Move sunet::rsyslog to soc::rsyslog to get it working as we want.

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -93,7 +93,7 @@ zammad-test.cert.sunet.se:
     passthrough: ['/api', '/oauth']
 
 internal-sto3-test-rsyslog-1.cert.sunet.se:
-  sunet::rsyslog:
+  soc::rsyslog:
     syslog_enable_remote: false
     udp_port: 514
     tcp_port: 514

global/overlay/etc/puppet/modules/soc/manifests/rsyslog.pp

@@ -0,0 +1,107 @@
+# rsyslog
+class soc::rsyslog(
+  $daily_rotation = true,
+  $syslog_servers = lookup(syslog_servers, undef, undef, []),
+  $relp_syslog_servers = lookup(relp_syslog_servers, undef, undef, []),
+  $single_log_file = false,
+  $syslog_enable_remote = lookup('syslog_enable_remote', undef, undef, 'true'),
+  $udp_port = lookup(udp_port, undef, undef, undef),
+  $udp_client = lookup('udp_client', undef, undef, 'any'),
+  $tcp_port = lookup(tcp_port, undef, undef, undef),
+  $tcp_client = lookup('tcp_client', undef, undef, 'any'),
+  $traditional_file_format = false,
+) {
+  ensure_resource('package', 'rsyslog', {
+    ensure => 'installed'
+  })
+
+  file { '/etc/rsyslog.conf':
+    ensure  => file,
+    mode    => '0644',
+    content => template('sunet/rsyslog/rsyslog.conf.erb'),
+    require => Package['rsyslog'],
+    notify  => Service['rsyslog']
+  }
+
+  $default_template = $single_log_file ?
+  {
+      true  => 'rsyslog-default-single-logfile.conf.erb',
+      false => 'rsyslog-default.conf.erb',
+  }
+  file { '/etc/rsyslog.d/50-default.conf':
+    ensure  => file,
+    mode    => '0644',
+    content => template("sunet/rsyslog/${default_template}"),
+    require => Package['rsyslog'],
+    notify  => Service['rsyslog']
+  }
+
+  $do_remote = str2bool($syslog_enable_remote)
+
+  file { '/etc/rsyslog.d/60-remote.conf':
+    ensure  => file,
+    mode    => '0644',
+    content => template('sunet/rsyslog/rsyslog-remote.conf.erb'),
+    require => Package['rsyslog'],
+  }
+
+  ensure_resource('service', 'rsyslog', {
+    ensure    => 'running',
+    enable    => true,
+    subscribe => File['/etc/rsyslog.d/60-remote.conf'],
+  })
+
+  if $relp_syslog_servers != [] {
+    ensure_resource('package', 'rsyslog-relp', {
+      ensure => 'installed'
+      })
+  }
+
+  if ($tcp_port or $udp_port) {
+
+    if ($udp_port) {
+        sunet::nft::allow { "allow-syslog-udp-${udp_port}":
+          from  => $udp_client,
+          ip    => 'any',
+          proto => 'udp',
+          port  => $udp_port
+        }
+    }
+
+    if ($tcp_port) {
+        sunet::nft::allow { "allow-syslog-tcp-${tcp_port}":
+          from  => $tcp_client,
+          ip    => 'any',
+          proto => 'tcp',
+          port  => $tcp_port
+        }
+    }
+
+    file { '/etc/rsyslog.d/50-local.conf':
+      ensure  => file,
+      mode    => '0644',
+      content => template('sunet/rsyslog/rsyslog-local.conf.erb'),
+      require => Package['rsyslog'],
+      notify  => Service['rsyslog']
+    }
+
+  }
+
+  if ($daily_rotation == true)
+  {
+    file { '/etc/logrotate.d/rsyslog':
+      ensure  => file,
+      mode    => '0644',
+      content => template('sunet/rsyslog/rsyslog.logrotate.erb'),
+    }
+  }
+  if ($single_log_file == true and $facts['fail2ban_is_enabled'] == 'yes') {
+    file { '/etc/fail2ban/jail.d/sshd-rsyslog-single-logfile.conf':
+      ensure  => file,
+      mode    => '0644',
+      content => template('sunet/rsyslog/fail2ban-ssh-syslog.conf.erb'),
+      notify  => Service['fail2ban'],
+    }
+
+  }
+}

global/overlay/etc/puppet/modules/soc/templates/rsyslog/fail2ban-ssh-syslog.conf.erb

@@ -0,0 +1,4 @@
+[sshd]
+# Rsyslog is configured to log everything to 'syslog'.
+logpath  = /var/log/syslog
+

global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default-single-logfile.conf.erb

@@ -0,0 +1,7 @@
+if $fromhost-ip == "127.0.0.1" then {
+  action(
+    type="omfile"
+    name="omfile-/var/log/syslog"
+    File="/var/log/syslog"
+  )
+}

global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default.conf.erb

@@ -0,0 +1,22 @@
+###############
+#### RULES ####
+###############
+
+#
+# Log anything besides private authentication messages to a single log file
+#
+*.*;auth,authpriv.none		-/var/log/syslog
+
+#
+# Log commonly used facilities to their own log file
+#
+auth,authpriv.*			/var/log/auth.log
+cron.*				-/var/log/cron.log
+kern.*				-/var/log/kern.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*

global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-local.conf.erb

@@ -0,0 +1,12 @@
+# Local udp/tcp syslog configuration managed by Puppet (sunet::rsyslog)
+#
+
+<% if @udp_port -%>
+module(load="imudp")
+input(type="imudp" port="<%= @udp_port %>")
+<% end -%>
+
+<% if @tcp_port -%>
+module(load="imtcp")
+input(type="imtcp" port="<%= @tcp_port %>")
+<% end -%>

global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-remote.conf.erb

@@ -0,0 +1,24 @@
+# Remote syslog configuration managed by Puppet (sunet::rsyslog)
+# Remote enabled by syslog_enable_remote: <%= @do_remote %>
+
+<% if @do_remote %>
+<% @syslog_servers.each do |server| -%>
+action(
+  type="omfwd"
+  Target="<%= server.split(':')[0] %>"
+  Port="<%= server.split(':')[1] %>"
+)
+<% end -%>
+
+<% if @relp_syslog_servers != [] -%>
+module(load="omrelp")
+
+<% @relp_syslog_servers.each do |server| -%>
+action(
+  type="omrelp"
+  target="<%= server.split(':')[0] %>"
+  port="<%= server.split(':')[1] %>"
+)
+<% end -%>
+<% end -%>
+<% end -%>

global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.conf.erb

@@ -0,0 +1,45 @@
+# /etc/rsyslog.conf configuration file for rsyslog
+#
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+#module(load="immark")  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+module(load="builtin:omfile"
+  dirCreateMode="0755"
+  fileCreateMode="0640"
+  fileGroup="adm"
+  fileOwner="root"
+<% if @traditional_file_format == true -%>
+  template="RSYSLOG_TraditionalFileFormat"
+<% end -%>
+)
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+global(
+  # Where to place spool and state files
+  workDirectory="/var/spool/rsyslog"
+)
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf

global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.logrotate.erb

@@ -0,0 +1,24 @@
+/var/log/syslog
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+	rotate 13
+	daily
+	missingok
+	notifempty
+	compress
+	sharedscripts
+	postrotate
+		/usr/lib/rsyslog/rsyslog-rotate
+	endscript
+}