crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[firewall] Handle logs locally

certbot_on_virtu
_shirenn 2022-01-15 17:43:41 +01:00 committed by pa
parent 810ea88dbc
commit 7b4e4cf1e0
7 changed files with 66 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
roles/logall/handlers/main.yml 100644
View File

@ -0,0 +1,10 @@
---
- name: systemctl restart rsyslog.service
systemd:
name: rsyslog
state: restarted
- name: systemctl restart logrotate.service
systemd:
name: logrotate
state: restarted

21
roles/logall/tasks/main.yml
View File

@ -22,24 +22,3 @@
mode: 0644 mode: 0644
owner: root owner: root
group: root group: root
- name: Create logs directory
file:
path: /logs
mode: 0755
owner: root
group: root
state: directory
- name: Deploy nfs systemd mount
template:
src: systemd/system/logs.mount.j2
dest: /etc/systemd/system/logs.mount
mode: 0644
- name: Load and activate nfs systemd mount
systemd:
name: logs.mount
daemon_reload: true
enabled: true
state: started

29
roles/logall/templates/logrotate.d/firewall.j2
View File

@ -1,29 +1,24 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
/var/log/firewall/trace.log /var/log/firewall/logall.prerouting.log
/var/log/firewall/filtre.log /var/log/firewall/logall.prerouting.json.log
/var/log/firewall/iptables.err /var/log/firewall/logall.srv.log
/var/log/firewall/iptables.log { /var/log/firewall/logall.srv.json.log
rotate 1 /var/log/firewall/logall.adh.log
weekly /var/log/firewall/logall.adh.json.log {
missingok
notifempty
compress
postrotate
/usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
endscript
}
/var/log/firewall/logall.log {
daily daily
compress compress
compresscmd /bin/bzip2 compresscmd /bin/bzip2
uncompresscmd /bin/bunzip2 uncompresscmd /bin/bunzip2
compressext .bz2 compressext .bz2
rotate 10 create 0640 root root
rotate 365
notifempty notifempty
sharedscripts sharedscripts
dateext
dateformat %Y-%m-%d.
extension log
postrotate postrotate
/usr/sbin/invoke-rc.d rsyslog rotate >/dev/null; usr/lib/rsyslog/rsyslog-rotate
QUIET=y /logs/firewall-logrotate-script.sh;
endscript endscript
} }

58
roles/logall/templates/rsyslog.d/10-firewall.conf.j2
View File

@ -1,32 +1,42 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
#$ModLoad imklog #Déjà présent dans rsyslog.conf template(name="logall" type="list" option.jsonf="on"){
property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
property(outname="host" name="hostname" format="jsonf")
property(outname="message" name="msg" format="jsonf")
}
# Messages du firewall (ie de sa génération) module(load="omprog")
if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
if $programname == 'firewall' then /var/log/firewall/iptables.log if ($syslogfacility == '0' and $msg contains 'LOG_ALL_PREROUTING')
then {
action(type="omprog"
binary="/usr/bin/python3 /usr/local/src/scripts/firewall/logs_to_json.py"
template="logall"
output="/var/log/firewall/logall.prerouting.json.log")
action(type="omfile" file="/var/log/firewall/logall.prerouting.log" template="logall")
stop
}
if ($syslogfacility == '0' and $msg contains 'LOG_ALL_ADH')
then {
action(type="omprog"
binary="/usr/bin/python3 /usr/local/src/scripts/firewall/logs_to_json.py"
template="logall"
output="/var/log/firewall/logall.adh.json.log")
action(type="omfile" file="/var/log/firewall/logall.adh.log" template="logall")
stop
}
# kernel (facility = 0): if ($syslogfacility == '0' and $msg contains 'LOG_ALL_SRV')
# Discard broadcast (sinon trop de spam) then {
# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu action(type="omprog"
# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux binary="/usr/bin/python3 /usr/local/src/scripts/firewall/logs_to_json.py"
# pas essayer) template="logall"
if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~ output="/var/log/firewall/logall.srv.json.log")
action(type="omfile" file="/var/log/firewall/logall.srv.log" template="logall")
stop
}
# LOG_ALL pour … je sais plus à quoi ça sert … # Legacy LOG_ALL
if $syslogfacility == '0' and $msg contains 'LOG_ALL' then /var/log/firewall/logall.log if $syslogfacility == '0' and $msg contains 'LOG_ALL' then /var/log/firewall/logall.log
& ~ & ~
# LOG_MAC_IP pour l'association mac_ip en ipv6
if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
# TRACE
if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
& ~
# filtre.log était parsé par un script pour gérer les déconnexions
#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
#& ~
if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~

14
roles/logall/templates/systemd/system/logs.mount.j2
View File

@ -1,14 +0,0 @@
{{ ansible_header | comment }}
[Unit]
Description=Mount home
Wants=network-online.target
After=network-online.target
[Mount]
What=172.16.10.1:/pool/logs
Where=/logs
Type=nfs
Options=rw,nosuid
[Install]
WantedBy=multi-user.target

5
roles/nfs-common/tasks/main.yml
View File

@ -16,10 +16,9 @@
- name: Disable and mask rpcbind.service - name: Disable and mask rpcbind.service
systemd: systemd:
name: rpcbind.service name: rpcbind.service
enabled: false masked: false
masked: true
- name: - name:
systemd: systemd:
name: rpcbind.socket name: rpcbind.socket
masked: true masked: false

2
roles/nfs-common/templates/nfs-common.j2
View File

@ -14,7 +14,7 @@ NEED_STATD=
STATDOPTS= STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4. # Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=no NEED_IDMAPD=
# Do you want to start the gssd daemon? It is required for Kerberos mounts. # Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD= NEED_GSSD=