crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[logall] Deploy rsyslogd config, logrotate and mount logs

certbot_on_virtu
_benjamin 2021-01-02 11:03:34 +01:00 committed by Benjamin Graillot
parent 834f8e34bd
commit 4a20b96da3
5 changed files with 48 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
plays/firewall.yml
View File

@ -2,6 +2,9 @@
--- ---
# Deploy sysctl config files # Deploy sysctl config files
- hosts: crans_routeurs - hosts: crans_routeurs
vars:
logs:
ip: 172.16.10.1
roles: roles:
- sysctl-forwarding - sysctl-forwarding
- logall - logall

29
roles/logall/tasks/main.yml
View File

@ -7,6 +7,14 @@
owner: root owner: root
group: root group: root
- name: Create firewall log directory
file:
path: /var/log/firewall
mode: 0755
owner: root
group: root
state: directory
- name: Deploy firewall logrotate - name: Deploy firewall logrotate
template: template:
src: logrotate.d/firewall.j2 src: logrotate.d/firewall.j2
@ -14,3 +22,24 @@
mode: 0644 mode: 0644
owner: root owner: root
group: root group: root
- name: Create logs directory
file:
path: /logs
mode: 0755
owner: root
group: root
state: directory
- name: Deploy nfs systemd mount
template:
src: systemd/system/logs.mount.j2
dest: /etc/systemd/system/logs.mount
mode: 0644
- name: Load and activate nfs systemd mount
systemd:
name: logs.mount
daemon_reload: true
enabled: true
state: started

2
roles/logall/templates/logrotate.d/firewall.j2
View File

@ -24,6 +24,6 @@
sharedscripts sharedscripts
postrotate postrotate
/usr/sbin/invoke-rc.d rsyslog rotate >/dev/null; /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
QUIET=y /usr/scripts/firewall/firewall-logrotate-script.sh; QUIET=y /logs/firewall-logrotate-script.sh;
endscript endscript
} }

2
roles/logall/templates/rsyslog.d/10-firewall.conf.j2
View File

@ -15,7 +15,7 @@ if $programname == 'firewall' then /var/log/firewall/iptables.log
if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~ if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
# LOG_ALL pour … je sais plus à quoi ça sert … # LOG_ALL pour … je sais plus à quoi ça sert …
if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=136.231.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
& ~ & ~
# LOG_MAC_IP pour l'association mac_ip en ipv6 # LOG_MAC_IP pour l'association mac_ip en ipv6

14
roles/logall/templates/systemd/system/logs.mount.j2 100644
View File

@ -0,0 +1,14 @@
{{ ansible_header | comment }}
[Unit]
Description=Mount home
Wants=network-online.target
After=network-online.target
[Mount]
What={{ logs.ip }}:/pool/logs
Where=/logs
Type=nfs
Options=rw,nosuid
[Install]
WantedBy=multi-user.target