.yml | 2 +- roles/rsyslog_common/tasks/main.yml | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index d98efd4..0e01ba3 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -2,6 +2,7 @@ skip_list: - no-changed-when - load-failure - document-start + - meta-no-info warn_list: - experimental # all rules tagged as experimental diff --git a/roles/rsyslog_collector/tasks/main.yml b/roles/rsyslog_collector/tasks/main.yml index 0c122e9..dc64fcc 100644 --- a/roles/rsyslog_collector/tasks/main.yml 
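Review bot: The rewritten `syslog.log` action, like the `auth.log` and `kern.log` actions around it, creates its file with omfile's built-in defaults (`fileCreateMode` 0644, owned by the daemon's user) unless a global `$FileCreateMode`/`$FileGroup` is set somewhere else; Debian's stock rsyslog.conf sets 0640 and group `adm`, but this role ships its own rsyslog.conf template (first patch of the series), so unless that template or a line above this hunk restores those directives, these logs become world-readable. I would pin the mode on the actions themselves, e.g. `*.*;auth,authpriv,mail,kern.none action(type="omfile" file="/var/log/syslog.log" sync="off" fileCreateMode="0640" fileOwner="root" fileGroup="adm")`, and likewise for the auth/authpriv and kern actions. The head of `ruleset(name="sendLogsToDisk")` and any global directives are outside this hunk, so confirm what is already set before adding them.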
+++ b/roles/rsyslog_collector/tasks/main.yml @@ -3,7 +3,7 @@ become: true apt: name: rsyslog-relp - state: latest + state: present when: "rsyslog_inputs | selectattr('proto', 'eq', 'relp') | list" - name: Ensure log storage directory exists diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml index c3a0cc3..030fd10 100644 --- a/roles/rsyslog_common/tasks/main.yml +++ b/roles/rsyslog_common/tasks/main.yml @@ -3,13 +3,13 @@ become: true apt: name: rsyslog - state: latest + state: present - name: Install rsyslog modules if needed become: true apt: name: "{{ item.pkg }}" - state: latest + state: present when: "rsyslog_outputs | selectattr('proto', 'eq', item.proto) | list" loop: - proto: relp -- 2.43.4