diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index c439028..3a794d1 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -93,7 +93,7 @@ zammad-test.cert.sunet.se: passthrough: ['/api', '/oauth'] internal-sto3-test-rsyslog-1.cert.sunet.se: - sunet::rsyslog: + soc::rsyslog: syslog_enable_remote: false udp_port: 514 tcp_port: 514 diff --git a/global/overlay/etc/puppet/modules/soc/manifests/rsyslog.pp b/global/overlay/etc/puppet/modules/soc/manifests/rsyslog.pp new file mode 100644 index 0000000..b1e8739 --- /dev/null +++ b/global/overlay/etc/puppet/modules/soc/manifests/rsyslog.pp 
@@ -0,0 +1,107 @@
+# rsyslog
+class soc::rsyslog(
+ $daily_rotation = true,
+ $syslog_servers = lookup(syslog_servers, undef, undef, []),
+ $relp_syslog_servers = lookup(relp_syslog_servers, undef, undef, []),
+ $single_log_file = false,
+ $syslog_enable_remote = lookup('syslog_enable_remote', undef, undef, 'true'),
+ $udp_port = lookup(udp_port, undef, undef, undef),
+ $udp_client = lookup('udp_client', undef, undef, 'any'),
+ $tcp_port = lookup(tcp_port, undef, undef, undef),
+ $tcp_client = lookup('tcp_client', undef, undef, 'any'),
+ $traditional_file_format = false,
+) {
+ ensure_resource('package', 'rsyslog', {
+ ensure => 'installed'
+ })
+
+ file { '/etc/rsyslog.conf':
+ ensure => file,
+ mode => '0644',
+ content => template('sunet/rsyslog/rsyslog.conf.erb'),
+ require => Package['rsyslog'],
+ notify => Service['rsyslog']
+ }
+
+ $default_template = $single_log_file ?
+ {
+ true => 'rsyslog-default-single-logfile.conf.erb',
+ false => 'rsyslog-default.conf.erb',
+ }
+ file { '/etc/rsyslog.d/50-default.conf':
+ ensure => file,
+ mode => '0644',
+ content => template("sunet/rsyslog/${default_template}"),
+ require => Package['rsyslog'],
+ notify => Service['rsyslog']
+ }
+
+ $do_remote = str2bool($syslog_enable_remote)
+
+ file { '/etc/rsyslog.d/60-remote.conf':
+ ensure => file,
+ mode => '0644',
+ content => template('sunet/rsyslog/rsyslog-remote.conf.erb'),
+ require => Package['rsyslog'],
+ }
+
+ ensure_resource('service', 'rsyslog', {
+ ensure => 'running',
+ enable => true,
+ subscribe => File['/etc/rsyslog.d/60-remote.conf'],
+ })
+
+ if $relp_syslog_servers != [] {
+ ensure_resource('package', 'rsyslog-relp', {
+ ensure => 'installed'
+ })
+ }
+
+ if ($tcp_port or $udp_port) {
+
+ if ($udp_port) {
+ sunet::nft::allow { "allow-syslog-udp-${udp_port}":
+ from => $udp_client,
+ ip => 'any',
+ proto => 'udp',
+ port => $udp_port
+ }
+ }
+
+ if ($tcp_port) {
+ sunet::nft::allow { "allow-syslog-tcp-${tcp_port}":
+ from => $tcp_client,
+ ip => 'any',
proto => 'tcp',
+ port => $tcp_port
+ }
+ }
+
+ file { '/etc/rsyslog.d/50-local.conf':
+ ensure => file,
+ mode => '0644',
+ content => template('sunet/rsyslog/rsyslog-local.conf.erb'),
+ require => Package['rsyslog'],
+ notify => Service['rsyslog']
+ }
+
+ }
+
+ if ($daily_rotation == true)
+ {
+ file { '/etc/logrotate.d/rsyslog':
+ ensure => file,
+ mode => '0644',
+ content => template('sunet/rsyslog/rsyslog.logrotate.erb'),
+ }
+ }
+ if ($single_log_file == true and $facts['fail2ban_is_enabled'] == 'yes') {
+ file { '/etc/fail2ban/jail.d/sshd-rsyslog-single-logfile.conf':
+ ensure => file,
+ mode => '0644',
+ content => template('sunet/rsyslog/fail2ban-ssh-syslog.conf.erb'),
+ notify => Service['fail2ban'],
+ }
+
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/fail2ban-ssh-syslog.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/fail2ban-ssh-syslog.conf.erb
new file mode 100644
index 0000000..c879299
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/fail2ban-ssh-syslog.conf.erb
@@ -0,0 +1,4 @@
+[sshd]
+# Rsyslog is configured to log everything to 'syslog'.
+logpath = /var/log/syslog
+
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default-single-logfile.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default-single-logfile.conf.erb
new file mode 100644
index 0000000..61fe9b5
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default-single-logfile.conf.erb
@@ -0,0 +1,7 @@
+if $fromhost-ip == "127.0.0.1" then {
+ action(
+ type="omfile"
+ name="omfile-/var/log/syslog"
+ File="/var/log/syslog"
+ )
+}
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default.conf.erb
new file mode 100644
index 0000000..5fac85e
--- /dev/null
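Review bot: All six `template()` calls in `soc::rsyslog` still load from the `sunet` module (`template('sunet/rsyslog/rsyslog.conf.erb')`, `template("sunet/rsyslog/${default_template}")` and the rest), so the templates this commit adds under `modules/soc/templates/rsyslog/` are never rendered. Any change later made to the soc copies, including hardening, would silently have no effect on the host. If the soc copies are meant to be the source, the paths should read `template('soc/rsyslog/rsyslog.conf.erb')`, `template("soc/rsyslog/${default_template}")` and so on; otherwise the copied templates can be left out of the commit.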
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-default.conf.erb
@@ -0,0 +1,22 @@
+###############
+#### RULES ####
+###############
+
+#
+# Log anything besides private authentication messages to a single log file
+#
+*.*;auth,authpriv.none -/var/log/syslog
+
+#
+# Log commonly used facilities to their own log file
+#
+auth,authpriv.* /var/log/auth.log
+cron.* -/var/log/cron.log
+kern.* -/var/log/kern.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-local.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-local.conf.erb
new file mode 100644
index 0000000..9e67165
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-local.conf.erb
@@ -0,0 +1,12 @@
+# Local udp/tcp syslog configuration managed by Puppet (sunet::rsyslog)
+#
+
+<% if @udp_port -%>
+module(load="imudp")
+input(type="imudp" port="<%= @udp_port %>")
+<% end -%>
+
+<% if @tcp_port -%>
+module(load="imtcp")
+input(type="imtcp" port="<%= @tcp_port %>")
+<% end -%>
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-remote.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-remote.conf.erb
new file mode 100644
index 0000000..9fb6b50
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog-remote.conf.erb
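Review bot: The selector rules in `rsyslog-default.conf.erb` carry no source filter, unlike the `if $fromhost-ip == "127.0.0.1" then { … }` guard in the single-logfile template. Once `udp_port` or `tcp_port` enables a listener, messages received from the network are written into this host's own `/var/log/auth.log` and `/var/log/syslog` alongside local entries. Anything that reads those files as local evidence then also reads sender-controlled lines. Consider binding the network inputs to a separate ruleset that writes to its own files, or wrapping these rules in the same `$fromhost-ip` guard.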
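Review bot: The `imudp`/`imtcp` inputs in `rsyslog-local.conf.erb` place no restriction on senders, and the matching `sunet::nft::allow` rules in `soc::rsyslog` use `from => $udp_client` / `from => $tcp_client`, which both default to `'any'`. The `cosmos-rules.yaml` entry sets both ports to 514; the hunk ends after `tcp_port`, so a client list may follow outside it, but none is visible. Unless `udp_client`/`tcp_client` are supplied, the receiver accepts syslog from any address, which permits spoofed entries and disk-filling floods. I would set explicit source lists for this host, or drop the `'any'` default so a client list is required whenever a port is set. The header comment also still says `(sunet::rsyslog)` and should name `soc::rsyslog`.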
@@ -0,0 +1,24 @@
+# Remote syslog configuration managed by Puppet (sunet::rsyslog)
+# Remote enabled by syslog_enable_remote: <%= @do_remote %>
+
+<% if @do_remote %>
+<% @syslog_servers.each do |server| -%>
+action(
+ type="omfwd"
+ Target="<%= server.split(':')[0] %>"
+ Port="<%= server.split(':')[1] %>"
+)
+<% end -%>
+
+<% if @relp_syslog_servers != [] -%>
+module(load="omrelp")
+
+<% @relp_syslog_servers.each do |server| -%>
+action(
+ type="omrelp"
+ target="<%= server.split(':')[0] %>"
+ port="<%= server.split(':')[1] %>"
+)
+<% end -%>
+<% end -%>
+<% end -%>
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.conf.erb
new file mode 100644
index 0000000..6205eed
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.conf.erb
@@ -0,0 +1,45 @@
+# /etc/rsyslog.conf configuration file for rsyslog
+#
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog") # provides kernel logging support
+#module(load="immark") # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+module(load="builtin:omfile"
+ dirCreateMode="0755"
+ fileCreateMode="0640"
+ fileGroup="adm"
+ fileOwner="root"
+<% if @traditional_file_format == true -%>
+ template="RSYSLOG_TraditionalFileFormat"
+<% end -%>
+)
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+global(
+ # Where to place spool and state files
+ workDirectory="/var/spool/rsyslog"
+)
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
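Review bot: The `omfwd` action in `rsyslog-remote.conf.erb` sets only `Target` and `Port`, so rsyslog uses its default transport, UDP, and forwarded logs can be lost or forged in transit without either end noticing. Neither the `omfwd` nor the `omrelp` action carries TLS parameters, so the stream is also cleartext. Add `Protocol="tcp"` to the `omfwd` action at minimum, and consider TLS on both actions if the servers are reached over networks you do not control. Separately, `server.split(':')[1]` is nil for an entry written without a port and renders `Port=""`; splitting once with `<% host, port = server.split(':', 2) -%>` and emitting a fallback such as `Port="<%= port || 514 %>"` keeps the generated config valid.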
diff --git a/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.logrotate.erb b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.logrotate.erb
new file mode 100644
index 0000000..9bd0707
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/rsyslog/rsyslog.logrotate.erb
@@ -0,0 +1,24 @@
+/var/log/syslog
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 13
+ daily
+ missingok
+ notifempty
+ compress
+ sharedscripts
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}