From 97fbe9db0e85503cc47aaa740b376dd78217fe8e Mon Sep 17 00:00:00 2001
From: Bill MacAllister <whm@stanford.edu>
Date: Fri, 15 Nov 2013 00:56:38 -0800
Subject: [PATCH] syslog: First step in retiring /etc/syslog.conf

This change does not affect the current usage of the module.  It does
allow manifests to choose to retire /etc/syslog.conf in favor of
fragments in /etc/rsyslog.d to control the syslog activity.  One
default fragment, 90-local.conf, is provided; it writes syslog
messages locally.

This change also includes a fragment define that is used for the
management of rsyslog fragments.
---
 NEWS                                     |  8 +++
 files/syslog/etc/rsyslog.d/90-local.conf |  5 ++
 manifests/syslog/config/rsyslog.pp       | 31 +++++---
 manifests/syslog/fragment.pp             | 92 ++++++++++++++++++++++++
 templates/syslog/rsyslog.conf.erb        |  2 +
 5 files changed, 130 insertions(+), 8 deletions(-)
 create mode 100644 files/syslog/etc/rsyslog.d/90-local.conf
 create mode 100644 manifests/syslog/fragment.pp

diff --git a/NEWS b/NEWS
index 50a05d1..42bb13a 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,14 @@ release/003.000 (unreleased)
 
     Add validation check in newsyslog config.
 
+    Updates to base::syslog. Retire /etc/syslog.conf.  Modify
+    /etc/rsyslog.conf so that it contains no input/output
+    specifications.  Create a fragments define to manage files in
+    /etc/rsyslog.d.  Define one default fragment that replicates
+    current behavior if no additional fragments are added. (Bill
+    MacAllister <whm@stanford.edu>)
+
+
 release/002.002 (2013-09-10)
 
     Add support for a listen_addresses parameter to ssh::config::sshd that
diff --git a/files/syslog/etc/rsyslog.d/90-local.conf b/files/syslog/etc/rsyslog.d/90-local.conf
new file mode 100644
index 0000000..f1e4618
--- /dev/null
+++ b/files/syslog/etc/rsyslog.d/90-local.conf
@@ -0,0 +1,5 @@
+# 90-local.conf - Write syslog messages to the normal places locally
+
+*.emerg         *
+*.debug         /var/log/messages
+*.err           /dev/console
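Review bot: `*.debug /var/log/messages` selects every facility at every priority, so auth and authpriv messages land in the general log file. If that is meant to mirror the retired /etc/syslog.conf, a comment in the fragment should say so, and the mode of /var/log/messages (set elsewhere in rsyslog.conf, not visible in this hunk) should be confirmed to be restrictive. Otherwise consider `*.debug;auth,authpriv.none /var/log/messages` with a separate, restricted file for those facilities. The `*.emerg *` target is the legacy all-users form; later rsyslog versions expect `*.emerg :omusrmsg:*`, so check it against the deployed version.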
diff --git a/manifests/syslog/config/rsyslog.pp b/manifests/syslog/config/rsyslog.pp
index 00ade7f..c4944b2 100644
--- a/manifests/syslog/config/rsyslog.pp
+++ b/manifests/syslog/config/rsyslog.pp
@@ -1,17 +1,32 @@
 # create rsyslog.conf
 
 define base::syslog::config::rsyslog(
-    $ensure         = 'present',
-    $source         = undef,
-    $owner          = 'root',
-    $group          = 'root',
-    $mode           = '0644',
-    $replace        = true,
+    $ensure          = 'present',
+    $source          = undef,
+    $owner           = 'root',
+    $group           = 'root',
+    $mode            = '0644',
+    $replace         = true,
+    $use_syslog_conf = true,
 ) {
   if $source {
     $template = undef
   } else {
-    $template = template('base/syslog/rsyslog.conf.erb')
+    if $use_syslog_conf
+      $template = template('base/syslog/rsyslog.conf.erb')
+    } else {
+      $template = template('base/syslog/rsyslog-nosyslog.conf.erb')
+      file {
+        '/etc/syslog.conf':
+          ensure => absent;
+        '/etc/rsyslog.d/90-local.conf':
+          ensure  => present,
+          source  => 'puppet:///modules/base/syslog/etc/rsyslog.d/90-local.conf';
+          owner   => $owner,
+          group   => $group,
+          mode    => $mode;
+      }
+    }
   }
   file { $name:
     ensure  => $ensure,
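Review bot: The new else branch will not parse as written: the added `if $use_syslog_conf` line lacks its opening brace, and the `source` attribute of the '/etc/rsyslog.d/90-local.conf' resource ends in `;`, which closes the resource body before `owner`, `group` and `mode`. The two lines should read `if $use_syslog_conf {` and `source  => 'puppet:///modules/base/syslog/etc/rsyslog.d/90-local.conf',`. The branch also renders `base/syslog/rsyslog-nosyslog.conf.erb`, which the diffstat does not add; since the rsyslog.conf.erb hunk now guards the include with `use_syslog_conf`, the existing template could presumably serve both cases. Because the whole block sits on the `$source`-unset path, passing `use_syslog_conf => false` together with `source` silently leaves /etc/syslog.conf in place, and the 90-local.conf resource carries no `notify => Service['syslog']`, so the daemon may not pick the fragment up. The define's body continues past the end of this hunk.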
@@ -23,4 +38,4 @@ define base::syslog::config::rsyslog(
     replace => $replace,
     notify  => Service['syslog'],
   }
-}
\ No newline at end of file
+}
diff --git a/manifests/syslog/fragment.pp b/manifests/syslog/fragment.pp
new file mode 100644
index 0000000..f2e2f8a
--- /dev/null
+++ b/manifests/syslog/fragment.pp
@@ -0,0 +1,92 @@
+# modules/syslog/manifests/fragment.pp - definition for
+# base::iptables::fragments ()
+#
+# Install or remove a syslog fragment.  Recommented practice is to
+# include fragments in the syslog module, but they can be pulled from
+# any puppet manifest.  The default is use puppet templates for
+# fragments which allows dynamic content without having to define all
+# possible substitutions as part of the define.  Some default values
+# are provided for example syslog_target defaults to
+# logsink.stanford.edu.
+#
+# Example:
+#
+#  syslog_target = 'logsink-dev.stanford.edu'
+#  base::syslog::fragment { '50-tcp-output.conf': ensure => present }
+#
+# Example:
+#
+#  base::syslog::fragment {
+#    '90-default-remote.conf':
+#      ensure => present;
+#    '95-local.conf':
+#      ensure => present,
+#      source => 'puppet:///modules/s_audit/etc/rsyslog.d/95-local.conf',
+#  }
+
+define base::syslog::fragment(
+  $ensure,
+  $source  = NOSRC,
+  $content = NOCONTENT)
+{
+  $realname = "/etc/rsyslog.d/$name"
+  $codename = "syslog::fragment"
+  $basetmpl = "base/etc/rsyslog.d/${name}.erb"
+
+  # Useful default template values
+  if $syslog_target {
+    $logsink_server = $syslog_target
+  } else {
+    $logsink_server = 'logsink.stanford.edu'
+  }
+  
+  case $ensure {
+
+    present: {
+      case $content {
+        'NOCONTENT': {
+          case $source {
+            'NOSRC': {
+              # Use default content 
+              file { "$realname":
+                content => template($basetmpl),
+                notify  => Service['syslog'],
+              }
+            }
+            default: {
+              # Source specificed
+              file { "$realname":
+                source => "$source",
+                notify => Service['syslog'],
+              }
+            }
+          }
+        }
+        default: {
+          case $source {
+            'NOSRC': {
+              file { "$realname":
+                source => "$source",
+                notify => Service['syslog'],
+              }
+            }
+            default: {
+              fail "$codename - source or content, not both."
+            }
+          }
+        }
+      }
+    }
+
+    absent: {
+      file { "$realname":
+        ensure => absent,
+        notify => Service['syslog'],
+      }
+    }
+
+    default: {
+      crit "Invalid ensure value: $ensure"
+    }
+  }
+}
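Review bot: In the content-supplied branch (the outer `default:` under `case $content`), the `'NOSRC'` case still declares `source => "$source"`, so the file's source becomes the literal sentinel NOSRC and `$content` is never used; that line should be `content => $content,`. None of the `file` resources sets `owner`, `group` or `mode`, so permissions on files under /etc/rsyslog.d fall to whatever defaults are in effect; pinning `owner => 'root', group => 'root', mode => '0644'` would match the defaults of base::syslog::config::rsyslog. An invalid `ensure` is only logged with `crit` while the source/content conflict uses `fail`; using `fail "$codename - invalid ensure value: $ensure"` would stop the catalog instead of quietly managing nothing. The header comment still names `base::iptables::fragments ()` and `modules/syslog/manifests/fragment.pp` and should be corrected to `base::syslog::fragment`, along with the "Recommented" typo.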
diff --git a/templates/syslog/rsyslog.conf.erb b/templates/syslog/rsyslog.conf.erb
index 089e01e..7acf902 100644
--- a/templates/syslog/rsyslog.conf.erb
+++ b/templates/syslog/rsyslog.conf.erb
@@ -28,8 +28,10 @@ $DirCreateMode 0755
 $SystemLogRateLimitInterval 0
 
 <% end -%>
+<% if use_syslog_conf -%>
 # Include the syslog rules first so they can be overriden by rsyslog.d.
 $IncludeConfig /etc/syslog.conf
 
+<% end -%>
 # Include all config files in /etc/rsyslog.d.
 $IncludeConfig /etc/rsyslog.d/*.conf
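Review bot: The new guard reads `use_syslog_conf` as a bare local name; newer Puppet releases deprecate that lookup in templates in favour of the instance-variable form, so `<% if @use_syslog_conf -%>` is the safer spelling if the deployed version supports it. The rest of the template lies outside this hunk, so match whichever form its other conditionals use. A one-line ERB comment above the guard would help readers trace the variable, e.g. `<%# use_syslog_conf is a parameter of base::syslog::config::rsyslog -%>`.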
-- 
GitLab