debops.rsyslog default variables
General configuration
- rsyslog__enabled
Enable or disable the management of the rsyslog service using the debops.rsyslog Ansible role.
rsyslog__enabled: True
- rsyslog__deploy_state
Define the desired state of the rsyslog service on a given host: either present, to install and configure the service, or absent, to uninstall it and remove any changes applied by Ansible.
rsyslog__deploy_state: 'present'
- rsyslog__unprivileged
Enable or disable unprivileged rsyslogd operation. Warning: enabling this option requires additional configuration outside of the debops.rsyslog role. See Unprivileged syslog and encrypted connections for more details.
rsyslog__unprivileged: '{{ "True"
                          if (ansible_distribution in ["Ubuntu"])
                          else "False" }}'
- rsyslog__remote_enabled
Enable or disable support for receiving logs from remote hosts. It will be enabled automatically if a list of hosts or subnets allowed to connect to the rsyslog service is defined in the Ansible inventory.
rsyslog__remote_enabled: '{{ True
                             if (rsyslog__allow
                                 + rsyslog__group_allow
                                 + rsyslog__host_allow)
                             else False }}'
- rsyslog__forward_enabled
Enable or disable support for forwarding logs to another host. Forwarding will be enabled automatically if any forward targets are configured and support for receiving logs via the rsyslog__remote_enabled variable is not active.
rsyslog__forward_enabled: '{{ True
                              if q("flattened", (rsyslog__default_forward
                                                 + rsyslog__forward
                                                 + rsyslog__group_forward
                                                 + rsyslog__host_forward))
                              else False }}'
APT packages
- rsyslog__base_packages
List of default APT packages to install.
rsyslog__base_packages: [ 'rsyslog' ]
- rsyslog__tls_packages
List of APT packages required for TLS support.
rsyslog__tls_packages: [ 'rsyslog-gnutls' ]
- rsyslog__packages
List of additional APT packages to install.
rsyslog__packages: []
User, group, home, file ownership
- rsyslog__user
The unprivileged system user account used by the rsyslogd daemon when unprivileged operation is enabled.
rsyslog__user: '{{ "syslog" if rsyslog__unprivileged | bool else "root" }}'
- rsyslog__group
The unprivileged system group account used by the rsyslogd daemon when unprivileged operation is enabled.
rsyslog__group: '{{ "syslog" if rsyslog__unprivileged | bool else "root" }}'
- rsyslog__append_groups
List of additional UNIX groups to add the rsyslog user to. The ssl-cert UNIX group is used for access to the X.509 private key.
rsyslog__append_groups: '{{ ["ssl-cert"] if (rsyslog__unprivileged | bool
                                             and rsyslog__pki | bool) else [] }}'
- rsyslog__home
The home directory of the rsyslog__user user, dependent on the OS defaults. Takes effect only when the unprivileged mode is enabled.
rsyslog__home: '{{ "/home/syslog"
                   if (ansible_distribution in ["Ubuntu"])
                   else "/var/log" }}'
- rsyslog__file_owner
The account which will be set as the owner of the log files generated by rsyslogd. When unprivileged mode is enabled, it should be the same as the rsyslogd user account.
rsyslog__file_owner: '{{ rsyslog__user }}'
- rsyslog__file_group
The system group which will be set as the default group of the log files generated by rsyslogd.
rsyslog__file_group: 'adm'
- rsyslog__default_logfiles
List of default logfiles managed by the debops.rsyslog role. This list is used in the debops.logrotate configuration to create log rotation, as well as to change the file owner/group when unprivileged operation is enabled.
rsyslog__default_logfiles:
  - '/var/log/syslog'
  - '/var/log/kern.log'
  - '/var/log/auth.log'
  - '/var/log/user.log'
  - '/var/log/daemon.log'
  - '/var/log/messages'
  - '/var/log/mail.log'
  - '/var/log/mail.info'
  - '/var/log/mail.warn'
  - '/var/log/mail.err'
  - '/var/log/cron.log'
  - '/var/log/lpr.log'
  - '/var/log/debug'
- rsyslog__logfiles
List of additional logfiles managed by the debops.rsyslog role.
rsyslog__logfiles: []
Encrypted communication
- rsyslog__pki
Enable or disable support for X.509 certificates managed by the debops.pki role, used for TLS connections.
rsyslog__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
- rsyslog__pki_path
Path to the directory with PKI realms.
rsyslog__pki_path: '{{ ansible_local.pki.path | d("/etc/pki") }}'
- rsyslog__pki_realm
Name of the PKI realm to use with rsyslogd.
rsyslog__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
- rsyslog__pki_ca
Name of the root CA certificate used by the debops.rsyslog role.
rsyslog__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
- rsyslog__pki_crt
Name of the client certificate file used by the debops.rsyslog role.
rsyslog__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
- rsyslog__pki_key
Name of the private key file used by the debops.rsyslog role.
rsyslog__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
- rsyslog__default_netstream_driver
Specify the default NetStream driver used by the imtcp module. The gtls driver will be enabled by default if support for PKI is enabled, otherwise ptcp will be used.
rsyslog__default_netstream_driver: '{{ "gtls"
                                       if rsyslog__pki | bool
                                       else "ptcp" }}'
- rsyslog__default_driver_mode
The NetStream driver mode. The ptcp driver only supports mode 0 (unencrypted transmission). The gtls driver supports modes 0 (unencrypted transmission, just like the ptcp driver) and 1 (TLS-protected operation). Ref: https://rsyslog.readthedocs.io/en/latest/concepts/netstrm_drvr.html
rsyslog__default_driver_mode: '{{ "1"
                                  if rsyslog__default_netstream_driver == "gtls"
                                  else "0" }}'
- rsyslog__default_driver_authmode
Specify the default network driver authentication mode. Currently only x509/name or anon are available.
rsyslog__default_driver_authmode: '{{ "x509/name"
                                      if rsyslog__default_netstream_driver == "gtls" and
                                         rsyslog__default_driver_mode == "1"
                                      else "anon" }}'
- rsyslog__domain
The default DNS domain used to accept incoming logs from remote hosts.
rsyslog__domain: '{{ ansible_domain }}'
- rsyslog__permitted_peers
List of hostnames, IP addresses or wildcard DNS domains which will be allowed by the rsyslogd server to connect and send logs over TLS.
rsyslog__permitted_peers: [ '*.{{ rsyslog__domain }}' ]
- rsyslog__send_permitted_peers
Hostname, IP address or wildcard DNS domain which will be verified by the rsyslogd client before it connects and sends logs to the remote server over TLS. Currently only one peer is supported by rsyslog.
rsyslog__send_permitted_peers: '{{ rsyslog__permitted_peers | first }}'
Firewall, UDP, TCP ports
- rsyslog__allow
List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for all hosts in the inventory.
rsyslog__allow: []
- rsyslog__group_allow
List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for a specific group of hosts in the inventory.
rsyslog__group_allow: []
- rsyslog__host_allow
List of IP addresses or CIDR subnets which should be allowed to connect to rsyslogd ports by the firewall. This variable should be used for specific hosts in the inventory.
rsyslog__host_allow: []
Log forwarding
The variables below define lists of syslog servers to which the logs generated by a given host will be forwarded. The role will create the /etc/rsyslog.d/00forward-logs.conf configuration file with configuration for each host defined here. See the rsyslog__forward documentation for more details.
- rsyslog__syslog_srv_rr
List which contains the result of the DNS query for syslog server SRV resource records in the host's domain. See https://tools.ietf.org/html/draft-schoenw-opsawg-nm-srv-03 for details.
rsyslog__syslog_srv_rr: '{{ q("debops.debops.dig_srv", "_syslog._tcp." + rsyslog__domain,
                              "syslog." + rsyslog__domain, 6514) }}'
- rsyslog__default_forward
List of the hosts detected via the DNS SRV resource records to which log messages will be forwarded. If multiple servers are configured in the SRV record, logs will be sent to all of them.
rsyslog__default_forward: '{{ rsyslog__syslog_srv_rr
                              if (rsyslog__syslog_srv_rr[0]["dig_srv_src"] | d("") != "fallback" and
                                  not rsyslog__remote_enabled | bool and
                                  rsyslog__pki | bool)
                              else [] }}'
- rsyslog__forward
List of rsyslogd options that configure log forwarding for all hosts in the inventory. See rsyslog__forward for more details.
rsyslog__forward: []
- rsyslog__group_forward
List of rsyslogd options that configure log forwarding for hosts in a specific group. See rsyslog__forward for more details.
rsyslog__group_forward: []
- rsyslog__host_forward
List of rsyslogd options that configure log forwarding for specific hosts in the Ansible inventory. See rsyslog__forward for more details.
rsyslog__host_forward: []
Main rsyslog configuration
The variables below define the contents of the /etc/rsyslog.conf configuration file. See rsyslog__configuration for more details.
- rsyslog__original_configuration
The original configuration options included in the Debian package.
rsyslog__original_configuration:

  - name: 'module_imuxsock'
    comment: 'Provides support for local system logging'
    raw: |
      module(load="imuxsock")
    state: 'present'
    section: 'modules'

  - name: 'module_imklog'
    comment: 'Provides kernel logging support'
    raw: |
      module(load="imklog")
    state: 'present'
    section: 'modules'

  - name: 'module_immark'
    comment: 'Provides --MARK-- message capability'
    raw: |
      module(load="immark")
    state: 'comment'
    section: 'modules'

  - name: 'module_imudp'
    comment: 'Provides UDP syslog reception'
    raw: |
      module(load="imudp")
      input(type="imudp" port="514")
    state: 'comment'
    section: 'modules'

  - name: 'module_imtcp'
    comment: 'Provides TCP syslog reception'
    raw: |
      module(load="imtcp")
      input(type="imtcp" port="514")
    state: 'comment'
    section: 'modules'

  - name: 'default_template'
    comment: |
      Use traditional timestamp format.
      To enable high precision timestamps, comment out the following line.
    raw: |
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    state: 'present'
    section: 'global'

  - name: 'default_permissions'
    comment: 'Set the default permissions for all log files.'
    raw: |
      $FileOwner root
      $FileGroup adm
      $FileCreateMode 0640
      $DirCreateMode 0755
      $Umask 0022
    state: 'present'
    section: 'global'

  - name: 'spool_state'
    comment: 'Where to place spool and state files'
    raw: |
      $WorkDirectory /var/spool/rsyslog
    state: 'present'
    section: 'global'

  - name: 'include_config'
    comment: 'Include all config files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.conf
    state: 'present'
    section: 'global'

  - name: 'auth_facility'
    comment: 'First some standard log files. Log by facility.'
    raw: |
      auth,authpriv.*                 /var/log/auth.log
      *.*;auth,authpriv.none          -/var/log/syslog
    state: 'present'
    section: 'rules'

  - name: 'cron_facility'
    raw: |
      cron.*                          /var/log/cron.log
    state: 'comment'
    section: 'rules'

  - name: 'daemon_facility'
    raw: |
      daemon.*                        -/var/log/daemon.log
    state: 'present'
    section: 'rules'

  - name: 'kern_facility'
    raw: |
      kern.*                          -/var/log/kern.log
    state: 'present'
    section: 'rules'

  - name: 'lpr_facility'
    raw: |
      lpr.*                           -/var/log/lpr.log
    state: 'present'
    section: 'rules'

  - name: 'mail_facility'
    raw: |
      mail.*                          -/var/log/mail.log
    state: 'present'
    section: 'rules'

  - name: 'user_facility'
    raw: |
      user.*                          -/var/log/user.log
    state: 'present'
    section: 'rules'

  - name: 'mail_log'
    comment: |
      Logging for the mail system. Split it up so that
      it is easy to write scripts to parse these files.
    raw: |
      mail.info                       -/var/log/mail.info
      mail.warn                       -/var/log/mail.warn
      mail.err                        /var/log/mail.err
    state: 'present'
    section: 'rules'

  - name: 'debug_log'
    comment: 'Some "catch-all" log files.'
    raw: |
      *.=debug;\
              auth,authpriv.none;\
              news.none;mail.none     -/var/log/debug
    state: 'present'
    section: 'rules'

  - name: 'messages'
    raw: |
      *.=info;*.=notice;*.=warn;\
              auth,authpriv.none;\
              cron,daemon.none;\
              mail,news.none          -/var/log/messages
    state: 'present'
    section: 'rules'

  - name: 'emergencies'
    comment: 'Emergencies are sent to everybody logged in.'
    raw: |
      *.emerg                         :omusrmsg:*
    state: 'present'
    section: 'rules'
- rsyslog__default_configuration
The default rsyslog configuration defined by the role.
rsyslog__default_configuration:

  # Don't load the kernel input module in Linux Containers
  - name: 'module_imklog'
    state: '{{ "comment"
               if (ansible_virtualization_type in ["lxc", "docker", "openvz"])
               else "ignore" }}'

  - name: 'module_imudp'
    raw: |
      module(load="imudp")
      input(type="imudp" port="514" ruleset="remote")
    state: '{{ "present" if rsyslog__remote_enabled | bool else "comment" }}'

  - name: 'include_modules'
    comment: 'Include *.input files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.input
    state: 'present'
    section: 'modules'

  - name: 'default_permissions'
    raw: |
      $FileOwner {{ rsyslog__file_owner }}
      $FileGroup {{ rsyslog__file_group }}
      $FileCreateMode 0640
      $DirCreateMode 0755
      $Umask 0022
      {% if rsyslog__unprivileged | bool %}
      $PrivDropToUser {{ rsyslog__user }}
      $PrivDropToGroup {{ rsyslog__group }}
      {% endif %}
    state: 'present'

  - name: 'cron_facility'
    state: 'present'

  - name: 'include_templates'
    comment: 'Include *.template files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.template
    state: 'present'
    section: 'global'
    copy_id_from: 'default_template'

  - name: 'include_outputs'
    comment: 'Include *.output files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.output
    state: 'present'
    section: 'global'

  - name: 'include_rules'
    comment: 'Include *.ruleset files in /etc/rsyslog.d/'
    raw: |
      $IncludeConfig /etc/rsyslog.d/*.ruleset
    state: 'present'
    section: 'rules'

  - name: 'include_remote_rules'
    comment: 'Include *.remote files in /etc/rsyslog.d/'
    raw: |
      ruleset(name="remote") {
        $IncludeConfig /etc/rsyslog.d/*.remote
      }
    section: 'rules'
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
- rsyslog__configuration
The rsyslog configuration options defined on all hosts in the Ansible inventory.
rsyslog__configuration: []
- rsyslog__group_configuration
The rsyslog configuration options defined on hosts in a specific Ansible inventory group.
rsyslog__group_configuration: []
- rsyslog__host_configuration
The rsyslog configuration options defined on specific hosts in the Ansible inventory.
rsyslog__host_configuration: []
- rsyslog__combined_configuration
The variable which combines all other main configuration variables and is used in the role tasks and templates.
rsyslog__combined_configuration: '{{ rsyslog__original_configuration
                                     + rsyslog__default_configuration
                                     + rsyslog__configuration
                                     + rsyslog__group_configuration
                                     + rsyslog__host_configuration }}'
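The facility rules in rsyslog__original_configuration decide which local file a message lands in, and the combined selectors (`*.*;auth,authpriv.none`, `*.=debug;...;mail.none`) are easy to misread. The following Python example is added here and is not part of the role or of rsyslog: it parses the classic selector syntax used above (comma-separated facilities, `*`, `=` for one exact priority, `none` to drop a facility, `!` to negate, `;`-separated selectors applied left to right as sysklogd/rsyslog do, and a leading `-` on the target for asynchronous writes) and routes constructed messages through a constructed copy of the rules with `state: 'present'`, with the backslash-continued lines joined. It assumes standard syslog semantics (`facility.warn` means warn and more severe) and that classic rules have no implicit `stop`, so every matching rule fires.

```python
import re
from typing import Dict, List, Set, Tuple

# Syslog priorities from least to most severe; "facility.warn" means warn and up.
PRIORITIES = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warning": "warn", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Constructed copy of the 'present' file rules from rsyslog__original_configuration
# (the cron.* rule is shipped commented out, so it is left out here).
ORIGINAL_RULES = """
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
*.=debug;auth,authpriv.none;news.none;mail.none                                -/var/log/debug
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none   -/var/log/messages
"""

Rule = Tuple[Dict[str, Set[str]], str, bool]


def _severity_at_least(prio: str) -> Set[str]:
    """Priorities as severe as 'prio' or more severe."""
    return set(PRIORITIES[PRIORITIES.index(prio):])


def parse_selector(selector: str) -> Dict[str, Set[str]]:
    """Turn 'fac1,fac2.prio;fac3.none' into {facility: set of matching priorities}.

    Selectors are applied left to right: a plain priority ORs in that priority
    and everything more severe, '=' adds exactly one priority, 'none' clears
    the facility, and a leading '!' removes instead of adds.
    """
    mask: Dict[str, Set[str]] = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        fac_spec, _, prio_spec = part.strip().rpartition(".")
        if not fac_spec:
            raise ValueError(f"bad selector: {part!r}")
        facilities = FACILITIES if fac_spec == "*" else [f.strip() for f in fac_spec.split(",")]
        negate = prio_spec.startswith("!")
        prio_spec = prio_spec.lstrip("!")
        exact = prio_spec.startswith("=")
        prio = prio_spec.lstrip("=")
        prio = PRIORITY_ALIASES.get(prio, prio)
        for fac in facilities:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac!r}")
            if prio == "none":
                mask[fac] = set(PRIORITIES) if negate else set()
            elif prio == "*":
                mask[fac] = set() if negate else set(PRIORITIES)
            else:
                if prio not in PRIORITIES:
                    raise ValueError(f"unknown priority: {prio!r}")
                bits = {prio} if exact else _severity_at_least(prio)
                mask[fac] = mask[fac] - bits if negate else mask[fac] | bits
    return mask


def parse_rules(text: str) -> List[Rule]:
    """Parse 'selector  [-]/path' lines into (mask, path, synchronous) tuples."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = re.split(r"\s+", line, maxsplit=1)
        synchronous = not target.startswith("-")   # '-' means buffered/async write
        rules.append((parse_selector(selector), target.lstrip("-"), synchronous))
    return rules


def route(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Files a message with this facility/priority is written to, in rule order."""
    priority = PRIORITY_ALIASES.get(priority, priority)
    return [path for mask, path, _ in rules if priority in mask.get(facility, set())]


if __name__ == "__main__":
    rules = parse_rules(ORIGINAL_RULES)
    for fac, prio in [("auth", "info"), ("kern", "warn"), ("mail", "err"),
                      ("cron", "info"), ("daemon", "debug")]:
        print(f"{fac}.{prio:<6} -> {', '.join(route(rules, fac, prio))}")
```

Running it shows why the role adds its own cron.log rule and the cron-session filter: a `cron.info` message only reaches /var/log/syslog with the Debian defaults, while `auth.info` goes to auth.log alone because every other rule names `auth,authpriv.none`.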
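rsyslog__combined_configuration concatenates five lists in which the same `name` appears more than once (`module_imklog`, `module_imudp` and `cron_facility` are all redefined in rsyslog__default_configuration with only a subset of keys). The Python example below is added here and is not the role's code: it models, as an assumption about the debops.debops.parse_kv_items filter, a merge by `name` in which later entries override the keys they carry, keep the rest, and `state: 'ignore'` entries are skipped so the original entry stays untouched. The configuration excerpts are constructed from the page's variables and the Jinja conditions are evaluated in Python for two constructed hosts.

```python
from itertools import chain
from typing import Any, Dict, Iterable, List

ConfigEntry = Dict[str, Any]

# Constructed excerpt of rsyslog__original_configuration: three entries are enough
# to show the three kinds of override the role applies.
ORIGINAL_CONFIGURATION: List[ConfigEntry] = [
    {"name": "module_imklog", "comment": "Provides kernel logging support",
     "raw": 'module(load="imklog")\n', "state": "present", "section": "modules"},
    {"name": "module_imudp", "comment": "Provides UDP syslog reception",
     "raw": 'module(load="imudp")\ninput(type="imudp" port="514")\n',
     "state": "comment", "section": "modules"},
    {"name": "cron_facility", "raw": "cron.*  /var/log/cron.log\n",
     "state": "comment", "section": "rules"},
]


def default_configuration(virtualization_type: str, remote_enabled: bool) -> List[ConfigEntry]:
    """The conditional entries of rsyslog__default_configuration, with the Jinja
    expressions evaluated in Python for the given host facts."""
    return [
        # Containers get no kernel log module; elsewhere 'ignore' leaves the original alone.
        {"name": "module_imklog",
         "state": "comment" if virtualization_type in ("lxc", "docker", "openvz") else "ignore"},
        # The UDP input is re-pointed at the "remote" ruleset and only enabled with remote logging.
        {"name": "module_imudp",
         "raw": 'module(load="imudp")\ninput(type="imudp" port="514" ruleset="remote")\n',
         "state": "present" if remote_enabled else "comment"},
        # cron.log is enabled by the role even though Debian ships the rule commented out.
        {"name": "cron_facility", "state": "present"},
    ]


def merge_by_name(*lists: Iterable[ConfigEntry]) -> List[ConfigEntry]:
    """Merge entry lists by 'name' (assumed parse_kv_items behaviour): keys of later
    entries override earlier ones, keys not repeated are kept, 'ignore' is skipped."""
    merged: Dict[str, ConfigEntry] = {}
    for entry in chain.from_iterable(lists):
        if entry.get("state") == "ignore":
            continue
        name = entry["name"]
        if name in merged:
            merged[name].update(entry)
        else:
            merged[name] = dict(entry)
    return list(merged.values())


def effective_state(entries: List[ConfigEntry], name: str) -> str:
    """State of a named entry after merging ('present' when not set)."""
    return next(e.get("state", "present") for e in entries if e["name"] == name)


def render(entries: List[ConfigEntry]) -> str:
    """Render merged entries as rsyslog.conf text: 'absent' entries are dropped,
    'comment' entries are written with every raw line commented out."""
    lines: List[str] = []
    for entry in entries:
        state = entry.get("state", "present")
        if state == "absent":
            continue
        lines.extend(f"# {c}" for c in entry.get("comment", "").splitlines())
        lines.extend(f"#{raw}" if state == "comment" else raw
                     for raw in entry.get("raw", "").splitlines())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    container = merge_by_name(ORIGINAL_CONFIGURATION, default_configuration("docker", False))
    print("--- docker container, no remote logging ---")
    print(render(container))
    vm = merge_by_name(ORIGINAL_CONFIGURATION, default_configuration("kvm", True))
    print("--- VM, remote logging enabled ---")
    print(render(vm))
```

The rendered output for the container shows `module(load="imklog")` commented out and the UDP input still disabled but already pointing at the `remote` ruleset; for the VM with remote logging the kernel module stays as Debian ships it and the UDP input is live on port 514.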
Main configuration sections
The variables below define the configuration sections inside the /etc/rsyslog.conf configuration file. See rsyslog__configuration_sections for more details.
- rsyslog__default_configuration_sections
The default configuration sections defined by the role.
rsyslog__default_configuration_sections:

  - name: 'modules'

  - name: 'global'
    title: 'Global directives'

  - name: 'templates'
    state: 'hidden'

  - name: 'output'
    title: 'Output channels'
    state: 'hidden'

  - name: 'rules'

  - name: 'unknown'
    title: 'Other options'
- rsyslog__configuration_sections
The configuration sections defined by the user.
rsyslog__configuration_sections: []
- rsyslog__combined_configuration_sections
The variable which combines all configuration sections variables and is used in the role tasks and templates.
rsyslog__combined_configuration_sections: '{{ rsyslog__default_configuration_sections
                                              + rsyslog__configuration_sections }}'
Rsyslog configuration rules
- rsyslog__default_rules
List of YAML dictionaries, each of which contains rsyslogd configuration in a special format. See rsyslog__rules for more details. This list specifies the default rsyslogd configuration enabled in the role.
rsyslog__default_rules:

  - name: '00forward-logs.conf'
    state: '{{ "present"
               if (rsyslog__forward_enabled | bool and
                   rsyslog__pki | bool)
               else "absent" }}'
    options:

      - name: 'forward_logs_to_hosts'
        comment: 'Forward logs to specified hosts'
        raw: |-
          {% for element in q("flattened", (rsyslog__default_forward
                                             + rsyslog__forward
                                             + rsyslog__group_forward
                                             + rsyslog__host_forward)) %}
          {{ element.selector | d("*.*") }} action(
              type="omfwd"
              target="{{ (element.target | d(element)) | regex_replace("\.$", "") }}"
              port="{{ element.port | d('6514') }}"
              protocol="{{ element.protocol | d('tcp') }}"
              queue.type="{{ element.queue_type | d('linkedList') }}"
              queue.size="{{ element.queue_size | d('10000') }}"
              action.resumeRetryCount="{{ element.resume_retry_count | d('100') }}"
              streamDriver="{{ element.netstream_driver | d(rsyslog__default_netstream_driver) }}"
              streamDriverMode="{{ element.driver_mode | d(rsyslog__default_driver_mode) }}"
              streamDriverAuthMode="{{ element.driver_authmode | d(rsyslog__default_driver_authmode) }}"
          {% if element.driver_authmode | d(rsyslog__default_driver_authmode) != "anon" %}
          {%   if rsyslog__send_permitted_peers is string %}
              streamDriverPermittedPeers="{{ rsyslog__send_permitted_peers }}"
          {%   else %}
              streamDriverPermittedPeers="{{ rsyslog__send_permitted_peers | first }}"
          {%   endif %}
          {% endif %}
          )
          {% endfor %}
        state: 'present'

  - name: 'cron-session.conf'
    comment: |
      Redirect PAM session information for 'cron' entries to the cron log file,
      to avoid filling up auth.log
    raw: |
      if ($msg contains "pam_unix(cron:session): session opened for user") then {
          action(
              type="omfile"
              file="/var/log/cron.log"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
      {% if rsyslog__remote_enabled | bool %}
          action(
              type="omfile"
              dynaFile="RemoteHostCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
          action(
              type="omfile"
              dynaFile="RemoteServiceCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
      {% endif %}
          stop
      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
          action(
              type="omfile"
              file="/var/log/cron.log"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
      {% if rsyslog__remote_enabled | bool %}
          action(
              type="omfile"
              dynaFile="RemoteHostCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
          action(
              type="omfile"
              dynaFile="RemoteServiceCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
      {% endif %}
          stop
      }
    state: 'present'

  - name: 'network.conf'
    comment: 'Network and TLS configuration options'
    raw: |-
      global(
          defaultNetstreamDriver="{{ rsyslog__default_netstream_driver }}"
      {% if rsyslog__pki | bool %}
          defaultNetstreamDriverCAFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_ca }}"
          defaultNetstreamDriverCertFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_crt }}"
          defaultNetstreamDriverKeyFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_key }}"
      {% endif %}
      )
    state: '{{ "present"
               if (rsyslog__remote_enabled | bool or
                   rsyslog__forward_enabled | bool)
               else "absent" }}'

  - name: 'remote.input'
    state: '{{ "present"
               if rsyslog__remote_enabled | bool
               else "absent" }}'
    options:

      - name: 'tcp_plain_module'
        comment: 'Enable plain TCP support'
        raw: |-
          module(
              load="imptcp"
          )
        state: 'present'

      - name: 'tcp_tls_module'
        comment: 'Enable GnuTLS TCP support'
        raw: |-
          module(
              load="imtcp"
              streamDriver.name="gtls"
              streamDriver.mode="1"
              streamDriver.authMode="{{ rsyslog__default_driver_authmode }}"
          {% if rsyslog__default_driver_authmode != "anon" %}
          {%   if rsyslog__permitted_peers is string %}
              permittedPeer="{{ rsyslog__permitted_peers }}"
          {%   else %}
              permittedPeer=["{{ rsyslog__permitted_peers | join('","') }}"]
          {%   endif %}
          {% endif %}
          )
        state: '{{ "present" if rsyslog__pki | bool else "absent" }}'

      - name: 'tcp_plain_input'
        comment: 'Enable plain TCP input'
        raw: |-
          input(
              type="imptcp"
              port="514"
              ruleset="remote"
          )
        state: 'present'

      - name: 'tcp_tls_input'
        comment: 'Enable GnuTLS TCP input'
        raw: |-
          input(
              type="imtcp"
              port="6514"
              ruleset="remote"
          )
        state: '{{ "present" if rsyslog__pki | bool else "absent" }}'

  - name: '20-ufw.conf'
    divert: True
    divert_to: '65-ufw.conf'
    state: '{{ rsyslog__deploy_state
               if (ansible_distribution in ["Ubuntu"])
               else "ignore" }}'

  - name: '50-default.conf'
    divert: True
    state: '{{ "present"
               if (ansible_distribution in ["Ubuntu"])
               else "absent" }}'

  - name: 'remote.template'
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
    options:

      - name: 'remote_host_syslog'
        comment: 'Remote host system logs'
        raw: |-
          template(
              name="RemoteHostSyslog"
              type="string"
              string="/var/log/remote/hosts/%HOSTNAME%/syslog"
          )
        state: 'present'

      - name: 'remote_host_auth_log'
        comment: 'Remote host auth logs'
        raw: |-
          template(
              name="RemoteHostAuthLog"
              type="string"
              string="/var/log/remote/hosts/%HOSTNAME%/auth.log"
          )
        state: 'present'

      - name: 'remote_host_cron_log'
        comment: 'Remote host cron logs'
        raw: |-
          template(
              name="RemoteHostCronLog"
              type="string"
              string="/var/log/remote/hosts/%HOSTNAME%/cron.log"
          )
        state: 'present'

      - name: 'remote_service_auth_log'
        comment: 'Remote service auth logs'
        raw: |-
          template(
              name="RemoteServiceAuthLog"
              type="string"
              string="/var/log/remote/services/auth/auth.log"
          )
        state: 'present'

      - name: 'remote_service_cron_log'
        comment: 'Remote service cron logs'
        raw: |-
          template(
              name="RemoteServiceCronLog"
              type="string"
              string="/var/log/remote/services/cron/cron.log"
          )
        state: 'present'

      - name: 'remote_service_mail_log'
        comment: 'Remote service mail logs'
        raw: |-
          template(
              name="RemoteServiceMailLog"
              type="string"
              string="/var/log/remote/services/mail/mail.log"
          )
        state: 'present'

  - name: 'local-as-remote.ruleset'
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
    options:

      - name: 'remote_log_copy'
        comment: 'Copy of the local log files to complete remote logs'
        raw: |-
          auth,authpriv.*                 ?RemoteHostAuthLog
          auth,authpriv.*                 ?RemoteServiceAuthLog
          *.*;cron,auth,authpriv.none     -?RemoteHostSyslog
          cron.*                          -?RemoteHostCronLog
          cron.*                          -?RemoteServiceCronLog
          mail.*                          -?RemoteServiceMailLog
        state: 'present'

  - name: 'cron-session.remote'
    raw: |
      if ($msg contains "pam_unix(cron:session): session opened for user") then {
          action(
              type="omfile"
              dynaFile="RemoteHostCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
          action(
              type="omfile"
              dynaFile="RemoteServiceCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
          stop
      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
          action(
              type="omfile"
              dynaFile="RemoteHostCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
          action(
              type="omfile"
              dynaFile="RemoteServiceCronLog"
              fileOwner="{{ rsyslog__file_owner }}"
              fileGroup="{{ rsyslog__file_group }}"
              fileCreateMode="0640"
              dirCreateMode="0755"
          )
          stop
      }
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'

  - name: '50-dynamic-logs.remote'
    state: 'absent'

  - name: 'ruleset.remote'
    comment: 'Store remote logs in separate logfiles'
    raw: |-
      auth,authpriv.*                 ?RemoteHostAuthLog
      auth,authpriv.*                 ?RemoteServiceAuthLog
      *.*;cron,auth,authpriv.none     -?RemoteHostSyslog
      cron.*                          -?RemoteHostCronLog
      cron.*                          -?RemoteServiceCronLog
      mail.*                          -?RemoteServiceMailLog
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'

  - name: 'zz-stop.remote'
    comment: |-
      This is a workaround to support empty "remote" ruleset on
      older versions of rsyslog package.
      http://comments.gmane.org/gmane.comp.sysutils.rsyslog/15616
    raw: |-
      stop
    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
- rsyslog__legacy_rules
These rules remove the old files that were used by previous debops.rsyslog role implementations. This variable will be removed in the future.
rsyslog__legacy_rules:

  - name: '00-global.conf'
    state: 'absent'

  - name: '05-common-defaults.conf'
    state: 'absent'

  - name: '10-local-modules.conf'
    state: 'absent'

  - name: '20-templates.conf'
    state: 'absent'

  - name: '40-cron.system'
    state: 'absent'

  - name: '50-default-rulesets.conf'
    state: 'absent'

  - name: '50-default.system'
    state: 'absent'
- rsyslog__rules
List of YAML dictionaries, each of which contains rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of all hosts in the inventory.
rsyslog__rules: []
- rsyslog__group_rules
List of YAML dictionaries, each of which contains rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of a group of hosts in the inventory.
rsyslog__group_rules: []
- rsyslog__host_rules
List of YAML dictionaries, each of which contains rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration of specific hosts in the inventory.
rsyslog__host_rules: []
- rsyslog__dependent_rules
List of YAML dictionaries, each of which contains rsyslogd configuration in a special format. See rsyslog__rules for more details. This list should be used for configuration by other Ansible roles.
rsyslog__dependent_rules: []
- rsyslog__combined_rules
This variable combines all other rule variables and is used in the role tasks and templates.
rsyslog__combined_rules: '{{ rsyslog__default_rules
                             + rsyslog__legacy_rules
                             + rsyslog__rules
                             + rsyslog__group_rules
                             + rsyslog__host_rules
                             + rsyslog__dependent_rules }}'
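The forward lists documented under "Log forwarding" (rsyslog__forward, rsyslog__group_forward, rsyslog__host_forward and the SRV-derived rsyslog__default_forward) are consumed by the forward_logs_to_hosts template in rsyslog__default_rules above, which accepts either a bare hostname or a dictionary with selector, port, driver and queue keys. The Python example below is added here and is not the role's code: it re-implements that template's logic in plain Python (no Jinja) so the resulting omfwd actions can be inspected offline. It reproduces the role's defaults (port 6514, tcp, linkedList queue of 10000, 100 resume retries, driver/mode/authmode derived from rsyslog__pki as the page defines them), strips the trailing dot that dig_srv results carry, emits streamDriverPermittedPeers only when the auth mode is not anon, and takes the first element of rsyslog__send_permitted_peers when it is a list. The target names and the helper function names are constructed for the example.

```python
import re
from typing import Any, Dict, List, Union

ForwardTarget = Union[str, Dict[str, Any]]


def netstream_defaults(pki_enabled: bool) -> Dict[str, str]:
    """rsyslog__default_netstream_driver / _driver_mode / _driver_authmode
    as the page defines them: gtls/1/x509-name with PKI, ptcp/0/anon without."""
    driver = "gtls" if pki_enabled else "ptcp"
    mode = "1" if driver == "gtls" else "0"
    authmode = "x509/name" if (driver == "gtls" and mode == "1") else "anon"
    return {"netstream_driver": driver, "driver_mode": mode, "driver_authmode": authmode}


def render_forward_action(element: ForwardTarget, defaults: Dict[str, str],
                          send_permitted_peers: Union[str, List[str]]) -> str:
    """Render one omfwd action the way the 00forward-logs.conf template does."""
    e = element if isinstance(element, dict) else {"target": element}
    if "target" not in e:
        raise ValueError("a forward element needs a 'target'")
    target = re.sub(r"\.$", "", str(e["target"]))   # drop the FQDN trailing dot
    authmode = str(e.get("driver_authmode", defaults["driver_authmode"]))
    lines = [
        f'{e.get("selector", "*.*")} action(',
        '    type="omfwd"',
        f'    target="{target}"',
        f'    port="{e.get("port", "6514")}"',
        f'    protocol="{e.get("protocol", "tcp")}"',
        f'    queue.type="{e.get("queue_type", "linkedList")}"',
        f'    queue.size="{e.get("queue_size", "10000")}"',
        f'    action.resumeRetryCount="{e.get("resume_retry_count", "100")}"',
        f'    streamDriver="{e.get("netstream_driver", defaults["netstream_driver"])}"',
        f'    streamDriverMode="{e.get("driver_mode", defaults["driver_mode"])}"',
        f'    streamDriverAuthMode="{authmode}"',
    ]
    if authmode != "anon":
        # The template only supports one peer: a string, or the first list element.
        peer = send_permitted_peers if isinstance(send_permitted_peers, str) else send_permitted_peers[0]
        lines.append(f'    streamDriverPermittedPeers="{peer}"')
    lines.append(")")
    return "\n".join(lines)


def render_forward_config(targets: List[ForwardTarget], defaults: Dict[str, str],
                          send_permitted_peers: Union[str, List[str]]) -> str:
    """The whole 00forward-logs.conf body for a flattened list of forward elements."""
    return "\n".join(render_forward_action(t, defaults, send_permitted_peers) for t in targets)


# Constructed inventory: one SRV-style target with a trailing dot, one explicit
# dictionary that forwards only auth logs over plain TCP to a different port.
SAMPLE_TARGETS: List[ForwardTarget] = [
    "syslog.example.org.",
    {"selector": "auth,authpriv.*", "target": "siem.example.org", "port": "10514",
     "netstream_driver": "ptcp", "driver_mode": "0", "driver_authmode": "anon"},
]

if __name__ == "__main__":
    print(render_forward_config(SAMPLE_TARGETS, netstream_defaults(True), ["*.example.org"]))
```

Reading the output side by side with the template makes the security-relevant default visible: with rsyslog__pki enabled the first target is verified by certificate name against the permitted peer, while the explicit `driver_authmode: 'anon'` entry sends over plain TCP with no peer verification at all, which is the trade-off an operator accepts when overriding the defaults.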
Log rotation
- rsyslog__rotation_period_system
How often to rotate local system logs.
rsyslog__rotation_period_system: 'weekly'
- rsyslog__rotation_count_system
How many old logfiles to keep for local system logs.
rsyslog__rotation_count_system: '8'
- rsyslog__rotation_period_remote
How often to rotate remote logs.
rsyslog__rotation_period_remote: 'weekly'
- rsyslog__rotation_count_remote
How many old logfiles to keep for remote logs.
rsyslog__rotation_count_remote: '52'
Configuration for other Ansible roles
- rsyslog__ferm__dependent_rules
Configuration for the debops.ferm Ansible role.
rsyslog__ferm__dependent_rules:

  - name: 'syslog_udp_tcp'
    type: 'accept'
    dport: [ '514' ]
    protocols: [ 'udp', 'tcp' ]
    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
    role: 'rsyslog'
    accept_any: False
    rule_state: '{{ "present"
                    if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                        rsyslog__remote_enabled | bool)
                    else "absent" }}'

  - name: 'syslog-tls'
    type: 'accept'
    dport: [ 'syslog-tls' ]
    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
    role: 'rsyslog'
    accept_any: False
    rule_state: '{{ "present"
                    if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                        rsyslog__remote_enabled | bool)
                    else "absent" }}'
- rsyslog__logrotate__dependent_config
Configuration for the debops.logrotate Ansible role.
rsyslog__logrotate__dependent_config:

  - filename: '000rsyslog-unprivileged'
    comment: 'The rsyslog daemon is run unprivileged'
    options: |
      su root {{ rsyslog__group }}
    state: '{{ "present"
               if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                   rsyslog__unprivileged | bool)
               else "absent" }}'

  - filename: 'rsyslog'
    divert: True
    sections:

      - logs: '/var/log/syslog'
        options: |
          rotate {{ rsyslog__rotation_count_system }}
          {{ rsyslog__rotation_period_system }}
          maxsize 1G
          missingok
          notifempty
          delaycompress
          compress
        postrotate: |
          {{ "invoke-rc.d rsyslog rotate > /dev/null"
             if (ansible_distribution_release in
                 (["stretch", "trusty"]))
             else "/usr/lib/rsyslog/rsyslog-rotate" }}

      - logs: '{{ (rsyslog__default_logfiles
                   + rsyslog__logfiles)
                  | difference(["/var/log/syslog"]) | sort }}'
        options: |
          rotate {{ rsyslog__rotation_count_system }}
          {{ rsyslog__rotation_period_system }}
          maxsize 1G
          missingok
          notifempty
          compress
          delaycompress
          sharedscripts
        postrotate: |
          {{ "invoke-rc.d rsyslog rotate > /dev/null"
             if (ansible_distribution_release in
                 (["stretch", "trusty"]))
             else "/usr/lib/rsyslog/rsyslog-rotate" }}
    state: '{{ "present"
               if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent")
               else "absent" }}'

  - filename: 'rsyslog-remote'
    logs: [ '/var/log/remote/*/*/syslog', '/var/log/remote/*/*/*.log' ]
    options: |
      rotate {{ rsyslog__rotation_count_remote }}
      {{ rsyslog__rotation_period_remote }}
      maxsize 1G
      missingok
      notifempty
      compress
      delaycompress
      sharedscripts
    postrotate: |
      {{ "invoke-rc.d rsyslog rotate > /dev/null"
         if (ansible_distribution_release in
             (["stretch", "trusty"]))
         else "/usr/lib/rsyslog/rsyslog-rotate" }}
    state: '{{ "present"
               if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
                   rsyslog__remote_enabled | bool)
               else "absent" }}'
- rsyslog__dpkg_cleanup__dependent_packages
Configuration for the debops.dpkg_cleanup Ansible role.
rsyslog__dpkg_cleanup__dependent_packages:

  - name: 'rsyslog'
    revert_files:
      - '/etc/rsyslog.conf'
      - '/etc/logrotate.d/rsyslog'
      - '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
            | selectattr("divert", "defined") | list
            | selectattr("divert", "equalto", True) | list
            | map(attribute="name") | list
            | map("regex_replace", "^(.*)$", "/etc/rsyslog.d/\1") | list }}'
    remove_files:
      - '/etc/logrotate.d/rsyslog-remote'
      - '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
            | selectattr("divert", "undefined") | list
            | map(attribute="name") | list
            | map("regex_replace", "^(.*)$", "/etc/rsyslog.d/\1") | list }}'