From 24fdf21bb4e6fd89d9ab749062ee2253c4575c5d Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Mon, 24 May 2021 17:06:26 +0200
Subject: [PATCH] [logall-cachan] flemme de pepcrans

---
 plays/firewall.yml                            |  6 +++-
 roles/logall-cachan/tasks/main.yml            | 24 ++++++++++++++
 .../templates/logrotate.d/firewall.j2         | 28 ++++++++++++++++
 .../templates/rsyslog.d/10-firewall.conf.j2   | 32 +++++++++++++++++++
 4 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 roles/logall-cachan/tasks/main.yml
 create mode 100644 roles/logall-cachan/templates/logrotate.d/firewall.j2
 create mode 100644 roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2

diff --git a/plays/firewall.yml b/plays/firewall.yml
index 79ba1112..f88b2bd8 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -1,9 +1,13 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: routeurs_vms
+- hosts: routeurs_vms !routeur-gulp.cachan-adm.crans.org
   roles:
     - logall
 
+- hosts: routeur-gulp.cachan-adm.crans.org
+  roles:
+    - logall-cachan
+
 - hosts: firewall
   vars:
     service: "{{ glob_service_firewall | default({}) | combine(loc_service_firewall | default({})) }}"
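Review bot: The exclusion on the new `hosts:` line hard-codes the FQDN `routeur-gulp.cachan-adm.crans.org` here and again on the new play below, so a rename or a second Cachan router silently falls back under `logall` while the `logall-cachan` play no longer matches it. Referencing an inventory group from both plays (a constructed name such as `routeurs_cachan`, excluded as `routeurs_vms:!routeurs_cachan`) keeps the two patterns in sync by construction. The space-separated exclusion works, since Ansible splits patterns on whitespace as well as `:`, but the documented idiom is the colon form, `- hosts: routeurs_vms:!routeur-gulp.cachan-adm.crans.org`.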
diff --git a/roles/logall-cachan/tasks/main.yml b/roles/logall-cachan/tasks/main.yml
new file mode 100644
index 00000000..8a4b031d
--- /dev/null
+++ b/roles/logall-cachan/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Deploy firewall rsyslog
+  template:
+    src: rsyslog.d/10-firewall.conf.j2
+    dest: /etc/rsyslog.d/10-firewall.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Create firewall log directory
+  file:
+    path: /var/log/firewall
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
+- name: Deploy firewall logrotate
+  template:
+    src: logrotate.d/firewall.j2
+    dest: /etc/logrotate.d/firewall
+    mode: 0644
+    owner: root
+    group: root
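Review bot: The first task drops 10-firewall.conf into /etc/rsyslog.d but never notifies a handler, so on a host where rsyslog is already running the new filters stay inactive until someone restarts the daemon by hand and nothing is written under /var/log/firewall. Add `notify: Restart rsyslog` (or whatever handler name the sibling `logall` role uses — its handlers are not in this diff) to the template task and ship a matching `handlers/main.yml` that restarts the `rsyslog` service; the diffstat shows this role has no handlers file at all. Two smaller points: `mode: 0644` / `mode: 0755` rely on the YAML 1.1 leading-zero octal rule, and quoting them (`mode: "0644"`) is the form yamllint and the Ansible docs recommend; and with rsyslog's default file-creation mode of 0644, a 0755 /var/log/firewall leaves the firewall traces (source addresses, MACs) readable by every local account — consider `mode: "0750"` with `group: adm` if that exposure is not intended.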
diff --git a/roles/logall-cachan/templates/logrotate.d/firewall.j2 b/roles/logall-cachan/templates/logrotate.d/firewall.j2
new file mode 100644
index 00000000..9948f3b8
--- /dev/null
+++ b/roles/logall-cachan/templates/logrotate.d/firewall.j2
@@ -0,0 +1,28 @@
+{{ ansible_header | comment }}
+
+/var/log/firewall/trace.log
+/var/log/firewall/filtre.log
+/var/log/firewall/iptables.err
+/var/log/firewall/iptables.log {
+    rotate 1
+        weekly
+        missingok
+        notifempty
+        compress
+        postrotate
+        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+    endscript
+}
+/var/log/firewall/logall.log {
+    daily
+        compress
+        compresscmd /bin/bzip2
+        uncompresscmd /bin/bunzip2
+        compressext .bz2
+        rotate 365
+        notifempty
+        sharedscripts
+        postrotate
+        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+    endscript
+}
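Review bot: The first stanza (the four files ending in `/var/log/firewall/iptables.log {`) has no `sharedscripts`, so logrotate runs its `postrotate` block — and with it `invoke-rc.d rsyslog rotate` — once per rotated file, up to four times per run; the `logall.log` stanza already does it right. Add `sharedscripts` next to `missingok` in the first stanza. The indentation is uneven in both stanzas (`rotate 1` and `daily` at four spaces, the following directives at eight); aligning every directive at one level would read like the rest of logrotate.d. `/var/log/firewall/filtre.log` is rotated here although the rsyslog rule that would write it is commented out in 10-firewall.conf.j2 — `missingok` makes that harmless, but a one-line comment saying it is kept on purpose would save the next reader a grep.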
diff --git a/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2 b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
new file mode 100644
index 00000000..61281ea9
--- /dev/null
+++ b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
@@ -0,0 +1,32 @@
+{{ ansible_header | comment }}
+#$ModLoad imklog #Déjà présent dans rsyslog.conf
+
+# Messages du firewall (ie de sa génération)
+if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
+
+if $programname == 'firewall' then /var/log/firewall/iptables.log
+
+
+# kernel (facility = 0):
+# Discard broadcast (sinon trop de spam)
+# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
+# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
+# pas essayer)
+if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
+
+# LOG_ALL pour … je sais plus à quoi ça sert …
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
+&   ~
+
+# LOG_MAC_IP pour l'association mac_ip en ipv6
+if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
+
+# TRACE
+if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
+&   ~
+
+# filtre.log était parsé par un script pour gérer les déconnexions
+#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
+#&   ~
+
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~
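Review bot: The LOG_ALL selector on the long `if $syslogfacility == '0' and $msg contains 'LOG_ALL' and (...)` line matches sources by string prefix, and two prefixes cover less than their names suggest: `'SRC=172.16.'` only catches 172.16.0.0/16 (not 172.17–172.31 of the RFC 1918 172.16.0.0/12 block) and `'SRC=100.64.'` only 100.64.0.0/16 (not the rest of 100.64.0.0/10). If the intent is "everything originating from our internal and public ranges", packets from the uncovered second octets fall through to the final discard on the last line and are never recorded — either enumerate the missing prefixes or, on rsyslog ≥ 7, match the SRC field with a regex that bounds the octet. The `~` discard used here and on the `&   ~` lines is the pre-v7 spelling; `stop` is the current form and avoids the deprecation warning at startup. `$syslogseverity <= '3'` compares against a quoted string — presumably fine via RainerScript conversion, but the numeric `<= 3` states the intent plainly and is worth confirming against the deployed rsyslog version.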