---
# Bastionhost | rsyslog forwarding
#
# Ships sshd log lines from the bastion host to a remote collector over TLS.
# Two mutually exclusive output formats are supported, selected by
# log_forwarding_type: 'gelf' (Graylog) or 'syslog' (RFC 5424 via omfwd).
# Both copy tasks write the same file, /etc/rsyslog.d/60-forward-ssh-logs.conf,
# so their `when` guards must never be true at the same time.
#
# Transport hardening shared by both variants (see the action() blocks):
#   StreamDriverMode="1"             -> TLS only, no plaintext fallback
#   StreamDriverAuthMode="x509/name" -> the collector's certificate must chain
#                                       to log_forwarding_ca_cert AND its name
#                                       must match log_forwarding_permitted_peer,
#                                       so logs cannot be redirected to an
#                                       impostor collector
# No client certificate/key is configured, so the collector cannot authenticate
# this host by certificate; one would have to be added if it requires mutual TLS.
# Only messages whose programname is sshd are forwarded; sudo/PAM events stay
# local unless another rule ships them.
#
# NOTE(review): every `when` below dereferences log_forwarding_type without an
# `is defined` guard; if the role's defaults do not set it, Ansible fails the
# task with an undefined-variable error instead of skipping it — confirm
# against defaults/main.yml.

- name: Bastionhost | rsyslog forwarding | Ensure rsyslog TLS module is installed
  ansible.builtin.package:
    # gtls network stream driver, needed by both forwarding variants below
    name: rsyslog-gnutls
    state: present

- name: Bastionhost | rsyslog forwarding | Ensure rsyslog GELF module is installed for Graylog
  ansible.builtin.package:
    # Graylog Extended Log Format output; only needed for the GELF variant.
    # NOTE(review): confirm that this package and the omgelf module it is
    # expected to provide exist in the target distribution's repositories.
    name: rsyslog-gelf
    state: present
  when: log_forwarding_type == 'gelf'

- name: Bastionhost | rsyslog forwarding | Configure GELF forwarding for SSH logs (for Graylog)
  ansible.builtin.copy:
    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
    owner: root
    group: root
    mode: "0644"
    # The rsyslog snippet is written as-is; the Jinja expressions inside it are
    # rendered by Ansible before the file is copied. The template builds one
    # GELF JSON object per message; only msg is JSON-escaped (format="json").
    # NOTE(review): check the parameter names StreamDriverPermittedPeer and
    # Action.sendStreamDriverCaFile against the omfwd/omgelf documentation for
    # the target rsyslog version (recent omfwd docs spell them
    # StreamDriverPermittedPeers and StreamDriver.CAFile); an unknown action
    # parameter is reported as a config error at startup.
    content: |
      # This file is managed by Ansible
      # Forward sshd logs to a remote Graylog server using GELF over TLS
      module(load="omgelf")
      template(name="gelf" type="list") {
        constant(value="{\"version\": \"1.1\", \"host\": \"")
        property(name="hostname")
        constant(value="\", \"short_message\": \"")
        property(name="msg" format="json")
        constant(value="\", \"timestamp\": ")
        property(name="timereported" dateFormat="unixtimestamp")
        constant(value=", \"level\": ")
        property(name="syslogseverity")
        constant(value=", \"_facility\": \"")
        property(name="syslogfacility-text")
        constant(value="\", \"_program\": \"")
        property(name="programname")
        constant(value="\"}")
      }

      # Filter for sshd messages and apply the action
      if $programname == 'sshd' then {
        action(type="omgelf"
          target="{{ log_forwarding_target }}"
          port="{{ log_forwarding_port | default(12201) }}"
          protocol="tcp"
          template="gelf"
          StreamDriver="gtls"
          StreamDriverMode="1"
          StreamDriverAuthMode="x509/name"
          StreamDriverPermittedPeer="{{ log_forwarding_permitted_peer }}"
          Action.sendStreamDriverCaFile="{{ log_forwarding_ca_cert }}"
        )
      }
  notify: restart rsyslog
  # Conditions are evaluated in order; the type check comes first so the
  # syslog variant's file is never overwritten by this task.
  when:
    - log_forwarding_type == 'gelf'
    - log_forwarding_target is defined
    - log_forwarding_permitted_peer is defined
    - log_forwarding_ca_cert is defined

- name: Bastionhost | rsyslog forwarding | Configure standard TLS forwarding for SSH logs
  ansible.builtin.copy:
    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
    owner: root
    group: root
    mode: "0644"
    # RFC 5424 framing over TCP/TLS, default port 6514 (syslog-over-TLS).
    # NOTE(review): RSYSLOG_SyslogProtocol23Format is a built-in rsyslog
    # template and the RSYSLOG_ prefix is reserved; defining it again here is
    # at best redundant and may be rejected at startup — confirm on the target
    # version and drop the template() line if the built-in suffices.
    # NOTE(review): same parameter-name check as the GELF task applies to
    # StreamDriverPermittedPeer and Action.sendStreamDriverCaFile.
    content: |
      # This file is managed by Ansible
      # Forward sshd logs to a remote syslog server using RFC5424 over TLS
      template(name="RSYSLOG_SyslogProtocol23Format" type="string" string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
      if $programname == 'sshd' then {
        action(
          type="omfwd"
          target="{{ log_forwarding_target }}"
          port="{{ log_forwarding_port | default(6514) }}"
          protocol="tcp"
          template="RSYSLOG_SyslogProtocol23Format"
          StreamDriver="gtls"
          StreamDriverMode="1"
          StreamDriverAuthMode="x509/name"
          StreamDriverPermittedPeer="{{ log_forwarding_permitted_peer }}"
          Action.sendStreamDriverCaFile="{{ log_forwarding_ca_cert }}"
        )
      }
  notify: restart rsyslog
  # Order kept as in the original: the defined-checks run before the type
  # comparison, so a missing log_forwarding_type only errors once the
  # connection variables are all present.
  when:
    - log_forwarding_target is defined
    - log_forwarding_permitted_peer is defined
    - log_forwarding_ca_cert is defined
    - log_forwarding_type == 'syslog'