debops.rsyslog default variables

General configuration

rsyslog__enabled

Enable or disable rsyslog management.

rsyslog__enabled: True
rsyslog__capabilities

List of different capabilities to configure. See rsyslog__capabilities for more details.

rsyslog__capabilities: []
rsyslog__unprivileged

Enable or disable unprivileged rsyslogd operation. Warning, enabling this option requires additional configuration outside of the debops.rsyslog role. See Unprivileged syslog and encrypted connections for more details.

rsyslog__unprivileged: '{{ "True"
                           if (ansible_distribution in [ "Ubuntu" ])
                           else "False" }}'
rsyslog__message_reduction

Enable or disable message reduction. This is disabled by default so that log parsers like fail2ban can work correctly.

rsyslog__message_reduction: False

APT packages

rsyslog__base_packages

List of default APT packages to install.

rsyslog__base_packages: [ 'rsyslog' ]
rsyslog__tls_packages

List of APT packages required for TLS support.

rsyslog__tls_packages: [ 'rsyslog-gnutls', 'ca-certificates' ]
rsyslog__packages

List of additional APT packages to install.

rsyslog__packages: []

User, group, home, file ownership

rsyslog__user

The unprivileged system user account used by the rsyslogd daemon, when unprivileged operation is enabled.

rsyslog__user: '{{ "syslog" if rsyslog__unprivileged|bool else "root" }}'
rsyslog__group

The unprivileged system group account used by the rsyslogd daemon, when unprivileged operation is enabled.

rsyslog__group: '{{ "syslog" if rsyslog__unprivileged|bool else "root" }}'
rsyslog__home

The home directory of the rsyslog__user user, dependent on the OS defaults. Takes effect only when the unprivileged mode is enabled.

rsyslog__home: '{{ "/home/syslog"
                   if (ansible_distribution in [ "Ubuntu" ])
                   else "/var/log" }}'
rsyslog__file_owner

The account which will be set as the owner of the log files generated by rsyslogd. When an unprivileged mode is enabled, it should be the same as the rsyslogd user account.

rsyslog__file_owner: '{{ rsyslog__user }}'
rsyslog__file_group

The system group which will be set as the default group of the log files generated by rsyslogd.

rsyslog__file_group: 'adm'
rsyslog__default_logfiles

List of default logfiles managed by debops.rsyslog role. This list is used in the debops.logrotate configuration to create log rotation, as well as to change the file owner/group when unprivileged operation is enabled.

rsyslog__default_logfiles:
  - '/var/log/syslog'
  - '/var/log/kern.log'
  - '/var/log/auth.log'
  - '/var/log/user.log'
  - '/var/log/daemon.log'
  - '/var/log/messages'
  - '/var/log/mail.log'
  - '/var/log/mail.info'
  - '/var/log/mail.warn'
  - '/var/log/mail.err'
  - '/var/log/cron.log'
  - '/var/log/lpr.log'
  - '/var/log/debug'
  - '/var/log/messages'

Encrypted communication

rsyslog__pki

Enable or disable support for X.509 certificates managed by debops.pki role, used for TLS connections.

rsyslog__pki: '{{ True
                  if (ansible_local|d() and ansible_local.pki|d() and
                      ansible_local.pki.enabled|bool)
                  else False }}'
rsyslog__pki_path

Path to the directory with PKI realms.

rsyslog__pki_path: '{{ ansible_local.pki.path
                       if (ansible_local|d() and ansible_local.pki|d() and
                           ansible_local.pki.path|d())
                       else "/etc/pki" }}'
rsyslog__pki_realm

Name of the PKi realm to use with rsyslogd.

rsyslog__pki_realm: '{{ ansible_local.pki.realm
                        if (ansible_local|d() and ansible_local.pki|d() and
                            ansible_local.pki.realm|d())
                        else "domain" }}'
rsyslog__pki_ca

Name of the root CA certificate used by the debops.rsyslog role.

rsyslog__pki_ca: '{{ ansible_local.pki.ca
                      if (ansible_local|d() and ansible_local.pki|d() and
                          ansible_local.pki.ca|d())
                      else "CA.crt" }}'
rsyslog__pki_crt

Name of the client certificate file used by the debops.rsyslog role.

rsyslog__pki_crt: '{{ ansible_local.pki.crt
                      if (ansible_local|d() and ansible_local.pki|d() and
                          ansible_local.pki.crt|d())
                      else "default.crt" }}'
rsyslog__pki_key

Name of the private key file used by the debops.rsyslog role.

rsyslog__pki_key: '{{ ansible_local.pki.key
                      if (ansible_local|d() and ansible_local.pki|d() and
                          ansible_local.pki.key|d())
                      else "default.key" }}'
rsyslog__default_netstream_driver

Specify the default netstrap driver used by the imtcp module. The gtls will be enabled by default if the support for PKI is enabled, otherwise ptcp will be used.

rsyslog__default_netstream_driver: '{{ "gtls"
                                       if (rsyslog__pki|bool and
                                           "tls" in rsyslog__capabilities)
                                       else "ptcp" }}'
rsyslog__default_driver_authmode

Specify the default network driver authetication mode. Actualy only x509/name or anon are available:

rsyslog__default_driver_authmode: "x509/name"
rsyslog__send_over_tls

This configuration is added to the forward options when tls capability is enabled. It's used to configure TLS options.

rsyslog__send_over_tls: |-
  $ActionSendStreamDriver gtls
  $ActionSendStreamDriverAuthMode {{ rsyslog__default_driver_authmode }}
  {% if rsyslog__default_driver_authmode != "anon" %}
  {%   if rsyslog__send_permitted_peers is string %}
  $ActionSendStreamDriverPermittedPeer {{ rsyslog__send_permitted_peers }}
  {%   else %}
  {%     for peer in rsyslog__send_permitted_peers %}
  $ActionSendStreamDriverPermittedPeer {{ peer }}
  {%     endfor %}
  {%   endif %}
  {% endif %}
  $ActionSendStreamDriverMode 1
rsyslog__send_over_tls_only

Specify if you want only TLS communications.

rsyslog__send_over_tls_only: False
rsyslog__domain

The default DNS domain used to accept remote incoming logs from remote hosts.

rsyslog__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
rsyslog__permitted_peers

List of hostnames, IP addresses or wildcard DNS domains which will be allowed by the rsyslogd server to connect and send logs over TLS.

rsyslog__permitted_peers: [ '*.{{ rsyslog__domain }}' ]
rsyslog__send_permitted_peers

List of hostnames, IP addresses or wildcard DNS domains which will be verified by the rsyslogd client and will allow to send logs to the remote server over TLS.

rsyslog__send_permitted_peers: '{{ rsyslog__permitted_peers }}'

Firewall, UDP, TCP ports

rsyslog__udp_port

The incoming UDP port used for remote logging.

rsyslog__udp_port: '514'
rsyslog__tcp_port

The incoming TCP port used for remote logging.

rsyslog__tcp_port: '514'
rsyslog__tcp_tls_port

The incoming TCP TLS port used for remote logging.

rsyslog__tcp_tls_port: '6514'
rsyslog__allow

List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for all hosts in the inventory.

rsyslog__allow: []
rsyslog__group_allow

List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for specific group of hosts in the inventory.

rsyslog__group_allow: []
rsyslog__host_allow

List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for specific hosts in the inventory.

rsyslog__host_allow: []

Log forwarding

rsyslog__forward

List of rsyslogd options that configure log forwarding for all hosts in the inventory. See rsyslog__forward for more details.

rsyslog__forward: []
rsyslog__group_forward

List of rsyslogd options that configure log forwarding for hosts in a specific group. See rsyslog__forward for more details.

rsyslog__group_forward: []
rsyslog__host_forward

List of rsyslogd options that configure log forwarding for specific hosts in Ansible inventory. See rsyslog__forward for more details.

rsyslog__host_forward: []

Rsyslog configuration rules

rsyslog__weight_map

This is a dictionary map of different configuration "types" corresponding to numbers used to sort configuration files in /etc/rsyslog.d/ directory (configuration order is important). You can specify a type in the configuration by using the item.type parameter.

If you change the default weight map values, you will most likely need to remove all files from /etc/rsyslog.d/ to reset the configuration.

See rsyslog__rules for more details.

rsyslog__weight_map:
  'global':    '05'
  'module':    '10'
  'modules':   '10'
  'template':  '20'
  'templates': '20'
  'output':    '30'
  'service':   '30'
  'rule':      '50'
  'rules':     '50'
  'ruleset':   '50'
  'input':     '90'
rsyslog__rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of all hosts in the inventory.

rsyslog__rules: []
rsyslog__group_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of a group of hosts in the inventory.

rsyslog__group_rules: []
rsyslog__host_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of specific hosts in the inventory.

rsyslog__host_rules: []
rsyslog__dependent_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration by other Ansible roles.

rsyslog__dependent_rules: []
rsyslog__default_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This lis specifies default rsyslogd configuration enabled in the role.

rsyslog__default_rules:

  - '{{ rsyslog__conf_global_options }}'
  - '{{ rsyslog__conf_local_modules }}'
  - '{{ rsyslog__conf_network_modules }}'
  - '{{ rsyslog__conf_common_defaults }}'
  - '{{ rsyslog__conf_divert_ubuntu }}'
  - '{{ rsyslog__conf_filename_templates }}'
  - '{{ rsyslog__conf_remote_forward }}'
  - '{{ rsyslog__conf_default_rulesets }}'
  - '{{ rsyslog__conf_system_rules }}'
  - '{{ rsyslog__conf_system_cron }}'
  - '{{ rsyslog__conf_network_input }}'
  - '{{ rsyslog__conf_dynamic_logs }}'
  - '{{ rsyslog__conf_stop_remote }}'

Default configuration options

rsyslog__conf_global_options

Some of the global rsyslogd configuration options. See http://www.rsyslog.com/doc/v8-stable/rainerscript/global.html for more details.

rsyslog__conf_global_options:

  - filename: '00-global.conf'
    comment: 'Global options'
    options: |-
      global(
        defaultNetstreamDriver="{{ rsyslog__default_netstream_driver }}"
      {% if rsyslog__pki|bool and "tls" in rsyslog__capabilities %}
        defaultNetstreamDriverCAFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_ca }}"
      {%   if rsyslog__default_driver_authmode != "anon" or "network" in rsyslog__capabilities %}
        defaultNetstreamDriverCertFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_crt }}"
        defaultNetstreamDriverKeyFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_key }}"
      {%   endif %}
      {% endif %}
      )
rsyslog__conf_local_modules

List of rsyslogd modules that enable logs from the local system to be received and parsed by the rsyslogd daemon.

rsyslog__conf_local_modules:

  - name: 'local-modules'
    type: 'modules'
    sections:

      - comment: 'Log messages sent to local UNIX socket'
        options: '$ModLoad imuxsock'

      - comment: 'Log kernel messages'
        options: |-
          $ModLoad imklog
          $KLogPermitNonKernelFacility on
        state: '{{ "present"
                  if (ansible_local|d() and ansible_local.cap12s|d() and
                      (not ansible_local.cap12s.enabled|bool or
                       "cap_sys_admin" in ansible_local.cap12s.list))
                  else "absent" }}'

      - comment: 'Log periodic -- MARK -- messages'
        options: |-
          $ModLoad immark
          $MarkMessagePeriod {{ (60 * 60) }}
        state: '{{ "absent"
                  if ("!mark" in rsyslog__capabilities)
                  else "present" }}'
rsyslog__conf_network_modules

List of rsyslogd modules that receive logs from remote systems over the network. They are enabled by the network capability.

rsyslog__conf_network_modules:

  - name: 'network-modules'
    type: 'modules'
    state: '{{ "present"
              if ("network" in rsyslog__capabilities)
              else "absent" }}'
    sections:

      - comment: 'Enable UDP support'
        options: |-
          module(load="imudp")
        state: '{{ "present"
                  if (rsyslog__send_over_tls_only)
                  else "absent" }}'

      - comment: 'Enable TCP support'
        options: |-
          module(load="imptcp")
        state: '{{ "present"
                  if (rsyslog__send_over_tls_only)
                  else "absent" }}'

      - comment: 'Enable GnuTLS TCP support'
        options: |-
          module(
            load="imtcp"
            streamDriver.name="gtls"
            streamDriver.mode="1"
            streamDriver.authMode="{{ rsyslog__default_driver_authmode }}"
          {% if rsyslog__default_driver_authmode != "anon" %}
            {% if rsyslog__permitted_peers is string %}
              permittedPeer="{{ rsyslog__permitted_peers }}"
            {% else %}
              permittedPeer=["{{ rsyslog__permitted_peers | join('","') }}"]
            {% endif %}
          {% endif %}
          )
        state: '{{ "present"
                  if ("tls" in rsyslog__capabilities)
                  else "absent" }}'
rsyslog__conf_network_input

Configuration of UDP, TCP and TCP over TLS inputs to receive logs from remote hosts, enabled by the network capability.

rsyslog__conf_network_input:

  - name: 'network-input'
    type: 'input'
    state: '{{ "present"
              if ("network" in rsyslog__capabilities)
              else "absent" }}'
    sections:

      - comment: 'Log messages from remote hosts over UDP'
        options: |-
          input(
            type="imudp"
            port="{{ rsyslog__udp_port }}"
            ruleset="remote"
          )
        state: '{{ "present"
                  if (not rsyslog__send_over_tls_only)
                  else "absent" }}'

      - comment: 'Log messages from remote hosts over TCP'
        options: |-
          input(
            type="imptcp"
            port="{{ rsyslog__tcp_port }}"
            ruleset="remote"
          )
        state: '{{ "present"
                  if (not rsyslog__send_over_tls_only)
                  else "absent" }}'

      - comment: 'Log messages from remote hosts over TLS'
        options: |-
          input(
            type="imtcp"
            name="imtls"
            port="{{ rsyslog__tcp_tls_port }}"
            ruleset="remote"
          )
        state: '{{ "present"
                  if ("tls" in rsyslog__capabilities)
                  else "absent" }}'
rsyslog__conf_common_defaults

List of common rsyslogd configuration, like new file owner/group and permissions, work directory, configuration of message reduction.

rsyslog__conf_common_defaults:

  - name: 'common-defaults'
    type: 'global'
    sections:

      - comment: 'Set default permissions for all log files'
        options: |-
          $FileOwner {{ rsyslog__file_owner }}
          $FileGroup {{ rsyslog__file_group }}
          $FileCreateMode 0640
          $DirCreateMode 0755
          $Umask 0022
          {% if rsyslog__unprivileged|bool %}
          $PrivDropToUser {{ rsyslog__user }}
          $PrivDropToGroup {{ rsyslog__group }}
          {% endif %}

      - comment: 'Where to place spool and state files'
        options: |-
          $WorkDirectory /var/spool/rsyslog

      - comment: 'Log every message'
        options: |-
          $RepeatedMsgReduction {{ "on" if rsyslog__message_reduction|bool else "off" }}
rsyslog__conf_divert_ubuntu

Divert the default rsyslogd configuration provided in Ubuntu systems so that the role can write its own version.

rsyslog__conf_divert_ubuntu:

  - filename: '20-ufw.conf'
    divert: True
    divert_to: '65-ufw.system'
    state: '{{ "present"
               if (ansible_distribution in [ "Ubuntu" ])
               else "absent" }}'

  - filename: '50-default.conf'
    divert: True
    state: '{{ "present"
               if (ansible_distribution in [ "Ubuntu" ])
               else "absent" }}'
rsyslog__conf_filename_templates

List of rsyslogd templates which are used to generate dynamic filenames for remote logs, based on hostnames. You can add additional template configuration by writing it in the /etc/rsyslog.d/*.template files, they will be included by the main configuration.

rsyslog__conf_filename_templates:

  - name: 'templates'
    type: 'template'
    sections:

      - comment: 'Remote host system logs'
        options: |-
          template(
            name="RemoteHostSyslog"
            type="string"
            string="/var/log/remote/hosts/%HOSTNAME%/syslog"
          )

      - comment: 'Remote host auth logs'
        options: |-
          template(
            name="RemoteHostAuthLog"
            type="string"
            string="/var/log/remote/hosts/%HOSTNAME%/auth.log"
          )

      - comment: 'Remote host cron logs'
        options: |-
          template(
            name="RemoteHostCronLog"
            type="string"
            string="/var/log/remote/hosts/%HOSTNAME%/cron.log"
          )

      - comment: 'Remote service auth logs'
        options: |-
          template(
            name="RemoteServiceAuthLog"
            type="string"
            string="/var/log/remote/services/auth/auth.log"
          )

      - comment: 'Remote service cron logs'
        options: |-
          template(
            name="RemoteServiceCronLog"
            type="string"
            string="/var/log/remote/services/cron/cron.log"
          )

      - comment: 'Remote service mail logs'
        options: |-
          template(
            name="RemoteServiceMailLog"
            type="string"
            string="/var/log/remote/services/mail/mail.log"
          )

      - comment: 'Include custom templates'
        options: |-
          $IncludeConfig /etc/rsyslog.d/*.template

      - comment: 'Use traditional timestamp format'
        options: |-
          $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
rsyslog__conf_remote_forward

Enable log forwardin to another rsyslogd instance if it's enabled in rsyslog__forward variables. See rsyslog__forward for more details.

rsyslog__conf_remote_forward:

  - filename: '20-remote-forward.system'
    state: '{{ "present"
               if (rsyslog__forward|d() or rsyslog__group_forward|d() or rsyslog__host_forward|d())
               else "absent" }}'

    sections:

      - comment: 'Forward logs over TLS by default'
        options: '{{ rsyslog__send_over_tls }}'
        state: '{{ "present"
                   if (rsyslog__pki|bool and
                       "tls" in rsyslog__capabilities)
                   else "absent" }}'

      - comment: 'Forward logs to specified hosts'
        options: |-
          {% for element in (rsyslog__forward + rsyslog__group_forward + rsyslog__host_forward) %}
          {{ element }}
          {% endfor %}
rsyslog__conf_default_rulesets

The rsyslogd configuration can contain multiple rulesets, each one connected to an input channel (see http://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html for more details).

By default debops.rsyslog use the default ruleset for local system logs, and defines a separate remote ruleset for logs incoming over the network from remote hosts. The local log rules are stored in /etc/rsyslog.d/*.system configuration files, and remote log rules are stored in /etc/rsyslog.d/*.remote configuration files.

rsyslog__conf_default_rulesets:

  - name: 'default-rulesets'
    type: 'rules'
    sections:

      - comment: 'Rules for the local system logs'
        options: |-
          $IncludeConfig /etc/rsyslog.d/*.system

      - comment: 'Rules for logs incoming from remote hosts'
        options: |-
          ruleset(name="remote") {
            $IncludeConfig /etc/rsyslog.d/*.remote
          }
rsyslog__conf_system_rules

A set of default rsyslog options which store local system logs in files located in /var/log/ directory. This is mostly the same as the default rsyslogd configuration provided in Debian/Ubuntu installations.

rsyslog__conf_system_rules:

  - filename: '50-default.system'
    sections:

      - comment: 'Standard log files, split by facility'
        options: |-
          auth,authpriv.*                /var/log/auth.log
          *.*;cron,auth,authpriv.none    -/var/log/syslog
          cron.*                         -/var/log/cron.log
          daemon.*                       -/var/log/daemon.log
          kern.*                         -/var/log/kern.log
          lpr.*                          -/var/log/lpr.log
          mail.*                         -/var/log/mail.log
          user.*                         -/var/log/user.log

      - comment: 'Copy of the local log files to complete remote logs'
        options: |-
          auth,authpriv.*                ?RemoteHostAuthLog
          auth,authpriv.*                ?RemoteServiceAuthLog
          *.*;cron,auth,authpriv.none    -?RemoteHostSyslog
          cron.*                         -?RemoteHostCronLog
          cron.*                         -?RemoteServiceCronLog
          mail.*                         -?RemoteServiceMailLog
        state: '{{ "present"
                   if ("remote-files" in rsyslog__capabilities)
                   else "absent" }}'

      - comment: |-
          Logging for the mail system. Split it up so that
          it is easy to write scripts to parse these files
        options: |-
          mail.info                      -/var/log/mail.info
          mail.warn                      -/var/log/mail.warn
          mail.err                       /var/log/mail.err

      - comment: 'Logging for INN news system'
        options: |-
          news.crit                      /var/log/news/news.crit
          news.err                       /var/log/news/news.err
          news.notice                    -/var/log/news/news.notice
        state: '{{ "absent"
                  if ("!news" in rsyslog__capabilities)
                  else "present" }}'

      - comment: 'Some "catch-all" log files'
        options: |-
          *.=debug;\
                  auth,authpriv.none;\
                  mail,news.none          -/var/log/debug
          *.=info;*.=notice;*.=warn;\
                  auth,authpriv.none;\
                  cron,daemon.none;\
                  mail,news.none          -/var/log/messages

      - comment: 'Emergencies are sent to everybody logged in'
        options: |-
          *.emerg                         :omusrmsg:*

      - comment: 'Send selected logs to xconsole'
        options: |-
          daemon.*;mail.*;\
                  *.=debug;*.=info;\
                  *.=notice;*.=warn       |/dev/xconsole
        state: '{{ "present"
                  if ("xconsole" in rsyslog__capabilities)
                  else "absent" }}'
rsyslog__conf_dynamic_logs

List of rsyslogd rules which maintain dynamic log files in /var/log/remote/ directory. These log files will store logs incoming from other, remote hosts.

rsyslog__conf_dynamic_logs:

  - filename: '40-dynamic-cron.remote'
    options: |
      if ($msg contains "pam_unix(cron:session): session opened for user") then {
        action(type="omfile" DynaFile="RemoteHostCronLog")
        action(type="omfile" DynaFile="RemoteServiceCronLog")
        stop
      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
        action(type="omfile" DynaFile="RemoteHostCronLog")
        action(type="omfile" DynaFile="RemoteServiceCronLog")
        stop
      }
    state: '{{ "present"
               if ("remote-files" in rsyslog__capabilities)
               else "absent" }}'

  - filename: '50-dynamic-logs.remote'
    comment: 'Store remote logs in separate logfiles'
    options: |-
      auth,authpriv.*                     ?RemoteHostAuthLog
      auth,authpriv.*                     ?RemoteServiceAuthLog
      *.*;cron,auth,authpriv.none         -?RemoteHostSyslog
      cron.*                              -?RemoteHostCronLog
      cron.*                              -?RemoteServiceCronLog
      mail.*                              -?RemoteServiceMailLog
    state: '{{ "present"
               if ("remote-files" in rsyslog__capabilities)
               else "absent" }}'
rsyslog__conf_stop_remote

The older rsyslogd versions do not support empty rulesets. This configuration file is used to allow empty remote ruleset when remote log support is disabled, and should be included in the configuration at the very end.

rsyslog__conf_stop_remote:

  - filename: 'zz-stop.remote'
    comment: |-
      This is a workaround to support empty "remote" ruleset on
      older versions of rsyslog package.
      http://comments.gmane.org/gmane.comp.sysutils.rsyslog/15616
    options: |-
      stop
rsyslog__conf_system_cron

Configuration for system cron logs. This will ensure that cron logs will be stored in separate /var/log/cron.log file and won't clutter auth or syslog logs.

rsyslog__conf_system_cron:
  filename: '40-cron.system'
  options: |
    if ($msg contains "pam_unix(cron:session): session opened for user") then {
      action(type="omfile" file="/var/log/cron.log")
    {% if 'remote-files' in rsyslog__capabilities %}
      action(type="omfile" DynaFile="RemoteHostCronLog")
      action(type="omfile" DynaFile="RemoteServiceCronLog")
    {% endif %}
      stop
    } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
      action(type="omfile" file="/var/log/cron.log")
    {% if 'remote-files' in rsyslog__capabilities %}
      action(type="omfile" DynaFile="RemoteHostCronLog")
      action(type="omfile" DynaFile="RemoteServiceCronLog")
    {% endif %}
      stop
    }

Log rotation

rsyslog__rotation_period_system

How often to rotate local system logs

rsyslog__rotation_period_system: 'weekly'
rsyslog__rotation_count_system

How many old logfiles to keep for local system logs.

rsyslog__rotation_count_system: '8'
rsyslog__rotation_period_remote

How often to rotate remote logs.

rsyslog__rotation_period_remote: 'monthly'
rsyslog__rotation_count_remote

How many old logfiles to keep for remote logs.

rsyslog__rotation_count_remote: '12'

Configuration for other Ansible roles

rsyslog__etc_services__dependent_list

Configuration for debops.etc_services Ansible role.

rsyslog__etc_services__dependent_list:

  - name: 'syslog-tls'
    port: '{{ rsyslog__tcp_tls_port }}'
    protocol: [ 'tcp' ]
    comment: 'Syslog over TLS [RFC5425]'
    state: '{{ "present"
               if (ansible_distribution_release in ["wheezy"])
               else "absent" }}'
rsyslog__apt_preferences__dependent_list

Configuration for debops.apt_preferences Ansible role, to install newer version of rsyslog package on older systems.

rsyslog__apt_preferences__dependent_list:

  - package: 'rsyslog rsyslog-* libestr0'
    backports: [ 'wheezy' ]
    reason: 'Version parity with Debian Jessie'
    role: 'debops.rsyslog'
rsyslog__ferm__dependent_rules

Configuration for debops.ferm Ansible role.

rsyslog__ferm__dependent_rules:

  - type: 'accept'
    dport: [ '514' ]
    protocols: [ 'udp', 'tcp' ]
    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
    role: 'rsyslog'
    accept_any: False
    rule_state: '{{ "present"
                    if ("network" in rsyslog__capabilities and not rsyslog__send_over_tls_only)
                    else "absent" }}'

  - type: 'accept'
    dport: [ 'syslog-tls' ]
    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
    role: 'rsyslog'
    accept_any: False
    rule_state: '{{ "present"
                    if ("network" in rsyslog__capabilities and
                        "tls" in rsyslog__capabilities)
                    else "absent" }}'
rsyslog__logrotate__dependent_config

Configuration for debops.logrotate Ansible role.

rsyslog__logrotate__dependent_config:

  - filename: '000rsyslog-unprivileged'
    comment: 'The rsyslog daemon is run unprivileged'
    options: |
      su root {{ rsyslog__group }}
    state: '{{ "present" if rsyslog__unprivileged|bool
                         else "absent" }}'

  - filename: 'rsyslog'
    divert: True
    sections:

      - logs: '/var/log/syslog'
        options: |
          rotate {{ rsyslog__rotation_count_system }}
          {{ rsyslog__rotation_period_system }}
          missingok
          notifempty
          delaycompress
          compress
        postrotate: |
          invoke-rc.d rsyslog rotate > /dev/null

      - logs: '{{ rsyslog__default_logfiles | difference(["/var/log/syslog"]) }}'
        options: |
          rotate {{ rsyslog__rotation_count_system }}
          {{ rsyslog__rotation_period_system }}
          missingok
          notifempty
          compress
          delaycompress
          sharedscripts
        postrotate: |
          invoke-rc.d rsyslog rotate > /dev/null

  - filename: 'rsyslog-remote'
    logs: [ '/var/log/remote/*/*/syslog', '/var/log/remote/*/*/*.log' ]
    options: |
      rotate {{ rsyslog__rotation_count_remote }}
      {{ rsyslog__rotation_period_remote }}
      missingok
      notifempty
      compress
      delaycompress
      sharedscripts
    postrotate: |
      invoke-rc.d rsyslog rotate > /dev/null