remote logging for SSHD

roles/bastionhost/tasks/main.yml

@@ -16,6 +16,7 @@
   - import_tasks: system_setup/ntfy_alerts.yml
   - import_tasks: system_setup/auditd_logging.yml
   - import_tasks: system_setup/aide.yml
+  - import_tasks: system_setup/rsyslog_forwarding.yml
 
   rescue:
     - set_fact: task_failed=true

roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml

@@ -0,0 +1,42 @@
+---
+- name: Bastionhost | rsyslog forwarding | Ensure rsyslog-gnutls is installed
+  ansible.builtin.package:
+    name: rsyslog-gnutls
+    state: present
+
+- name: Bastionhost | rsyslog forwarding | Configure forwarding for SSH logs
+  ansible.builtin.copy:
+    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      # This file is managed by Ansible
+      # Forward sshd logs to a remote log server
+
+      # Define the template for forwarding
+      template(name="RSYSLOG_SyslogProtocol23Format" type="string" string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
+
+      # Setup forwarding action
+      action(
+          type="omfwd"
+          target="{{ log_forwarding_target }}"
+          port="{{ log_forwarding_port | default(6514) }}"
+          protocol="tcp"
+          template="RSYSLOG_SyslogProtocol23Format"
+          StreamDriver="gtls"
+          StreamDriverMode="1" # Run in TLS-only mode
+          StreamDriverAuthMode="x509/name"
+      )
+
+      # Filter for sshd messages and apply the action
+      if $programname == 'sshd' then {
+          call-action
+      }
+  notify: restart rsyslog
+  when:
+    - log_forwarding_target is defined
+    - log_forwarding_permitted_peer is defined
+    - log_forwarding_ca_cert is defined
+    - log_forwarding_cert is defined
+    - log_forwarding_key is defined