Getting started

Initial configuration

The debops.rsyslog default configuration is designed to closely resemble the Debian rsyslog package defaults. The same system logs will be generated, although with slightly longer log rotation. If the operating system is Debian, rsyslog will run under the privileged root account; if the system is Ubuntu, the unprivileged syslog account will be used by default.

Configuration filename extensions

The order of configuration is important. To support configuration supplied by other roles, the /etc/rsyslog.conf configuration file includes other configuration files with different filename extensions at certain points of the configuration:

/etc/rsyslog.d/*.input

These files define configuration of the rsyslog input modules which can be used as data sources.

/etc/rsyslog.d/*.template

These configuration files can be used to create custom templates used by rsyslog in different parts of the configuration.

/etc/rsyslog.d/*.conf

These files are included by default. They are meant to be used for configuration of the local system logs; the extension is used to preserve compatibility with Debian package conventions.

/etc/rsyslog.d/*.output

These files define configuration of the rsyslog output modules which can be used as targets by various local and remote rulesets defined later on.

/etc/rsyslog.d/*.ruleset

These configuration files are meant to be used to define log matching rules specific to a given system, to store logs in different files.

/etc/rsyslog.d/*.remote

These configuration files are meant to store configuration for logs coming from other systems over the network. These rules will be defined in a separate "ruleset" called remote which is used by the UDP and TCP input modules. This way the local (system) logs and remote logs from other hosts can be managed separately and shouldn't mix with each other.
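The following check is an added example, not part of the debops.rsyslog role. It groups the files in a drop-in directory by the extensions listed above and reports files that match none of them, assuming that /etc/rsyslog.conf includes only those six patterns and that the order of this list is the include order. The function name is hypothetical.

```sh
#!/bin/sh
# Added example: audit an rsyslog drop-in directory against the filename
# extensions listed on this page. Not code from debops.rsyslog.

# Extensions in the order this page lists them (assumed to be the include order).
RSYSLOG_EXTS="input template conf output ruleset remote"

# rsyslog_dropin_audit [DIR]
# Prints "<extension> <filename>" for every regular file matching a listed
# extension, grouped in the order above, then "unmatched <filename>" for any
# other regular file (for example *.dpkg-old leftovers or a mistyped suffix).
# Returns 1 if at least one unmatched file was found, 0 otherwise.
rsyslog_dropin_audit() {
    audit_dir=${1:-/etc/rsyslog.d}
    audit_rc=0

    # Pass 1: files that belong to a known stage.
    for audit_ext in $RSYSLOG_EXTS; do
        for audit_f in "$audit_dir"/*."$audit_ext"; do
            # An unmatched glob stays literal, so test for a real file.
            [ -f "$audit_f" ] || continue
            printf '%s %s\n' "$audit_ext" "${audit_f##*/}"
        done
    done

    # Pass 2: files whose name matches none of the listed extensions.
    for audit_f in "$audit_dir"/*; do
        [ -f "$audit_f" ] || continue
        case "${audit_f##*/}" in
            *.input|*.template|*.conf|*.output|*.ruleset|*.remote) ;;
            *)
                printf 'unmatched %s\n' "${audit_f##*/}"
                audit_rc=1
                ;;
        esac
    done

    return "$audit_rc"
}
```

Source the file and run `rsyslog_dropin_audit /etc/rsyslog.d` on the managed host; a non-zero return status means at least one file matches none of the listed extensions.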

Quick start: log forwarding

Log forwarding tells the rsyslogd server to send all, or selected, syslog messages to remote syslog server(s). The debops.rsyslog role is tailored to perform log forwarding over TLS to a central syslog server using DNS SRV Records for the following service:

_syslog._tcp.{{ rsyslog__domain }} (default port 6514)

If:

  • the resource records are found; and

  • the host is not configured to receive logs via the rsyslog__remote_enabled variable; and

  • the debops.pki role has been configured on the host

Then the debops.rsyslog role will configure each target server to send syslog messages over TLS. This configuration can be found and changed in the rsyslog__default_forward and the rsyslog__default_rules variables.

Quick start: receiving remote logs

The role does not configure the rsyslogd service to receive log messages from the network by default. To enable this, you can specify a list of IP addresses and/or CIDR subnets which are allowed to send syslog messages using the rsyslog__allow, rsyslog__group_allow and/or rsyslog__host_allow variables. Defining these in the inventory will tell the role to configure rsyslog to accept remote logs and store them in subdirectories under the /var/log/remote/ directory. The debops.ferm and the debops.logrotate roles will be used to configure the IPTables firewall and log rotation respectively.

This behaviour is controlled by the rsyslog__remote_enabled variable.

Example inventory

The debops.rsyslog role is included by default in the DebOps common.yml playbook and does not need to be specifically enabled.

To enable the debops.rsyslog role on a given host or group of hosts not managed by DebOps, you need to add that host to the [debops_service_rsyslog] Ansible inventory group:

[debops_service_rsyslog]
hostname

Example playbook

Here's an example playbook which uses the debops.rsyslog role:

---

- name: Manage rsyslog service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_rsyslog' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
      etc_services__dependent_list:
        - '{{ rsyslog__etc_services__dependent_list }}'

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ rsyslog__apt_preferences__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ rsyslog__ferm__dependent_rules }}'

    - role: cron
      tags: [ 'role::cron', 'skip::cron' ]

    - role: logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        - '{{ rsyslog__logrotate__dependent_config }}'

    - role: rsyslog
      tags: [ 'role::rsyslog', 'skip::rsyslog' ]