From 3fa4ad3616a2a11b2dbe39882f2b2d36ed6770bb Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Tue, 7 Oct 2025 14:53:14 +0200
Subject: [PATCH] remote logging for SSHD
---
roles/bastionhost/handlers/main.yml | 2 +-
roles/bastionhost/tasks/main.yml | 1 +
.../tasks/system_setup/rsyslog_forwarding.yml | 42 ++++++++++++
roles/bastionhost/vars/main.yml | 68 ++++++++++++-------
4 files changed, 87 insertions(+), 26 deletions(-)
create mode 100644 roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml
diff --git a/roles/bastionhost/handlers/main.yml b/roles/bastionhost/handlers/main.yml
index 6025e13..2b0f82b 100644
--- a/roles/bastionhost/handlers/main.yml
+++ b/roles/bastionhost/handlers/main.yml
@@ -9,6 +9,6 @@ state: restarted - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted
\ No newline at end of file
diff --git a/roles/bastionhost/tasks/main.yml b/roles/bastionhost/tasks/main.yml
index 1bccd13..bac470e 100644
--- a/roles/bastionhost/tasks/main.yml
+++ b/roles/bastionhost/tasks/main.yml
@@ -16,6 +16,7 @@ - import_tasks: system_setup/ntfy_alerts.yml - import_tasks: system_setup/auditd_logging.yml - import_tasks: system_setup/aide.yml + - import_tasks: system_setup/rsyslog_forwarding.yml rescue: - set_fact: task_failed=true
diff --git a/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml b/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml
new file mode 100644
index 0000000..c065a9f
--- /dev/null
+++ b/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml
@@ -0,0 +1,42 @@
+---
+- name: Bastionhost | rsyslog forwarding | Ensure rsyslog-gnutls is installed
+ ansible.builtin.package:
+ name: rsyslog-gnutls
+ state: present
+
+- name: Bastionhost | rsyslog forwarding | Configure forwarding for SSH logs
+ ansible.builtin.copy:
+ dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ # This file is managed by Ansible
+ # Forward sshd logs to a remote log server
+
+ # Define the template for forwarding
+ template(name="RSYSLOG_SyslogProtocol23Format" type="string" string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
+
+ # Setup forwarding action
+ action(
+ type="omfwd"
+ target="{{ log_forwarding_target }}"
+ port="{{ log_forwarding_port | default(6514) }}"
+ protocol="tcp"
+ template="RSYSLOG_SyslogProtocol23Format"
+ StreamDriver="gtls"
+ StreamDriverMode="1" # Run in TLS-only mode
+ StreamDriverAuthMode="x509/name"
+ )
+
+ # Filter for sshd messages and apply the action
+ if $programname == 'sshd' then {
+ call-action
+ }
+ notify: restart rsyslog
+ when:
+ - log_forwarding_target is defined
+ - log_forwarding_permitted_peer is defined
+ - log_forwarding_ca_cert is defined
+ - log_forwarding_cert is defined
+ - log_forwarding_key is defined
\ No newline at end of file
diff --git a/roles/bastionhost/vars/main.yml b/roles/bastionhost/vars/main.yml
index 59ee953..d184c3f 100644
--- a/roles/bastionhost/vars/main.yml
+++ b/roles/bastionhost/vars/main.yml
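Review bot: The `action(...)` inside the `content` block is declared at top level, so rsyslog applies it to every message, while the `if $programname == 'sshd'` block that is meant to restrict it only contains `call-action`, which does not look like a valid RainerScript statement (`call` takes a ruleset name) — so in practice either every log line on the bastion is forwarded or rsyslog rejects the file when the handler restarts it. Moving the action into the `if` block (or into a named `ruleset` invoked with `call`) implements the filtering the comment describes. Separately, `StreamDriverAuthMode="x509/name"` is set without a `StreamDriverPermittedPeers`, and the CA, certificate, key and peer that the `when` list insists on (`log_forwarding_ca_cert`, `log_forwarding_cert`, `log_forwarding_key`, `log_forwarding_permitted_peer`) are never written into the config, so the gtls driver has nothing to verify the log server against — they need to reach `global(DefaultNetstreamDriverCAFile=... DefaultNetstreamDriverCertFile=... DefaultNetstreamDriverKeyFile=...)` (or the per-action `StreamDriver.CAFile`/`CertFile`/`KeyFile` on newer rsyslog) plus `StreamDriverPermittedPeers`; the sketch below assumes those variables hold file paths, which the vaulted vars file does not let me confirm. `RSYSLOG_SyslogProtocol23Format` is also the name of a built-in template, so the custom `template(...)` line is at best redundant and may be reported as a duplicate definition; reference the built-in or choose a name outside the reserved `RSYSLOG_` prefix. Note too that on hosts with OpenSSH 9.8 or later session messages may be logged under `sshd-session` rather than `sshd`, so the equality filter could miss the authentication events this forwarding exists to capture — `$programname startswith 'sshd'` is worth considering.
```yaml
    # … unchanged: dest / owner / group / mode …
    content: |
      # This file is managed by Ansible
      # Forward sshd logs to a remote log server over mutually authenticated TLS
      global(
        DefaultNetstreamDriver="gtls"
        DefaultNetstreamDriverCAFile="{{ log_forwarding_ca_cert }}"
        DefaultNetstreamDriverCertFile="{{ log_forwarding_cert }}"
        DefaultNetstreamDriverKeyFile="{{ log_forwarding_key }}"
      )

      # Only sshd messages reach the forwarding action
      if $programname == 'sshd' then {
        action(
          type="omfwd"
          target="{{ log_forwarding_target }}"
          port="{{ log_forwarding_port | default(6514) }}"
          protocol="tcp"
          template="RSYSLOG_SyslogProtocol23Format"
          StreamDriver="gtls"
          StreamDriverMode="1"
          StreamDriverAuthMode="x509/name"
          StreamDriverPermittedPeers="{{ log_forwarding_permitted_peer }}"
        )
      }
  # … unchanged: notify / when …
```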
@@ -1,26 +1,44 @@ $ANSIBLE_VAULT;1.1;AES256 -65396466653564326330323561623932366130366565303161646335393738646666313165636332 -3962366134303535383238653937353530353534666265380a313734643339343331326630636232 -62633264346465663637303934383763316436323233346337373961363961366364646430646133 -6532653866366330610a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a326563666366343235366334633835 +31386635613936366531656137346164316335366132356338313963336632306639356231373638 +3065333563656639380a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