From b0bb9eb2e873e4803fc0b2a0895ed7a0544350ff Mon Sep 17 00:00:00 2001 From: Theo Chatzimichos Date: Dec 04 2017 15:01:15 +0000 Subject: Merge branch 'tampakrap_rsyslog_setup' into 'production' rsyslog on all hosts: See merge request infra/salt!95 --- diff --git a/FORMULAS.yaml b/FORMULAS.yaml index 1392885..4e1dc04 100644 --- a/FORMULAS.yaml +++ b/FORMULAS.yaml @@ -11,7 +11,10 @@ ntp: {} openldap: {} openssh: {} powerdns: {} -rsyslog: {} +rsyslog: + namespace: 'tampakrap' + pending: + - 'https://github.com/saltstack-formulas/rsyslog-formula/pull/16' salt: {} sqlite: namespace: 'tampakrap' diff --git a/pillar/common.sls b/pillar/common.sls index 9b34774..f127dad 100644 --- a/pillar/common.sls +++ b/pillar/common.sls @@ -42,6 +42,10 @@ openldap: openssh: banner_src: salt://profile/accounts/files/ssh_banner sshd_config_mode: 0640 +rsyslog: + custom: + - salt://profile/log/files/etc/rsyslog.d/remote.conf.jinja + custom_config_template: salt://profile/log/files/etc/rsyslog.conf salt: minion: backup_mode: minion diff --git a/pillar/id/monitor_infra_opensuse_org.sls b/pillar/id/monitor_infra_opensuse_org.sls index 2b4e48f..f76e75f 100644 --- a/pillar/id/monitor_infra_opensuse_org.sls +++ b/pillar/id/monitor_infra_opensuse_org.sls @@ -1,5 +1,7 @@ grains: city: nuremberg country: de + roles: + - syslog salt_cluster: opensuse virt_cluster: atreju diff --git a/pillar/role/syslog.sls b/pillar/role/syslog.sls new file mode 100644 index 0000000..256791f --- /dev/null +++ b/pillar/role/syslog.sls @@ -0,0 +1,3 @@ +rsyslog: + custom: + - salt://profile/log/files/etc/rsyslog.d/server.conf diff --git a/pillar/salt_cluster/opensuse.sls b/pillar/salt_cluster/opensuse.sls index 38cd45f..45c038a 100644 --- a/pillar/salt_cluster/opensuse.sls +++ b/pillar/salt_cluster/opensuse.sls @@ -8,6 +8,9 @@ ntp: - ntp2.infra.opensuse.org iburst - ntp3.infra.opensuse.org iburst {% endif %} +profile: + log: + rsyslog_host: 192.168.47.7 salt: minion: master: minnie.infra.opensuse.org 
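Review bot: The rsyslog formula entry moves from the upstream namespace to the personal `tampakrap` fork with only a pending upstream PR as a reference and no revision recorded; if FORMULAS.yaml drives what is checked out onto the master, the master will run whatever that fork's default branch holds at fetch time, which is a supply-chain exposure rather than a pin. Record the exact fork commit this deployment was tested against next to the `pending` link, and plan to switch back to the upstream namespace once pull/16 merges.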
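Review bot: `rsyslog:custom` is a list in both pillar/common.sls (remote.conf.jinja) and the new pillar/role/syslog.sls (server.conf), and with Salt's default `pillar_merge_lists: False` the later pillar file replaces the list instead of appending to it, so depending on top-file order the collector ends up with only one of the two snippets. If the intent is that the syslog host gets server.conf in addition to the common snippet, list both files in role/syslog.sls, e.g. `custom:` followed by `- salt://profile/log/files/etc/rsyslog.d/remote.conf.jinja` and `- salt://profile/log/files/etc/rsyslog.d/server.conf`, or enable `pillar_merge_lists` on the master; I cannot see the top file from here, so please confirm which order applies.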
diff --git a/salt/profile/log.sls b/salt/profile/log.sls deleted file mode 100644 index bfae231..0000000 --- a/salt/profile/log.sls +++ /dev/null @@ -1,8 +0,0 @@ -# TODO: replace with a proper logrotate formula -{% set osmajorrelease = salt['grains.get']('osmajorrelease') %} - -{% if osmajorrelease in ['12', '42'] %} -logrotate.timer: - service.running: - - enable: True -{% endif %} diff --git a/salt/profile/log/files/etc/rsyslog.conf b/salt/profile/log/files/etc/rsyslog.conf new file mode 100644 index 0000000..c837e3e --- /dev/null +++ b/salt/profile/log/files/etc/rsyslog.conf 
@@ -0,0 +1,178 @@ +# Managed by Salt +## +## === When you're using remote logging, enable on-disk queues === +## === in rsyslog.d/remote.conf. When neccesary also set the === +## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog, === +## === e.g. when rsyslog has to receive on a specific IP only. === +## +## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules +## (provided in separate rsyslog-module-* packages) are enabled, the +## configuration can't be used on a system with /usr on a remote +## filesystem, except on newer systems where initrd mounts /usr. +## [The modules are linked against libraries installed bellow of +## /usr thus also installed in /usr/lib*/rsyslog because of this.] +## + +# +# if you experience problems, check +# http://www.rsyslog.com/troubleshoot for assistance +# and report them at http://bugzilla.novell.com/ +# + +# since rsyslog v3: load input modules +# If you do not load inputs, nothing happens! + +# provides --MARK-- message capability (every 1 hour) +$ModLoad immark.so +$MarkMessagePeriod 3600 + +# provides support for local system logging (e.g. via logger command) +$ModLoad imuxsock.so + +# reduce dupplicate log messages (last message repeated n times) +$RepeatedMsgReduction on + +# kernel logging (may be also provided by /sbin/klogd) +# see also http://www.rsyslog.com/doc-imklog.html. +$ModLoad imklog.so +# set log level 1 (same as in /etc/sysconfig/syslog). +$klogConsoleLogLevel 1 + +# Use rsyslog native, rfc5424 conform log format as default +# ($ActionFileDefaultTemplate RSYSLOG_FileFormat). +# +# To change a single file to use obsolete BSD syslog format +# (rfc 3164, no high-precision timestamps), set the variable +# bellow or append ";RSYSLOG_FileFormat" to the filename. +# See +# http://www.rsyslog.com/doc/rsyslog_conf_templates.html +# for more informations. 
+# +#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Include config generated by /etc/init.d/syslog script +# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the +# /etc/sysconfig/syslog file. +# +$IncludeConfig /run/rsyslog/additional-log-sockets.conf + +# +# Include config files, that the admin provided? : +# +$IncludeConfig /etc/rsyslog.d/*.conf + + +### +# print most important on tty10 and on the xconsole pipe +# +if ( \ + /* kernel up to warning except of firewall */ \ + ($syslogfacility-text == 'kern') and \ + ($syslogseverity <= 4 /* warning */ ) and not \ + ($msg contains 'IN=' and $msg contains 'OUT=') \ + ) or ( \ + /* up to errors except of facility authpriv */ \ + ($syslogseverity <= 3 /* errors */ ) and not \ + ($syslogfacility-text == 'authpriv') \ + ) \ +then { + /dev/tty10 + |/dev/xconsole +} + + +# Emergency messages to everyone logged on (wall) +*.emerg :omusrmsg:* + +# enable this, if you want that root is informed +# immediately, e.g. of logins +#*.alert root + + +# +# firewall messages into separate file and stop their further processing +# +if ($syslogfacility-text == 'kern') and \ + ($msg contains 'IN=' and $msg contains 'OUT=') \ +then { + -/var/log/firewall + stop +} + + +# +# acpid messages into separate file and stop their further processing +# +# => all acpid messages for debuging (uncomment if needed): +#if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \ +# -/var/log/acpid +# +# => up to notice (skip info and debug) +if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \ + ($syslogseverity <= 5 /* notice */) \ +then { + -/var/log/acpid + stop +} + + +# +# NetworkManager into separate file and stop their further processing +# +if ($programname == 'NetworkManager') or \ + ($programname startswith 'nm-') \ +then { + -/var/log/NetworkManager + stop +} + + +# +# email-messages +# +mail.* -/var/log/mail +mail.info -/var/log/mail.info +mail.warning -/var/log/mail.warn +mail.err /var/log/mail.err + + +# 
+# news-messages +# +news.crit -/var/log/news/news.crit +news.err -/var/log/news/news.err +news.notice -/var/log/news/news.notice +# enable this, if you want to keep all news messages +# in one file +#news.* -/var/log/news.all + + +# +# Warnings in one file +# +*.=warning;*.=err -/var/log/warn +*.crit /var/log/warn + + +# +# the rest in one file +# +*.*;mail.none;news.none -/var/log/messages + + +# +# enable this, if you want to keep all messages +# in one file +#*.* -/var/log/allmessages + + +# +# Some foreign boot scripts require local7 +# +local0.*;local1.* -/var/log/localmessages +local2.*;local3.* -/var/log/localmessages +local4.*;local5.* -/var/log/localmessages +local6.*;local7.* -/var/log/localmessages + +### diff --git a/salt/profile/log/files/etc/rsyslog.d/remote.conf.jinja b/salt/profile/log/files/etc/rsyslog.d/remote.conf.jinja new file mode 100644 index 0000000..61be8b6 --- /dev/null +++ b/salt/profile/log/files/etc/rsyslog.d/remote.conf.jinja 
@@ -0,0 +1,82 @@ +## Managed by Salt +## +## === When you're using remote logging, enable on-disk queues === +## === in rsyslog.d/remote.conf. When neccesary also set the === +## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog, === +## === e.g. when rsyslog has to receive on a specific IP only. === +## +## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules +## (provided in separate rsyslog-module-* packages) are enabled, the +## configuration can't be used on a system with /usr on a remote +## filesystem, except on newer systems where initrd mounts /usr. +## [The modules are linked against libraries installed bellow of +## /usr thus also installed in /usr/lib*/rsyslog because of this.] +## + +# ######### Enable On-Disk queues for remote logging ########## +# +# An on-disk queue is created for this action. If the remote host is +# down, messages are spooled to disk and sent when it is up again. +# +$WorkDirectory /var/spool/rsyslog # where to place spool files +$ActionQueueFileName uniqName # unique name prefix for spool files +$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +$ActionQueueType LinkedList # run asynchronously +$ActionResumeRetryCount -1 # infinite retries if host is down + +# ######### Sending Messages to Remote Hosts ########## + +# Remote Logging using TCP for reliable delivery +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +{%- set roles = salt['grains.get']('roles', []) %} +{%- if 'syslog' not in roles %} +*.* @@syslog.infra.opensuse.org +{%- endif %} + +# Remote Logging using UDP +# remote host is: name/ip:port, e.g. 
192.168.0.1:514, port optional +#*.* @remote-host + + +# ######### Receiving Messages from Remote Hosts ########## +# TCP Syslog Server: +# provides TCP syslog reception and GSS-API (if compiled to support it) +#$ModLoad imtcp.so # load module +##$UDPServerAddress 10.10.0.1 # force to listen on this IP only, +## # needs SYSLOG_REQUIRES_NETWORK=yes. +#$InputTCPServerRun # Starts a TCP server on selected port + +# UDP Syslog Server: +#$ModLoad imudp.so # provides UDP syslog reception +##$UDPServerAddress 10.10.0.1 # force to listen on this IP only, +## # needs SYSLOG_REQUIRES_NETWORK=yes. +#$UDPServerRun 514 # start a UDP syslog server at standard port 514 + + +########### Encrypting Syslog Traffic with TLS ########## +# -- TLS Syslog Server: +## make gtls driver the default +#$DefaultNetstreamDriver gtls +# +## certificate files +#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem +#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/server_cert.pem +#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/server_key.pem +# +#$ModLoad imtcp # load TCP listener +# +#$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode +#$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated +#$InputTCPServerRun 10514 # start up listener at port 10514 +# +# -- TLS Syslog Client: +## certificate files - just CA for a client +#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem +# +## set up the action +#$DefaultNetstreamDriver gtls # use gtls netstream driver +#$ActionSendStreamDriverMode 1 # require TLS for the connection +#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated +#*.* @@(o)server.example.net:10514 # send (all) messages + diff --git a/salt/profile/log/files/etc/rsyslog.d/server.conf b/salt/profile/log/files/etc/rsyslog.d/server.conf new file mode 100644 index 0000000..9ba05c7 --- /dev/null +++ b/salt/profile/log/files/etc/rsyslog.d/server.conf 
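Review bot: Every non-syslog host forwards `*.* @@syslog.infra.opensuse.org` over plain TCP, so the complete log stream — authpriv records such as sshd logins and sudo use included — crosses the network unencrypted and unauthenticated, while the TLS section of this same file is left entirely commented out. The commented TLS example also uses `AuthMode anon`, which would encrypt but still let any host on the path impersonate the collector; x509/name with a permitted peer is what actually authenticates it. Enabling gtls requires a CA and server certificate to be distributed, which this change does not provide, so treat the lines below as the shape of the fix rather than a drop-in. Until that lands, note that `$ActionQueueMaxDiskSpace 1g` lets each host keep up to 1 GB of unsent cleartext logs under /var/spool/rsyslog when the collector is unreachable, so the permissions of that directory are worth confirming.
```jinja
# … unchanged: on-disk queue settings …
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer syslog.infra.opensuse.org
{%- set roles = salt['grains.get']('roles', []) %}
{%- if 'syslog' not in roles %}
*.* @@syslog.infra.opensuse.org:10514
{%- endif %}
```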
@@ -0,0 +1,11 @@ +# Managed by Salt +# +# We are using a static file because the new syntax for template is not +# supported yet at the formula + +template(name="DynFile" type="string" string="/var/log/opensuse/hosts/%HOSTNAME%.log") + +if $hostname != "monitor" then { + ?DynFile + stop +} diff --git a/salt/profile/log/init.sls b/salt/profile/log/init.sls new file mode 100644 index 0000000..0e21ea9 --- /dev/null +++ b/salt/profile/log/init.sls @@ -0,0 +1,26 @@ +{% set osmajorrelease = salt['grains.get']('osmajorrelease') %} +{% set roles = salt['grains.get']('roles', []) %} + +include: + - rsyslog + +rsyslog_host: + host.present: + - ip: {{ salt['pillar.get']('profile:log:rsyslog_host') }} + - names: + - monitor.infra.opensuse.org + - syslog.infra.opensuse.org + - monitor + - syslog + +systemd-logger: + pkg.removed: + - require_in: + - pkg: rsyslog + +# TODO: replace with a proper logrotate formula +{% if osmajorrelease in ['12', '42'] %} +logrotate.timer: + service.running: + - enable: True +{% endif %}
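Review bot: `%HOSTNAME%` in the `DynFile` template comes from the received message header, i.e. it is chosen by the sending host, and it is used unsanitized to build a path under /var/log/opensuse/hosts/; rsyslog's `secpath-replace`/`secpath-drop` property options exist for exactly this, so the template should read `string="/var/log/opensuse/hosts/%HOSTNAME:::secpath-replace%.log"`. For the same reason the `if $hostname != "monitor"` guard can be satisfied by a remote sender that claims the hostname `monitor`, whose messages would then be mixed into the collector's own local files; matching on the source address (`$fromhost-ip == "127.0.0.1"`) is a more robust way to identify local traffic. Separately, nothing in this change loads `imtcp` or starts a listener on the syslog host — the receiving section in remote.conf.jinja is fully commented out — so unless the formula enables one from pillar not shown here, forwarders will only spool to disk; when the listener is added, bind it to the 192.168.47.7 address rather than all interfaces.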
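Review bot: `roles` is assigned on the second line but never referenced in this file (remote.conf.jinja reads the grain itself), so that `{% set %}` should be dropped. More importantly, `rsyslog_host` takes `profile:log:rsyslog_host` with no default, and in this change that pillar key is only added under `salt_cluster: opensuse`, while the rsyslog pillar itself lives in common.sls; if `profile.log` is applied to a minion in another cluster the state renders with an empty `- ip:` and fails, or, given a value, pins `syslog.infra.opensuse.org` in /etc/hosts to an address that is likely not routable from there. Guarding the state on the pillar value, as below, avoids both, and it is worth remembering that an /etc/hosts entry pins the name but does not authenticate the collector.
```yaml
{% set rsyslog_host = salt['pillar.get']('profile:log:rsyslog_host') %}
{% if rsyslog_host %}
rsyslog_host:
  host.present:
    - ip: {{ rsyslog_host }}
    - names:
      - monitor.infra.opensuse.org
      - syslog.infra.opensuse.org
      - monitor
      - syslog
{% endif %}
# … unchanged: systemd-logger removal and logrotate.timer …
```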