debops.rsyslog default variables

General configuration

rsyslog__enabled

Enable or disable the management of the rsyslog service using the debops.rsyslog Ansible role.

rsyslog__enabled: True
rsyslog__deploy_state

Define the desired state of the rsyslog service on a given host, either present to install and configure the service, or absent to uninstall it and remove any changes applied by Ansible.

rsyslog__deploy_state: 'present'
rsyslog__unprivileged

Enable or disable unprivileged rsyslogd operation. Warning: enabling this option requires additional configuration outside of the debops.rsyslog role. See Unprivileged syslog and encrypted connections for more details.

rsyslog__unprivileged: '{{ "True"
                           if (ansible_distribution in ["Ubuntu"])
                           else "False" }}'
rsyslog__remote_enabled

Enable or disable support for receiving logs from remote hosts. It will be enabled automatically if a list of hosts or subnets allowed to connect to the rsyslog service is defined in the Ansible inventory.

rsyslog__remote_enabled: '{{ True
                             if (rsyslog__allow
                                 + rsyslog__group_allow
                                 + rsyslog__host_allow)
                             else False }}'
rsyslog__forward_enabled

Enable or disable support for forwarding logs to another host. The forwarding will be enabled automatically if any forward targets are configured and support for receiving logs via the rsyslog__remote_enabled variable is not active.

rsyslog__forward_enabled: '{{ True
                              if q("flattened", (rsyslog__default_forward
                                                 + rsyslog__forward
                                                 + rsyslog__group_forward
                                                 + rsyslog__host_forward))
                              else False }}'

APT packages

rsyslog__base_packages

List of default APT packages to install.

rsyslog__base_packages: [ 'rsyslog' ]
rsyslog__tls_packages

List of APT packages required for TLS support.

rsyslog__tls_packages: [ 'rsyslog-gnutls' ]
rsyslog__packages

List of additional APT packages to install.

rsyslog__packages: []

User, group, home, file ownership

rsyslog__user

The unprivileged system user account used by the rsyslogd daemon, when unprivileged operation is enabled.

rsyslog__user: '{{ "syslog" if rsyslog__unprivileged | bool else "root" }}'
rsyslog__group

The unprivileged system group account used by the rsyslogd daemon, when unprivileged operation is enabled.

rsyslog__group: '{{ "syslog" if rsyslog__unprivileged | bool else "root" }}'
rsyslog__append_groups

List of additional UNIX groups to add the rsyslog user into. The ssl-cert UNIX group grants access to the X.509 private key.

rsyslog__append_groups: '{{ ["ssl-cert"] if (rsyslog__unprivileged | bool
                              and rsyslog__pki | bool) else [] }}'
rsyslog__home

The home directory of the rsyslog__user user, dependent on the OS defaults. Takes effect only when the unprivileged mode is enabled.

rsyslog__home: '{{ "/home/syslog"
                   if (ansible_distribution in ["Ubuntu"])
                   else "/var/log" }}'
rsyslog__file_owner

The account which will be set as the owner of the log files generated by rsyslogd. When unprivileged mode is enabled, it should be the same as the rsyslogd user account.

rsyslog__file_owner: '{{ rsyslog__user }}'
rsyslog__file_group

The system group which will be set as the default group of the log files generated by rsyslogd.

rsyslog__file_group: 'adm'
rsyslog__default_logfiles

List of default logfiles managed by the debops.rsyslog role. This list is used in the debops.logrotate configuration to create log rotation, as well as to change the file owner/group when unprivileged operation is enabled.

rsyslog__default_logfiles:
  - '/var/log/syslog'
  - '/var/log/kern.log'
  - '/var/log/auth.log'
  - '/var/log/user.log'
  - '/var/log/daemon.log'
  - '/var/log/messages'
  - '/var/log/mail.log'
  - '/var/log/mail.info'
  - '/var/log/mail.warn'
  - '/var/log/mail.err'
  - '/var/log/cron.log'
  - '/var/log/lpr.log'
  - '/var/log/debug'
rsyslog__logfiles

List of additional logfiles managed by the debops.rsyslog role.

rsyslog__logfiles: []

Encrypted communication

rsyslog__pki

Enable or disable support for X.509 certificates managed by the debops.pki role, used for TLS connections.

rsyslog__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
rsyslog__pki_path

Path to the directory with PKI realms.

rsyslog__pki_path: '{{ ansible_local.pki.path | d("/etc/pki") }}'
rsyslog__pki_realm

Name of the PKI realm to use with rsyslogd.

rsyslog__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
rsyslog__pki_ca

Name of the root CA certificate used by the debops.rsyslog role.

rsyslog__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
rsyslog__pki_crt

Name of the client certificate file used by the debops.rsyslog role.

rsyslog__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
rsyslog__pki_key

Name of the private key file used by the debops.rsyslog role.

rsyslog__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
rsyslog__default_netstream_driver

Specify the default NetStream driver used by the imtcp module. The gtls driver is used by default if PKI support is enabled, otherwise ptcp is used.

rsyslog__default_netstream_driver: '{{ "gtls"
                                       if rsyslog__pki | bool
                                       else "ptcp" }}'
rsyslog__default_driver_mode

The NetStream driver mode. The ptcp driver only supports mode 0 (unencrypted transmission). The gtls driver supports modes 0 (unencrypted transmission, just like the ptcp driver) and 1 (TLS-protected operation). Ref: https://rsyslog.readthedocs.io/en/latest/concepts/netstrm_drvr.html

rsyslog__default_driver_mode: '{{ "1"
                                  if rsyslog__default_netstream_driver == "gtls"
                                  else "0" }}'
rsyslog__default_driver_authmode

Specify the default network driver authentication mode. Currently only x509/name or anon are available.

rsyslog__default_driver_authmode: '{{ "x509/name"
                                      if rsyslog__default_netstream_driver == "gtls" and
                                         rsyslog__default_driver_mode == "1"
                                      else "anon" }}'
rsyslog__domain

The default DNS domain used to accept incoming logs from remote hosts.

rsyslog__domain: '{{ ansible_domain }}'
rsyslog__permitted_peers

List of hostnames, IP addresses or wildcard DNS domains which will be allowed by the rsyslogd server to connect and send logs over TLS.

rsyslog__permitted_peers: [ '*.{{ rsyslog__domain }}' ]
rsyslog__send_permitted_peers

Hostname, IP address or wildcard DNS domain which the rsyslogd client verifies before connecting and sending logs to the remote server over TLS. Currently rsyslog supports only one peer here.

rsyslog__send_permitted_peers: '{{ rsyslog__permitted_peers | first }}'

Firewall, UDP, TCP ports

rsyslog__allow

List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for all hosts in the inventory.

rsyslog__allow: []
rsyslog__group_allow

List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for a specific group of hosts in the inventory.

rsyslog__group_allow: []
rsyslog__host_allow

List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for specific hosts in the inventory.

rsyslog__host_allow: []

Log forwarding

The variables below define lists of syslog servers to which the logs generated by a given host will be forwarded. The role will create the /etc/rsyslog.d/00forward-logs.conf configuration file with configuration for each host defined here. See rsyslog__forward documentation for more details.

rsyslog__syslog_srv_rr

List which contains the result of the DNS query for syslog server SRV resource records in the host's domain. See https://tools.ietf.org/html/draft-schoenw-opsawg-nm-srv-03 for details.

rsyslog__syslog_srv_rr: '{{ q("debops.debops.dig_srv", "_syslog._tcp." + rsyslog__domain,
                              "syslog." + rsyslog__domain, 6514) }}'
rsyslog__default_forward

List of the hosts detected via the DNS SRV resource records to which log messages will be forwarded. If multiple servers are configured in the SRV record, logs will be sent to all of them.

rsyslog__default_forward: '{{ rsyslog__syslog_srv_rr
                              if (rsyslog__syslog_srv_rr[0]["dig_srv_src"] | d("") != "fallback" and
                                  not rsyslog__remote_enabled | bool and
                                  rsyslog__pki | bool)
                              else [] }}'
rsyslog__forward

List of rsyslogd options that configure log forwarding for all hosts in the inventory. See rsyslog__forward for more details.

rsyslog__forward: []
rsyslog__group_forward

List of rsyslogd options that configure log forwarding for hosts in a specific group. See rsyslog__forward for more details.

rsyslog__group_forward: []
rsyslog__host_forward

List of rsyslogd options that configure log forwarding for specific hosts in Ansible inventory. See rsyslog__forward for more details.

rsyslog__host_forward: []

Main rsyslog configuration

The variables below define the contents of the /etc/rsyslog.conf configuration file. See rsyslog__configuration for more details.

rsyslog__original_configuration

The original configuration options included in the Debian package.

rsyslog__original_configuration:

  - name: 'module_imuxsock'
    comment: 'Provides support for local system logging'
    raw: |
      module(load="imuxsock")
    state: 'present'
    section: 'modules'

  - name: 'module_imklog'
    comment: 'Provides kernel logging support'
    raw: |
      module(load="imklog")
    state: 'present'
    section: 'modules'

  - name: 'module_immark'
    comment: 'Provides --MARK-- message capability'
    raw: |
      module(load="immark")
    state: 'comment'
    section: 'modules'

  - name: 'module_imudp'
    comment: 'Provides UDP syslog reception'
    raw: |
      module(load="imudp")
      input(type="imudp" port="514")
    state: 'comment'
    section: 'modules'

  - name: 'module_imtcp'
    comment: 'Provides TCP syslog reception'
    raw: |
      module(load="imtcp")
      input(type="imtcp" port="514")
    state: 'comment'
    section: 'modules'

  - name: 'default_template'
    comment: |
      Use traditional timestamp format.
      To enable high precision timestamps, comment out the following line.
    raw: |
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    state: 'present'
    section: 'global'

  - name: 'default_permissions'
    comment: 'Set the default permissions for all log files.'
    raw: |
      $FileOwner root
      $FileGroup adm
      $FileCreateMode 0640
      $DirCreateMode 0755
      $Umask 0022
    state: 'present'
    section: 'global'

  - name: 'spool_state'
    comment: 'Where to place spool and state files'
    raw: |
      $WorkDirectory /var/spool/rsyslog
    state: 'present'
    section: 'global'

  - name: 'include_config'
    comment: 'Include all config files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.conf
    state: 'present'
    section: 'global'

  - name: 'auth_facility'
    comment: 'First some standard log files.  Log by facility.'
    raw: |
      auth,authpriv.*                 /var/log/auth.log
      *.*;auth,authpriv.none          -/var/log/syslog
    state: 'present'
    section: 'rules'

  - name: 'cron_facility'
    raw: |
      cron.*                          /var/log/cron.log
    state: 'comment'
    section: 'rules'

  - name: 'daemon_facility'
    raw: |
      daemon.*                        -/var/log/daemon.log
    state: 'present'
    section: 'rules'

  - name: 'kern_facility'
    raw: |
      kern.*                          -/var/log/kern.log
    state: 'present'
    section: 'rules'

  - name: 'lpr_facility'
    raw: |
      lpr.*                           -/var/log/lpr.log
    state: 'present'
    section: 'rules'

  - name: 'mail_facility'
    raw: |
      mail.*                          -/var/log/mail.log
    state: 'present'
    section: 'rules'

  - name: 'user_facility'
    raw: |
      user.*                          -/var/log/user.log
    state: 'present'
    section: 'rules'

  - name: 'mail_log'
    comment: |
      Logging for the mail system.  Split it up so that
      it is easy to write scripts to parse these files.
    raw: |
      mail.info                       -/var/log/mail.info
      mail.warn                       -/var/log/mail.warn
      mail.err                        /var/log/mail.err
    state: 'present'
    section: 'rules'

  - name: 'debug_log'
    comment: 'Some "catch-all" log files.'
    raw: |
      *.=debug;\
              auth,authpriv.none;\
              news.none;mail.none     -/var/log/debug
    state: 'present'
    section: 'rules'

  - name: 'messages'
    raw: |
      *.=info;*.=notice;*.=warn;\
              auth,authpriv.none;\
              cron,daemon.none;\
              mail,news.none          -/var/log/messages
    state: 'present'
    section: 'rules'

  - name: 'emergencies'
    comment: 'Emergencies are sent to everybody logged in.'
    raw: |
      *.emerg                         :omusrmsg:*
    state: 'present'
    section: 'rules'
rsyslog__default_configuration

The default rsyslog configuration defined by the role.

rsyslog__default_configuration:

  # Don't load the kernel input module in Linux Containers
  - name: 'module_imklog'
    state: '{{ "comment"
               if (ansible_virtualization_type in ["lxc", "docker", "openvz"])
               else "ignore" }}'

  - name: 'module_imudp'
    raw: |
      module(load="imudp")
      input(type="imudp" port="514" ruleset="remote")
    state: '{{ "present" if rsyslog__remote_enabled | bool else "comment" }}'

  - name: 'include_modules'
    comment: 'Include *.input files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.input
    state: 'present'
    section: 'modules'

  - name: 'default_permissions'
    raw: |
      $FileOwner {{ rsyslog__file_owner }}
      $FileGroup {{ rsyslog__file_group }}
      $FileCreateMode 0640
      $DirCreateMode 0755
      $Umask 0022
      {% if rsyslog__unprivileged | bool %}
      $PrivDropToUser {{ rsyslog__user }}
      $PrivDropToGroup {{ rsyslog__group }}
      {% endif %}
    state: 'present'

  - name: 'cron_facility'
    state: 'present'

  - name: 'include_templates'
    comment: 'Include *.template files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.template
    state: 'present'
    section: 'global'
    copy_id_from: 'default_template'

  - name: 'include_outputs'
    comment: 'Include *.output files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.output
    state: 'present'
    section: 'global'

  - name: 'include_rules'
    comment: 'Include *.ruleset files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.ruleset
    state: 'present'
    section: 'rules'

  - name: 'include_remote_rules'
    comment: 'Include *.remote files in /etc/rsyslog.d/'
    raw: |
      ruleset(name="remote") {
        $IncludeConfig /etc/rsyslog.d/*.remote
      }
    section: 'rules'
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
rsyslog__configuration

The rsyslog configuration options defined on all hosts in the Ansible inventory.

rsyslog__configuration: []
rsyslog__group_configuration

The rsyslog configuration options defined on hosts in a specific Ansible inventory group.

rsyslog__group_configuration: []
rsyslog__host_configuration

The rsyslog configuration options defined on specific hosts in the Ansible inventory.

rsyslog__host_configuration: []
rsyslog__combined_configuration

The variable which combines all other main configuration variables and is used in the role tasks and templates.

rsyslog__combined_configuration: '{{ rsyslog__original_configuration
                                     + rsyslog__default_configuration
                                     + rsyslog__configuration
                                     + rsyslog__group_configuration
                                     + rsyslog__host_configuration }}'

Main configuration sections

The variables below define the configuration sections inside the /etc/rsyslog.conf configuration file. See rsyslog__configuration_sections for more details.

rsyslog__default_configuration_sections

The default configuration sections defined by the role.

rsyslog__default_configuration_sections:

  - name: 'modules'

  - name: 'global'
    title: 'Global directives'

  - name: 'templates'
    state: 'hidden'

  - name: 'output'
    title: 'Output channels'
    state: 'hidden'

  - name: 'rules'

  - name: 'unknown'
    title: 'Other options'
rsyslog__configuration_sections

The configuration sections defined by the user.

rsyslog__configuration_sections: []
rsyslog__combined_configuration_sections

The variable which combines all configuration sections variables and is used in the role tasks and templates.

rsyslog__combined_configuration_sections: '{{ rsyslog__default_configuration_sections
                                              + rsyslog__configuration_sections }}'

Rsyslog configuration rules

rsyslog__default_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list specifies the default rsyslogd configuration enabled in the role.

rsyslog__default_rules:

  - name: '00forward-logs.conf'
    state: '{{ "present"
               if (rsyslog__forward_enabled | bool and
                   rsyslog__pki | bool)
               else "absent" }}'
    options:

      - name: 'forward_logs_to_hosts'
        comment: 'Forward logs to specified hosts'
        raw: |-
          {% for element in q("flattened", (rsyslog__default_forward
                                            + rsyslog__forward
                                            + rsyslog__group_forward
                                            + rsyslog__host_forward)) %}
          {{ element.selector | d("*.*") }} action(
                type="omfwd"
                target="{{ (element.target | d(element)) | regex_replace("\.$", "") }}"
                port="{{ element.port | d('6514') }}"
                protocol="{{ element.protocol | d('tcp') }}"
                queue.type="{{ element.queue_type | d('linkedList') }}"
                queue.size="{{ element.queue_size | d('10000') }}"
                action.resumeRetryCount="{{ element.resume_retry_count | d('100') }}"
                streamDriver="{{ element.netstream_driver | d(rsyslog__default_netstream_driver) }}"
                streamDriverMode="{{ element.driver_mode | d(rsyslog__default_driver_mode) }}"
                streamDriverAuthMode="{{ element.driver_authmode | d(rsyslog__default_driver_authmode) }}"
          {% if element.driver_authmode | d(rsyslog__default_driver_authmode) != "anon" %}
          {% if rsyslog__send_permitted_peers is string %}
                streamDriverPermittedPeers="{{ rsyslog__send_permitted_peers }}"
          {% else %}
                streamDriverPermittedPeers="{{ rsyslog__send_permitted_peers | first }}"
          {% endif %}
          {% endif %}
              )
          {% endfor %}
        state: 'present'

  - name: 'cron-session.conf'
    comment: |
      Redirect PAM session information for 'cron' entries to the cron log file,
      to avoid filling up auth.log
    raw: |
      if ($msg contains "pam_unix(cron:session): session opened for user") then {
        action(
          type="omfile"
          file="/var/log/cron.log"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
      {% if rsyslog__remote_enabled | bool %}
        action(
          type="omfile"
          dynaFile="RemoteHostCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
        action(
          type="omfile"
          dynaFile="RemoteServiceCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
      {% endif %}
        stop
      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
        action(
          type="omfile"
          file="/var/log/cron.log"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
      {% if rsyslog__remote_enabled | bool %}
        action(
          type="omfile"
          dynaFile="RemoteHostCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
        action(
          type="omfile"
          dynaFile="RemoteServiceCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
      {% endif %}
        stop
      }
    state: 'present'

  - name: 'network.conf'
    comment: 'Network and TLS configuration options'
    raw: |-
      global(
        defaultNetstreamDriver="{{ rsyslog__default_netstream_driver }}"
      {% if rsyslog__pki | bool %}
        defaultNetstreamDriverCAFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_ca }}"
        defaultNetstreamDriverCertFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_crt }}"
        defaultNetstreamDriverKeyFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_key }}"
      {% endif %}
      )
    state: '{{ "present"
               if (rsyslog__remote_enabled | bool or
                   rsyslog__forward_enabled | bool)
               else "absent" }}'

  - name: 'remote.input'
    state: '{{ "present"
               if rsyslog__remote_enabled | bool
               else "absent" }}'
    options:

      - name: 'tcp_plain_module'
        comment: 'Enable plain TCP support'
        raw: |-
          module(
            load="imptcp"
          )
        state: 'present'

      - name: 'tcp_tls_module'
        comment: 'Enable GnuTLS TCP support'
        raw: |-
          module(
            load="imtcp"
            streamDriver.name="gtls"
            streamDriver.mode="1"
            streamDriver.authMode="{{ rsyslog__default_driver_authmode }}"
          {% if rsyslog__default_driver_authmode != "anon" %}
          {% if rsyslog__permitted_peers is string %}
            permittedPeer="{{ rsyslog__permitted_peers }}"
          {% else %}
            permittedPeer=["{{ rsyslog__permitted_peers | join('","') }}"]
          {% endif %}
          {% endif %}
          )
        state: '{{ "present" if rsyslog__pki | bool else "absent" }}'

      - name: 'tcp_plain_input'
        comment: 'Enable plain TCP input'
        raw: |-
          input(
              type="imptcp"
              port="514"
              ruleset="remote"
          )
        state: 'present'

      - name: 'tcp_tls_input'
        comment: 'Enable GnuTLS TCP input'
        raw: |-
          input(
            type="imtcp"
            port="6514"
            ruleset="remote"
          )
        state: '{{ "present" if rsyslog__pki | bool else "absent" }}'

  - name: '20-ufw.conf'
    divert: True
    divert_to: '65-ufw.conf'
    state: '{{ rsyslog__deploy_state
               if (ansible_distribution in ["Ubuntu"])
               else "ignore" }}'

  - name: '50-default.conf'
    divert: True
    state: '{{ "present"
               if (ansible_distribution in ["Ubuntu"])
               else "absent" }}'

  - name: 'remote.template'
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
    options:

      - name: 'remote_host_syslog'
        comment: 'Remote host system logs'
        raw: |-
          template(
            name="RemoteHostSyslog"
            type="string"
            string="/var/log/remote/hosts/%HOSTNAME%/syslog"
          )
        state: 'present'

      - name: 'remote_host_auth_log'
        comment: 'Remote host auth logs'
        raw: |-
          template(
            name="RemoteHostAuthLog"
            type="string"
            string="/var/log/remote/hosts/%HOSTNAME%/auth.log"
          )
        state: 'present'

      - name: 'remote_host_cron_log'
        comment: 'Remote host cron logs'
        raw: |-
          template(
            name="RemoteHostCronLog"
            type="string"
            string="/var/log/remote/hosts/%HOSTNAME%/cron.log"
          )
        state: 'present'

      - name: 'remote_service_auth_log'
        comment: 'Remote service auth logs'
        raw: |-
          template(
            name="RemoteServiceAuthLog"
            type="string"
            string="/var/log/remote/services/auth/auth.log"
          )
        state: 'present'

      - name: 'remote_service_cron_log'
        comment: 'Remote service cron logs'
        raw: |-
          template(
            name="RemoteServiceCronLog"
            type="string"
            string="/var/log/remote/services/cron/cron.log"
          )
        state: 'present'

      - name: 'remote_service_mail_log'
        comment: 'Remote service mail logs'
        raw: |-
          template(
            name="RemoteServiceMailLog"
            type="string"
            string="/var/log/remote/services/mail/mail.log"
          )
        state: 'present'

  - name: 'local-as-remote.ruleset'
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
    options:

      - name: 'remote_log_copy'
        comment: 'Copy of the local log files to complete remote logs'
        raw: |-
          auth,authpriv.*                ?RemoteHostAuthLog
          auth,authpriv.*                ?RemoteServiceAuthLog
          *.*;cron,auth,authpriv.none    -?RemoteHostSyslog
          cron.*                         -?RemoteHostCronLog
          cron.*                         -?RemoteServiceCronLog
          mail.*                         -?RemoteServiceMailLog
        state: 'present'

  - name: 'cron-session.remote'
    raw: |
      if ($msg contains "pam_unix(cron:session): session opened for user") then {
        action(
          type="omfile"
          dynaFile="RemoteHostCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
        action(
          type="omfile"
          dynaFile="RemoteServiceCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
        stop
      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
        action(
          type="omfile"
          dynaFile="RemoteHostCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
        action(
          type="omfile"
          dynaFile="RemoteServiceCronLog"
          fileOwner="{{ rsyslog__file_owner }}"
          fileGroup="{{ rsyslog__file_group }}"
          fileCreateMode="0640"
          dirCreateMode="0755"
        )
        stop
      }
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'

  - name: '50-dynamic-logs.remote'
    state: 'absent'

  - name: 'ruleset.remote'
    comment: 'Store remote logs in separate logfiles'
    raw: |-
      auth,authpriv.*                     ?RemoteHostAuthLog
      auth,authpriv.*                     ?RemoteServiceAuthLog
      *.*;cron,auth,authpriv.none         -?RemoteHostSyslog
      cron.*                              -?RemoteHostCronLog
      cron.*                              -?RemoteServiceCronLog
      mail.*                              -?RemoteServiceMailLog
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'

  - name: 'zz-stop.remote'
    comment: |-
      This is a workaround to support empty "remote" ruleset on
      older versions of rsyslog package.
      http://comments.gmane.org/gmane.comp.sysutils.rsyslog/15616
    raw: |-
      stop
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
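The Log forwarding variables above feed the 00forward-logs.conf template in rsyslog__default_rules, which applies a `| d(...)` fallback to every omfwd option. The following added example (not the role's own code) re-implements that rendering in Python so the effective settings of each forward target can be inspected offline, and adds an audit that flags targets whose transport is not both TLS-encrypted (driver mode 1) and peer-authenticated (x509/name). The role defaults it assumes are those for a host with rsyslog__pki enabled, and the permitted peer `*.example.org` is a constructed value.

```python
import re

# Constructed: what rsyslog__default_netstream_driver, rsyslog__default_driver_mode
# and rsyslog__default_driver_authmode resolve to when rsyslog__pki is True.
ROLE_DEFAULTS = {
    "netstream_driver": "gtls",
    "driver_mode": "1",
    "driver_authmode": "x509/name",
}

# Constructed: rsyslog__send_permitted_peers for a host in the example.org domain.
SEND_PERMITTED_PEERS = "*.example.org"


def resolve_forward_element(element, defaults=ROLE_DEFAULTS,
                            send_permitted_peers=SEND_PERMITTED_PEERS):
    """Apply the template's fallbacks to one rsyslog__*_forward entry.

    `element` is either a bare hostname (as the SRV lookup returns or as written
    in the inventory) or a dict using the keys the template reads: selector,
    target, port, protocol, queue_type, queue_size, resume_retry_count,
    netstream_driver, driver_mode, driver_authmode.
    """
    if isinstance(element, str):
        element = {"target": element}
    resolved = {
        "selector": element.get("selector", "*.*"),
        # regex_replace("\.$", "") strips the trailing dot of a DNS name.
        "target": re.sub(r"\.$", "", element["target"]),
        "port": str(element.get("port", "6514")),
        "protocol": element.get("protocol", "tcp"),
        "queue_type": element.get("queue_type", "linkedList"),
        "queue_size": str(element.get("queue_size", "10000")),
        "resume_retry_count": str(element.get("resume_retry_count", "100")),
        "netstream_driver": element.get("netstream_driver",
                                        defaults["netstream_driver"]),
        "driver_mode": str(element.get("driver_mode", defaults["driver_mode"])),
        "driver_authmode": element.get("driver_authmode",
                                       defaults["driver_authmode"]),
    }
    # streamDriverPermittedPeers is emitted only for non-anonymous auth; rsyslog
    # accepts a single peer here, so a list collapses to its first item.
    if resolved["driver_authmode"] != "anon":
        peers = send_permitted_peers
        resolved["permitted_peers"] = peers if isinstance(peers, str) else peers[0]
    else:
        resolved["permitted_peers"] = None
    return resolved


def render_omfwd(resolved):
    """Return the omfwd action block in the layout the template produces."""
    lines = [
        f'{resolved["selector"]} action(',
        '      type="omfwd"',
        f'      target="{resolved["target"]}"',
        f'      port="{resolved["port"]}"',
        f'      protocol="{resolved["protocol"]}"',
        f'      queue.type="{resolved["queue_type"]}"',
        f'      queue.size="{resolved["queue_size"]}"',
        f'      action.resumeRetryCount="{resolved["resume_retry_count"]}"',
        f'      streamDriver="{resolved["netstream_driver"]}"',
        f'      streamDriverMode="{resolved["driver_mode"]}"',
        f'      streamDriverAuthMode="{resolved["driver_authmode"]}"',
    ]
    if resolved["permitted_peers"] is not None:
        lines.append(f'      streamDriverPermittedPeers="{resolved["permitted_peers"]}"')
    lines.append("    )")
    return "\n".join(lines)


def audit_forward_targets(elements, **kwargs):
    """Return (target, reason) for entries that would leave the host without
    TLS (ptcp or gtls mode 0) or without server authentication (anon)."""
    findings = []
    for element in elements:
        r = resolve_forward_element(element, **kwargs)
        if r["netstream_driver"] != "gtls" or r["driver_mode"] != "1":
            findings.append((r["target"], "unencrypted transport"))
        elif r["driver_authmode"] == "anon":
            findings.append((r["target"], "server certificate not verified"))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one SRV-discovered server and one legacy plaintext one.
    forward = ["logs.example.org.",
               {"target": "legacy.example.org", "port": "514",
                "netstream_driver": "ptcp", "driver_mode": "0",
                "driver_authmode": "anon"}]
    for element in forward:
        print(render_omfwd(resolve_forward_element(element)))
    print(audit_forward_targets(forward))
```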
rsyslog__legacy_rules

These rules remove the old files that were used by previous debops.rsyslog role implementations. This variable will be removed in the future.

rsyslog__legacy_rules:

  - name: '00-global.conf'
    state: 'absent'

  - name: '05-common-defaults.conf'
    state: 'absent'

  - name: '10-local-modules.conf'
    state: 'absent'

  - name: '20-templates.conf'
    state: 'absent'

  - name: '40-cron.system'
    state: 'absent'

  - name: '50-default-rulesets.conf'
    state: 'absent'

  - name: '50-default.system'
    state: 'absent'
rsyslog__rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of all hosts in the inventory.

rsyslog__rules: []
rsyslog__group_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of a group of hosts in the inventory.

rsyslog__group_rules: []
rsyslog__host_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of specific hosts in the inventory.

rsyslog__host_rules: []
rsyslog__dependent_rules

List of YAML dictionaries, each dictionary should contain rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration by other Ansible roles.

rsyslog__dependent_rules: []
rsyslog__combined_rules

This variable combines all other rule variables and is used in the role tasks and templates.

rsyslog__combined_rules: '{{ rsyslog__default_rules
                             + rsyslog__legacy_rules
                             + rsyslog__rules
                             + rsyslog__group_rules
                             + rsyslog__host_rules
                             + rsyslog__dependent_rules }}'

Log rotation

rsyslog__rotation_period_system

How often to rotate local system logs.

rsyslog__rotation_period_system: 'weekly'
rsyslog__rotation_count_system

How many old logfiles to keep for local system logs.

rsyslog__rotation_count_system: '8'
rsyslog__rotation_period_remote

How often to rotate remote logs.

rsyslog__rotation_period_remote: 'weekly'
rsyslog__rotation_count_remote

How many old logfiles to keep for remote logs.

rsyslog__rotation_count_remote: '52'

Configuration for other Ansible roles

rsyslog__ferm__dependent_rules

Configuration for the debops.ferm Ansible role.

rsyslog__ferm__dependent_rules:

  - name: 'syslog_udp_tcp'
    type: 'accept'
    dport: [ '514' ]
    protocols: [ 'udp', 'tcp' ]
    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
    role: 'rsyslog'
    accept_any: False
    rule_state: '{{ "present"
                    if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                        rsyslog__remote_enabled | bool)
                    else "absent" }}'

  - name: 'syslog-tls'
    type: 'accept'
    dport: [ 'syslog-tls' ]
    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
    role: 'rsyslog'
    accept_any: False
    rule_state: '{{ "present"
                    if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                        rsyslog__remote_enabled | bool)
                    else "absent" }}'
rsyslog__logrotate__dependent_config

Configuration for the debops.logrotate Ansible role.

rsyslog__logrotate__dependent_config:

  - filename: '000rsyslog-unprivileged'
    comment: 'The rsyslog daemon is run unprivileged'
    options: |
      su root {{ rsyslog__group }}
    state: '{{ "present"
                if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                    rsyslog__unprivileged | bool)
                else "absent" }}'

  - filename: 'rsyslog'
    divert: True
    sections:

      - logs: '/var/log/syslog'
        options: |
          rotate {{ rsyslog__rotation_count_system }}
          {{ rsyslog__rotation_period_system }}
          maxsize 1G
          missingok
          notifempty
          delaycompress
          compress
        postrotate: |
          {{ "invoke-rc.d rsyslog rotate > /dev/null"
            if (ansible_distribution_release in
                 (["stretch", "trusty"]))
            else "/usr/lib/rsyslog/rsyslog-rotate" }}

      - logs: '{{ (rsyslog__default_logfiles
                   + rsyslog__logfiles)
                  | difference(["/var/log/syslog"]) | sort }}'
        options: |
          rotate {{ rsyslog__rotation_count_system }}
          {{ rsyslog__rotation_period_system }}
          maxsize 1G
          missingok
          notifempty
          compress
          delaycompress
          sharedscripts
        postrotate: |
          {{ "invoke-rc.d rsyslog rotate > /dev/null"
            if (ansible_distribution_release in
                 (["stretch", "trusty"]))
            else "/usr/lib/rsyslog/rsyslog-rotate" }}
    state: '{{ "present"
                if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent")
                else "absent" }}'

  - filename: 'rsyslog-remote'
    logs: [ '/var/log/remote/*/*/syslog', '/var/log/remote/*/*/*.log' ]
    options: |
      rotate {{ rsyslog__rotation_count_remote }}
      {{ rsyslog__rotation_period_remote }}
      maxsize 1G
      missingok
      notifempty
      compress
      delaycompress
      sharedscripts
    postrotate: |
      {{ "invoke-rc.d rsyslog rotate > /dev/null"
        if (ansible_distribution_release in
             (["stretch", "trusty"]))
        else "/usr/lib/rsyslog/rsyslog-rotate" }}
    state: '{{ "present"
                if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                    rsyslog__remote_enabled | bool)
                else "absent" }}'
rsyslog__dpkg_cleanup__dependent_packages

Configuration for the debops.dpkg_cleanup Ansible role.

rsyslog__dpkg_cleanup__dependent_packages:

  - name: 'rsyslog'
    revert_files:
      - '/etc/rsyslog.conf'
      - '/etc/logrotate.d/rsyslog'
      - '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
            | selectattr("divert", "defined") | list
            | selectattr("divert", "equalto", True) | list
            | map(attribute="name") | list
            | map("regex_replace", "^(.*)$", "/etc/rsyslog.d/\1") | list }}'
    remove_files:
      - '/etc/logrotate.d/rsyslog-remote'
      - '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
            | selectattr("divert", "undefined") | list
            | map(attribute="name") | list
            | map("regex_replace", "^(.*)$", "/etc/rsyslog.d/\1") | list }}'