Getting started
Initial configuration
The debops.rsyslog default configuration is designed to closely resemble the Debian rsyslog package defaults. The same system logs will be generated, although with slightly longer log rotation. If the operating system is Debian, rsyslog will be run under the privileged root account; if the system is Ubuntu, an unprivileged syslog account will be used by default.
Configuration filename extensions
The configuration order is important, and to aid support of configuration from other roles, the /etc/rsyslog.conf configuration file includes other configuration files with different filename extensions at certain points of the configuration:
/etc/rsyslog.d/*.input
These files define configuration of the rsyslog input modules which can be used as data sources.
/etc/rsyslog.d/*.template
These configuration files can be used to create custom templates used by rsyslog in different parts of the configuration.
/etc/rsyslog.d/*.conf
These files are included by default. They are meant to be used for configuration of the local system logs; the extension is used to preserve compatibility with Debian package conventions.
/etc/rsyslog.d/*.output
These files define configuration of the rsyslog output modules which can be used as targets by various local and remote rulesets defined later on.
/etc/rsyslog.d/*.ruleset
These configuration files are meant to be used to define log matching rules specific to a given system, to store logs in different files.
/etc/rsyslog.d/*.remote
These configuration files are meant to store configuration for logs coming from other systems over the network. These rules will be defined in a separate "ruleset" called remote which is used by the UDP and TCP input modules. This way the local (system) logs and remote logs from other hosts can be managed separately and shouldn't mix with each other.
Quick start: log forwarding
Log forwarding tells the rsyslogd server to send all, or selected, syslog messages to remote syslog server(s). The debops.rsyslog role is tailored to perform log forwarding over TLS to a central syslog server using DNS SRV records for the following service:
_syslog._tcp.{{ rsyslog__domain }} (default port 6514)
If:
the resource records are found; and
the host is not configured to receive logs via the rsyslog__remote_enabled variable; and
the debops.pki role has been configured on the host
Then the debops.rsyslog role will configure each target server to send syslog messages over TLS. This configuration can be found and changed in the rsyslog__default_forward and the rsyslog__default_rules variables.
Quick start: receiving remote logs
The role does not configure the rsyslogd service to receive log messages from the network by default. To enable this, you can specify a list of IP addresses and/or CIDR subnets which are allowed to send syslog messages using the rsyslog__allow, rsyslog__group_allow and/or rsyslog__host_allow variables. Defining these in the inventory will tell the role to configure rsyslog to accept remote logs and store them in subdirectories under the /var/log/remote/ directory. The debops.ferm and the debops.logrotate roles will be used to configure the IPTables firewall and log rotation respectively.
This behaviour is controlled by the rsyslog__remote_enabled variable.
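A pre-deployment check for the allow lists described above, as an added example that is not part of the DebOps documentation or the role's own code: it flags entries that are not valid IP addresses or CIDR subnets, and networks wider than a chosen limit, before they open the syslog receiver to more hosts than intended. The sample inventory values, the MIN_PREFIX limit and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample values (documentation address ranges), standing in for the
# contents of rsyslog__allow, rsyslog__group_allow and rsyslog__host_allow.
SAMPLE_INVENTORY = {
    "rsyslog__allow": ["192.0.2.0/24"],
    "rsyslog__group_allow": ["2001:db8:10::/64", "198.51.100.7"],
    "rsyslog__host_allow": ["0.0.0.0/0", "203.0.113.5/24", "logs.example.org"],
}

# Assumed policy for this example: the widest network accepted per IP version.
MIN_PREFIX = {4: 16, 6: 48}


def check_entry(entry):
    """Return None if the entry is acceptable, otherwise a reason string."""
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        try:
            # Host bits set, e.g. 203.0.113.5/24: report the intended network.
            net = ipaddress.ip_network(entry, strict=False)
            return f"host bits set, did you mean {net}?"
        except ValueError:
            return "not an IP address or CIDR subnet"
    if net.prefixlen < MIN_PREFIX[net.version]:
        limit = MIN_PREFIX[net.version]
        return f"/{net.prefixlen} is wider than the /{limit} policy limit"
    return None


def audit_allow_lists(inventory):
    """Map 'variable: entry' to the reason the entry was rejected."""
    findings = {}
    for variable in ("rsyslog__allow", "rsyslog__group_allow",
                     "rsyslog__host_allow"):
        for entry in inventory.get(variable, []):
            reason = check_entry(entry)
            if reason:
                findings[f"{variable}: {entry}"] = reason
    return findings


if __name__ == "__main__":
    for item, reason in audit_allow_lists(SAMPLE_INVENTORY).items():
        print(f"{item} -> {reason}")
```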
Example inventory
The debops.rsyslog role is included by default in the DebOps common.yml playbook and does not need to be specifically enabled.
To enable the debops.rsyslog role on a given host or group of hosts not managed by DebOps, you need to add that host to the [debops_service_rsyslog] Ansible inventory group:
[debops_service_rsyslog]
hostname
Example playbook
Here's an example playbook which uses the debops.rsyslog role:
---
- name: Manage rsyslog service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_rsyslog' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'
  roles:
    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ rsyslog__ferm__dependent_rules }}'
    - role: cron
      tags: [ 'role::cron', 'skip::cron' ]
    - role: logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        - '{{ rsyslog__logrotate__dependent_config }}'
    - role: rsyslog
      tags: [ 'role::rsyslog', 'skip::rsyslog' ]