diff --git a/README.md b/README.md index d2e2dd5a..658f6231 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,9 @@ Manage rsyslog client and server via Puppet custom_config => undef, server => 'log', port => '514', + ssl => false, + ssl_ca => undef, + include_drupal => true, } ``` @@ -91,6 +94,9 @@ The following lists all the class parameters this module accepts. log_auth_local true,false Just log auth facility locally. Defaults to false. custom_config STRING Specify your own template to use for client config. Defaults to undef. Example usage: custom_config => 'rsyslog/my_config.erb server STRING Rsyslog server to log to. Will be used in the client configuration file. + ssl true,false + ssl_ca STRING + include_drupal true,false Include a drupal.log file. Defaults to true for backwards compatibility reasons. RSYSLOG::DATABASE CLASS PARAMETERS VALUES DESCRIPTION ------------------------------------------------------------------- diff --git a/files/rsyslog_default b/files/rsyslog_default deleted file mode 100644 index 1f11cd3d..00000000 --- a/files/rsyslog_default +++ /dev/null @@ -1,7 +0,0 @@ -# File is managed by puppet - -# Debian, Ubuntu -RSYSLOGD_OPTIONS="-c4" - -# CentOS, RedHat, Fedora -SYSLOGD_OPTIONS="${RSYSLOGD_OPTIONS}" diff --git a/manifests/client.pp b/manifests/client.pp index 624dfe85..8c8c71c9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -14,6 +14,9 @@ # [*custom_params*] # [*server*] # [*port*] +# [*ssl*] +# [*ssl_ca*] +# [*include_drupal*] # # === Variables # 
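Review bot: The header's parameter list gains `[*ssl*]`, `[*ssl_ca*]` and `[*include_drupal*]` but not `[*protocol_format*]`, which the next hunk adds to the class signature with the default `'RSYSLOG_ForwardFormat'`; add `# [*protocol_format*]` here so the header matches the signature. None of the entries carries a description, so a short phrase per new entry (e.g. `# [*ssl*] Wrap the TCP forwarding action in TLS (gtls); the CA file comes from ssl_ca`) would spare the reader a trip into the template. The README rows added for `ssl` and `ssl_ca` in the first file are likewise left without a description column.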
@@ -22,25 +25,31 @@ # class { 'rsyslog::client': } # class rsyslog::client ( - $log_remote = true, - $spool_size = '1g', - $remote_type = 'tcp', - $log_local = false, - $log_auth_local = false, - $custom_config = undef, - $custom_params = undef, - $server = 'log', - $port = '514' + $log_remote = true, + $spool_size = '1g', + $remote_type = 'tcp', + $log_local = false, + $log_auth_local = false, + $custom_config = undef, + $custom_params = undef, + $protocol_format = 'RSYSLOG_ForwardFormat', + $server = 'log', + $port = '514', + $ssl = false, + $ssl_ca = undef, + $include_drupal = true, # true for backwards compatibility reasons ) inherits rsyslog { - $content_real = $custom_config ? { - '' => template("${module_name}/client.conf.erb"), - default => template($custom_config), + if $custom_config { + $content_real = template($custom_config) + } + else { + $content_real = template("${module_name}/client.conf.erb") } rsyslog::snippet {'client': ensure => present, content => $content_real, - } + } } diff --git a/manifests/config.pp b/manifests/config.pp index d7fbbe60..55c7c858 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -34,7 +34,7 @@ ensure => file, owner => 'root', group => $rsyslog::run_group, - source => 'puppet:///modules/rsyslog/rsyslog_default', + content => template("${module_name}/rsyslog_default.erb"), require => Class['rsyslog::install'], notify => Class['rsyslog::service'], } diff --git a/manifests/install.pp b/manifests/install.pp index 3e9ad1a9..86c00b0e 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -23,4 +23,10 @@ } } + if $rsyslog::ssl != false { + package { 'rsyslog-gnutls': + ensure => $rsyslog::package_status + } + } + } diff --git a/manifests/params.pp b/manifests/params.pp index f580d2e3..d20bffe4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
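Review bot: `$ssl_ca` is accepted without any check that it is set when `$ssl` is true, and the client template then renders `$DefaultNetStreamDriverCAFile` with an empty value, so the mistake most likely surfaces when the daemon restarts rather than at catalog time. A guard ahead of the `if $custom_config` block, `if $ssl and !$ssl_ca { fail('rsyslog::client: ssl_ca is required when ssl is true') }`, moves the error into the Puppet run where it is reported. The same guard is the right place to reject `ssl => true` together with `remote_type => 'udp'`: the template's TLS block is not conditioned on `remote_type`, and `$ActionSendStreamDriverMode` only affects the TCP action, so that combination keeps forwarding in clear without any warning.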
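Review bot: `$rsyslog::ssl` names a variable of the base `rsyslog` class, but the `ssl` parameters this commit introduces live on `rsyslog::client` and `rsyslog::server` (`$rsyslog::client::ssl`, `$rsyslog::server::ssl`); unless `rsyslog` itself gains an `$ssl` parameter in a change not shown here, this condition never sees the value the templates use, and `rsyslog-gnutls` is not installed on the hosts whose config now loads the `gtls` driver. A simpler shape is for each of those two classes to declare the package beside its own `$ssl` check, e.g. in `rsyslog::client`: `if $ssl { package { 'rsyslog-gnutls': ensure => $rsyslog::package_status, } }` (guarded with `defined(Package['rsyslog-gnutls'])` if both classes can land on one node). The `!= false` comparison also treats the string `'false'` as enabled; `if $rsyslog::ssl {` is the usual form. The enclosing class body starts outside the hunk.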
@@ -30,7 +30,7 @@ $log_style = 'debian' $perm_file = '0640' $perm_dir = '0755' - $spool_dir = '/var/spool/rsyslog/' + $spool_dir = '/var/spool/rsyslog' $service_name = 'rsyslog' $client_conf = "${rsyslog_d}client.conf" $server_conf = "${rsyslog_d}server.conf" @@ -51,7 +51,7 @@ $log_style = 'redhat' $perm_file = '0600' $perm_dir = '0750' - $spool_dir = '/var/lib/rsyslog/' + $spool_dir = '/var/lib/rsyslog' $service_name = 'rsyslog' $client_conf = "${rsyslog_d}client.conf" $server_conf = "${rsyslog_d}server.conf" @@ -72,7 +72,7 @@ $log_style = 'debian' $perm_file = '0640' $perm_dir = '0755' - $spool_dir = '/var/spool/syslog/' + $spool_dir = '/var/spool/syslog' $service_name = 'syslogd' $client_conf = "${rsyslog_d}client.conf" $server_conf = "${rsyslog_d}server.conf" diff --git a/manifests/server.pp b/manifests/server.pp index f1f32605..e004258d 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -8,8 +8,11 @@ # [*enable_udp*] # [*enable_onefile*] # [*server_dir*] -# [*custom_config*] # [*high_precision_timestamps*] +# [*ssl*] +# [*ssl_ca*] +# [*ssl_cert*] +# [*ssl_key*] # # === Variables # @@ -21,26 +24,20 @@ # # Create seperate directory per host # -# class { 'rsyslog::server': -# custom_config => 'rsyslog/server-hostname.conf.erb' -# } -# class rsyslog::server ( $enable_tcp = true, $enable_udp = true, $enable_onefile = false, $server_dir = '/srv/log', - $custom_config = undef, - $high_precision_timestamps = false + $high_precision_timestamps = false, + $ssl = false, + $ssl_ca = undef, + $ssl_cert = undef, + $ssl_key = undef ) inherits rsyslog { - $real_content = $custom_config ? { - '' => template("${module_name}/server-default.conf.erb"), - default => template($custom_config), - } - rsyslog::snippet {'server': ensure => present, - content => $real_content, + content => template("${module_name}/server-default.conf.erb"), } } diff --git a/templates/client.conf.erb b/templates/client.conf.erb index e5dfb8cc..33bdf605 100644 --- a/templates/client.conf.erb 
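Review bot: Dropping the trailing slash from `$spool_dir` (here and in the two hunks below for the redhat and syslogd branches) changes the value every template interpolates, and this file's own `$client_conf = "${rsyslog_d}client.conf"` shows the module's habit of relying on a trailing separator. Whichever template consumes `spool_dir` (not in this diff; presumably a `$WorkDirectory` line) should be checked for a `<%= … %>name` concatenation that now loses its separator, and a comment such as `# no trailing slash: consumers add the separator themselves` beside the three assignments would record the new contract.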
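Review bot: Removing `$custom_config` from `rsyslog::server` (and its usage example in the header hunk above) breaks every manifest that still passes it, since Puppet rejects unknown class parameters at compile time, and nothing in the commit or README flags this as a breaking change; if the option is intentionally retired, a short note in the class header is the minimum. The four new `$ssl_*` parameters are also handed to the template unchecked; `if $ssl and (!$ssl_ca or !$ssl_cert or !$ssl_key) {` / `  fail('rsyslog::server: ssl_ca, ssl_cert and ssl_key are required when ssl is true')` / `}` ahead of the `rsyslog::snippet` turns an empty `$DefaultNetstreamDriverKeyFile` line into a catalog error instead of a daemon that will not start. The key path is only passed through; the module neither manages that file nor its mode, which the `[*ssl_key*]` entry should state so operators know the private key's protection is theirs to arrange.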
+++ b/templates/client.conf.erb @@ -8,12 +8,23 @@ $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinety retries if host is down +<% if scope.lookupvar('rsyslog::client::ssl') -%> +# Setup SSL connection. +# CA/Cert +$DefaultNetStreamDriverCAFile <%= scope.lookupvar('rsyslog::client::ssl_ca') %> + +# Connection settings. +$DefaultNetstreamDriver gtls +$ActionSendStreamDriverMode 1 +$ActionSendStreamDriverAuthMode anon +<% end -%> + <% if scope.lookupvar('rsyslog::client::log_remote') -%> # Log to remote syslog server using <%= scope.lookupvar('rsyslog::client::remote_type') %> <% if scope.lookupvar('rsyslog::client::remote_type') == 'tcp' -%> -*.* @@<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;RSYSLOG_ForwardFormat +*.* @@<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('rsyslog::client::protocol_format') -%> <% else -%> -*.* @<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;RSYSLOG_ForwardFormat +*.* @<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('rsyslog::client::protocol_format') -%> <% end -%> <% end -%> @@ -21,6 +32,11 @@ $ActionResumeRetryCount -1 # infinety retries if host is down # We log locally, restore to default format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +<% if scope.lookupvar('rsyslog::client::include_drupal') -%> +# Drupal stuff +if $syslogfacility-text == 'local0' then /var/log/drupal.log +&~ +<% end -%> <% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> # Log auth messages locally auth,authpriv.* /var/log/auth.log 
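Review bot: `$ActionSendStreamDriverAuthMode anon` means the client never validates the server's certificate, so the `$DefaultNetStreamDriverCAFile` it loads above is not used for peer verification and the session can be terminated by whoever is able to intercept the TCP connection; the encryption only defeats passive capture. If the log server's certificate carries a usable name, `$ActionSendStreamDriverAuthMode x509/name` plus `$ActionSendStreamDriverPermittedPeer <%= scope.lookupvar('rsyslog::client::server') %>` authenticates it (`x509/certvalid` if only chain validation is wanted); otherwise a comment should record that the server is deliberately unauthenticated. The block is also emitted regardless of `remote_type`, while `$ActionSendStreamDriverMode` only applies to the `@@` TCP action, so the `<% if … ssl %>` test should be combined with `remote_type == 'tcp'` or the manifest should reject the UDP combination. Minor: the directive is spelled `$DefaultNetStreamDriverCAFile` here and `$DefaultNetstreamDriverCAFile` in the server header; rsyslog treats them alike, but one spelling helps grepping.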
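Review bot: The `&~` following the drupal rule discards every `local0` message, not only Drupal's, from all rules that come after it, including the local `*.*` syslog line further down; the remote forward earlier in the file is unaffected because it precedes this block. Since `include_drupal` defaults to true, every client host silently stops writing local0 to `/var/log/syslog`, which the comment should say: `# local0 (Drupal) goes to its own file and is dropped from the local rules below; remote forwarding above still sees it`. The identical rule and discard are added in `templates/server-default.conf.erb` and deserve the same comment there.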
@@ -34,13 +50,13 @@ auth,authpriv.* /var/log/secure <% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> # First some standard log files. Log by facility. # -*.*;auth,authpriv.none -/var/log/syslog -cron.* /var/log/cron.log -daemon.* -/var/log/daemon.log -kern.* -/var/log/kern.log -#lpr.* -/var/log/lpr.log -mail.* -/var/log/mail.log -user.* -/var/log/user.log +*.*;auth,authpriv.none,cron.none -/var/log/syslog +cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +#lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log # # Logging for the mail system. Split it up so that @@ -79,7 +95,7 @@ news.notice -/var/log/news/news.notice # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: -# +# # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably diff --git a/templates/rsyslog_default.erb b/templates/rsyslog_default.erb new file mode 100644 index 00000000..d07cb849 --- /dev/null +++ b/templates/rsyslog_default.erb @@ -0,0 +1,10 @@ +# File is managed by puppet + +<% case @osfamily -%> +<% when 'Debian' -%> +# Debian, Ubuntu +RSYSLOGD_OPTIONS="" +<% when 'RedHat' -%> +# CentOS, RedHat, Fedora +SYSLOGD_OPTIONS="" +<% end -%> diff --git a/templates/server-default.conf.erb b/templates/server-default.conf.erb index fdf32d16..7dad9fc5 100644 --- a/templates/server-default.conf.erb +++ b/templates/server-default.conf.erb 
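Review bot: The new template renders `RSYSLOGD_OPTIONS=""`, dropping the `-c4` that the deleted `files/rsyslog_default` set, and `case @osfamily` has no `else`, so on a host outside Debian/RedHat (params.pp carries a third, `syslogd` branch) the file now holds only the comment. If dropping `-c4` is deliberate because the targeted rsyslog ignores `-c`, say so in the template (`# options intentionally empty: the -c compatibility flag is not needed on the rsyslog versions this module targets`); if not, the option should be kept. An `<% else -%>` branch, or a comment stating that other families get no options variable, would make the third case explicit rather than accidental.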
@@ -17,8 +17,11 @@ $Template dynUserLog,"<%= scope.lookupvar('rsyslog::server::server_dir') -%>%sou $Template dynMailLog,"<%= scope.lookupvar('rsyslog::server::server_dir') -%>%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/mail.log" $Template dynDebug,"<%= scope.lookupvar('rsyslog::server::server_dir') -%>%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/debug" $Template dynMessages,"<%= scope.lookupvar('rsyslog::server::server_dir') -%>%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/messages" +$Template dynDrupal,"<%= scope.lookupvar('rsyslog::server::server_dir') -%>%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/drupal.log" # Rules +if $syslogfacility-text == 'local0' then ?dynDrupal +&~ auth,authpriv.* ?dynAuthLog *.*;auth,authpriv.none,mail.none,cron.none -?dynSyslog cron.* ?dynCronLog @@ -26,10 +29,6 @@ daemon.* -?dynDaemonLog kern.* -?dynKernLog mail.* -?dynMailLog user.* -?dynUserLog -*.=info;*.=notice;*.=warn;\ - auth.none,authpriv.none;\ - cron.none,daemon.none;\ - mail.none,news.none -?dynMessages <% else -%> # Template $Template dynAllMessages,"<%= scope.lookupvar('rsyslog::server::server_dir') -%>%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/messages" diff --git a/templates/server/_default-header.conf.erb b/templates/server/_default-header.conf.erb index 19eb173f..647628c6 100644 --- a/templates/server/_default-header.conf.erb +++ b/templates/server/_default-header.conf.erb @@ -6,6 +6,7 @@ $ModLoad imudp <% if scope.lookupvar('rsyslog::server::enable_tcp') -%> # Load TCP module $ModLoad imtcp +$InputTCPMaxSessions 1000 # Maximum TCP sessions (default 200) <% end -%> <% if scope.lookupvar('rsyslog::server::high_precision_timestamps') == false -%> 
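Review bot: Removing the `*.=info;*.=notice;*.=warn … -?dynMessages` rule leaves the `$Template dynMessages` definition shown in the previous hunk's context with no rule referencing it; either drop the template too or note why it stays. The messages it collected are still captured by the remaining `-?dynSyslog` and per-facility rules, so nothing is lost, but a one-line comment above the rules (`# no separate messages file: anything not split out lands in dynSyslog`) would stop the next reader from re-adding it.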
@@ -16,5 +17,18 @@ $ModLoad imtcp $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat <% end -%> +<% if scope.lookupvar('rsyslog::server::ssl') -%> +# Server side SSL. +$DefaultNetstreamDriver gtls + +# Cert files. +$DefaultNetstreamDriverCAFile <%= scope.lookupvar('rsyslog::server::ssl_ca') %> +$DefaultNetstreamDriverCertFile <%= scope.lookupvar('rsyslog::server::ssl_cert') %> +$DefaultNetstreamDriverKeyFile <%= scope.lookupvar('rsyslog::server::ssl_key') %> + +$InputTCPServerStreamDriverMode 1 +$InputTCPServerStreamDriverAuthMode anon +<% end -%> + # Switch to remote ruleset $RuleSet remote
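Review bot: `$InputTCPServerStreamDriverAuthMode anon` accepts any TLS client without a certificate, so the server's cert and key only encrypt the channel and any host able to reach the port can still inject messages, the same exposure as the plain TCP listener. Where clients are provisioned with certificates, `$InputTCPServerStreamDriverAuthMode x509/name` with one `$InputTCPServerStreamDriverPermittedPeer` per allowed client (or a wildcard domain) authenticates them; otherwise a comment should record that the listener is intentionally open. `imudp` is loaded in the hunk above this one (presumably under `enable_udp`, which defaults to true in `rsyslog::server`), so turning on `ssl` does not close the unencrypted path; the class docs or this header should say the two settings go together. The three `$ssl_*` values are emitted unvalidated, and an unset one renders an empty directive that rsyslog will most likely refuse at startup.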