Commit c75fa72f authored by Adam Lewenberg's avatar Adam Lewenberg

add use_logsink_server option

parent 366fe6e3
release/001.015 (2017-10-25)
Add $use_logsink_server parameter so that servers using Splunk, ELK,
or its like will have the option to not send log files to the logsink
server. (adamhl)
release/001.014 (2016-03-11)
When ensuring 'absent' also remove the audisp-simplify newsyslog
......
......@@ -14,6 +14,11 @@
# Example client server:
#
# audit::auditd { "{$::hostname}.stanford.edu": ensure => present }
#
# $use_sink_server: set to true if you want to forward auditd logs to the
# legacy log-sink server, false otherwise. Eventually, the log-sink
# server will go away as we are moving to Splunk and ELK.
# Default: true
define audit::auditd (
$content = 'NONE',
......@@ -25,6 +30,7 @@ define audit::auditd (
$num_logs = 5,
$simplify = 'true',
$syslog_server = 'logsink.stanford.edu',
$use_logsink_server = true,
$space_left = 5000,
$space_left_action = 'SYSLOG',
$ensure
......@@ -78,10 +84,19 @@ define audit::auditd (
source => "$afile/etc/audisp/plugins.d/syslog.conf",
require => Package['auditd'];
}
base::syslog::fragment {
'50-audisp-remote.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
# This fragment forwards to the log-sink server, so only
# provision if $use_logsink_server is true.
if ($use_logsink_server) {
base::syslog::fragment {
'50-audisp-remote.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/50-audisp-remote.conf.erb'),
}
} else {
base::syslog::fragment {
'50-audisp-remote.conf': ensure => 'absent';
}
}
# Test the simplification of auditd logging
......@@ -130,6 +145,7 @@ define audit::auditd (
'15-input-simplify.conf': ensure => 'absent';
'40-simplify.conf': ensure => 'absent';
}
} else {
$syslog_tag = 'audispSimplify'
base::syslog::fragment {
......@@ -139,9 +155,20 @@ define audit::auditd (
'15-input-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/15-input-simplify.conf.erb');
'40-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
}
# This fragment forwards to the log-sink server, so only
# provision if $use_logsink_server is true.
if ($use_logsink_server) {
base::syslog::fragment {
'40-simplify.conf':
ensure => 'present',
content => template('audit/etc/rsyslog.d/40-simplify.conf.erb');
}
} else {
base::syslog::fragment {
'40-simplify.conf': ensure => 'absent';
}
}
}
}
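Review bot: The parameter documentation added at the top of the define names `$use_sink_server`, but the parameter declared a few lines below is `$use_logsink_server`; the comment should read `# $use_logsink_server: set to true if you want to forward auditd logs to the`. The two new `if ($use_logsink_server)` guards decide whether audit data is forwarded to the legacy log-sink host, and sibling parameters in this define (`$simplify = 'true'`) use string booleans, so a caller following that convention and passing `'false'` would, as far as I can tell from Puppet's truthiness rules, still take the forwarding branch. Stating in the same comment that a real boolean (not the string `'false'`) is expected, or validating it up front with `validate_bool($use_logsink_server)` where stdlib is available, would make the intent enforceable rather than implicit. The same guard/else pair is repeated for `40-simplify.conf` in the last hunk; the wording fix applies to both.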
......
# audisp-simplify output
input(type="imfile" File="/var/log/audisp-simplify"
Tag="<%= @syslog_tag %>"
input(type="imfile" File="/var/log/audisp-simplify"
Tag="<%= @syslog_tag %>"
Severity="info"
PersistStateInterval="20000"
StateFile="stat-audisp-simplify")