From 5617f99096a592fd1d307ce7ca8a2a198b495367 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Tue, 7 Oct 2025 17:04:28 +0200
Subject: [PATCH] use GELF for log

---
 .../tasks/system_setup/rsyslog_forwarding.yml | 91 +++++++++++----
 roles/bastionhost/vars/main.yml | 107 ++++++++++--------
 2 files changed, 127 insertions(+), 71 deletions(-)

diff --git a/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml b/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml
index 5c341cf..7d2e541 100644
--- a/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml
+++ b/roles/bastionhost/tasks/system_setup/rsyslog_forwarding.yml
@@ -1,10 +1,16 @@
 ---
-- name: Bastionhost | rsyslog forwarding | Ensure rsyslog-gnutls is installed
+- name: Bastionhost | rsyslog forwarding | Ensure rsyslog TLS module is installed
   ansible.builtin.package:
-    name: rsyslog-gnutls
+    name: rsyslog-gnutls # For TLS support
     state: present
 
-- name: Bastionhost | rsyslog forwarding | Configure forwarding for SSH logs
+- name: Bastionhost | rsyslog forwarding | Ensure rsyslog GELF module is installed for Graylog
+  ansible.builtin.package:
+    name: rsyslog-gelf # For Graylog Extended Log Format (GELF)
+    state: present
+  when: log_forwarding_type == 'gelf'
+
+- name: Bastionhost | rsyslog forwarding | Configure GELF forwarding for SSH logs (for Graylog)
   ansible.builtin.copy:
     dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
     owner: root
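Review bot: The new package task's `when: log_forwarding_type == 'gelf'` raises an undefined-variable error on any host that does not set `log_forwarding_type`, which before this commit was every host using this role; the same applies to the `log_forwarding_type` condition in both `when:` lists of the next hunk, where it sits alongside `is defined` guards that protect the other variables but not this one. Defaulting the variable keeps the old behaviour for existing inventories, e.g. `when: log_forwarding_type | default('syslog') == 'gelf'` here and the matching `| default('syslog')` form in the two copy tasks. Separately, I cannot place the `rsyslog-gelf` package or the `omgelf` module loaded in the next hunk among the stock rsyslog output modules; if they come from a third-party build, the role should document the source and the accepted `log_forwarding_type` values (README or defaults), otherwise the package task fails before any config is written.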
@@ -12,29 +18,72 @@
     mode: '0644'
     content: |
       # This file is managed by Ansible
-      # Forward sshd logs to a remote log server
-
-      # Define the template for forwarding
-      template(name="RSYSLOG_SyslogProtocol23Format" type="string" string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
-
-      # Setup forwarding action
-      action(
-        type="omfwd"
-        target="{{ log_forwarding_target }}"
-        port="{{ log_forwarding_port | default(6514) }}"
-        protocol="tcp"
-        template="RSYSLOG_SyslogProtocol23Format"
-        StreamDriver="gtls"
-        StreamDriverMode="1" # Run in TLS-only mode
-        StreamDriverAuthMode="x509/name"
-      )
+      # Forward sshd logs to a remote Graylog server using GELF over TLS
+      module(load="omgelf")
+      template(name="gelf" type="list") {
+        constant(value="{\"version\": \"1.1\", \"host\": \"")
+        property(name="hostname")
+        constant(value="\", \"short_message\": \"")
+        property(name="msg" format="json")
+        constant(value="\", \"timestamp\": ")
+        property(name="timereported" dateFormat="unixtimestamp")
+        constant(value=", \"level\": ")
+        property(name="syslogseverity")
+        constant(value=", \"_facility\": \"")
+        property(name="syslogfacility-text")
+        constant(value="\", \"_program\": \"")
+        property(name="programname")
+        constant(value="\"}")
+      }
 
       # Filter for sshd messages and apply the action
       if $programname == 'sshd' then {
-        call-action
+        action(type="omgelf"
+          target="{{ log_forwarding_target }}"
+          port="{{ log_forwarding_port | default(12201) }}"
+          protocol="tcp"
+          template="gelf"
+          StreamDriver="gtls"
+          StreamDriverMode="1"
+          StreamDriverAuthMode="x509/name"
+          StreamDriverPermittedPeer="{{ log_forwarding_permitted_peer }}"
+          Action.sendStreamDriverCaFile="{{ log_forwarding_ca_cert }}"
+        )
+      }
+  notify: restart rsyslog
+  when:
+    - log_forwarding_type == 'gelf'
+    - log_forwarding_target is defined
+    - log_forwarding_permitted_peer is defined
+    - log_forwarding_ca_cert is defined
+
+- name: Bastionhost | rsyslog forwarding | Configure standard TLS forwarding for SSH logs
+  ansible.builtin.copy:
+    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      # This file is managed by Ansible
+      # Forward sshd logs to a remote syslog server using RFC5424 over TLS
+      template(name="RSYSLOG_SyslogProtocol23Format" type="string" string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
+      if $programname == 'sshd' then {
+        action(
+          type="omfwd"
+          target="{{ log_forwarding_target }}"
+          port="{{ log_forwarding_port | default(6514) }}"
+          protocol="tcp"
+          template="RSYSLOG_SyslogProtocol23Format"
+          StreamDriver="gtls"
+          StreamDriverMode="1"
+          StreamDriverAuthMode="x509/name"
+          StreamDriverPermittedPeer="{{ log_forwarding_permitted_peer }}"
+          Action.sendStreamDriverCaFile="{{ log_forwarding_ca_cert }}"
+        )
       }
   notify: restart rsyslog
   when:
     - log_forwarding_target is defined
     - log_forwarding_permitted_peer is defined
-    - log_forwarding_ca_cert is defined
\ No newline at end of file
+    - log_forwarding_ca_cert is defined
+    - log_forwarding_type == 'syslog'
\ No newline at end of file
diff --git a/roles/bastionhost/vars/main.yml b/roles/bastionhost/vars/main.yml
index 685be0a..5402867 100644
--- a/roles/bastionhost/vars/main.yml
+++ b/roles/bastionhost/vars/main.yml
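Review bot: The `gelf` template JSON-escapes only `msg`; `hostname`, `syslogfacility-text` and `programname` are spliced into the quoted JSON as-is, so a hostname containing a quote or backslash yields a record the receiver cannot parse (the `$programname == 'sshd'` filter makes `programname` safe in practice). Giving those properties the same treatment, e.g. `property(name="hostname" format="json")`, keeps the output well-formed regardless of host naming. Nothing in the template delimits consecutive records on the TCP stream either — Graylog's GELF TCP input expects a NUL frame delimiter by default — so unless the `omgelf` module adds framing itself, the template should end with that delimiter; worth confirming against the module's documentation. The TLS side is in better shape than before: the new `StreamDriverPermittedPeer` and `Action.sendStreamDriverCaFile` lines are what make `x509/name` actually authenticate the receiver, and both tasks now require the corresponding variables in their `when:` lists.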
@@ -1,51 +1,58 @@ $ANSIBLE_VAULT;1.1;AES256 -31303030333134323161353832663732376564373537326630313238613438353738616534363962 -6565356166353639646166666262386334313266663239330a333335663566616564333030313839 -66316237636561656539336532633061626530343532613937633963663061623735623163623332 -3138313066303533310a326665386136633935636138366437333234336561373639616437643833 -66373738633630336465633265616638316538366138356366353938316638366164363639653331 -34653232386164343931616130383437383861343436316535383866316636373862356337323632 -66353438643562393864633830373339306263356662353039383163613163333230383065336432 -35333533333965616265663866303733653635643464666462323531663635373436613430313664 -37653337333832613638323935666135643733373362646561616463623334323933663965363637 -65636634613061656163366236356232363439376630656237386435316430636538326632633337 -31663133663135383735646665623235623135393035343130343237336564646563353666653630 -37376166333431646237303239396235373232316466663235386131666564323431626138623066 -62356564613333383339323038363938626666343064373830393535346163616130626434346330 -65303139623539316530323365336161346339633236346637636233393465363366333933396366 -61336235343733643265643434353533383561363166623463386334343235616136646433393766 -32393563353963323561626630303266333462663836623632663532356233633731393835333936 -65383862386161656332663534343730383532666533623038323663663639366630663137643230 -34646132616230666633376365326234373030356430383666376637653764313732383433656537 -31313936326463343262626135306535366163653737623839376132383431376633313233643132 -30633830383331343261363232616439396331343966643433363639616630323633633634663230 -39363830326433643130653832333334356430353661633365613035646538366236383532306336 -36366463306538626333373838396566323839373536666138376666323431336665303230393864 -32626239613531303734306533383735623934306162633365343364343964313332346362653238 
-64323862626138663463646433653135623462613166373933336337326561303538333331316634 -61646334333532626234303435393265306233396563663431346635663237646563353765623362 -64373733323561333764353336336432383166316666366636333330393635666230316161613565 -38653139666635616136333362663564633135383235356232333264623766646433636331376136 -62333534353035616332313233613333306239313734306136633161623333343531656362623533 -39646635633730613238386232646561306664303463386635633565333531353266373063626636 -30303432663234333731303163393464366665336265313733613730343930633630323938346639 -31313761623033316437663538306564336561363239333638373739336561316364353639633766 -37323038643261386637376637656662393133653034396530663937643930356530333763306538 -64646336373463353332613566366366383134386633643831616237343036346434646437623231 -39316465666266633438303630343831663666306437376331613962366339393264323333353931 -66373738633062323438323131636566373230303336366439643537643436383835353136626230 -33663961303539373031383430393035353734643666623536313938313739646438653462353635 -64613062663438663932383530656366343566653865306666653163363637613535386262316161 -34363937306264646662343030666463396133356537346565643035646563373633653033316331 -62633065396135383439343364646638313339393236623736643332613431663630646332613264 -36373365346163653837643464626362643061373534663933666234663835356166363033656133 -66383033643030653966636163316366613233663438376431373235336330633361633231346637 -36396334623466646438383436356630303632626638623231366635636132643935306338373632 -37323130323036633733383530633061656361353539373465393639353565373331613462356430 -61383862366135616630643932626661386662376133663236363861666362336634303265393739 -63643862383065336331353964633763633462386230656336626639363063653134356232376264 -31373334396338643163313065353336623062636532363862653432636162353564633635656338 -37396262633637646464666261626363316661363633623331313631393634363333353736646161 
-32653739303831353965333535303737633965336135663965656630343037646630333062303934 -35383939633961663636326131383866646435333037326235626666336663386664343336343732 -3930663532336264363037366161613439336230623032303431 +64326232656662363236303965383864333836363137313433396134613539386264376137353565 +3239383563386164373464393432376537326630626531640a663262323433623435623439313461 +32393336333365306232393462346261373837656561376561323361353666316136363665316162 +6664653639623861620a386130626432376339656232326666393230323132633964616263653933 +34373236653935653366653466636538323166373638643939666634356664303431396330663565 +37623365323262323734393730643661376365666235336633356231396238376236383364303532 +66303335313637363738353835613536376136376265373135386665353230393361366463643863 +61396461343834316139353066366561306437643436646639643433623066663236323930656538 +31383666383666636635663565653765353835316562343834616331383535663761653235323339 +65343832613433316134346537346261306233343434313032653039646637303131323039393135 +32393332383563656439663862383663323339646333323233373833363434353435373863396366 +34613966646331616231353135646336393533393862343838383066643838653536366239313162 +35333238333162613032333833343564363935326230666165316438646638303664363534303966 +36633865336435613164363462396366616239613465393966646338346234663532303961376439 +30653534316538376130363236386133396132653432316565633439613533373939656333653330 +65393334373064663162306131343664393836376137636563633836633330363438666266636163 +61343166633665623663636463386538623031323533323436623365343066653161306465333130 +39393533643234663537616361333835356466313361333436636632646566376137653437626638 +30306636373338383730613136613433643535613963326362313336393762626334313833613463 +35623263326233326661643965356639663237363265656161306639373032666630336534363936 +36373631623136336534633235353230383238303330653830666561633836626562366230313737 
+35623163613538343932316537373133633234393933373830633836626465383735393734623839 +64376561313434353861613037323436333734613034356563623763353136363832333233356166 +31386462396261373361383830386162353465653866396162356263316337353634373836666631 +33643366616463613236666138393434363833373132393038386464633935626136666162636137 +34303766363731323762363335623764363137613762326230346666386230393862646636363864 +61663938653433383533633133626166393366623366656663636336393039643430653635353635 +38343235366530343536666238613261353231623332626365366538303637653036656632313932 +34666236383031656639656462353935626463333666373164333166613930666333393261643431 +61633064333938326366636437396666643730653738636564393436333238363131303331646337 +39316337303066316432373162636265663561383936333036646464623839386266353330306135 +38323639616137303162643161656465306334356331393536616433353032656563636566313861 +39303637376639383439303766626664363331646562633230356430343734336465613835643965 +37346338346430313065333930303239613231353161643736613932656133663363343132653438 +66393361373461383732373633313736353638326439646332663737613033616166643730336632 +31376463663731646138663635633136663035356661313266393662653965633262353464643466 +32343638353262376137353364646235346534333436626363383336356233336666623837376236 +61663238636235613161386236656436396461373762396639366432363533323938353165393638 +35383137303733643633613933346362643061373336636635396565303463363337646530393435 +39616536626462323264363466393331653862303333613135333437386334346538313239343631 +32333132633332346365373336396636333661663336316234643461343039346663643832643161 +66366135636563626335656236333666626266336430653830346165623065613064646636396239 +34366366386132366265656334336537613932303131346639303161373561656164366439386662 +33393738363062376433373837343137646131313363633664353437643565653538363934323533 +32663363323939616262303562346337666163383661363538613738636130653566363133633939 
+35383736623165353961383337663030366562326539363735323763633437666234363238636133 +35653039326133316435353264313035663832343462316239666139373231383134363636666335 +34333263616164393762346632636232623535313838393931663732383764363634373463393763 +38396233303332336465663865626234666364613930663262653031386233376435636662643338 +61626331353036316636363965656262393634396139373937636362326531633330303733303161 +33336266376533303030646361313966336162343039306364623233646333323361343064633832 +37353032626532636430316466346630616535303561646434356664343535643262306234366233 +33393532643634663266336663373235303864343261393136303665643461653165313534346464 +31336565316566346130323465613730666631653338393234343562633062663739646630303638 +37613663373837656563353163666164306635646531353462653864653538656463633361636464 +36353538623365663562323661353536666362376634636233396666393538663131303638653164 +6238