diff --git a/README.md b/README.md index 54e2d6f..7aeee18 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,16 @@ rsyslog_mods: # Configure rsyslog minimally (may be in conflict with custom configuration files) rsyslog_deploy_default_config: yes +# Default rsyslogd rules +rsyslog_default_rules: + - { rule: '*.info;mail.none;authpriv.none;cron.none', logpath: '/var/log/messages' } + - { rule: 'authpriv.*', logpath: '/var/log/secure' } + - { rule: 'mail.*', logpath: '-/var/log/maillog' } + - { rule: 'cron.*', logpath: '/var/log/cron' } + - { rule: '*.emerg', logpath: ':omusrmsg:*' } + - { rule: 'uucp,news.crit', logpath: '/var/log/spooler' } + - { rule: 'local7.*', logpath: '/var/log/boot.log' } + # Use the (obsolete) legacy, pre-v6 configuration file format, or the more # modern # 'advanced' configuration file format available in v6 and up. The # default is to use the 'legacy' format to not change config files for @@ -94,6 +104,17 @@ rsyslog_package_state: present # part from a name that is within the same domain as the receiving system is # stripped. If set to on, full names are always used. rsyslog_preservefqdn: false + +# Configure additional config files in /etc/rsyslog.d +# Example: +# rsyslog_rsyslog_d_files: +# 000-splunk: +# content: | +# auth,authpriv.* action(type="omfwd" +# target="splunk" +# port="514" +# protocol="tcp") +rsyslog_rsyslog_d_files: [] ``` ## [Requirements](#requirements) diff --git a/defaults/main.yml b/defaults/main.yml index be32dbf..3593e09 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -35,6 +35,16 @@ rsyslog_mods: # Configure rsyslog minimally (may be in conflict with custom configuration files) rsyslog_deploy_default_config: yes +# Default rsyslogd rules +rsyslog_default_rules: + - { rule: '*.info;mail.none;authpriv.none;cron.none', logpath: '/var/log/messages' } + - { rule: 'authpriv.*', logpath: '/var/log/secure' } + - { rule: 'mail.*', logpath: '-/var/log/maillog' } + - { rule: 'cron.*', logpath: '/var/log/cron' } + - { rule: '*.emerg', logpath: ':omusrmsg:*' } + - { rule: 'uucp,news.crit', logpath: '/var/log/spooler' } + - { rule: 'local7.*', logpath: '/var/log/boot.log' } + # Use the (obsolete) legacy, pre-v6 configuration file format, or the more # modern # 'advanced' configuration file format available in v6 and up. The # default is to use the 'legacy' format to not change config files for @@ -54,3 +64,14 @@ rsyslog_package_state: present # part from a name that is within the same domain as the receiving system is # stripped. If set to on, full names are always used. rsyslog_preservefqdn: false + +# Configure additional config files in /etc/rsyslog.d +# Example: +# rsyslog_rsyslog_d_files: +# 000-splunk: +# content: | +# auth,authpriv.* action(type="omfwd" +# target="splunk" +# port="514" +# protocol="tcp") +rsyslog_rsyslog_d_files: [] diff --git a/tasks/main.yml b/tasks/main.yml index af8ad11..c43beef 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,6 +42,18 @@ notify: - restart rsyslog +- name: configuring additional config files + ansible.builtin.copy: + content: "{{ item.value.content | default('') }}" + dest: "/etc/rsyslog.d/{{ item.key }}.conf" + validate: "{{ 'rsyslogd -N1 -f %s' if item.value.validate | default(false) else 'true %s' }}" + owner: root + group: root + mode: 0440 + with_dict: "{{ rsyslog_rsyslog_d_files }}" + when: item.value.state | default('present') == 'present' + notify: restart rsyslog + - name: start and enable rsyslog ansible.builtin.service: name: "{{ rsyslog_service }}" 
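Review bot: The entries added to `rsyslog_default_rules` repeat selectors that both templates still hard-code inside `{% if rsyslog_deploy_default_config %}` (`authpriv.*`, `mail.*`, `cron.*`, `uucp,news.crit` and `local7.*` are visible in the template hunks). The new `{% for item in rsyslog_default_rules %}` loop in advanced_rsyslog.conf.j2 and legacy_rsyslog.conf.j2 is rendered in addition to that block. With both defaults left as shipped, each matching message would be written twice to the same file, which inflates /var/log/secure and the other logs and makes them harder to review. Dropping the hard-coded block and keeping only the loop inside `{% if rsyslog_deploy_default_config %}` would avoid this. The `rsyslog_default_rules is defined` guard is always true once this default exists, so it cannot be used to switch the loop off.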
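Review bot: `rsyslog_rsyslog_d_files: []` defaults to a list, while the commented example above it and the `with_dict` loop in tasks/main.yml treat the variable as a mapping keyed by file name. `rsyslog_rsyslog_d_files: {}` would match that shape and would not depend on how the dict lookup treats an empty list. The example would also be easier to copy if it showed the optional `validate` and `state` keys that the task reads.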
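Review bot: The `validate` line falls back to `'true %s'`, so unless a caller sets `validate` on an entry the fragment is written unchecked and the `restart rsyslog` handler runs against it; a syntax error in one drop-in could then leave the host without local logging or forwarding. Consider making the check the default, `validate: "{{ 'rsyslogd -N1 -f %s' if item.value.validate | default(true) else omit }}"`, provided fragments are expected to parse on their own. Entries whose `state` is not `present` are only skipped, so a file deployed earlier stays in /etc/rsyslog.d and keeps being included; a companion task using `ansible.builtin.file` with `state: absent` would close that gap, unless one exists outside this hunk. `mode: 0440` is better quoted as `mode: "0440"` so it does not depend on the YAML parser's octal handling.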
diff --git a/templates/advanced_rsyslog.conf.j2 b/templates/advanced_rsyslog.conf.j2 index d914b85..47e401c 100644 --- a/templates/advanced_rsyslog.conf.j2 +++ b/templates/advanced_rsyslog.conf.j2 @@ -1,26 +1,13 @@ {{ ansible_managed | comment }} -# rsyslog configuration file +# /etc/rsyslog.conf configuration file for rsyslog +# +# For more information install rsyslog-doc and see +# /usr/share/doc/rsyslog-doc/html/configuration/index.html -# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html -# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html -# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html - -#### GLOBAL DIRECTIVES #### - -# Where to place auxiliary files -global(workDirectory="{{ rsyslog_work_directory }}") - -# Use default timestamp format -module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") - -# Include all config files in /etc/rsyslog.d/ -include(file="/etc/rsyslog.d/*.conf" mode="optional") - -{% if rsyslog_preservefqdn %} -$PreserveFQDN on -{% endif %} +################# #### MODULES #### +################# # Provides support for local system logging (e.g. via logger command) # And turns off message reception via local log socket; 
@@ -31,28 +18,60 @@ $PreserveFQDN on # And provides file to store the position in the journal {{ '' if 'imjournal' in rsyslog_mods else '#' }}module(load="imjournal" StateFile="imjournal.state") -# reads kernel messages (the same are read from journald) +# provides kernel logging support {{ '' if 'imklog' in rsyslog_mods else '#' }}module(load="imklog") # provides --MARK-- message capability {{ '' if 'immark' in rsyslog_mods else '#' }}module(load="immark") -# Provides access to specific log file +# provides access to specific log file {{ '' if 'imfile' in rsyslog_mods else '#' }}module(load="imfile") -# Provides UDP syslog reception -# for parameters see http://www.rsyslog.com/doc/imudp.html +# provides UDP syslog reception {{ '' if rsyslog_receiver is defined else '#' }}module(load="imudp") # needs to be done just once {{ '' if rsyslog_receiver is defined else '#' }}input(type="imudp" port="514") -# Provides TCP syslog reception -# for parameters see http://www.rsyslog.com/doc/imtcp.html +# provides TCP syslog reception {{ '' if rsyslog_receiver is defined else '#' }}module(load="imtcp") # needs to be done just once {{ '' if rsyslog_receiver is defined else '#' }}input(type="imtcp" port="514") -{% if rsyslog_deploy_default_config %} -#### RULES #### +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") +# +# Set the default permissions for all log files. 
+# +$FileCreateMode {{ rsyslog_filecreatemode }} +$DirCreateMode {{ rsyslog_dircreatemode }} + +# +# Where to place spool and state files +# +global(workDirectory="{{ rsyslog_work_directory }}") + +{% if rsyslog_preservefqdn %} +# +# Use FQDN (usefull when sending logs to another system) +# +$PreserveFQDN on +{% endif %} + +# +# Include all config files in /etc/rsyslog.d/ +# +include(file="/etc/rsyslog.d/*.conf" mode="optional") + +############### +#### RULES #### +############### +{% if rsyslog_deploy_default_config %} # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console @@ -67,7 +86,6 @@ authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog - # Log cron stuff cron.* /var/log/cron @@ -79,10 +97,18 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log - +{% endif %} +{% if rsyslog_default_rules is defined %} +{% for item in rsyslog_default_rules %} +{{ item.rule }} {{ item.logpath }} +{% endfor %} +{% endif %} {% if rsyslog_remote is defined %} -# ### sample forwarding rule ### +######################### +#### FORWARDING RULE #### +######################### + action(type="omfwd" # # An on-disk queue is created for this action. If the remote host is # # down, messages are spooled to disk and sent when it is up again. @@ -95,6 +121,5 @@ action(type="omfwd" # # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514 #Target="remote_host" Port="XXX" Protocol="tcp") Target="{{ rsyslog_remote }}" Port="{{ rsyslog_remote_port }}" Protocol="{{ 'tcp' if rsyslog_remote_tcp else 'udp' }}") -{% endif %} # ### end of the forwarding rule ### {% endif %} diff --git a/templates/legacy_rsyslog.conf.j2 b/templates/legacy_rsyslog.conf.j2 index 84eaa32..0e7a761 100644 --- a/templates/legacy_rsyslog.conf.j2 +++ b/templates/legacy_rsyslog.conf.j2 
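Review bot: `$FileCreateMode` and `$DirCreateMode` are legacy-format directives added to the template for the 'advanced' format, right after a `module(load="builtin:omfile" ...)` line that can carry the same settings. Putting them there keeps the file in one syntax: `module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat" fileCreateMode="{{ rsyslog_filecreatemode }}" dirCreateMode="{{ rsyslog_dircreatemode }}")`. These two variables now decide who can read files such as /var/log/secure on hosts using this template; their defaults are not part of this diff, so a comment stating the expected restrictive values would help. The added FQDN comment also has a typo, `usefull`.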
@@ -1,59 +1,84 @@ {{ ansible_managed | comment }} -# rsyslog configuration file - -# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html -# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html +# /etc/rsyslog.conf configuration file for rsyslog +# +# For more information install rsyslog-doc and see +# /usr/share/doc/rsyslog-doc/html/configuration/index.html -{% if rsyslog_preservefqdn %} -$PreserveFQDN on -{% endif %} +################# #### MODULES #### +################# # The imjournal module bellow is now used as a message source instead of imuxsock. {{ '#' if not 'imuxsock' in rsyslog_mods else '' }}$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) {{ '#' if not 'imjournal' in rsyslog_mods else '' }}$ModLoad imjournal # provides access to the systemd journal -{{ '#' if not 'imklog' in rsyslog_mods else '' }}$ModLoad imklog # reads kernel messages (the same are read from journald) +{{ '#' if not 'imklog' in rsyslog_mods else '' }}$ModLoad imklog # provides kernel logging support {{ '#' if not 'immark' in rsyslog_mods else '' }}$ModLoad immark # provides --MARK-- message capability {{ '#' if not 'imfile' in rsyslog_mods else '' }}$ModLoad imfile # provides access to specific log file -# Provides UDP syslog reception +# provides UDP syslog reception {{ '' if rsyslog_receiver is defined else '#' }}$ModLoad imudp {{ '' if rsyslog_receiver is defined else '#' }}$UDPServerRun 514 -# Provides TCP syslog reception +# provides TCP syslog reception {{ '' if rsyslog_receiver is defined else '#' }}$ModLoad imtcp {{ '' if rsyslog_receiver is defined else '#' }}$InputTCPServerRun 514 + +########################### #### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Set the default permissions for all log files. 
+# +$FileCreateMode {{ rsyslog_filecreatemode }} +$DirCreateMode {{ rsyslog_dircreatemode }} -# Where to place auxiliary files +# +# Where to place spool and state files +# $WorkDirectory {{ rsyslog_work_directory }} -# Use default timestamp format -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + +{% if rsyslog_preservefqdn %} +# +# Use FQDN (usefull when sending logs to another system) +# +$PreserveFQDN on +{% endif %} +# # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit +# #$ActionFileEnableSync on -# Include all config files in /etc/rsyslog.d/ -$IncludeConfig /etc/rsyslog.d/*.conf - +# # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. +# {{ '#' if 'imuxsock' in rsyslog_mods else '' }}$OmitLocalLogging on +# # File to store the position in the journal +# {{ '#' if not 'imjournal' in rsyslog_mods else '' }}$IMJournalStateFile imjournal.state -# Set mode for new files and directories -$DirCreateMode {{ rsyslog_dircreatemode }} -$FileCreateMode {{ rsyslog_filecreatemode }} - -{% if rsyslog_deploy_default_config %} +############### #### RULES #### - +############### +{% if rsyslog_deploy_default_config %} # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console 
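Review bot: `$IncludeConfig /etc/rsyslog.d/*.conf` now comes after `$FileCreateMode`/`$DirCreateMode`, whereas before this change the include was read first. Legacy directives of this kind appear to apply to the actions defined after them, so files written by drop-ins in /etc/rsyslog.d (including those deployed through `rsyslog_rsyslog_d_files`) would now be created with the role's modes instead of rsyslog's built-in defaults. That is probably the safer behaviour, but it changes existing drop-ins and deserves a comment above the include, for example `# Keep after $FileCreateMode/$DirCreateMode so drop-ins inherit these modes`. The include also precedes `$PreserveFQDN` here while the advanced template places it after; aligning the two would avoid confusion.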
@@ -80,9 +105,18 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log +{% endif %} +{% if rsyslog_default_rules is defined %} +{% for item in rsyslog_default_rules %} +{{ item.rule }} {{ item.logpath }} +{% endfor %} +{% endif %} +{% if rsyslog_remote is defined %} +######################### +#### FORWARDING RULE #### +######################### -# ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! @@ -97,8 +131,6 @@ local7.* /var/log/boot.log #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 -{% if rsyslog_remote is defined %} {{ rsyslog_remote_selector }} {{ '@@' if rsyslog_remote_tcp else '@' }}{{ rsyslog_remote }}:{{ rsyslog_remote_port }} -{% endif %} # ### end of the forwarding rule ### {% endif %}