Puppet Class: rsyslog

Inherits:
::rsyslog::params
Defined in:
manifests/init.pp

Overview

Set up rsyslog 7

The configuration is particularly slanted toward the issues present in the version of rsyslog included with Enterprise Linux systems. It should still work on other systems but they may have different/other bugs that have not been addressed.

Parameters:

  • service_name (String) (defaults to: $::rsyslog::params::service_name)

    The name of the RSyslog service; typically rsyslog

  • package_name (String) (defaults to: $::rsyslog::params::package_name)

    The name of the Rsyslog package to install; typically rsyslog

  • tls_package_name (String) (defaults to: $::rsyslog::params::tls_package_name)

    The name of the Rsyslog package to install TLS utilities; typically rsyslog-gnutls

  • trusted_nets (Array[String]) (defaults to: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] }))

    A whitelist of subnets (in CIDR notation) permitted access

    • This will be used in conjunction with IPTables (if enabled) to allow connections from within the given subnets.

  • enable_tls_logging (Boolean) (defaults to: false)

    Enable the TLS libraries where applicable

    • If enabled, clients will encrypt all log data being sent to the given log servers. Also, all log servers specified to use TLS (see rsyslog::server::tls_tcp_server) will load the imtcp libraries and set the necessary global NetStreamDriver information.

  • log_servers (Array[String]) (defaults to: simplib::lookup('simp_options::syslog::log_servers', { 'default_value' => [] }))

    A list of primary RSyslog servers

    • All nodes in this list will get a copy of all logs if remote logging is enabled.

  • failover_log_servers (Array[String]) (defaults to: simplib::lookup('simp_options::syslog::failover_log_servers', { 'default_value' => [] }))

    A list of the failover RSyslog servers

    • This order-dependent list will serve as all of the possible failover log servers for clients to send to if the servers in log_servers are unavailable.

  • queue_spool_directory (Stdlib::Absolutepath) (defaults to: '/var/spool/rsyslog')

    The path to the directory where RSyslog should store disk message queues

  • rule_dir (Stdlib::Absolutepath) (defaults to: '/etc/rsyslog.simp.d')

    The path at which all managed rules will begin

  • tcp_server (Boolean) (defaults to: false)

    Make this host listen for TCP connections

    • Ideally, all connections would be TLS enabled. Only enable this if necessary.

  • tcp_listen_port (Stdlib::Compat::Integer) (defaults to: '514')

    The port upon which to listen for regular TCP connections

  • tls_tcp_server (Boolean) (defaults to: false)

    Make this host listen for TLS enabled TCP connections

  • tls_tcp_listen_port (Stdlib::Compat::Integer) (defaults to: '6514')

    The port upon which to listen for TLS enabled TCP connections

  • udp_server (Boolean) (defaults to: false)

    Make this host listen for UDP connections

    • This really should not be enabled unless you have devices that cannot speak TLS: UDP syslog is unauthenticated and unencrypted, and the sender address is trivially spoofable.

  • udp_listen_address (String) (defaults to: '127.0.0.1')

    The address upon which to listen for UDP connections

    • The default of 127.0.0.1 is set primarily to support Java applications that cannot work with a modern method of logging; binding to loopback keeps the socket off the network while still serving such local applications.

  • udp_listen_port (Stdlib::Compat::Integer) (defaults to: '514')

    The port upon which to listen for UDP connections

  • read_journald (Boolean) (defaults to: $::rsyslog::params::read_journald)

    Enable the processing of journald messages natively in Rsyslog

  • enable_logrotate (Boolean) (defaults to: true)

    Ensure that logrotate is enabled on this system

    • You will need to configure specific logrotate settings via the logrotate module.

  • pki (Variant[Boolean,Enum['simp']]) (defaults to: simplib::lookup('simp_options::pki', {'default_value' => false}))

    Enable SIMP management of PKI keys

    • Options

      • 'simp' => Use the SIMP key distribution mechanism

      • true => Use the pki::copy method

      • false => Do not manage the PKI keys, you're on your own

  • pki_base_dir (Stdlib::Absolutepath) (defaults to: '/etc/rsyslog.d')

    The location, on disk, for the module's PKI certificates

    • By default, we expect the certificates to be in a pki subdirectory of pki_base_dir so this should not be included in your path.

    • The default expected directory structure is:

      • pki_base_dir/pki/cacerts

        • All CA Certificates in PEM format with Hash-based aliases

      • pki_base_dir/pki/cacerts/cacerts.pem

        • All CA Certificates in a single PEM file

      • pki_base_dir/pki/public/${facts['fqdn']}.pub

        • The daemon's public X.509 Certificate in PEM format

      • pki_base_dir/pki/private/${facts['fqdn']}.pem

        • The daemon's private RSA key in PEM format
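The following is an added example and not code from the SIMP rsyslog module: two hypothetical profile classes showing how the parameters above fit together for a central log collector and for a forwarding client. The profile:: class names, the log1/log2/log3.example.com hostnames, the 10.0.x.0/24 subnets and the local Java application are assumptions made for the example.

```puppet
# Added example (not part of the rsyslog module). Hypothetical profile
# classes; hostnames, subnets and the profile:: namespace are assumptions.

# Central collector: accept only TLS-wrapped TCP, and only from the
# subnets the clients live in.
class profile::log_server {
  class { 'rsyslog':
    # Listen on 6514/tcp with TLS. Leave the plaintext TCP and UDP
    # listeners off: anything accepted there crosses the network in the clear.
    tls_tcp_server      => true,
    tls_tcp_listen_port => '6514',
    tcp_server          => false,
    udp_server          => false,
    # trusted_nets feeds the IPTables allow rules (when IPTables is enabled).
    # The default of 127.0.0.1/32 admits nothing from the network, so list
    # the client subnets explicitly rather than opening to 0.0.0.0/0.
    trusted_nets        => ['10.0.1.0/24', '10.0.2.0/24'],
    # Load the TLS libraries and NetStreamDriver settings on the server side.
    enable_tls_logging  => true,
    # Let SIMP place the CA bundle, certificate and key under
    # /etc/rsyslog.d/pki/{cacerts,public,private}; rsyslog::config::pki is
    # ordered before rsyslog::config so the files exist when rsyslog starts.
    pki                 => 'simp',
    pki_base_dir        => '/etc/rsyslog.d',
    read_journald       => true,
  }
}

# Forwarding client: encrypt everything sent off the box, with an
# ordered failover list, and no listeners reachable from the network.
class profile::log_client {
  class { 'rsyslog':
    # Every host in log_servers receives a copy of all logs; the failover
    # list is tried in order only when the primaries are unavailable.
    log_servers          => ['log1.example.com'],
    failover_log_servers => ['log2.example.com', 'log3.example.com'],
    enable_tls_logging   => true,
    pki                  => 'simp',
    # No inbound TCP listeners of either kind on an ordinary client.
    tcp_server           => false,
    tls_tcp_server       => false,
    # The one exception: a loopback-only UDP socket for a local Java
    # application (assumed here) that can only emit classic syslog over UDP.
    # Binding to 127.0.0.1 keeps it unreachable from other hosts.
    udp_server           => true,
    udp_listen_address   => '127.0.0.1',
    udp_listen_port      => '514',
  }
}
```

The two profiles differ only in which side of the TLS connection the host sits on; the PKI layout under pki_base_dir/pki is the same for both, so a misplaced or mismatched key shows up as a failed TLS handshake on the client before any log line leaves the host.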

Author:



# File 'manifests/init.pp', line 117

class rsyslog (
  String                        $service_name          = $::rsyslog::params::service_name,
  String                        $package_name          = $::rsyslog::params::package_name,
  String                        $tls_package_name      = $::rsyslog::params::tls_package_name,
  Array[String]                 $trusted_nets          = simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] }),
  Boolean                       $enable_tls_logging    = false,
  Array[String]                 $log_servers           = simplib::lookup('simp_options::syslog::log_servers', { 'default_value' => [] }),
  Array[String]                 $failover_log_servers  = simplib::lookup('simp_options::syslog::failover_log_servers', { 'default_value' => [] }),
  Stdlib::Absolutepath          $queue_spool_directory = '/var/spool/rsyslog',
  Stdlib::Absolutepath          $rule_dir              = '/etc/rsyslog.simp.d',
  Boolean                       $tcp_server            = false,
  Stdlib::Compat::Integer       $tcp_listen_port       = '514',
  Boolean                       $tls_tcp_server        = false,
  Stdlib::Compat::Integer       $tls_tcp_listen_port   = '6514',
  Boolean                       $udp_server            = false,
  String                        $udp_listen_address    = '127.0.0.1',
  Stdlib::Compat::Integer       $udp_listen_port       = '514',
  Boolean                       $read_journald         = $::rsyslog::params::read_journald,
  Boolean                       $enable_logrotate      = true,
  Variant[Boolean,Enum['simp']] $pki                   = simplib::lookup('simp_options::pki', {'default_value' => false}),
  Stdlib::Absolutepath          $pki_base_dir          = '/etc/rsyslog.d'
) inherits ::rsyslog::params {

  contain '::rsyslog::install'
  contain '::rsyslog::config'
  contain '::rsyslog::service'

  Class['rsyslog::install'] ->
  Class['rsyslog::config'] ~>
  Class['rsyslog::service']

  if $enable_logrotate {
    contain '::rsyslog::config::logrotate'
    Class['rsyslog::service'] -> Class['rsyslog::config::logrotate']
  }

  if $pki {
    contain '::rsyslog::config::pki'
    Class['rsyslog::config::pki'] -> Class['rsyslog::config']
    Class['rsyslog::config::pki'] ~> Class['rsyslog::service']
  }
}