├── docs ├── changelog.rst ├── includes │ └── all.rst ├── copyright.rst ├── index.rst ├── introduction.rst ├── playbooks │ └── rsyslog.yml ├── getting-started.rst ├── defaults-detailed.rst └── unprivileged-tls.rst ├── handlers └── main.yml ├── templates └── etc │ ├── rsyslog.conf.j2 │ └── rsyslog.d │ └── rules.conf.j2 ├── .travis.yml ├── meta ├── main.yml └── ansigenome.yml ├── COPYRIGHT ├── CHANGES.rst ├── README.md ├── tasks └── main.yml ├── LICENSE └── defaults └── main.yml /docs/changelog.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../CHANGES.rst 2 | -------------------------------------------------------------------------------- /docs/includes/all.rst: -------------------------------------------------------------------------------- 1 | .. include:: includes/global.rst 2 | -------------------------------------------------------------------------------- /docs/copyright.rst: -------------------------------------------------------------------------------- 1 | Copyright 2 | ========= 3 | 4 | .. literalinclude:: ../COPYRIGHT 5 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Restart rsyslogd 4 | service: 5 | name: 'rsyslog' 6 | state: 'restarted' 7 | -------------------------------------------------------------------------------- /templates/etc/rsyslog.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # 4 | # Include all config files in /etc/rsyslog.d/ 5 | # 6 | $IncludeConfig /etc/rsyslog.d/*.conf 7 | 8 | -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- 1 | .. _debops.rsyslog: 2 | 3 | Ansible role: debops.rsyslog 4 | ============================ 5 | 6 | .. toctree:: 7 | :maxdepth: 2 8 | 9 | introduction 10 | getting-started 11 | defaults 12 | defaults-detailed 13 | unprivileged-tls 14 | copyright 15 | changelog 16 | 17 | .. 18 | Local Variables: 19 | mode: rst 20 | ispell-local-dictionary: "american" 21 | End: 22 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | language: 'python' 4 | python: '2.7' 5 | 6 | virtualenv: 7 | system_site_packages: true 8 | 9 | before_install: True 10 | install: True 11 | 12 | script: 13 | - 'git clone --depth 1 https://github.com/nickjj/rolespec' 14 | - 'cd rolespec ; bin/rolespec -r https://github.com/debops/test-suite' 15 | 16 | notifications: 17 | webhooks: 18 | - 'https://galaxy.ansible.com/api/v1/notifications/' 19 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | dependencies: [] 4 | 5 | galaxy_info: 6 | 7 | author: 'Maciej Delmanowski' 8 | description: 'Manage rsyslog configuration' 9 | company: 'DebOps' 10 | license: 'GPL-3.0' 11 | min_ansible_version: '2.0.0' 12 | 13 | platforms: 14 | 15 | - name: 'Ubuntu' 16 | versions: [ 'all' ] 17 | 18 | - name: 'Debian' 19 | versions: [ 'all' ] 20 | 21 | galaxy_tags: 22 | - system 23 | - logging 24 | - logs 25 | - security 26 | - audit 27 | -------------------------------------------------------------------------------- /docs/introduction.rst: -------------------------------------------------------------------------------- 1 | Introduction 2 | ============ 3 | 4 | The `rsyslog `_ package is used to read, process, store 5 | and forward system logs in different ways, on local or remote systems. The 6 | ``debops.rsyslog`` role can be used to easily configure log forwarding to 7 | a central log server, as well as store logs on the filesystem or other storage 8 | backends. 9 | 10 | Installation 11 | ~~~~~~~~~~~~ 12 | 13 | This role requires at least Ansible ``v2.0.0``. To install it, run: 14 | 15 | .. code-block:: console 16 | 17 | ansible-galaxy install debops.rsyslog 18 | 19 | .. 20 | Local Variables: 21 | mode: rst 22 | ispell-local-dictionary: "american" 23 | End: 24 | -------------------------------------------------------------------------------- /COPYRIGHT: -------------------------------------------------------------------------------- 1 | debops.rsyslog - Manage syslog daemon using Ansible 2 | 3 | Copyright (C) 2015-2017 Maciej Delmanowski 4 | Copyright (C) 2015-2017 DebOps https://debops.org/ 5 | 6 | This Ansible role is part of DebOps. 7 | 8 | DebOps is free software; you can redistribute it and/or modify 9 | it under the terms of the GNU General Public License version 3, as 10 | published by the Free Software Foundation. 11 | 12 | DebOps is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with DebOps. If not, see https://www.gnu.org/licenses/. 19 | -------------------------------------------------------------------------------- /meta/ansigenome.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | ansigenome_info: 4 | galaxy_url: 'https://galaxy.ansible.com/debops/rsyslog' 5 | github_url: 'https://github.com/debops/ansible-rsyslog' 6 | git_branch: "master" 7 | 8 | travis: True 9 | 10 | license_url: 'https://tldrlegal.com/license/gnu-general-public-license-v3-(gpl-3)' 11 | 12 | authors: 13 | - name: 'Maciej Delmanowski' 14 | url: '' 15 | email: 'drybjed@gmail.com' 16 | twitter: 'drybjed' 17 | github: 'drybjed' 18 | 19 | synopsis: | 20 | The [rsyslog](http://rsyslog.com/) package is used to read, process, store 21 | and forward system logs in different ways, on local or remote systems. The 22 | `debops.rsyslog` role can be used to easily configure log forwarding to 23 | a central log server, as well as store logs on the filesystem or other storage 24 | backends. 25 | -------------------------------------------------------------------------------- /docs/playbooks/rsyslog.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Configure rsyslog 4 | hosts: [ 'debops_service_rsyslog' ] 5 | become: True 6 | 7 | roles: 8 | 9 | - role: debops.etc_services 10 | tags: [ 'role::etc_services' ] 11 | etc_services__dependent_list: 12 | - '{{ rsyslog__etc_services__dependent_list }}' 13 | 14 | - role: debops.apt_preferences 15 | tags: [ 'role::apt_preferences' ] 16 | apt_preferences__dependent_list: 17 | - '{{ rsyslog__apt_preferences__dependent_list }}' 18 | 19 | - role: debops.ferm 20 | tags: [ 'role::ferm' ] 21 | ferm__dependent_rules: 22 | - '{{ rsyslog__ferm__dependent_rules }}' 23 | 24 | - role: debops.logrotate 25 | tags: [ 'role::logrotate' ] 26 | logrotate__dependent_config: 27 | - '{{ rsyslog__logrotate__dependent_config }}' 28 | 29 | - role: debops.rsyslog 30 | tags: [ 'role::rsyslog' ] 31 | -------------------------------------------------------------------------------- /templates/etc/rsyslog.d/rules.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | {% macro print_config(element) %} 4 | {% if element is mapping %} 5 | {% if element.state is undefined or element.state != 'absent' %} 6 | {% if element.comment|d() %} 7 | {{ element.comment | comment }} 8 | {% endif %} 9 | {% if element.selector|d() and element.action|d() %} 10 | {% set rsyslog__tpl_selector = element.selector | trim %} 11 | {{ "%-30s %s" | format(rsyslog__tpl_selector, element.action) }} 12 | 13 | {% elif element.options|d() %} 14 | {{ element.options }} 15 | 16 | {% endif %} 17 | {% endif %} 18 | {% elif element is string %} 19 | {{ element }} 20 | 21 | {% else %} 22 | {% for thing in element %} 23 | {{ print_config(thing) -}} 24 | {% endfor %} 25 | {% endif %} 26 | {% endmacro %} 27 | {% if item.sections|d() %} 28 | {% for section in item.sections %} 29 | {{ print_config(section) -}} 30 | {% endfor %} 31 | {% else %} 32 | {{ print_config(item) -}} 33 | {% endif %} 34 | 35 | -------------------------------------------------------------------------------- /CHANGES.rst: -------------------------------------------------------------------------------- 1 | .. _rsyslog__ref_changelog: 2 | 3 | Changelog 4 | ========= 5 | 6 | .. include:: includes/all.rst 7 | 8 | **debops.rsyslog** 9 | 10 | This project adheres to `Semantic Versioning `__ 11 | and `human-readable changelog `__. 12 | 13 | The current role maintainer_ is drybjed_. 14 | 15 | 16 | `debops.rsyslog master`_ - unreleased 17 | ------------------------------------- 18 | 19 | .. _debops.rsyslog master: https://github.com/debops/ansible-rsyslog/compare/v0.2.1...master 20 | 21 | 22 | `debops.rsyslog v0.2.1`_ - 2017-02-03 23 | ------------------------------------- 24 | 25 | .. _debops.rsyslog v0.2.1: https://github.com/debops/ansible-rsyslog/compare/v0.2.1...v0.2.0 26 | 27 | Added 28 | ~~~~~ 29 | 30 | - Add support for anonymous TLS connections, as well as a way to allow only TLS 31 | connections. [bleuchtang] 32 | 33 | Changed 34 | ~~~~~~~ 35 | 36 | - Update role documentation and Changelog. [drybjed_] 37 | 38 | Fixed 39 | ~~~~~ 40 | 41 | - Make sure that the original files that are diverted when the role is enabled 42 | are not removed when the role is executed multiple times. [drybjed_] 43 | 44 | 45 | `debops.rsyslog v0.2.0`_ - 2016-05-18 46 | ------------------------------------- 47 | 48 | .. _debops.rsyslog v0.2.0: https://github.com/debops/ansible-rsyslog/compare/v0.1.0...v0.2.0 49 | 50 | Changed 51 | ~~~~~~~ 52 | 53 | - Role has been redesigned from scratch. It now supports local as well as 54 | remote logs, forwarding over UDP, TCP and TLS. Configuration is defined in 55 | default variables which can be easily overriden if necessary. New 56 | documentation has been written as well. [drybjed_] 57 | 58 | 59 | debops.rsyslog v0.1.0 - 2016-05-18 60 | ---------------------------------- 61 | 62 | Added 63 | ~~~~~ 64 | 65 | - Add Changelog. [drybjed_] 66 | 67 | Changed 68 | ~~~~~~~ 69 | 70 | - Fix deprecation warnings in Ansible 2.1.0. [ypid_] 71 | 72 | - Default to ``enabled: True`` in ``rsyslog_pools``. 73 | Before this, an entry missing a ``enabled`` has been ignored. [ypid_] 74 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## [![DebOps project](http://debops.org/images/debops-small.png)](http://debops.org) rsyslog 2 | 3 | 5 | 6 | [![Travis CI](http://img.shields.io/travis/debops/ansible-rsyslog.svg?style=flat)](http://travis-ci.org/debops/ansible-rsyslog) 7 | [![test-suite](http://img.shields.io/badge/test--suite-ansible--rsyslog-blue.svg?style=flat)](https://github.com/debops/test-suite/tree/master/ansible-rsyslog/) 8 | [![Ansible Galaxy](http://img.shields.io/badge/galaxy-debops.rsyslog-660198.svg?style=flat)](https://galaxy.ansible.com/debops/rsyslog) 9 | 10 | 11 | The [rsyslog](http://rsyslog.com/) package is used to read, process, store 12 | and forward system logs in different ways, on local or remote systems. The 13 | `debops.rsyslog` role can be used to easily configure log forwarding to 14 | a central log server, as well as store logs on the filesystem or other storage 15 | backends. 16 | 17 | ### Installation 18 | 19 | This role requires at least Ansible `v2.0.0`. To install it, run: 20 | 21 | ```Shell 22 | ansible-galaxy install debops.rsyslog 23 | ``` 24 | 25 | ### Documentation 26 | 27 | More information about `debops.rsyslog` can be found in the 28 | [official debops.rsyslog documentation](http://docs.debops.org/en/latest/ansible/roles/ansible-rsyslog/docs/). 29 | 30 | 31 | 32 | ### Are you using this as a standalone role without DebOps? 33 | 34 | You may need to include missing roles from the [DebOps common 35 | playbook](https://github.com/debops/debops-playbooks/blob/master/playbooks/common.yml) 36 | into your playbook. 37 | 38 | [Try DebOps now](https://github.com/debops/debops) for a complete solution to run your Debian-based infrastructure. 39 | 40 | 41 | 42 | 43 | 44 | ### Authors and license 45 | 46 | `rsyslog` role was written by: 47 | 48 | - Maciej Delmanowski | [e-mail](mailto:drybjed@gmail.com) | [Twitter](https://twitter.com/drybjed) | [GitHub](https://github.com/drybjed) 49 | 50 | License: [GPLv3](https://tldrlegal.com/license/gnu-general-public-license-v3-%28gpl-3%29) 51 | 52 | *** 53 | 54 | This role is part of the [DebOps](http://debops.org/) project. README generated by [ansigenome](https://github.com/nickjj/ansigenome/). 55 | -------------------------------------------------------------------------------- /docs/getting-started.rst: -------------------------------------------------------------------------------- 1 | Getting started 2 | =============== 3 | 4 | .. contents:: 5 | :local: 6 | 7 | Initial configuration 8 | --------------------- 9 | 10 | The ``debops.rsyslog`` default configuration is designed to closely resemble 11 | the Debian ``rsyslog`` package defaults. The same system logs will be 12 | generated, although with slightly longer log rotation. If the operating system 13 | is Debian, ``rsyslog`` will be run on a privileged ``root`` account; if the 14 | system is Ubuntu, an unprivileged ``syslog`` account will be used by default. 15 | 16 | The ``rsyslog`` configuration is stored in :file:`/etc/rsyslog.d/`, most of the 17 | configuration located in :file:`/etc/rsyslog.conf` has been moved to the directory 18 | and put in separate files (old configuration is preserved in a diverted file). 19 | 20 | Configuration filename extensions 21 | --------------------------------- 22 | 23 | The configuration order is important, and to aid support of configuration from 24 | other roles, ``debops.rsyslog`` includes configuration files with different 25 | filename extensions at certain parts of the configuration: 26 | 27 | :file:`/etc/rsyslog.d/*.conf` 28 | These files are included by default. They are meant to be used for 29 | configuration of the local system logs, the extension is used to preserve 30 | compatibility with Debian package conventions. 31 | 32 | :file:`/etc/rsyslog.d/*.template` 33 | These configuration files can be used to create custom templates used by 34 | ``rsyslog`` in different parts of the configuration. 35 | 36 | :file:`/etc/rsyslog.d/*.system` 37 | These configuration files are meant to be used to define log matching rules 38 | specific to a given system, to store logs in different files. 39 | 40 | :file:`/etc/rsyslog.d/*.remote` 41 | These configuration files are meant to store configuration for logs coming 42 | from other systems over the network. These rules will be defined in 43 | a separate "ruleset" called ``remote`` which is used by the UDP and TCP input 44 | modules. This way the local (system) logs and remote logs from other hosts 45 | can be managed separately and shouldn't mix with each other. 46 | 47 | Quick start: log forwarding 48 | --------------------------- 49 | 50 | To enable log forwarding, you will want to configure a few variables different 51 | parts of Ansible inventory. The quick and dirty setup described here assumes 52 | that you want to forward logs over UDP without any encryption, so it should 53 | only be used for testing if remote logs work. For more advanced configuration 54 | check the :ref:`rsyslog__forward` documentation. 55 | 56 | First, on the host that should receive the remote logs, for example in 57 | :file:`ansible/inventory/host_vars/logs.example.org/rsyslog.yml`, configure 58 | variables: 59 | 60 | .. code-block:: yaml 61 | 62 | # Enable network input channels and storage of remote logs in filesystem 63 | rsyslog__capabilities: [ 'network', 'remote-files' ] 64 | 65 | # Specify which subnets can send remote logs through the firewall 66 | rsyslog__host_allow: [ '192.0.2.0/24', '2001:db8::/32' ] 67 | 68 | # Mask log forwarding configuration defined elsewhere 69 | rsyslog__forward: [] 70 | rsyslog__group_forward: [] 71 | rsyslog__host_forward: [] 72 | 73 | # Or, alternatively, forward logs to a different host 74 | rsyslog__host_forward: [ '*.* @other.{{ ansible_domain }}' ] 75 | 76 | This will prepare a given central log storage host to receive logs from other 77 | systems on specified subnets, and store them in :file:`/var/log/remote/` directory. 78 | 79 | Now, you can enable log forwarding for all hosts in your inventory (in 80 | :file:`ansible/inventory/group_vars/all/rsyslog.yml`) or only for a specific group 81 | (in :file:`ansible/inventory/group_vars/logged/rsyslog.yml`), using: 82 | 83 | .. code-block:: yaml 84 | 85 | rsyslog__forward: [ '*.* @logs.{{ ansible_domain }}' ] 86 | 87 | This will forward logs on all hosts in the inventory over unencrypted UDP to 88 | a specified host. Due to above "masking" of the variables on the host inventory 89 | level, the log server should not create an infinite loop which forwards logs to 90 | itself. The ``debops.rsyslog`` role does not handle such case automatically, so 91 | you need to make sure this doesn't happen by accident. 92 | 93 | The role by default supports more advanced setups like forwarding logs over TCP 94 | using encrypted TLS connections, but these require more extensive configuration 95 | from different Ansible roles. You should read the rest of the 96 | ``debops.rsyslog`` documentation to see how you can enable these features. 97 | 98 | Example inventory 99 | ----------------- 100 | 101 | To enable the ``debops.rsyslog`` role on a given host or group of hosts, you 102 | need to add that host to the ``[debops_service_rsyslog]`` Ansible inventory 103 | group: 104 | 105 | .. code-block:: none 106 | 107 | [debops_service_rsyslog] 108 | hostname 109 | 110 | Example playbook 111 | ---------------- 112 | 113 | Here's an example playbook which uses ``debops.rsyslog`` role: 114 | 115 | .. literalinclude:: playbooks/rsyslog.yml 116 | :language: yaml 117 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Install required packages 4 | apt: 5 | name: '{{ item }}' 6 | state: 'present' 7 | install_recommends: False 8 | with_flattened: 9 | - '{{ rsyslog__base_packages }}' 10 | - '{{ rsyslog__tls_packages if rsyslog__pki|bool else [] }}' 11 | - '{{ rsyslog__packages }}' 12 | when: rsyslog__enabled|bool 13 | 14 | - name: Create required system group 15 | group: 16 | name: '{{ rsyslog__group }}' 17 | state: 'present' 18 | system: True 19 | when: rsyslog__unprivileged|bool and rsyslog__group != 'root' 20 | 21 | - name: Create required system user 22 | user: 23 | name: '{{ rsyslog__user }}' 24 | group: '{{ rsyslog__group }}' 25 | home: '{{ rsyslog__home }}' 26 | shell: '/bin/false' 27 | state: 'present' 28 | createhome: False 29 | system: True 30 | when: rsyslog__unprivileged|bool and rsyslog__user != 'root' 31 | 32 | - name: Fix directory permissions if needed 33 | file: 34 | path: '/var/spool/rsyslog' 35 | owner: '{{ rsyslog__user }}' 36 | group: '{{ rsyslog__file_group }}' 37 | mode: '0700' 38 | register: rsyslog__register_unprivileged_files 39 | when: rsyslog__unprivileged|bool and rsyslog__user != 'root' 40 | 41 | - name: Update directory and file permissions 42 | shell: | 43 | [ ! -d {{ rsyslog__home }} ] || ( [ "$(stat -c '%G' {{ rsyslog__home }})" = "{{ rsyslog__group }}" ] || ( chown -v root:{{ rsyslog__group }} {{ rsyslog__home }} ; chmod -v 775 {{ rsyslog__home }} ) ) 44 | for i in {{ rsyslog__default_logfiles | join(" ") }} ; do 45 | [ ! -f ${i} ] || ( [ "$(stat -c '%U' ${i})" = "{{ rsyslog__file_owner }}" ] || chown -v {{ rsyslog__file_owner }}:{{ rsyslog__file_group }} ${i} ) 46 | done 47 | register: rsyslog__register_file_permissions 48 | when: rsyslog__unprivileged|bool 49 | changed_when: rsyslog__register_file_permissions.stdout != '' 50 | notify: [ 'Restart rsyslogd' ] 51 | 52 | - name: Divert main rsyslog configuration 53 | command: dpkg-divert --quiet --local --divert /etc/rsyslog.conf.dpkg-divert --rename /etc/rsyslog.conf 54 | args: 55 | creates: '/etc/rsyslog.conf.dpkg-divert' 56 | when: rsyslog__enabled|bool 57 | notify: [ 'Restart rsyslogd' ] 58 | 59 | - name: Generate main rsyslog configuration 60 | template: 61 | src: 'etc/rsyslog.conf.j2' 62 | dest: '/etc/rsyslog.conf' 63 | owner: 'root' 64 | group: 'root' 65 | mode: '0644' 66 | notify: [ 'Restart rsyslogd' ] 67 | when: rsyslog__enabled|bool 68 | 69 | - name: Revert the default configuration file 70 | shell: rm -f /etc/rsyslog.conf ; dpkg-divert --quiet --local --rename --remove /etc/rsyslog.conf 71 | args: 72 | removes: '/etc/rsyslog.conf.dpkg-divert' 73 | warn: False 74 | when: not rsyslog__enabled|bool 75 | 76 | - name: Divert the custom rsyslog configuration 77 | environment: 78 | LC_ALL: 'C' 79 | command: dpkg-divert --local --divert /etc/rsyslog.d/{{ item.divert_to | d(item.filename + ".dpkg-divert") }} --rename /etc/rsyslog.d/{{ item.filename }} 80 | args: 81 | creates: '/etc/rsyslog.d/{{ item.divert_to | d(item.filename + ".dpkg-divert") }}' 82 | register: rsyslog__register_divert_rules 83 | with_flattened: 84 | - '{{ rsyslog_pools | d([]) }}' 85 | - '{{ rsyslog__default_rules }}' 86 | - '{{ rsyslog__rules }}' 87 | - '{{ rsyslog__group_rules }}' 88 | - '{{ rsyslog__host_rules }}' 89 | - '{{ rsyslog__dependent_rules }}' 90 | when: (rsyslog__enabled|bool and item.filename|d() and 91 | (item.state is undefined or item.state != 'absent') and 92 | (item.divert|d() and item.divert|bool)) 93 | changed_when: rsyslog__register_divert_rules.stdout.startswith("Adding 'local diversion of ") 94 | notify: [ 'Restart rsyslogd' ] 95 | 96 | - name: Generate rsyslog configuration rules 97 | template: 98 | src: 'etc/rsyslog.d/rules.conf.j2' 99 | dest: '/etc/rsyslog.d/{{ item.filename | d((item.weight if item.weight|d() else rsyslog__weight_map[item.type|d("rules")]) + "-" + (item.name|d("rules")) + "." + (item.suffix |d ("conf"))) }}' 100 | owner: '{{ item.owner | d("root") }}' 101 | group: '{{ item.group | d("root") }}' 102 | mode: '{{ item.mode | d("0644") }}' 103 | with_flattened: 104 | - '{{ rsyslog_pools | d([]) }}' 105 | - '{{ rsyslog__default_rules }}' 106 | - '{{ rsyslog__rules }}' 107 | - '{{ rsyslog__group_rules }}' 108 | - '{{ rsyslog__host_rules }}' 109 | - '{{ rsyslog__dependent_rules }}' 110 | when: (rsyslog__enabled|bool and (item.filename|d() or item.name|d()) and 111 | (item.state is undefined or item.state != 'absent') and 112 | (item.options|d() or item.sections|d())) 113 | notify: [ 'Restart rsyslogd' ] 114 | 115 | - name: Remove custom config files when requested 116 | file: 117 | path: '/etc/rsyslog.d/{{ item.filename | d((item.weight if item.weight|d() else rsyslog__weight_map[item.type|d("rules")]) + "-" + (item.name|d("rules")) + "." + (item.suffix | d("conf"))) }}' 118 | state: 'absent' 119 | with_flattened: 120 | - '{{ rsyslog_pools | d([]) }}' 121 | - '{{ rsyslog__default_rules }}' 122 | - '{{ rsyslog__rules }}' 123 | - '{{ rsyslog__group_rules }}' 124 | - '{{ rsyslog__host_rules }}' 125 | - '{{ rsyslog__dependent_rules }}' 126 | when: (not rsyslog__enabled|bool or 127 | ((item.filename|d() or item.name|d()) and 128 | (item.state|d() and item.state == 'absent')) and 129 | (item.options|d() or item.sections|d())) and 130 | (item.divert is undefined or not item.divert|bool) 131 | notify: [ 'Restart rsyslogd' ] 132 | 133 | - name: Revert original rsyslog config rules 134 | shell: rm -f /etc/rsyslog.d/{{ item.filename }} ; dpkg-divert --quiet --local --rename --remove /etc/rsyslog.d/{{ item.filename }} 135 | args: 136 | removes: '/etc/rsyslog.d/{{ item.divert_to | d(item.filename + ".dpkg-divert") }}' 137 | warn: False 138 | with_flattened: 139 | - '{{ rsyslog_pools | d([]) }}' 140 | - '{{ rsyslog__default_rules }}' 141 | - '{{ rsyslog__rules }}' 142 | - '{{ rsyslog__group_rules }}' 143 | - '{{ rsyslog__host_rules }}' 144 | - '{{ rsyslog__dependent_rules }}' 145 | when: ((not rsyslog__enabled|bool or 146 | (item.filename|d() and (item.state|d() and item.state == 'absent'))) and 147 | (item.divert|d() and item.divert|bool)) 148 | notify: [ 'Restart rsyslogd' ] 149 | 150 | -------------------------------------------------------------------------------- /docs/defaults-detailed.rst: -------------------------------------------------------------------------------- 1 | Default variable details 2 | ======================== 3 | 4 | .. include:: includes/all.rst 5 | 6 | some of ``debops.rsyslog`` default variables have more extensive configuration 7 | than simple strings or lists, here you can find documentation and examples for 8 | them. 9 | 10 | .. contents:: 11 | :local: 12 | :depth: 1 13 | 14 | .. _rsyslog__capabilities: 15 | 16 | rsyslog__capabilities 17 | --------------------- 18 | 19 | The default configuration provided in the ``debops.rsyslog`` role supports 20 | a few different usage scenarios. To make it easier to enable them as needed, 21 | a separate list of "capabilities" is checked by Ansible to see if specific 22 | keywords are present; this allows for easy selection of different operation 23 | modes. 24 | 25 | With the empty list of capabilities, the ``debops.rsyslog`` role should 26 | configure a local syslog server which stores the logs in a standard set of 27 | files located in :file:`/var/log/` directory. 28 | 29 | The different capabilities that can be enabled in the list: 30 | 31 | ``network`` 32 | Enable support for receiving the logs over the network, via UDP or TCP 33 | connections. By default you also need to specify the CIDR subnets or IP 34 | addresses which are allowed through the firewall using :envvar:`rsyslog__allow`, 35 | :envvar:`rsyslog__group_allow` and/or :envvar:`rsyslog__host_allow` variables. 36 | 37 | ``remote-files`` 38 | Enable storage of remote logs as files in :file:`/var/log/remote/` directory. If 39 | this is not enabled, by default remote logs will be discarded due to being 40 | directed to a separate ``remote`` ruleset. 41 | 42 | ``tls`` 43 | Enable support for TLS connections to the ``rsyslog`` server, both as 44 | a forwarder and as a receiver. This option depends on availability of X.509 45 | certificates managed by debops.pki_ role. 46 | 47 | ``xconsole`` 48 | Enable log output to :file:`/dev/xconsole`. The ``rsyslogd`` daemon needs to run 49 | in privileged mode, or additional steps need to be taken to allow access to 50 | the :file:`/dev/xconsole` by the ``rsyslogd`` unprivileged user. 51 | 52 | ``!mark`` 53 | Disable the periodic ``-- MARK --`` messages in the logs, by default they 54 | will be emitted every hour. 55 | 56 | ``!news`` 57 | Disable storage of the ``news.*`` logs to separate log files. 58 | 59 | .. _rsyslog__forward: 60 | 61 | rsyslog__forward 62 | ---------------- 63 | 64 | The :envvar:`rsyslog__forward`, :envvar:`rsyslog__group_forward` and 65 | :envvar:`rsyslog__host_forward` variables are lists used to define forwarding rules 66 | for ``rsyslog``. Because the daemon configuration is ordered, the forward 67 | statements should be set in a specific place in the configuration. You can of 68 | course define your own forwarding rules instead of using these specific 69 | variables, if you wish. 70 | 71 | You can check `the rsyslog remote forward documentation `_ to see 72 | how to forward logs to other hosts. Each configuration entry should be 73 | specified in a separate YAML list element. Some examples: 74 | 75 | Forward all logs over UDP to remote log server: 76 | 77 | .. code-block:: yaml 78 | 79 | rsyslog__forward: 80 | - '*.* @logs.example.org' 81 | 82 | Forward logs to different hosts over TCP: 83 | 84 | .. code-block:: yaml 85 | 86 | rsyslog__forward: 87 | - 'mail.* @@mail-logs.example.org' 88 | - '*.*;mail.none @@no-mail-logs.example.org' 89 | 90 | Forward logs over TCP with TLS encryption using default configuration: 91 | 92 | .. code-block:: yaml 93 | 94 | # Enable TLS encryption 95 | rsyslog__capabilities: [ 'tls' ] 96 | 97 | # Forward logs over TLS 98 | rsyslog__forward: [ '*.* @@logs.example.org:6514' ] 99 | 100 | .. _rsyslog__rules: 101 | 102 | rsyslog__rules 103 | -------------- 104 | 105 | The ``rsyslog`` configuration is defined in YAML dictionaries. The role uses 106 | a simple set of keys and values to allow conditional activation or deactivation 107 | of parts of the ``rsyslogd`` configuration. Each configuration section will be 108 | defined in a separate file located in :file:`/etc/rsyslog.d/` directory. List of 109 | known parameters: 110 | 111 | ``divert`` 112 | Optional, boolean. If specified and ``True``, ``debops.rsyslog`` will use the 113 | :command:`dpkg-divert` command to move specified originaL configuration file out of 114 | the way before generating the configuration from a template. This parameter 115 | can be used to modify the ``rsyslogd`` configuration provided by the system 116 | packages. It should only be used with the ``filename`` parameter, otherwise 117 | there might be unforseen consequences. 118 | 119 | ``divert_to`` 120 | Optional. If the ``divert`` paremter is enabled, using this parameter you can 121 | specify the filename to divert the file to. The diversion will be confined to 122 | :file:`/etc/rsyslog.d/` directory. This can be used to change the order of the 123 | configuration files if needed. 124 | 125 | ``filename`` 126 | Optional. Full name of the file in which to store the given configuration. If 127 | not specified, ``debops.rsyslog`` will generate a filename based on a set of 128 | alternative parameters. 129 | 130 | ``type`` 131 | Optional. Specify the type of the configuration a given entry defines. This 132 | will be mapped to :envvar:`rsyslog__weight_map` variable to a "weight" number 133 | which will determine ordering of the configuration files in 134 | :file:`/etc/rsyslog.d/`. 135 | 136 | ``name`` 137 | Optional. Specify custom name of the configuration file, appended to the 138 | "weight" number. 139 | 140 | ``suffix`` 141 | A custom "extension" added after the dot to the generated filename; different 142 | suffixes are included in different parts of the configuration. If not 143 | specified, ``.conf`` will be used by default. 144 | 145 | ``sections`` 146 | Optional. This is a list of YAML dictionaries with configuration definition 147 | which should be included in the given file. If this option is present, some 148 | of the known parameters on the main level are ignored, and only configuration 149 | in the ``sections`` list will be set in the configuration file. 150 | 151 | The parameters below can be used in the main list or in the ``sections`` list: 152 | 153 | ``comment`` 154 | Optional. A comment added at the beginning of the file. 155 | 156 | ``options`` 157 | Required. YAML text block which contains the ``rsyslogd`` configuration 158 | 159 | ``state`` 160 | Optional. Either ``present`` or ``absent``. If undefined or ``present`` 161 | a given configuration file or configuration section will be present, if 162 | ``absent``, given configuration file or section will be removed. This 163 | parameter can be used to conditionally enable or disable parts of the 164 | configuration. 165 | 166 | You can see many examples of the rules in :file:`defaults/main.yml` file of the 167 | ``debops.rsyslog`` role. 168 | -------------------------------------------------------------------------------- /docs/unprivileged-tls.rst: -------------------------------------------------------------------------------- 1 | .. _rsyslog__unprivileged: 2 | 3 | Unprivileged syslog and encrypted connections 4 | ============================================= 5 | 6 | .. include:: includes/all.rst 7 | 8 | .. contents:: 9 | :local: 10 | 11 | The ``rsyslog`` daemon can be used in a privileged or an unprivileged mode. In 12 | a privileged mode the daemon is run on the ``root`` account, has access to all 13 | required files, sockets, etc. In the unprivileged mode, ``rsyslog`` daemon is 14 | started in a privileged mode first, opens required sockets/ports and then drops 15 | all of its privileges and supplementary UNIX groups. 16 | 17 | The ``debops.rsyslog`` role allows you to select which mode is used by 18 | configuring the :envvar:`rsyslog__unprivileged` boolean variable. By default, to 19 | preserve original configuration, the role enables unprivileged mode on Ubuntu 20 | hosts, leaving the configuration privileged on Debian hosts. 21 | 22 | The unprivileged operation places certain restrictions on the system 23 | configuration. In particular, the ``rsyslog`` process only uses its primary 24 | system group, dropping any additional groups the user is in. This means, that 25 | using TLS with the default configuration maintained by debops.pki_ role 26 | becomes problematic - unprivileged ``rsyslog`` process uses only its own 27 | primary group, so it cannot access private keys to allow encrypted connections. 28 | 29 | There are multiple solutions to this problem, which you can use. Each one has 30 | pros and cons, and you should evaluate the selected method in a development 31 | environment before implementing it in production to avoid issues. 32 | 33 | Run the daemon in privileged mode 34 | --------------------------------- 35 | 36 | This method is the default on Debian hosts. Ubuntu hosts use the unprivileged 37 | mode by default, and reverting to the privileged mode should work, but that 38 | hasn't been evaluated yet. 39 | 40 | The daemon will be run with the ``root`` permissions, and there shouldn't be 41 | any issues with file access. Enabling TLS connections should work out of the 42 | box. On the downside, an externally accessible service is running with ``root`` 43 | permissions, so you should be careful what hosts have access to it, this is 44 | controlled using the firewall. 45 | 46 | To enable this mode, set the following in the Ansible inventory: 47 | 48 | .. code-block:: yaml 49 | 50 | rsyslog__unprivileged: False 51 | 52 | This will enforce the privileged operation. 53 | 54 | Grant access to private keys by additional groups 55 | ------------------------------------------------- 56 | 57 | The debops.pki_ role that maintains the DebOps X.509 infrastructure, allows 58 | you to specify additional system groups, which should have access to the 59 | private keys. This should be configured before the role creates ths private 60 | keys, because the permissions are not enforced afterwards - this means that you 61 | will need to recreate the private keys and certificates, or update the 62 | permissions manually. Additional permissions are granted using the filesystem 63 | ACL support. 64 | 65 | To enable ``rsyslog`` to get access to the private keys in unprivileged mode by 66 | the ``syslog`` system groups, configure in the Ansible inventory: 67 | 68 | .. code-block:: yaml 69 | 70 | # Ensure that needed system group is present 71 | pki_private_groups_present: 72 | - name: 'syslog' 73 | system: True 74 | 75 | # Add custom ACL groups to private files and directories for all PKI realms 76 | pki_private_dir_acl_groups: [ 'syslog' ] 77 | pki_private_file_acl_groups: [ 'syslog' ] 78 | 79 | # Or, add custom ACL groups to private files only in default PKI realm 80 | pki_default_realms: 81 | - name: 'domain' 82 | acme: False 83 | private_dir_acl_groups: [ 'syslog' ] 84 | private_file_acl_groups: [ 'syslog' ] 85 | 86 | After the PKI realm is recreated, you can check the result using command: 87 | 88 | .. code-block:: console 89 | 90 | root@logs:~# getfacl /etc/pki/realms/domain/private 91 | root@logs:~# getfacl /etc/pki/realms/domain/private/key.pem 92 | 93 | You should see the ``syslog`` entry on the list of groups that can access the 94 | respective files and directories. When the ``rsyslog`` process is restarted, it 95 | should be able to access the private keys without issues. To enable the 96 | unprivileged mode on Debian hosts, you might want to enforce it through the 97 | Ansible inventory. Here it is, with example log forwarding to remote host with 98 | TCP over TLS: 99 | 100 | .. code-block:: yaml 101 | 102 | # Enable unprivileged operation 103 | rsyslog__unprivileged: True 104 | 105 | # Enable TLS support 106 | rsyslog__capabilities: [ 'tls' ] 107 | 108 | # Forward logs over encrypted TCP connection 109 | rsyslog__forward: [ '*.* @@logs.{{ ansible_domain }}:6514' ] 110 | 111 | Create custom PKI realm for syslog 112 | ---------------------------------- 113 | 114 | The debops.pki_ role allows you to create multiple PKI realms with different 115 | purposes and configuration. If you don't want to modify and existing 116 | infrastructure in place, creating a separate internal realm just for syslog 117 | might be an easy alternative. 118 | 119 | To create new PKI realm, add this to the Ansible inventory for all involved 120 | hosts: 121 | 122 | .. code-block:: yaml 123 | 124 | # Ensure that needed system group is present 125 | pki_private_groups_present: 126 | - name: 'syslog' 127 | system: True 128 | 129 | # Create custom realm for syslog 130 | pki_realms: 131 | - name: 'syslog' 132 | acme: False 133 | private_dir_group: 'syslog' 134 | private_file_group: 'syslog' 135 | 136 | When the new PKI realm is created, the private directory and files inside 137 | should be owned by the ``syslog`` group. This should ensure that the 138 | ``rsyslog`` daemon in the unprivileged mode, running as ``syslog`` user, should 139 | have access to them. The certificates should be signed by existing 140 | debops.pki_ Certificate Authority, so they should be trusted by all hosts in 141 | the cluster. 142 | 143 | When the new PKI realm is ready, you can tell ``debops.rsyslog`` role to use it: 144 | 145 | .. code-block:: yaml 146 | 147 | # Enable unprivileged operation 148 | rsyslog__unprivileged: True 149 | 150 | # Enable TLS support 151 | rsyslog__capabilities: [ 'tls' ] 152 | 153 | # Change the default PKI realm used by rsyslog 154 | rsyslog__pki_realm: 'syslog' 155 | 156 | # Forward logs over encrypted TCP connection 157 | rsyslog__forward: [ '*.* @@logs.{{ ansible_domain }}:6514' ] 158 | 159 | When the new configuration is applied, you should see in the ``rsyslog`` 160 | configuration files that the daemon is using the correct private key and 161 | certificate. 162 | 163 | Testing encrypted connections 164 | ----------------------------- 165 | 166 | To make sure that the logs are sent over an encrypted connection, you can check 167 | the traffic using the ``tshark`` command. On the receiving server, run the 168 | command: 169 | 170 | .. code-block:: console 171 | 172 | root@logs:~# tshark -i eth0 -f "dst port 514 or dst port 6514" \ 173 | -d tcp.port==514,syslog -d tcp.port==6514,syslog 174 | 175 | This will output packets that are sent to TCP ports 514 (plaintext traffic) and 176 | 6514 (TLS traffic). Afterwards, on remote hosts try sending some test log 177 | messages: 178 | 179 | .. code-block:: console 180 | 181 | user@host:~$ logger Test log message, please ignore 182 | 183 | If the connection is not encrypted, you should see something similar to this 184 | (notice the unencrypted contents of the packet):: 185 | 186 | 9 132.751792 192.0.2.2 -> 192.0.2.1 Syslog 133 USER.NOTICE: May 16 14:06:05 host user: Test log message, please ignore\n 187 | 188 | If the connection is encrypted, output should look similar to this:: 189 | 190 | 9 132.751792 192.0.2.2 -> 192.0.2.1 Syslog 164 \027\003\003\000]\000\000\000\000\000\000\000\037\257\301,\030\365\311\324\023qR9\b\352\203\256\306\260T\023\022\016g\271\220\325\031\250\326\323\0045\3549\270\277>\205\301\256\325\234\246\tzt\333\255\002\006K"\254\334\021wB1\353\f\356,u\344\220\207d\024o\305\234\b\201\003Js[\2533\261\207\231?k\230J 191 | 192 | Of course, the contents of the logs should appear normally in the log files, 193 | for example in :file:`/var/log/remote/hosts/host/syslog` you should see:: 194 | 195 | May 16 14:06:05 host user: Test log message, please ignore 196 | 197 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | 676 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # .. vim: foldmarker=[[[,]]]:foldmethod=marker 3 | 4 | # debops.rsyslog default variables [[[ 5 | # ==================================== 6 | 7 | # .. contents:: Sections 8 | # :local: 9 | # 10 | # .. include:: includes/all.rst 11 | 12 | 13 | # General configuration [[[ 14 | # ------------------------- 15 | 16 | # .. envvar:: rsyslog__enabled [[[ 17 | # 18 | # Enable or disable ``rsyslog`` management. 19 | rsyslog__enabled: True 20 | 21 | # ]]] 22 | # .. envvar:: rsyslog__capabilities [[[ 23 | # 24 | # List of different capabilities to configure. See :ref:`rsyslog__capabilities` 25 | # for more details. 26 | rsyslog__capabilities: [] 27 | 28 | # ]]] 29 | # .. envvar:: rsyslog__unprivileged [[[ 30 | # 31 | # Enable or disable unprivileged ``rsyslogd`` operation. Warning, enabling this 32 | # option requires additional configuration outside of the ``debops.rsyslog`` 33 | # role. See :ref:`rsyslog__unprivileged` for more details. 34 | rsyslog__unprivileged: '{{ "True" 35 | if (ansible_distribution in [ "Ubuntu" ]) 36 | else "False" }}' 37 | 38 | # ]]] 39 | # .. envvar:: rsyslog__message_reduction [[[ 40 | # 41 | # Enable or disable message reduction. This is disabled by default so that log 42 | # parsers like :program:`fail2ban` can work correctly. 43 | rsyslog__message_reduction: False 44 | # ]]] 45 | # ]]] 46 | # APT packages [[[ 47 | # ---------------- 48 | 49 | # .. envvar:: rsyslog__base_packages [[[ 50 | # 51 | # List of default APT packages to install. 52 | rsyslog__base_packages: [ 'rsyslog' ] 53 | 54 | # ]]] 55 | # .. envvar:: rsyslog__tls_packages [[[ 56 | # 57 | # List of APT packages required for TLS support. 58 | rsyslog__tls_packages: [ 'rsyslog-gnutls', 'ca-certificates' ] 59 | 60 | # ]]] 61 | # .. envvar:: rsyslog__packages [[[ 62 | # 63 | # List of additional APT packages to install. 64 | rsyslog__packages: [] 65 | # ]]] 66 | # ]]] 67 | # User, group, home, file ownership [[[ 68 | # ------------------------------------- 69 | 70 | # .. envvar:: rsyslog__user [[[ 71 | # 72 | # The unprivileged system user account used by the ``rsyslogd`` daemon, when 73 | # unprivileged operation is enabled. 74 | rsyslog__user: '{{ "syslog" if rsyslog__unprivileged|bool else "root" }}' 75 | 76 | # ]]] 77 | # .. envvar:: rsyslog__group [[[ 78 | # 79 | # The unprivileged system group account used by the ``rsyslogd`` daemon, when 80 | # unprivileged operation is enabled. 81 | rsyslog__group: '{{ "syslog" if rsyslog__unprivileged|bool else "root" }}' 82 | 83 | # ]]] 84 | # .. envvar:: rsyslog__home [[[ 85 | # 86 | # The home directory of the :envvar:`rsyslog__user` user, dependent on the OS 87 | # defaults. Takes effect only when the unprivileged mode is enabled. 88 | rsyslog__home: '{{ "/home/syslog" 89 | if (ansible_distribution in [ "Ubuntu" ]) 90 | else "/var/log" }}' 91 | 92 | # ]]] 93 | # .. envvar:: rsyslog__file_owner [[[ 94 | # 95 | # The account which will be set as the owner of the log files generated by 96 | # ``rsyslogd``. When an unprivileged mode is enabled, it should be the same as 97 | # the ``rsyslogd`` user account. 98 | rsyslog__file_owner: '{{ rsyslog__user }}' 99 | 100 | # ]]] 101 | # .. envvar:: rsyslog__file_group [[[ 102 | # 103 | # The system group which will be set as the default group of the log files 104 | # generated by ``rsyslogd``. 105 | rsyslog__file_group: 'adm' 106 | 107 | # ]]] 108 | # .. envvar:: rsyslog__default_logfiles [[[ 109 | # 110 | # List of default logfiles managed by ``debops.rsyslog`` role. This list is 111 | # used in the debops.logrotate_ configuration to create log rotation, as 112 | # well as to change the file owner/group when unprivileged operation is 113 | # enabled. 114 | rsyslog__default_logfiles: 115 | - '/var/log/syslog' 116 | - '/var/log/kern.log' 117 | - '/var/log/auth.log' 118 | - '/var/log/user.log' 119 | - '/var/log/daemon.log' 120 | - '/var/log/messages' 121 | - '/var/log/mail.log' 122 | - '/var/log/mail.info' 123 | - '/var/log/mail.warn' 124 | - '/var/log/mail.err' 125 | - '/var/log/cron.log' 126 | - '/var/log/lpr.log' 127 | - '/var/log/debug' 128 | - '/var/log/messages' 129 | # ]]] 130 | # ]]] 131 | # Encrypted communication [[[ 132 | # --------------------------- 133 | 134 | # .. envvar:: rsyslog__pki [[[ 135 | # 136 | # Enable or disable support for X.509 certificates managed by debops.pki_ 137 | # role, used for TLS connections. 138 | rsyslog__pki: '{{ True 139 | if (ansible_local|d() and ansible_local.pki|d() and 140 | ansible_local.pki.enabled|bool) 141 | else False }}' 142 | 143 | # ]]] 144 | # .. envvar:: rsyslog__pki_path [[[ 145 | # 146 | # Path to the directory with PKI realms. 147 | rsyslog__pki_path: '{{ ansible_local.pki.path 148 | if (ansible_local|d() and ansible_local.pki|d() and 149 | ansible_local.pki.path|d()) 150 | else "/etc/pki" }}' 151 | 152 | # ]]] 153 | # .. envvar:: rsyslog__pki_realm [[[ 154 | # 155 | # Name of the PKi realm to use with ``rsyslogd``. 156 | rsyslog__pki_realm: '{{ ansible_local.pki.realm 157 | if (ansible_local|d() and ansible_local.pki|d() and 158 | ansible_local.pki.realm|d()) 159 | else "domain" }}' 160 | 161 | # ]]] 162 | # .. envvar:: rsyslog__pki_ca [[[ 163 | # 164 | # Name of the root CA certificate used by the ``debops.rsyslog`` role. 165 | rsyslog__pki_ca: '{{ ansible_local.pki.ca 166 | if (ansible_local|d() and ansible_local.pki|d() and 167 | ansible_local.pki.ca|d()) 168 | else "CA.crt" }}' 169 | 170 | # ]]] 171 | # .. envvar:: rsyslog__pki_crt [[[ 172 | # 173 | # Name of the client certificate file used by the ``debops.rsyslog`` role. 174 | rsyslog__pki_crt: '{{ ansible_local.pki.crt 175 | if (ansible_local|d() and ansible_local.pki|d() and 176 | ansible_local.pki.crt|d()) 177 | else "default.crt" }}' 178 | 179 | # ]]] 180 | # .. envvar:: rsyslog__pki_key [[[ 181 | # 182 | # Name of the private key file used by the ``debops.rsyslog`` role. 183 | rsyslog__pki_key: '{{ ansible_local.pki.key 184 | if (ansible_local|d() and ansible_local.pki|d() and 185 | ansible_local.pki.key|d()) 186 | else "default.key" }}' 187 | 188 | # ]]] 189 | # .. envvar:: rsyslog__default_netstream_driver [[[ 190 | # 191 | # Specify the default netstrap driver used by the ``imtcp`` module. The 192 | # ``gtls`` will be enabled by default if the support for PKI is enabled, 193 | # otherwise ``ptcp`` will be used. 194 | rsyslog__default_netstream_driver: '{{ "gtls" 195 | if (rsyslog__pki|bool and 196 | "tls" in rsyslog__capabilities) 197 | else "ptcp" }}' 198 | 199 | # ]]] 200 | # .. envvar:: rsyslog__default_driver_authmode [[[ 201 | # 202 | # Specify the default network driver authetication mode. Actualy only 203 | # `x509/name` or `anon` are available: 204 | rsyslog__default_driver_authmode: "x509/name" 205 | 206 | # ]]] 207 | # .. envvar:: rsyslog__send_over_tls [[[ 208 | # 209 | # This configuration is added to the forward options when ``tls`` capability is 210 | # enabled. It's used to configure TLS options. 211 | rsyslog__send_over_tls: |- 212 | $ActionSendStreamDriver gtls 213 | $ActionSendStreamDriverAuthMode {{ rsyslog__default_driver_authmode }} 214 | {% if rsyslog__default_driver_authmode != "anon" %} 215 | {% if rsyslog__send_permitted_peers is string %} 216 | $ActionSendStreamDriverPermittedPeer {{ rsyslog__send_permitted_peers }} 217 | {% else %} 218 | {% for peer in rsyslog__send_permitted_peers %} 219 | $ActionSendStreamDriverPermittedPeer {{ peer }} 220 | {% endfor %} 221 | {% endif %} 222 | {% endif %} 223 | $ActionSendStreamDriverMode 1 224 | 225 | # ]]] 226 | # .. envvar:: rsyslog__send_over_tls_only [[[ 227 | # 228 | # Specify if you want only TLS communications. 229 | rsyslog__send_over_tls_only: False 230 | 231 | # ]]] 232 | # .. envvar:: rsyslog__domain [[[ 233 | # 234 | # The default DNS domain used to accept remote incoming logs from remote hosts. 235 | rsyslog__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}' 236 | 237 | # ]]] 238 | # .. envvar:: rsyslog__permitted_peers [[[ 239 | # 240 | # List of hostnames, IP addresses or wildcard DNS domains which will be allowed 241 | # by the ``rsyslogd`` server to connect and send logs over TLS. 242 | rsyslog__permitted_peers: [ '*.{{ rsyslog__domain }}' ] 243 | 244 | # ]]] 245 | # .. envvar:: rsyslog__send_permitted_peers [[[ 246 | # 247 | # List of hostnames, IP addresses or wildcard DNS domains which will be 248 | # verified by the ``rsyslogd`` client and will allow to send logs to the remote 249 | # server over TLS. 250 | rsyslog__send_permitted_peers: '{{ rsyslog__permitted_peers }}' 251 | # ]]] 252 | # ]]] 253 | # Firewall, UDP, TCP ports [[[ 254 | # ---------------------------- 255 | 256 | # .. envvar:: rsyslog__udp_port [[[ 257 | # 258 | # The incoming UDP port used for remote logging. 259 | rsyslog__udp_port: '514' 260 | 261 | # ]]] 262 | # .. envvar:: rsyslog__tcp_port [[[ 263 | # 264 | # The incoming TCP port used for remote logging. 265 | rsyslog__tcp_port: '514' 266 | 267 | # ]]] 268 | # .. envvar:: rsyslog__tcp_tls_port [[[ 269 | # 270 | # The incoming TCP TLS port used for remote logging. 271 | rsyslog__tcp_tls_port: '6514' 272 | 273 | # ]]] 274 | # .. envvar:: rsyslog__allow [[[ 275 | # 276 | # List of IP addresses or CIDR subnets which should be allowed to connect to 277 | # ``rsyslogd`` ports by the firewall. This variable should be used for all 278 | # hosts in the inventory. 279 | rsyslog__allow: [] 280 | 281 | # ]]] 282 | # .. envvar:: rsyslog__group_allow [[[ 283 | # 284 | # List of IP addresses or CIDR subnets which should be allowed to connect to 285 | # ``rsyslogd`` ports by the firewall. This variable should be used for specific 286 | # group of hosts in the inventory. 287 | rsyslog__group_allow: [] 288 | 289 | # ]]] 290 | # .. envvar:: rsyslog__host_allow [[[ 291 | # 292 | # List of IP addresses or CIDR subnets which should be allowed to connect to 293 | # ``rsyslogd`` ports by the firewall. This variable should be used for specific 294 | # hosts in the inventory. 295 | rsyslog__host_allow: [] 296 | # ]]] 297 | # ]]] 298 | # Log forwarding [[[ 299 | # ------------------ 300 | 301 | # .. envvar:: rsyslog__forward [[[ 302 | # 303 | # List of ``rsyslogd`` options that configure log forwarding for all hosts in 304 | # the inventory. See :ref:`rsyslog__forward` for more details. 305 | rsyslog__forward: [] 306 | 307 | # ]]] 308 | # .. envvar:: rsyslog__group_forward [[[ 309 | # 310 | # List of ``rsyslogd`` options that configure log forwarding for hosts in 311 | # a specific group. See :ref:`rsyslog__forward` for more details. 312 | rsyslog__group_forward: [] 313 | 314 | # ]]] 315 | # .. envvar:: rsyslog__host_forward [[[ 316 | # 317 | # List of ``rsyslogd`` options that configure log forwarding for specific hosts 318 | # in Ansible inventory. See :ref:`rsyslog__forward` for more details. 319 | rsyslog__host_forward: [] 320 | # ]]] 321 | # ]]] 322 | # Rsyslog configuration rules [[[ 323 | # ------------------------------- 324 | 325 | # .. envvar:: rsyslog__weight_map [[[ 326 | # 327 | # This is a dictionary map of different configuration "types" corresponding to 328 | # numbers used to sort configuration files in :file:`/etc/rsyslog.d/` directory 329 | # (configuration order is important). You can specify a type in the 330 | # configuration by using the ``item.type`` parameter. 331 | # 332 | # If you change the default weight map values, you will most likely need to 333 | # remove all files from :file:`/etc/rsyslog.d/` to reset the configuration. 334 | # 335 | # See :ref:`rsyslog__rules` for more details. 336 | rsyslog__weight_map: 337 | 'global': '05' 338 | 'module': '10' 339 | 'modules': '10' 340 | 'template': '20' 341 | 'templates': '20' 342 | 'output': '30' 343 | 'service': '30' 344 | 'rule': '50' 345 | 'rules': '50' 346 | 'ruleset': '50' 347 | 'input': '90' 348 | 349 | # ]]] 350 | # .. envvar:: rsyslog__rules [[[ 351 | # 352 | # List of YAML dictionaries, each dictionary should contain ``rsyslogd`` 353 | # configuration in a special format. See :ref:`rsyslog__rules` for more 354 | # details. This list should be used for configuration of all hosts in the 355 | # inventory. 356 | rsyslog__rules: [] 357 | 358 | # ]]] 359 | # .. envvar:: rsyslog__group_rules [[[ 360 | # 361 | # List of YAML dictionaries, each dictionary should contain ``rsyslogd`` 362 | # configuration in a special format. See :ref:`rsyslog__rules` for more 363 | # details. This list should be used for configuration of a group of hosts in 364 | # the inventory. 365 | rsyslog__group_rules: [] 366 | 367 | # ]]] 368 | # .. envvar:: rsyslog__host_rules [[[ 369 | # 370 | # List of YAML dictionaries, each dictionary should contain ``rsyslogd`` 371 | # configuration in a special format. See :ref:`rsyslog__rules` for more 372 | # details. This list should be used for configuration of specific hosts in the 373 | # inventory. 374 | rsyslog__host_rules: [] 375 | 376 | # ]]] 377 | # .. envvar:: rsyslog__dependent_rules [[[ 378 | # 379 | # List of YAML dictionaries, each dictionary should contain ``rsyslogd`` 380 | # configuration in a special format. See :ref:`rsyslog__rules` for more 381 | # details. This list should be used for configuration by other Ansible roles. 382 | rsyslog__dependent_rules: [] 383 | 384 | # ]]] 385 | # .. envvar:: rsyslog__default_rules [[[ 386 | # 387 | # List of YAML dictionaries, each dictionary should contain ``rsyslogd`` 388 | # configuration in a special format. See :ref:`rsyslog__rules` for more 389 | # details. This lis specifies default ``rsyslogd`` configuration enabled in the 390 | # role. 391 | rsyslog__default_rules: 392 | 393 | - '{{ rsyslog__conf_global_options }}' 394 | - '{{ rsyslog__conf_local_modules }}' 395 | - '{{ rsyslog__conf_network_modules }}' 396 | - '{{ rsyslog__conf_common_defaults }}' 397 | - '{{ rsyslog__conf_divert_ubuntu }}' 398 | - '{{ rsyslog__conf_filename_templates }}' 399 | - '{{ rsyslog__conf_remote_forward }}' 400 | - '{{ rsyslog__conf_default_rulesets }}' 401 | - '{{ rsyslog__conf_system_rules }}' 402 | - '{{ rsyslog__conf_system_cron }}' 403 | - '{{ rsyslog__conf_network_input }}' 404 | - '{{ rsyslog__conf_dynamic_logs }}' 405 | - '{{ rsyslog__conf_stop_remote }}' 406 | # ]]] 407 | # ]]] 408 | # Default configuration options [[[ 409 | # --------------------------------- 410 | 411 | # .. envvar:: rsyslog__conf_global_options [[[ 412 | # 413 | # Some of the global ``rsyslogd`` configuration options. See 414 | # http://www.rsyslog.com/doc/v8-stable/rainerscript/global.html for more 415 | # details. 416 | rsyslog__conf_global_options: 417 | 418 | - filename: '00-global.conf' 419 | comment: 'Global options' 420 | options: |- 421 | global( 422 | defaultNetstreamDriver="{{ rsyslog__default_netstream_driver }}" 423 | {% if rsyslog__pki|bool and "tls" in rsyslog__capabilities %} 424 | defaultNetstreamDriverCAFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_ca }}" 425 | {% if rsyslog__default_driver_authmode != "anon" or "network" in rsyslog__capabilities %} 426 | defaultNetstreamDriverCertFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_crt }}" 427 | defaultNetstreamDriverKeyFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_key }}" 428 | {% endif %} 429 | {% endif %} 430 | ) 431 | 432 | # ]]] 433 | # .. envvar:: rsyslog__conf_local_modules [[[ 434 | # 435 | # List of ``rsyslogd`` modules that enable logs from the local system to be 436 | # received and parsed by the ``rsyslogd`` daemon. 437 | rsyslog__conf_local_modules: 438 | 439 | - name: 'local-modules' 440 | type: 'modules' 441 | sections: 442 | 443 | - comment: 'Log messages sent to local UNIX socket' 444 | options: '$ModLoad imuxsock' 445 | 446 | - comment: 'Log kernel messages' 447 | options: |- 448 | $ModLoad imklog 449 | $KLogPermitNonKernelFacility on 450 | state: '{{ "present" 451 | if (ansible_local|d() and ansible_local.cap12s|d() and 452 | (not ansible_local.cap12s.enabled|bool or 453 | "cap_sys_admin" in ansible_local.cap12s.list)) 454 | else "absent" }}' 455 | 456 | - comment: 'Log periodic -- MARK -- messages' 457 | options: |- 458 | $ModLoad immark 459 | $MarkMessagePeriod {{ (60 * 60) }} 460 | state: '{{ "absent" 461 | if ("!mark" in rsyslog__capabilities) 462 | else "present" }}' 463 | 464 | # ]]] 465 | # .. envvar:: rsyslog__conf_network_modules [[[ 466 | # 467 | # List of ``rsyslogd`` modules that receive logs from remote systems over the 468 | # network. They are enabled by the ``network`` capability. 469 | rsyslog__conf_network_modules: 470 | 471 | - name: 'network-modules' 472 | type: 'modules' 473 | state: '{{ "present" 474 | if ("network" in rsyslog__capabilities) 475 | else "absent" }}' 476 | sections: 477 | 478 | - comment: 'Enable UDP support' 479 | options: |- 480 | module(load="imudp") 481 | state: '{{ "present" 482 | if (rsyslog__send_over_tls_only) 483 | else "absent" }}' 484 | 485 | - comment: 'Enable TCP support' 486 | options: |- 487 | module(load="imptcp") 488 | state: '{{ "present" 489 | if (rsyslog__send_over_tls_only) 490 | else "absent" }}' 491 | 492 | - comment: 'Enable GnuTLS TCP support' 493 | options: |- 494 | module( 495 | load="imtcp" 496 | streamDriver.name="gtls" 497 | streamDriver.mode="1" 498 | streamDriver.authMode="{{ rsyslog__default_driver_authmode }}" 499 | {% if rsyslog__default_driver_authmode != "anon" %} 500 | {% if rsyslog__permitted_peers is string %} 501 | permittedPeer="{{ rsyslog__permitted_peers }}" 502 | {% else %} 503 | permittedPeer=["{{ rsyslog__permitted_peers | join('","') }}"] 504 | {% endif %} 505 | {% endif %} 506 | ) 507 | state: '{{ "present" 508 | if ("tls" in rsyslog__capabilities) 509 | else "absent" }}' 510 | 511 | # ]]] 512 | # .. envvar:: rsyslog__conf_network_input [[[ 513 | # 514 | # Configuration of UDP, TCP and TCP over TLS inputs to receive logs from remote 515 | # hosts, enabled by the ``network`` capability. 516 | rsyslog__conf_network_input: 517 | 518 | - name: 'network-input' 519 | type: 'input' 520 | state: '{{ "present" 521 | if ("network" in rsyslog__capabilities) 522 | else "absent" }}' 523 | sections: 524 | 525 | - comment: 'Log messages from remote hosts over UDP' 526 | options: |- 527 | input( 528 | type="imudp" 529 | port="{{ rsyslog__udp_port }}" 530 | ruleset="remote" 531 | ) 532 | state: '{{ "present" 533 | if (not rsyslog__send_over_tls_only) 534 | else "absent" }}' 535 | 536 | - comment: 'Log messages from remote hosts over TCP' 537 | options: |- 538 | input( 539 | type="imptcp" 540 | port="{{ rsyslog__tcp_port }}" 541 | ruleset="remote" 542 | ) 543 | state: '{{ "present" 544 | if (not rsyslog__send_over_tls_only) 545 | else "absent" }}' 546 | 547 | - comment: 'Log messages from remote hosts over TLS' 548 | options: |- 549 | input( 550 | type="imtcp" 551 | name="imtls" 552 | port="{{ rsyslog__tcp_tls_port }}" 553 | ruleset="remote" 554 | ) 555 | state: '{{ "present" 556 | if ("tls" in rsyslog__capabilities) 557 | else "absent" }}' 558 | 559 | # ]]] 560 | # .. envvar:: rsyslog__conf_common_defaults [[[ 561 | # 562 | # List of common ``rsyslogd`` configuration, like new file owner/group and 563 | # permissions, work directory, configuration of message reduction. 564 | rsyslog__conf_common_defaults: 565 | 566 | - name: 'common-defaults' 567 | type: 'global' 568 | sections: 569 | 570 | - comment: 'Set default permissions for all log files' 571 | options: |- 572 | $FileOwner {{ rsyslog__file_owner }} 573 | $FileGroup {{ rsyslog__file_group }} 574 | $FileCreateMode 0640 575 | $DirCreateMode 0755 576 | $Umask 0022 577 | {% if rsyslog__unprivileged|bool %} 578 | $PrivDropToUser {{ rsyslog__user }} 579 | $PrivDropToGroup {{ rsyslog__group }} 580 | {% endif %} 581 | 582 | - comment: 'Where to place spool and state files' 583 | options: |- 584 | $WorkDirectory /var/spool/rsyslog 585 | 586 | - comment: 'Log every message' 587 | options: |- 588 | $RepeatedMsgReduction {{ "on" if rsyslog__message_reduction|bool else "off" }} 589 | 590 | # ]]] 591 | # .. envvar:: rsyslog__conf_divert_ubuntu [[[ 592 | # 593 | # Divert the default ``rsyslogd`` configuration provided in Ubuntu systems so 594 | # that the role can write its own version. 595 | rsyslog__conf_divert_ubuntu: 596 | 597 | - filename: '20-ufw.conf' 598 | divert: True 599 | divert_to: '65-ufw.system' 600 | state: '{{ "present" 601 | if (ansible_distribution in [ "Ubuntu" ]) 602 | else "absent" }}' 603 | 604 | - filename: '50-default.conf' 605 | divert: True 606 | state: '{{ "present" 607 | if (ansible_distribution in [ "Ubuntu" ]) 608 | else "absent" }}' 609 | 610 | # ]]] 611 | # .. envvar:: rsyslog__conf_filename_templates [[[ 612 | # 613 | # List of ``rsyslogd`` templates which are used to generate dynamic filenames 614 | # for remote logs, based on hostnames. You can add additional template 615 | # configuration by writing it in the :file:`/etc/rsyslog.d/*.template` files, they 616 | # will be included by the main configuration. 617 | rsyslog__conf_filename_templates: 618 | 619 | - name: 'templates' 620 | type: 'template' 621 | sections: 622 | 623 | - comment: 'Remote host system logs' 624 | options: |- 625 | template( 626 | name="RemoteHostSyslog" 627 | type="string" 628 | string="/var/log/remote/hosts/%HOSTNAME%/syslog" 629 | ) 630 | 631 | - comment: 'Remote host auth logs' 632 | options: |- 633 | template( 634 | name="RemoteHostAuthLog" 635 | type="string" 636 | string="/var/log/remote/hosts/%HOSTNAME%/auth.log" 637 | ) 638 | 639 | - comment: 'Remote host cron logs' 640 | options: |- 641 | template( 642 | name="RemoteHostCronLog" 643 | type="string" 644 | string="/var/log/remote/hosts/%HOSTNAME%/cron.log" 645 | ) 646 | 647 | - comment: 'Remote service auth logs' 648 | options: |- 649 | template( 650 | name="RemoteServiceAuthLog" 651 | type="string" 652 | string="/var/log/remote/services/auth/auth.log" 653 | ) 654 | 655 | - comment: 'Remote service cron logs' 656 | options: |- 657 | template( 658 | name="RemoteServiceCronLog" 659 | type="string" 660 | string="/var/log/remote/services/cron/cron.log" 661 | ) 662 | 663 | - comment: 'Remote service mail logs' 664 | options: |- 665 | template( 666 | name="RemoteServiceMailLog" 667 | type="string" 668 | string="/var/log/remote/services/mail/mail.log" 669 | ) 670 | 671 | - comment: 'Include custom templates' 672 | options: |- 673 | $IncludeConfig /etc/rsyslog.d/*.template 674 | 675 | - comment: 'Use traditional timestamp format' 676 | options: |- 677 | $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat 678 | 679 | # ]]] 680 | # .. envvar:: rsyslog__conf_remote_forward [[[ 681 | # 682 | # Enable log forwardin to another ``rsyslogd`` instance if it's enabled in 683 | # :envvar:`rsyslog__forward` variables. See :ref:`rsyslog__forward` for more details. 684 | rsyslog__conf_remote_forward: 685 | 686 | - filename: '20-remote-forward.system' 687 | state: '{{ "present" 688 | if (rsyslog__forward|d() or rsyslog__group_forward|d() or rsyslog__host_forward|d()) 689 | else "absent" }}' 690 | 691 | sections: 692 | 693 | - comment: 'Forward logs over TLS by default' 694 | options: '{{ rsyslog__send_over_tls }}' 695 | state: '{{ "present" 696 | if (rsyslog__pki|bool and 697 | "tls" in rsyslog__capabilities) 698 | else "absent" }}' 699 | 700 | - comment: 'Forward logs to specified hosts' 701 | options: |- 702 | {% for element in (rsyslog__forward + rsyslog__group_forward + rsyslog__host_forward) %} 703 | {{ element }} 704 | {% endfor %} 705 | 706 | # ]]] 707 | # .. envvar:: rsyslog__conf_default_rulesets [[[ 708 | # 709 | # The ``rsyslogd`` configuration can contain multiple rulesets, each one 710 | # connected to an input channel (see 711 | # http://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html for more 712 | # details). 713 | # 714 | # By default ``debops.rsyslog`` use the default ruleset for local 715 | # system logs, and defines a separate ``remote`` ruleset for logs incoming over 716 | # the network from remote hosts. The local log rules are stored in 717 | # :file:`/etc/rsyslog.d/*.system` configuration files, and remote log rules are 718 | # stored in :file:`/etc/rsyslog.d/*.remote` configuration files. 719 | rsyslog__conf_default_rulesets: 720 | 721 | - name: 'default-rulesets' 722 | type: 'rules' 723 | sections: 724 | 725 | - comment: 'Rules for the local system logs' 726 | options: |- 727 | $IncludeConfig /etc/rsyslog.d/*.system 728 | 729 | - comment: 'Rules for logs incoming from remote hosts' 730 | options: |- 731 | ruleset(name="remote") { 732 | $IncludeConfig /etc/rsyslog.d/*.remote 733 | } 734 | 735 | # ]]] 736 | # .. envvar:: rsyslog__conf_system_rules [[[ 737 | # 738 | # A set of default ``rsyslog`` options which store local system logs in files 739 | # located in :file:`/var/log/` directory. This is mostly the same as the default 740 | # ``rsyslogd`` configuration provided in Debian/Ubuntu installations. 741 | rsyslog__conf_system_rules: 742 | 743 | - filename: '50-default.system' 744 | sections: 745 | 746 | - comment: 'Standard log files, split by facility' 747 | options: |- 748 | auth,authpriv.* /var/log/auth.log 749 | *.*;cron,auth,authpriv.none -/var/log/syslog 750 | cron.* -/var/log/cron.log 751 | daemon.* -/var/log/daemon.log 752 | kern.* -/var/log/kern.log 753 | lpr.* -/var/log/lpr.log 754 | mail.* -/var/log/mail.log 755 | user.* -/var/log/user.log 756 | 757 | - comment: 'Copy of the local log files to complete remote logs' 758 | options: |- 759 | auth,authpriv.* ?RemoteHostAuthLog 760 | auth,authpriv.* ?RemoteServiceAuthLog 761 | *.*;cron,auth,authpriv.none -?RemoteHostSyslog 762 | cron.* -?RemoteHostCronLog 763 | cron.* -?RemoteServiceCronLog 764 | mail.* -?RemoteServiceMailLog 765 | state: '{{ "present" 766 | if ("remote-files" in rsyslog__capabilities) 767 | else "absent" }}' 768 | 769 | - comment: |- 770 | Logging for the mail system. Split it up so that 771 | it is easy to write scripts to parse these files 772 | options: |- 773 | mail.info -/var/log/mail.info 774 | mail.warn -/var/log/mail.warn 775 | mail.err /var/log/mail.err 776 | 777 | - comment: 'Logging for INN news system' 778 | options: |- 779 | news.crit /var/log/news/news.crit 780 | news.err /var/log/news/news.err 781 | news.notice -/var/log/news/news.notice 782 | state: '{{ "absent" 783 | if ("!news" in rsyslog__capabilities) 784 | else "present" }}' 785 | 786 | - comment: 'Some "catch-all" log files' 787 | options: |- 788 | *.=debug;\ 789 | auth,authpriv.none;\ 790 | mail,news.none -/var/log/debug 791 | *.=info;*.=notice;*.=warn;\ 792 | auth,authpriv.none;\ 793 | cron,daemon.none;\ 794 | mail,news.none -/var/log/messages 795 | 796 | - comment: 'Emergencies are sent to everybody logged in' 797 | options: |- 798 | *.emerg :omusrmsg:* 799 | 800 | - comment: 'Send selected logs to xconsole' 801 | options: |- 802 | daemon.*;mail.*;\ 803 | *.=debug;*.=info;\ 804 | *.=notice;*.=warn |/dev/xconsole 805 | state: '{{ "present" 806 | if ("xconsole" in rsyslog__capabilities) 807 | else "absent" }}' 808 | 809 | # ]]] 810 | # .. envvar:: rsyslog__conf_dynamic_logs [[[ 811 | # 812 | # List of ``rsyslogd`` rules which maintain dynamic log files in 813 | # :file:`/var/log/remote/` directory. These log files will store logs incoming from 814 | # other, remote hosts. 815 | rsyslog__conf_dynamic_logs: 816 | 817 | - filename: '40-dynamic-cron.remote' 818 | options: | 819 | if ($msg contains "pam_unix(cron:session): session opened for user") then { 820 | action(type="omfile" DynaFile="RemoteHostCronLog") 821 | action(type="omfile" DynaFile="RemoteServiceCronLog") 822 | stop 823 | } else if ($msg contains "pam_unix(cron:session): session closed for user") then { 824 | action(type="omfile" DynaFile="RemoteHostCronLog") 825 | action(type="omfile" DynaFile="RemoteServiceCronLog") 826 | stop 827 | } 828 | state: '{{ "present" 829 | if ("remote-files" in rsyslog__capabilities) 830 | else "absent" }}' 831 | 832 | - filename: '50-dynamic-logs.remote' 833 | comment: 'Store remote logs in separate logfiles' 834 | options: |- 835 | auth,authpriv.* ?RemoteHostAuthLog 836 | auth,authpriv.* ?RemoteServiceAuthLog 837 | *.*;cron,auth,authpriv.none -?RemoteHostSyslog 838 | cron.* -?RemoteHostCronLog 839 | cron.* -?RemoteServiceCronLog 840 | mail.* -?RemoteServiceMailLog 841 | state: '{{ "present" 842 | if ("remote-files" in rsyslog__capabilities) 843 | else "absent" }}' 844 | 845 | # ]]] 846 | # .. envvar:: rsyslog__conf_stop_remote [[[ 847 | # 848 | # The older ``rsyslogd`` versions do not support empty rulesets. This 849 | # configuration file is used to allow empty ``remote`` ruleset when remote log 850 | # support is disabled, and should be included in the configuration at the very 851 | # end. 852 | rsyslog__conf_stop_remote: 853 | 854 | - filename: 'zz-stop.remote' 855 | comment: |- 856 | This is a workaround to support empty "remote" ruleset on 857 | older versions of rsyslog package. 858 | http://comments.gmane.org/gmane.comp.sysutils.rsyslog/15616 859 | options: |- 860 | stop 861 | 862 | # ]]] 863 | # .. envvar:: rsyslog__conf_system_cron [[[ 864 | # 865 | # Configuration for system :program:`cron` logs. This will ensure that :program:`cron` logs 866 | # will be stored in separate :file:`/var/log/cron.log` file and won't clutter auth 867 | # or syslog logs. 868 | rsyslog__conf_system_cron: 869 | filename: '40-cron.system' 870 | options: | 871 | if ($msg contains "pam_unix(cron:session): session opened for user") then { 872 | action(type="omfile" file="/var/log/cron.log") 873 | {% if 'remote-files' in rsyslog__capabilities %} 874 | action(type="omfile" DynaFile="RemoteHostCronLog") 875 | action(type="omfile" DynaFile="RemoteServiceCronLog") 876 | {% endif %} 877 | stop 878 | } else if ($msg contains "pam_unix(cron:session): session closed for user") then { 879 | action(type="omfile" file="/var/log/cron.log") 880 | {% if 'remote-files' in rsyslog__capabilities %} 881 | action(type="omfile" DynaFile="RemoteHostCronLog") 882 | action(type="omfile" DynaFile="RemoteServiceCronLog") 883 | {% endif %} 884 | stop 885 | } 886 | # ]]] 887 | # ]]] 888 | # Log rotation [[[ 889 | # ---------------- 890 | 891 | # .. envvar:: rsyslog__rotation_period_system [[[ 892 | # 893 | # How often to rotate local system logs 894 | rsyslog__rotation_period_system: 'weekly' 895 | 896 | # ]]] 897 | # .. envvar:: rsyslog__rotation_count_system [[[ 898 | # 899 | # How many old logfiles to keep for local system logs. 900 | rsyslog__rotation_count_system: '8' 901 | 902 | # ]]] 903 | # .. envvar:: rsyslog__rotation_period_remote [[[ 904 | # 905 | # How often to rotate remote logs. 906 | rsyslog__rotation_period_remote: 'monthly' 907 | 908 | # ]]] 909 | # .. envvar:: rsyslog__rotation_count_remote [[[ 910 | # 911 | # How many old logfiles to keep for remote logs. 912 | rsyslog__rotation_count_remote: '12' 913 | # ]]] 914 | # ]]] 915 | # Configuration for other Ansible roles [[[ 916 | # ----------------------------------------- 917 | 918 | # .. envvar:: rsyslog__etc_services__dependent_list [[[ 919 | # 920 | # Configuration for debops.etc_services_ Ansible role. 921 | rsyslog__etc_services__dependent_list: 922 | 923 | - name: 'syslog-tls' 924 | port: '{{ rsyslog__tcp_tls_port }}' 925 | protocol: [ 'tcp' ] 926 | comment: 'Syslog over TLS [RFC5425]' 927 | state: '{{ "present" 928 | if (ansible_distribution_release in ["wheezy"]) 929 | else "absent" }}' 930 | 931 | # ]]] 932 | # .. envvar:: rsyslog__apt_preferences__dependent_list [[[ 933 | # 934 | # Configuration for debops.apt_preferences_ Ansible role, to install newer 935 | # version of ``rsyslog`` package on older systems. 936 | rsyslog__apt_preferences__dependent_list: 937 | 938 | - package: 'rsyslog rsyslog-* libestr0' 939 | backports: [ 'wheezy' ] 940 | reason: 'Version parity with Debian Jessie' 941 | role: 'debops.rsyslog' 942 | 943 | # ]]] 944 | # .. envvar:: rsyslog__ferm__dependent_rules [[[ 945 | # 946 | # Configuration for debops.ferm_ Ansible role. 947 | rsyslog__ferm__dependent_rules: 948 | 949 | - type: 'accept' 950 | dport: [ '514' ] 951 | protocols: [ 'udp', 'tcp' ] 952 | saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}' 953 | role: 'rsyslog' 954 | accept_any: False 955 | rule_state: '{{ "present" 956 | if ("network" in rsyslog__capabilities and not rsyslog__send_over_tls_only) 957 | else "absent" }}' 958 | 959 | - type: 'accept' 960 | dport: [ 'syslog-tls' ] 961 | saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}' 962 | role: 'rsyslog' 963 | accept_any: False 964 | rule_state: '{{ "present" 965 | if ("network" in rsyslog__capabilities and 966 | "tls" in rsyslog__capabilities) 967 | else "absent" }}' 968 | 969 | # ]]] 970 | # .. envvar:: rsyslog__logrotate__dependent_config [[[ 971 | # 972 | # Configuration for debops.logrotate_ Ansible role. 973 | rsyslog__logrotate__dependent_config: 974 | 975 | - filename: '000rsyslog-unprivileged' 976 | comment: 'The rsyslog daemon is run unprivileged' 977 | options: | 978 | su root {{ rsyslog__group }} 979 | state: '{{ "present" if rsyslog__unprivileged|bool 980 | else "absent" }}' 981 | 982 | - filename: 'rsyslog' 983 | divert: True 984 | sections: 985 | 986 | - logs: '/var/log/syslog' 987 | options: | 988 | rotate {{ rsyslog__rotation_count_system }} 989 | {{ rsyslog__rotation_period_system }} 990 | missingok 991 | notifempty 992 | delaycompress 993 | compress 994 | postrotate: | 995 | invoke-rc.d rsyslog rotate > /dev/null 996 | 997 | - logs: '{{ rsyslog__default_logfiles | difference(["/var/log/syslog"]) }}' 998 | options: | 999 | rotate {{ rsyslog__rotation_count_system }} 1000 | {{ rsyslog__rotation_period_system }} 1001 | missingok 1002 | notifempty 1003 | compress 1004 | delaycompress 1005 | sharedscripts 1006 | postrotate: | 1007 | invoke-rc.d rsyslog rotate > /dev/null 1008 | 1009 | - filename: 'rsyslog-remote' 1010 | logs: [ '/var/log/remote/*/*/syslog', '/var/log/remote/*/*/*.log' ] 1011 | options: | 1012 | rotate {{ rsyslog__rotation_count_remote }} 1013 | {{ rsyslog__rotation_period_remote }} 1014 | missingok 1015 | notifempty 1016 | compress 1017 | delaycompress 1018 | sharedscripts 1019 | postrotate: | 1020 | invoke-rc.d rsyslog rotate > /dev/null 1021 | # ]]] 1022 | # ]]] 1023 | # ]]] 1024 | --------------------------------------------------------------------------------