Commit aa1bff03 authored by Bill MacAllister's avatar Bill MacAllister

Add base::syslog::tls to support TLS/RELP

parent 727de8cc
release/003.028 (unreleased)
release/003.028 (2014-06-17)
Fix filter-syslog rules for rsyslog to ignore restart messages. (rra)
......@@ -10,7 +10,10 @@ release/003.028 (unreleased)
security support. (rra)
Adjust highWater marking settings for remote rsyslog queues based
on suggestions from rsyslog start messages.
on suggestions from rsyslog start messages. (whm)
Add base::syslog::tls to support TLS/RELP connections between
an rsyslog client and an rsyslog server. (whm)
release/003.027 (2014-05-23)
......
# Read log data from a file
module(load="imfile" PollingInterval="1")
# Install or remove an rsyslog fragment that supports TLS/RELP
# connections.
#
# The tricky part of setting up a TLS/RELP connection between a client
# and a syslog server is getting the required certificates installed.
# See the ikiwiki documentation for help in generating the client
# certificates.
#
# Fragment Example
# ----------------
#
# if $syslogfacility-text == 'local4' then {
# action(type="omfile"
# file="/var/log/ldap"
# template="FileFormat")
# action(type="omrelp"
# name="<%= @cert_subject %>Remote"
# Target="<%= @syslog_server %>"
# Port="10515"
# tls="on"
# tls.caCert="<%= @ca_cert_file %>"
# tls.myCert="<%= @client_cert %>"
# tls.myPrivKey="<%= @client_key %>"
# tls.authmode="name"
# tls.permittedpeer=["syslog.<%= @syslog_server %>"]
# queue.FileName="<%= @cert_subject %>Queue"
# template="ForwardFormat")
# stop
# }
#
# Simple Exmaple
# --------------
#
# base::syslog::tls { '50-ldap-remote.conf':
# ensure => 'present',
# content => 's_idg_test/etc/rsyslog.d/50-ldap-tls.conf.erb'),
# }
#
# Complex Example
# ---------------
#
# class s_idg_test::zoot-vm2 inherits defaults {
# include s_idg_test::zoot-vm2::syslog
# }
#
# class s_idg_test::zoot-vm2::syslog inherits base::syslog {
# Base::Syslog::Config::Rsyslog['/etc/rsyslog.conf'] {
# use_default => false,
# }
#
# base::syslog::tls { '50-ldap-tls.conf':
# ensure => 'present',
# syslog_server => 'logsink-dev.stanford.edu',
# content => 's_idg_test/etc/rsyslog.d/50-ldap-tls.conf.erb',
# }
#
# base::syslog::tls { '95-default-tls.conf':
# ensure => 'present',
# syslog_server => 'logsink-dev.stanford.edu',
# content => 's_idg_test/etc/rsyslog.d/95-default-tls.conf.erb',
# install_cert => false,
# }
# }
define base::syslog::tls(
$ensure = 'present',
$content = undef,
$syslog_server = 'logsink.stanford.edu',
$service_name = undef,
$install_cert = true
) {
include syslog::tls_support
$realname = "/etc/rsyslog.d/$name"
$basetmpl = "base/syslog/etc/rsyslog.d/${name}.erb"
$ca_cert_file = "/etc/ssl/certs/${syslog_server}.ca.pem"
# Require a template
if $content == undef {
fail('syslog fragment must be specified')
}
if $ensure == 'present' {
# Install the certificate for the service
if $service_name == undef {
$cert_subject = "syslog.${::fqdn}"
} else {
$cert_subject = "syslog.${service_name}"
}
if $install_cert == true {
apache::cert::other { $cert_subject:
ensure => present,
keyname => "ssl-key/${cert_subject}",
identity => "${cert_subject}.pem",
symlink => false,
notify => Service['syslog'],
}
}
# Install the rsyslog fragment from a template
$client_cert = "/etc/ssl/certs/${cert_subject}.pem"
$client_key = "/etc/ssl/private/${cert_subject}.key"
file { $realname:
ensure => $ensure,
content => template($content),
notify => Service['syslog'],
require => File["/etc/ssl/certs/${syslog_server}.ca.pem"],
}
} else {
file { $realname: ensure => $ensure }
}
}
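Review bot: `include syslog::tls_support` near the top of the define names a class that does not exist under that name; the class added in this commit is `base::syslog::tls_support`, so the include only works through Puppet's relative name lookup from inside `base::syslog`, which is unreliable and deprecated in later releases — use the fully qualified name, `include base::syslog::tls_support`. The `require => File["/etc/ssl/certs/${syslog_server}.ca.pem"]` on the fragment repeats the path that `$ca_cert_file` already holds a few lines earlier, so `require => File[$ca_cert_file],` would keep the two from drifting, and `$basetmpl` is assigned but never read. That require also only resolves if the `tls_support` class declares the CA file for the same `$syslog_server` the define was given; as written the class has no such parameter, so a fragment with a non-default `syslog_server` will presumably fail catalog compilation on the missing File reference. In the header comment, "Simple Exmaple" is misspelled and the `content =>` line of that example has a stray `)` before the comma.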
# Packages and rsyslog fragmens required for TLS/RELP support
class base::syslog::tls_support {
package {
'rsyslog-gnutls': ensure => installed;
'rsyslog-relp': ensure => installed;
}
base::syslog::fragment { '10-outputs.conf':
ensure => present,
source => 'puppet:///modules/syslog/etc/rsyslog.d/10-outputs.conf';
}
# Install the CA certificate for the syslog server
$ca_cert_file = "/etc/ssl/certs/${syslog_server}.ca.pem"
file { $ca_cert_file:
ensure => present,
source => "puppet:///modules/cert-files/${syslog_server}.ca.pem",
notify => Service['syslog'],
}
apache::cert::hash { "${syslog_server}.ca.pem":
ensure => present,
require => File["/etc/ssl/certs/${syslog_server}.ca.pem"],
}
}
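Review bot: `$syslog_server` is neither a parameter of `base::syslog::tls_support` nor assigned inside it, so the interpolations in `$ca_cert_file`, the `source =>` URL and the `apache::cert::hash` title resolve through top scope and, unless a top-scope `$syslog_server` happens to exist, produce `/etc/ssl/certs/.ca.pem` and a hash resource titled `.ca.pem`. Giving the class an explicit default, `class base::syslog::tls_support($syslog_server = 'logsink.stanford.edu') {`, matches the define's default and keeps a plain `include` working; it does mean a fragment declared with a different `syslog_server` still gets only the default CA, which is worth stating in the class comment. The hash resource's `require => File["/etc/ssl/certs/${syslog_server}.ca.pem"]` can be `require => File[$ca_cert_file],` since that variable is defined two resources above. "fragmens" in the header comment should be "fragments".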
# 80-remote-default.conf
#
# Default remote logging when we don't have any other rules to
# direct the logging from remote hosts.
$template Remote, "/var/log/remote/default.log"
:source , !isequal , "<%= hostname %>" -?Remote
:source , !isequal , "<%= hostname %>" stop
# Write all syslog messages from any remote host to a default
# location. The expectation is that rules for specific hosts
# will be prefixed with numbers less than 80.
if $hostname != '<%= hostname %>' then {
action(type="omfile"
file="/var/log/remote/default.log"
template="FileFormat")
stop
}
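Review bot: The condition `if $hostname != '<%= hostname %>'` selects on the hostname carried in the message header, which the sending peer controls, rather than on the peer the message was received from; a remote sender that puts this server's name in its messages would skip the default remote file and fall through to the later rules. If the intent is "every message not received locally", `$fromhost` is the receive-side property, e.g. `if $fromhost != '<%= hostname %>' then {`, though the removed `:source` rules had the same header-based semantics, so this is a pre-existing caveat rather than a regression — please confirm which behaviour is wanted and record it in the comment above the rule, e.g. `# Keyed on the message hostname, not the sending peer; see $fromhost.`.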
# Default log processing using tls/relp to connect to remote syslog
# server.
*.emerg action(type="omusrmsg"
name="emerg"
users="root")
*.debug action(type="omfile"
name="defaultLocal"
file="/var/log/messages"
template="FileFormat")
*.debug action(type="omrelp"
name="defaultRemote"
Target="<%= syslog_server %>"
Port="10515"
tls="on"
tls.caCert="<%= @ca_cert_file %>"
tls.myCert="<%= @client_cert %>"
tls.myPrivKey="<%= @client_key %>"
tls.authmode="name"
tls.permittedpeer=["syslog.<%= @syslog_server %>"]
queue.FileName="<%= @cert_subject %>Queue"
queue.Type="LinkedList"
template="ForwardFormat")
*.err action(type="omfile"
name="err"
file="/dev/console")
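Review bot: `Target="<%= syslog_server %>"` reads the variable with a bare name while `tls.permittedpeer=["syslog.<%= @syslog_server %>"]` and every other tag in the same action use the `@` form; bare-name lookup in Puppet templates relies on a deprecated fallback that warns on newer releases, and the two styles can diverge if one of them stops resolving. Since `$syslog_server` is a parameter of the `base::syslog::tls` define that renders this template, `Target="<%= @syslog_server %>"` is the form that matches the rest of the file. A short comment above the `omrelp` action noting that the peer's certificate must carry the subject `syslog.<server>` for `tls.authmode="name"` to succeed would save the next reader a trip to the define's header comment.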