
ROG


playbooks/firewalld.yml

  # Play: apply the firewalld role to every inventory host.
  - name: Configure firewalld
    hosts: all
    become: true  # managing firewalld requires root
    roles:
      - firewalld

playbooks/rsyslog_server.yml

  # Play: configure the central log receiver(s) in the "rsyslog" group.
  # The same role is used for clients; behaviour is switched by the
  # group_vars (rsyslog_is_server, rsyslog_forward_*).
  - name: Configure rsyslog server
    hosts: rsyslog
    become: true
    roles:
      - rsyslog

playbooks/rsyslog_client.yml

  # Play: configure forwarding clients in the "rsyslog_client" group with
  # the same rsyslog role (client-side settings come from group_vars).
  - name: Configure rsyslog clients
    hosts: rsyslog_client
    become: true
    roles:
      - rsyslog

group_vars/all/firewalld_common.yml

# Rules are written to the permanent config and applied to the running
# firewall at the same time (same values as the role defaults).
firewalld_permanent: true
firewalld_immediate: true

# Baseline rules for every host: only SSH in the public zone.
# Empty lists are spelled out so the merge in the role gets a list, not null.
firewalld_zone_rules_common:
  public:
    ports:
      - '22/tcp'
    services: []
    rich_rules: []

group_vars/rsyslog/firewalld_zone_rules.yml

# Extra rules for the "rsyslog" group: open the syslog port for TCP only.
# Only 514/tcp is opened here; the UDP listener enabled in rsyslog_server.yml
# stays unreachable from the network unless 514/udp is added as well.
firewalld_zone_rules_group:
  public:
    ports:
      - '514/tcp'

group_vars/rsyslog/rsyslog_server.yml

# Hosts in the "rsyslog" group act as log receivers.
rsyslog_is_server: true

# Listeners rendered into rsyslog.conf. Note that the group's firewalld
# rules open 514/tcp only, and the clients forward over TCP, so the UDP
# listener is not reachable through the firewall as configured here.
rsyslog_listen_udp: true
rsyslog_listen_tcp: true
rsyslog_udp_port: 514
rsyslog_tcp_port: 514

group_vars/rsyslog_client/rsyslog_client.yml

# Hosts in "rsyslog_client" forward everything (*.*) to the central server.
rsyslog_forward_enable: true
# "tcp" renders as "@@host:port" in the template; "udp" as "@host:port".
# The template configures no TLS driver, so forwarded logs are sent in
# cleartext on the network.
rsyslog_forward_mode: 'tcp'
rsyslog_forward_host: 'log01.example.local'
rsyslog_forward_port: 514

roles/firewalld/defaults/main.yml

# Role defaults (lowest precedence; group_vars/host_vars override these).
firewalld_permanent: true
firewalld_immediate: true

# Three layers of zone rules, merged in tasks/main.yml in this order:
# common < group < host. Each is a mapping: zone -> {ports, services, rich_rules}.
firewalld_zone_rules_common: {}
firewalld_zone_rules_group: {}
firewalld_zone_rules_host: {}

roles/firewalld/handlers/main.yml

  # Handler notified by the rule-apply task. Rules are already written with
  # permanent+immediate, so the restart is mainly a safety net; a service
  # restart may briefly interrupt the running ruleset.
  - name: Restart firewalld
    ansible.builtin.systemd:
      name: firewalld
      state: restarted
      enabled: true

roles/firewalld/tasks/main.yml

  # Build one zone->rules mapping from the three precedence layers.
  # recursive=true merges nested mappings; list_merge='append_rp' appends
  # the later layer's list items and drops duplicates from the earlier one.
  - name: Merge common/group/host rules
    ansible.builtin.set_fact:
      firewalld_zone_rules_merged: >-
        {{ firewalld_zone_rules_common | default({})
           | combine(firewalld_zone_rules_group | default({}), recursive=true, list_merge='append_rp')
           | combine(firewalld_zone_rules_host | default({}), recursive=true, list_merge='append_rp') }}

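  # Flatten the merged mapping into a list of {zone, type, value} items so a
  # single firewalld task can loop over it.
  # community.general.dict_kv takes exactly one key argument (dict_kv(value, key)
  # -> {key: value}); the original call passed three, which that filter does
  # not accept. The 'type' field is therefore attached with combine instead.
  - name: Build flat list of rules per zone
    ansible.builtin.set_fact:
      firewalld_rules_flat: >-
        {{ firewalld_rules_flat | default([]) + (
             (item.value.ports      | default([]) | map('community.general.dict_kv', 'value') | map('combine', {'type': 'port'})      | list) +
             (item.value.services   | default([]) | map('community.general.dict_kv', 'value') | map('combine', {'type': 'service'})   | list) +
             (item.value.rich_rules | default([]) | map('community.general.dict_kv', 'value') | map('combine', {'type': 'rich_rule'}) | list)
           ) | map('combine', {'zone': item.key}) | list }}
    loop: "{{ firewalld_zone_rules_merged | dict2items }}"
    loop_control:
      label: "{{ item.key }}"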

  # Apply every flattened rule. Only `state: enabled` is used, so a rule that
  # is removed from the variables is not removed from the host; stale rules
  # have to be cleaned up separately.
  - name: Apply all firewalld rules (single task)
    ansible.posix.firewalld:
      zone: "{{ item.zone }}"
      permanent: "{{ firewalld_permanent }}"
      immediate: "{{ firewalld_immediate }}"
      state: enabled
      # Exactly one of port/service/rich_rule is set per item; the others
      # resolve to `omit` and are not passed to the module.
      port: "{{ item.value if item.type == 'port' else omit }}"
      service: "{{ item.value if item.type == 'service' else omit }}"
      rich_rule: "{{ item.value if item.type == 'rich_rule' else omit }}"
    loop: "{{ firewalld_rules_flat | default([]) }}"
    loop_control:
      label: "{{ item.zone }} -> {{ item.type }}: {{ item.value }}"
    notify: Restart firewalld

roles/rsyslog/defaults/main.yml

# Template rendered to /etc/rsyslog.conf by tasks/main.yml.
rsyslog_conf_template: 'rsyslog.conf.j2'

# Server or client
rsyslog_is_server: false

# Server listener settings (only rendered when rsyslog_is_server is true)
rsyslog_listen_udp: true
rsyslog_listen_tcp: true
rsyslog_udp_port: 514
rsyslog_tcp_port: 514

# Client forwarding settings (minimal)
# Forwarding is rendered only when both rsyslog_forward_enable is true and
# rsyslog_forward_host is non-empty.
rsyslog_forward_enable: false
rsyslog_forward_host: ''
rsyslog_forward_mode: 'tcp' # udp or tcp
rsyslog_forward_port: 514

roles/rsyslog/handlers/main.yml

  # Handler notified when rsyslog.conf changes.
  - name: Restart rsyslog
    ansible.builtin.systemd:
      name: rsyslog
      state: restarted
      enabled: true

roles/rsyslog/tasks/main.yml

  # Install the rsyslog package with the distribution's package manager.
  - name: Install rsyslog
    ansible.builtin.package:
      name: rsyslog
      state: present

  # Render the configuration. The validate command syntax-checks the rendered
  # file (rsyslogd -N1) before it replaces the live /etc/rsyslog.conf, so a
  # broken template does not take the daemon down.
  - name: Deploy rsyslog.conf
    ansible.builtin.template:
      src: "{{ rsyslog_conf_template }}"
      dest: /etc/rsyslog.conf
      owner: root
      group: root
      mode: '0644'
      validate: "/usr/sbin/rsyslogd -N1 -f %s"
    notify: Restart rsyslog

  # Make sure the service is running now and starts at boot.
  - name: Ensure rsyslog is enabled and running
    ansible.builtin.systemd:
      name: rsyslog
      state: started
      enabled: true

roles/rsyslog/templates/rsyslog.conf.j2

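# Modules
module(load="imuxsock")
module(load="imjournal" StateFile="imjournal.state")

# Network listeners are only rendered on servers (rsyslog_is_server).
{% if rsyslog_is_server %}
{% if rsyslog_listen_udp %}
module(load="imudp")
input(type="imudp" port="{{ rsyslog_udp_port }}")
{% endif %}
{% if rsyslog_listen_tcp %}
module(load="imtcp")
input(type="imtcp" port="{{ rsyslog_tcp_port }}")
{% endif %}
{% endif %}

# Defaults / Templates
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on

# Local log rules (legacy selector syntax). The "-" prefix on maillog
# means buffered writes.
authpriv.*                                  /var/log/secure
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log

# Client Forwarding (optional)
# "@" = UDP, "@@" = plain TCP. No TLS driver is configured, so forwarded
# messages travel in cleartext.
{% if rsyslog_forward_enable and rsyslog_forward_host %}
*.* {% if rsyslog_forward_mode == "udp" %}@{% else %}@@{% endif %}{{ rsyslog_forward_host }}:{{ rsyslog_forward_port }}
{% endif %}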

group_vars/all/rsyslog_common_logs.yml

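# Baseline rsyslog rules for every host, in legacy "selector target" form.
# Each item is rendered as one line "{{ selector }} {{ target }}" by the
# template's loop. Restores the "*" wildcards in the emerg rule, which the
# published listing had lost ("*.emerg" sent to all users via omusrmsg).
rsyslog_logs_common:
  - { selector: 'authpriv.*', target: '/var/log/secure' }
  - { selector: '*.info;mail.none;authpriv.none;cron.none', target: '/var/log/messages' }
  - { selector: 'mail.*', target: '-/var/log/maillog' }
  - { selector: 'cron.*', target: '/var/log/cron' }
  - { selector: '*.emerg', target: ':omusrmsg:*' }
  - { selector: 'uucp,news.crit', target: '/var/log/spooler' }
  - { selector: 'local7.*', target: '/var/log/boot.log' }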

group_vars/web/rsyslog_group_logs.yml

# Extra rules for the "web" group; appended after the common rules.
rsyslog_logs_group:
  - selector: 'local1.*'
    target: '/var/log/webapp.log'

host_vars/web01.example.com/rsyslog_host_logs.yml

# Host-specific rules for web01; appended last, after common and group rules.
rsyslog_logs_host:
  - selector: 'local2.*'
    target: '/var/log/web01_special.log'

# Template rendered to /etc/rsyslog.conf.
rsyslog_conf_template: 'rsyslog.conf.j2'

# Server or client
rsyslog_is_server: false

# Server listener settings (rendered only when rsyslog_is_server is true)
rsyslog_listen_udp: true
rsyslog_listen_tcp: true
rsyslog_udp_port: 514
rsyslog_tcp_port: 514

# Client forwarding settings; rendered only when enable is true and host is
# non-empty.
rsyslog_forward_enable: false
rsyslog_forward_host: ''
rsyslog_forward_mode: 'tcp'
rsyslog_forward_port: 514

# Log-rule layers, concatenated common + group + host in tasks/main.yml.
# Each item is {selector, target}.
rsyslog_logs_common: []
rsyslog_logs_group: []
rsyslog_logs_host: []

  # Concatenate the three rule lists; order is preserved (common, then
  # group, then host), and nothing is de-duplicated.
  - name: Merge rsyslog log definitions
    ansible.builtin.set_fact:
      rsyslog_logs_merged: >-
        {{ (rsyslog_logs_common | default([]))
           + (rsyslog_logs_group | default([]))
           + (rsyslog_logs_host | default([])) }}

  # Install rsyslog via the generic package module.
  - name: Install rsyslog
    ansible.builtin.package:
      name: rsyslog
      state: present

  # Render the config; `validate` runs rsyslogd's syntax check on the
  # candidate file first, so an invalid render never replaces the live file.
  - name: Deploy rsyslog.conf
    ansible.builtin.template:
      src: "{{ rsyslog_conf_template }}"
      dest: /etc/rsyslog.conf
      owner: root
      group: root
      mode: '0644'
      validate: "/usr/sbin/rsyslogd -N1 -f %s"
    notify: Restart rsyslog

  # Service must be running and enabled at boot.
  - name: Ensure rsyslog is enabled and running
    ansible.builtin.systemd:
      name: rsyslog
      state: started
      enabled: true

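# Modules
module(load="imuxsock")
module(load="imjournal" StateFile="imjournal.state")

# Network listeners are only rendered on servers (rsyslog_is_server).
{% if rsyslog_is_server %}
{% if rsyslog_listen_udp %}
module(load="imudp")
input(type="imudp" port="{{ rsyslog_udp_port }}")
{% endif %}
{% if rsyslog_listen_tcp %}
module(load="imtcp")
input(type="imtcp" port="{{ rsyslog_tcp_port }}")
{% endif %}
{% endif %}

# Defaults / Templates
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on

# Log rules rendered from rsyslog_logs_merged (common + group + host),
# one "selector target" line per item.
{% for log_rule in rsyslog_logs_merged %}
{{ log_rule.selector }} {{ log_rule.target }}
{% endfor %}

# Client Forwarding (optional)
# "@" = UDP, "@@" = plain TCP. No TLS driver is configured, so forwarded
# messages travel in cleartext.
{% if rsyslog_forward_enable and rsyslog_forward_host %}
*.* {% if rsyslog_forward_mode == "udp" %}@{% else %}@@{% endif %}{{ rsyslog_forward_host }}:{{ rsyslog_forward_port }}
{% endif %}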
