From 15cd5ce7ecc756eef717cb267a26b0f0efcfae90 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Mon, 20 Jan 2020 14:10:03 +0100
Subject: [PATCH] [logall] Added role to handle firewall logs

---
 network.yml                                        | 13 +++++---
 roles/logall/tasks/main.yml                        | 16 ++++++++++
 .../logall/templates/logrotate.d/firewall.j2       | 29 +++++++++++++++++
 .../templates/rsyslog.d/10-firewall.conf.j2        | 32 +++++++++++++++++++
 4 files changed, 86 insertions(+), 4 deletions(-)
 create mode 100644 roles/logall/tasks/main.yml
 create mode 100644 roles/logall/templates/logrotate.d/firewall.j2
 create mode 100644 roles/logall/templates/rsyslog.d/10-firewall.conf.j2

diff --git a/network.yml b/network.yml
index ede84085..b96909f2 100644
--- a/network.yml
+++ b/network.yml
@@ -34,7 +34,13 @@
   roles:
     - unifi-controller
 
-# Deploy BGP server on IPv4 routers
+# Configure routers
+- hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org
+  roles:
+    - logall
+    - quagga
+
+# Deploy BGP server configuration on IPv4 routers
 - hosts: gulp.adm.crans.org,odlyd.adm.crans.org
   vars:
     zebra:
@@ -46,10 +52,9 @@
         neighbor: 158.255.113.72
         remote_as: 8218
   roles:
-    - quagga
     - quagga-ipv4
 
-# Deploy BGP server on IPv6 routers
+# Deploy BGP server configuration on IPv6 routers
 - hosts: ipv6-zayo.adm.crans.org
   vars:
     zebra:
@@ -61,5 +66,5 @@
         neighbor: 2001:1b48:2:103::bb:1
         remote_as: 8218
   roles:
-    - quagga
     - quagga-ipv6
+
diff --git a/roles/logall/tasks/main.yml b/roles/logall/tasks/main.yml
new file mode 100644
index 00000000..d9f16005
--- /dev/null
+++ b/roles/logall/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Deploy firewall rsyslog
+  template:
+    src: rsyslog.d/10-firewall.conf.j2
+    dest: /etc/rsyslog.d/10-firewall.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Deploy firewall logrotate
+  template:
+    src: logrotate.d/firewall.j2
+    dest: /etc/logrotate.d/firewall
+    mode: 0644
+    owner: root
+    group: root
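Review bot: Both template tasks in roles/logall/tasks/main.yml install a new rsyslog and logrotate configuration but carry no `notify:`, and the diffstat shows no handlers file for the role, so a changed /etc/rsyslog.d/10-firewall.conf is not loaded until rsyslog happens to be restarted by something else. Add `notify: restart rsyslog` to the first task and a handler in roles/logall/handlers/main.yml that restarts the rsyslog service. It is also worth adding `validate: rsyslogd -N1 -f %s` to that task so a template error is rejected before it replaces the live config and leaves the router without its firewall log rules. Quoting the modes as `mode: "0644"` avoids the YAML octal reinterpretation the linter warns about for both tasks.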
diff --git a/roles/logall/templates/logrotate.d/firewall.j2 b/roles/logall/templates/logrotate.d/firewall.j2
new file mode 100644
index 00000000..550e85ab
--- /dev/null
+++ b/roles/logall/templates/logrotate.d/firewall.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+/var/log/firewall/trace.log
+/var/log/firewall/filtre.log
+/var/log/firewall/iptables.err
+/var/log/firewall/iptables.log {
+    rotate 1
+    weekly
+    missingok
+    notifempty
+    compress
+    postrotate
+        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+    endscript
+}
+/var/log/firewall/logall.log {
+    daily
+    compress
+    compresscmd /bin/bzip2
+    uncompresscmd /bin/bunzip2
+    compressext .bz2
+    rotate 10
+    notifempty
+    sharedscripts
+    postrotate
+        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+        QUIET=y /usr/scripts/firewall/firewall-logrotate-script.sh;
+    endscript
+}
diff --git a/roles/logall/templates/rsyslog.d/10-firewall.conf.j2 b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
new file mode 100644
index 00000000..94e23c4d
--- /dev/null
+++ b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
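Review bot: The first stanza groups four files but has no `sharedscripts`, so its `postrotate` runs `invoke-rc.d rsyslog rotate` once per rotated file, while the logall.log stanza below does declare it; add `sharedscripts` above `postrotate` in the first stanza so rsyslog is signalled once after all four files are rotated. Conversely the logall.log stanza lacks `missingok`, so logrotate reports an error on a host where the LOG_ALL rule has not yet created that file. The second postrotate calls /usr/scripts/firewall/firewall-logrotate-script.sh, which this role does not deploy; state that dependency in a comment above the stanza, e.g. `# logall.log is post-processed by /usr/scripts/firewall (deployed outside this role)`. Note also that `rotate 1` with `weekly` keeps a single week of iptables.log/iptables.err history, which may be too short if these files are relied on for incident investigation compared with the ten days kept for logall.log.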
@@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+#$ModLoad imklog #Déjà présent dans rsyslog.conf
+
+# Messages du firewall (ie de sa génération)
+if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
+
+if $programname == 'firewall' then /var/log/firewall/iptables.log
+
+
+# kernel (facility = 0):
+# Discard broadcast (sinon trop de spam)
+# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
+# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
+# pas essayer)
+if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
+
+# LOG_ALL pour … je sais plus à quoi ça sert …
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=136.231.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
+& ~
+
+# LOG_MAC_IP pour l'association mac_ip en ipv6
+if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
+
+# TRACE
+if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
+& ~
+
+# filtre.log était parsé par un script pour gérer les déconnexions
+#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
+#& ~
+
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~
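Review bot: Every discard in this file uses the legacy `~` action (`then ~`, `& ~`), which rsyslog has deprecated in favour of `stop` since version 7 and reports with a warning at each start; write `then stop` and `& stop` instead. The comment above the LOG_ALL rule says its purpose is no longer known, yet the SRC-prefix rule feeding logall.log together with the final unconditional `... contains 'LOG_ALL' then ~` means LOG_ALL lines from any source outside the listed 10., 185.230.76-79., 136.231. and 2a0c:0700: prefixes are dropped and never reach any file; replace that comment with one stating the intent, e.g. `# LOG_ALL: keep kernel LOG_ALL lines from the listed local prefixes in logall.log; all other LOG_ALL lines are discarded by the last rule`. The two `programname == 'firewall'` rules have no discard, so severity 0-3 messages land in both iptables.err and iptables.log and all of them also continue to the default syslog destinations; if that is intended, a one-line comment saying so would save the next reader from wondering whether a `& stop` was forgotten.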