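---
# Bastionhost | rsyslog forwarding
#
# Ships sshd log lines from the bastion host to a remote collector over TLS,
# in one of two formats selected by `log_forwarding_type`:
#   - 'gelf'   -> Graylog (GELF over TLS, default port 12201)
#   - 'syslog' -> RFC 5424 syslog over TLS (default port 6514)
# Both variants write the same drop-in, /etc/rsyslog.d/60-forward-ssh-logs.conf.
# Both require a CA file and a permitted peer name so the collector's
# certificate is verified (StreamDriverAuthMode="x509/name"); when either is
# missing the drop-in is not written at all, rather than falling back to an
# unauthenticated connection.
#
# NOTE(review): nothing removes the drop-in when forwarding is later disabled
# or `log_forwarding_type` changes to an unsupported value, so a previously
# configured target keeps receiving logs -- confirm whether a cleanup task
# (state: absent) is wanted.

- name: Bastionhost | rsyslog forwarding | Ensure rsyslog TLS module is installed
  ansible.builtin.package:
    name: rsyslog-gnutls  # provides the "gtls" network stream driver used below
    state: present

- name: Bastionhost | rsyslog forwarding | Ensure rsyslog GELF module is installed (on RedHat family)
  ansible.builtin.package:
    name: rsyslog-gelf  # Graylog Extended Log Format (GELF) output
    state: present
  # `is defined` comes first: comparing an undefined variable in `when` fails
  # the play instead of skipping the task.
  when:
    - log_forwarding_type is defined
    - log_forwarding_type == 'gelf'
    - ansible_os_family == 'RedHat'

- name: Bastionhost | rsyslog forwarding | Configure GELF forwarding for SSH logs (for Graylog)
  ansible.builtin.copy:
    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
    owner: root
    group: root
    mode: '0644'
    # NOTE(review): omgelf is not part of the upstream rsyslog module set;
    # confirm that the rsyslog-gelf package on the target provides it and
    # accepts the StreamDriver* parameters below. rsyslog reports unknown
    # action parameters at startup and the action is then not set up as
    # written, so validate the rendered file with `rsyslogd -N1` before
    # relying on it. If GELF is in fact sent through omfwd, the parameter
    # names must follow omfwd (StreamDriverPermittedPeers, StreamDriver.CAFile).
    content: |
      # This file is managed by Ansible
      # Forward sshd logs to a remote Graylog server using GELF over TLS
      module(load="omgelf")
      # Build a GELF 1.1 JSON document. msg is emitted with format="json" so
      # quotes and control characters in the log line cannot break the
      # document structure; the other properties are local, fixed-format values.
      template(name="gelf" type="list") {
        constant(value="{\"version\": \"1.1\", \"host\": \"")
        property(name="hostname")
        constant(value="\", \"short_message\": \"")
        property(name="msg" format="json")
        constant(value="\", \"timestamp\": ")
        property(name="timereported" dateFormat="unixtimestamp")
        constant(value=", \"level\": ")
        property(name="syslogseverity")
        constant(value=", \"_facility\": \"")
        property(name="syslogfacility-text")
        constant(value="\", \"_program\": \"")
        property(name="programname")
        constant(value="\"}")
      }
      # Only sshd messages leave the host. x509/name: the collector must present
      # a certificate chaining to the CA file below whose name matches the
      # permitted peer; anything else is refused.
      if $programname == 'sshd' then {
        action(type="omgelf"
               target="{{ log_forwarding_target }}"
               port="{{ log_forwarding_port | default(12201) }}"
               protocol="tcp"
               template="gelf"
               StreamDriver="gtls"
               StreamDriverMode="1"
               StreamDriverAuthMode="x509/name"
               StreamDriverPermittedPeer="{{ log_forwarding_permitted_peer }}"
               Action.sendStreamDriverCaFile="{{ log_forwarding_ca_cert }}"
        )
      }
  notify: restart rsyslog
  when:
    - log_forwarding_type is defined
    - log_forwarding_type == 'gelf'
    - log_forwarding_target is defined
    - log_forwarding_permitted_peer is defined
    - log_forwarding_ca_cert is defined

- name: Bastionhost | rsyslog forwarding | Configure standard TLS forwarding for SSH logs
  ansible.builtin.copy:
    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
    owner: root
    group: root
    mode: '0644'
    # omfwd parameter names: the RainerScript form is StreamDriverPermittedPeers
    # (plural; the singular is the legacy $ActionSendStreamDriverPermittedPeer
    # directive) and the per-action CA is StreamDriver.CAFile. rsyslog reports
    # a misspelled parameter at startup and the action is then not set up as
    # written, so the play would succeed while nothing is forwarded; validate
    # the rendered file with `rsyslogd -N1`. StreamDriver.CAFile needs a newer
    # rsyslog release -- on older ones set the CA through
    # global(DefaultNetstreamDriverCAFile=...) instead.
    content: |
      # This file is managed by Ansible
      # Forward sshd logs to a remote syslog server using RFC5424 over TLS
      # RSYSLOG_SyslogProtocol23Format is rsyslog's built-in RFC 5424 template
      # ("<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG"); the RSYSLOG_ prefix
      # is reserved for built-ins, so it is referenced here rather than redefined.
      # Only sshd messages leave the host. x509/name: the collector must present
      # a certificate chaining to the CA file below whose name matches the
      # permitted peer; anything else is refused.
      if $programname == 'sshd' then {
        action(
          type="omfwd"
          target="{{ log_forwarding_target }}"
          port="{{ log_forwarding_port | default(6514) }}"
          protocol="tcp"
          template="RSYSLOG_SyslogProtocol23Format"
          StreamDriver="gtls"
          StreamDriverMode="1"
          StreamDriverAuthMode="x509/name"
          StreamDriverPermittedPeers="{{ log_forwarding_permitted_peer }}"
          StreamDriver.CAFile="{{ log_forwarding_ca_cert }}"
        )
      }
  notify: restart rsyslog
  when:
    - log_forwarding_type is defined
    - log_forwarding_type == 'syslog'
    - log_forwarding_target is defined
    - log_forwarding_permitted_peer is defined
    - log_forwarding_ca_cert is defined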