Commit e0764e48 authored by Adam Lewenberg

add copy_to_syslog parameter

parent c75fa72f
unreleased (2017-XX-XX)
Add copy_to_syslog parameter to control whether or not audit logs are
sent to the syslog socket. (adamhl)
release/001.015 (2017-10-25)
Add $use_logsink_server parameter so that servers using Splunk, ELK,
Add use_logsink_server parameter so that servers using Splunk, ELK,
or its like will have the option to not send log files to the logsink
server. (adamhl)
......
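Review bot: The release/001.015 entry appears here as two near-identical lines, `Add $use_logsink_server parameter` and `Add use_logsink_server parameter`, which reads as an edit to an already released entry and is unrelated to copy_to_syslog; I would move that to its own commit. The new unreleased entry would also be more useful if it stated the parameter's default.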
......@@ -19,6 +19,10 @@
# legacy log-sink server, false otherwise. Eventually, the log-sink
# server will go away as we are moving to Splunk and ELK.
# Default: true
#
# $copy_to_syslog: set to true to send audit logs to the syslog socket.
# Default: false
define audit::auditd (
$content = 'NONE',
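Review bot: The new `$copy_to_syslog` comment documents only the true case. In the resource hunk further down, the false case sets `ensure => absent` on /etc/audisp/plugins.d/syslog.conf, so the comment should say that false removes the plugin configuration rather than leaving the file unmanaged.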
......@@ -33,6 +37,7 @@ define audit::auditd (
$use_logsink_server = true,
$space_left = 5000,
$space_left_action = 'SYSLOG',
$copy_to_syslog = false,
$ensure
) {
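Review bot: `$copy_to_syslog = false,` is added with no type check, and the value is later used directly in `if ($copy_to_syslog)`. A caller passing the string 'false' would take the true branch, because Puppet treats a non-empty string as true. Suggest validating it as a boolean, either with validate_bool from stdlib or with a Boolean type on the parameter where the Puppet version in use allows it.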
......@@ -75,16 +80,24 @@ define audit::auditd (
require => Package['auditd'],
}
# Where to send the audit
file {
'/etc/audisp/audispd.conf':
# Where to send the audit logs.
file { '/etc/audisp/audispd.conf':
source => "$afile/etc/audisp/audispd.conf",
require => Package['auditd'];
'/etc/audisp/plugins.d/syslog.conf':
}
if ($copy_to_syslog) {
file {'/etc/audisp/plugins.d/syslog.conf':
source => "$afile/etc/audisp/plugins.d/syslog.conf",
require => Package['auditd'];
require => Package['auditd'],
}
} else {
file {'/etc/audisp/plugins.d/syslog.conf':
ensure => absent,
}
}
# This fragment forwards to the log-sink server, so only
# provision if $use_logsink_server is true.
if ($use_logsink_server) {
......
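Review bot: In the else branch, `ensure => absent` combined with the `false` default means every node that does not set copy_to_syslog will have /etc/audisp/plugins.d/syslog.conf deleted on its next run, while the earlier form of this block managed that file unconditionally. If anything still consumes audit events from syslog, that feed stops without an error. Either default to true to preserve current behaviour, or call the change out explicitly in the changelog and confirm no consumer depends on it. Separately, neither syslog.conf file resource in this hunk carries a notify, so it is worth checking that the audit daemon picks up the change without a manual restart.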