[logall-cachan] flemme de pepcrans

2021-05-24 17:06:26 +02:00 · 2021-05-24 17:06:26 +02:00 · 24fdf21bb4
parent 9e5d931b06
commit 24fdf21bb4
4 changed files with 89 additions and 1 deletions
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@ -1,9 +1,13 @@
 #!/usr/bin/env ansible-playbook
 ---
- hosts: routeurs_vms
+- hosts: routeurs_vms !routeur-gulp.cachan-adm.crans.org
  roles:
    - logall

+- hosts: routeur-gulp.cachan-adm.crans.org
+  roles:
+    - logall-cachan
+
 - hosts: firewall
  vars:
    service: "{{ glob_service_firewall | default({}) | combine(loc_service_firewall | default({})) }}"
--- a/roles/logall-cachan/tasks/main.yml
+++ b/roles/logall-cachan/tasks/main.yml
@ -0,0 +1,24 @@
+---
+- name: Deploy firewall rsyslog
+  template:
+    src: rsyslog.d/10-firewall.conf.j2
+    dest: /etc/rsyslog.d/10-firewall.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Create firewall log directory
+  file:
+    path: /var/log/firewall
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
+- name: Deploy firewall logrotate
+  template:
+    src: logrotate.d/firewall.j2
+    dest: /etc/logrotate.d/firewall
+    mode: 0644
+    owner: root
+    group: root
--- a/roles/logall-cachan/templates/logrotate.d/firewall.j2
+++ b/roles/logall-cachan/templates/logrotate.d/firewall.j2
@ -0,0 +1,28 @@
+{{ ansible_header | comment }}
+
+/var/log/firewall/trace.log
+/var/log/firewall/filtre.log
+/var/log/firewall/iptables.err
+/var/log/firewall/iptables.log {
+    rotate 1
+        weekly
+        missingok
+        notifempty
+        compress
+        postrotate
+        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+    endscript
+}
+/var/log/firewall/logall.log {
+    daily
+        compress
+        compresscmd /bin/bzip2
+        uncompresscmd /bin/bunzip2
+        compressext .bz2
+        rotate 365
+        notifempty
+        sharedscripts
+        postrotate
+        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+    endscript
+}
--- a/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
+++ b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
@ -0,0 +1,32 @@
+{{ ansible_header | comment }}
+#$ModLoad imklog #Déjà présent dans rsyslog.conf
+
+# Messages du firewall (ie de sa génération)
+if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
+
+if $programname == 'firewall' then /var/log/firewall/iptables.log
+
+
+# kernel (facility = 0):
+# Discard broadcast (sinon trop de spam)
+# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
+# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
+# pas essayer)
+if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
+
+# LOG_ALL pour … je sais plus à quoi ça sert …
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
+&   ~
+
+# LOG_MAC_IP pour l'association mac_ip en ipv6
+if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
+
+# TRACE
+if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
+&   ~
+
+# filtre.log était parsé par un script pour gérer les déconnexions
+#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
+#&   ~
+
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~