diff --git a/global/overlay/etc/puppet/modules/soc/manifests/rsyslog/server.pp b/global/overlay/etc/puppet/modules/soc/manifests/rsyslog/server.pp
index e59a935..3b67003 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/rsyslog/server.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/rsyslog/server.pp
@@ -8,9 +8,10 @@ class soc::rsyslog::server(
 $udp_client = lookup('udp_client', undef, undef, 'any'),
 $tcp_port = lookup(tcp_port, undef, undef, undef),
 $tcp_client = lookup('tcp_client', undef, undef, 'any'),
- $relp_port = lookup(relp_port, undef, undef, undef),
+ $relp_port = lookup(relp_port, undef, undef, '2514'),
 $relp_client = lookup('relp_client', undef, undef, 'any'),
 $traditional_file_format = false,
+ $hostgroups = $facts['configured_hosts_in_cosmos'],
 ) {
 # Install rsyslog packages
 [ 'rsyslog', 'rsyslog-relp', 'rsyslog-openssl' ].each |String $package| {
@@ -53,7 +54,7 @@ class soc::rsyslog::server(
 subscribe => File['/etc/rsyslog.d/60-remote.conf'],
 }
 
- if ($tcp_port or $udp_port or $relp_port) {
+ if ($tcp_port or $udp_port) {
 if ($udp_port) {
 sunet::nftables::allow { "allow-syslog-udp-${udp_port}":
 from => $udp_client,
@@ -70,14 +71,7 @@ class soc::rsyslog::server(
 port => $tcp_port
 }
 }
- if ($relp_port) {
- sunet::nftables::allow { "allow-syslog-relp-${relp_port}":
- from => $relp_client,
- to => 'any',
- proto => 'tcp',
- port => $relp_port
- }
- }
+
 }
 file { '/etc/rsyslog.d/50-local.conf':
 ensure => file,
@@ -96,4 +90,16 @@ class soc::rsyslog::server(
 content => template('soc/rsyslog/rsyslog.logrotate.erb'),
 }
 }
+
+ if 'all' in $hostgroups {
+ $hostgroups['all'].each |String $hostname| {
+ $ip_list = dnsLookup($hostname)
+ $ip_list.each |String $ip| {
+ sunet::nftables::allow { "allow-rsyslog-relp-${relp_port}":
+ from => $ip,
+ port => $relp_port,
+ }
+ }
+ }
+ }
 }
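Review bot: `$relp_port` now defaults to the string `'2514'` where it used to default to undef, so the parameter default no longer offers an opt-out for RELP, and nothing in the parameter list records that intent. A comment above the port parameters such as `# RELP is always enabled; its firewall allow rules are derived from $hostgroups['all'], not from $relp_client` would make the change explicit, and since the value ends up in resource titles and firewall rules while `$tcp_port` still defaults to undef, one declared type for all port parameters (`Optional[Integer]` or `Optional[String]`) would avoid mixed Integer/String handling. `$hostgroups` is taken straight from a fact with no type constraint; `Hash $hostgroups = $facts['configured_hosts_in_cosmos'],` fails early with a clear message when the fact is absent rather than at the later `in` check. The class body continues outside this hunk.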
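Review bot: The removed RELP rule set `proto => 'tcp'` and `to => 'any'` explicitly, but the replacement `sunet::nftables::allow` in the last hunk passes only `from` and `port`, so the protocol now depends on that defined type's defaults, which are not visible in this diff; RELP is TCP-only, so keeping `proto => 'tcp',` in the new resource removes the ambiguity. With this block gone, `$relp_client` is still declared and looked up at the top of the class but no remaining line in the diff consumes it — either drop the parameter or add a comment stating why it is kept, as it may still feed a template outside this diff. The enclosing `if ($tcp_port or $udp_port)` block starts in the previous hunk.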
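Review bot: The resource title `"allow-rsyslog-relp-${relp_port}"` is identical for every hostname and every resolved address, so the catalog fails with a duplicate declaration as soon as `$hostgroups['all']` yields more than one IP; make the title unique per address, e.g. `sunet::nftables::allow { "allow-rsyslog-relp-${relp_port}-${ip}":`. `dnsLookup($hostname)` resolves at catalog compile time, so the firewall allow list is whatever DNS answered on the compiler at that moment, and a failed lookup for one host presumably aborts the whole catalog (the function's error behaviour is not visible here); a comment such as `# Allow list is derived from DNS at compile time; a stale or hijacked answer changes firewall rules, not just logging` documents that dependency for the next maintainer. The `'all' in $hostgroups` test does not handle the fact being absent (undef), so an explicit `if $hostgroups =~ Hash and 'all' in $hostgroups {` guard or a type on the parameter would turn an evaluation error into a clean no-op. The enclosing class starts outside this hunk.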