diff --git a/README b/README new file mode 100644 index 0000000..e2b265d --- /dev/null +++ b/README @@ -0,0 +1,10 @@ +syslog puppet module +#################### + +This module configures syslog-ng both as a client or as a server. + +# Syslog client +include syslog + +# Syslog server +include syslog::server diff --git a/manifests/classes/base.pp b/manifests/classes/base.pp new file mode 100644 index 0000000..bf8dac2 --- /dev/null +++ b/manifests/classes/base.pp @@ -0,0 +1,17 @@ +class syslog { + package {"syslog-ng": + ensure => installed, + } + + service {"syslog-ng": + ensure => running, + subscribe => File["/etc/syslog-ng/syslog-ng.conf"], + require => Package["syslog-ng"], + } + + file {"/etc/syslog-ng/syslog-ng.conf": + ensure => present, + content => template("syslog/syslog-ng.client.conf.erb"), + require => Package["syslog-ng"], + } +} diff --git a/manifests/classes/server.pp b/manifests/classes/server.pp new file mode 100644 index 0000000..53afbff --- /dev/null +++ b/manifests/classes/server.pp @@ -0,0 +1,27 @@ +class syslog::server inherits syslog { + package {"logrotate": + ensure => installed, + } + + File["/etc/syslog-ng/syslog-ng.conf"] { + ensure => present, + content => template("syslog/syslog-ng.server.conf.erb"), + } + + # Log repository + file {"/srv/syslog": + ensure => directory, + } + + file {"/srv/syslog/logs": + ensure => directory, + require => File["/srv/syslog"], + } + + # Log rotation + file {"/etc/logrotate.d/logserver": + ensure => present, + content => template("syslog/logserver.logrotate.erb"), + require => Package["logrotate"], + } +} diff --git a/manifests/init.pp b/manifests/init.pp new file mode 100644 index 0000000..6d5452c --- /dev/null +++ b/manifests/init.pp @@ -0,0 +1,2 @@ + +import "classes/*.pp" diff --git a/templates/logserver.logrotate.erb b/templates/logserver.logrotate.erb new file mode 100644 index 0000000..e6a86ec --- /dev/null +++ b/templates/logserver.logrotate.erb @@ -0,0 +1,6 @@ +/srv/syslog/logs/*/*.log { + weekly + rotate 52 + compress + missingok +} diff --git a/templates/syslog-ng.client.conf.erb b/templates/syslog-ng.client.conf.erb new file mode 100644 index 0000000..ba3f884 --- /dev/null +++ b/templates/syslog-ng.client.conf.erb @@ -0,0 +1,353 @@ +# +# Configuration file for syslog-ng under Debian +# +# attempts at reproducing default syslog behavior + +# the standard syslog levels are (in descending order of priority): +# emerg alert crit err warning notice info debug +# the aliases "error", "panic", and "warn" are deprecated +# the "none" priority found in the original syslogd configuration is +# only used in internal messages created by syslogd + + +###### +# options + +options { + # disable the chained hostname format in logs + # (default is enabled) + chain_hostnames(0); + + # the time to wait before a died connection is re-established + # (default is 60) + time_reopen(10); + + # the time to wait before an idle destination file is closed + # (default is 60) + time_reap(360); + + # the number of lines buffered before written to file + # you might want to increase this if your disk isn't catching with + # all the log messages you get or if you want less disk activity + # (say on a laptop) + # (default is 0) + #sync(0); + + # the number of lines fitting in the output queue + log_fifo_size(2048); + + # enable or disable directory creation for destination files + create_dirs(yes); + + # default owner, group, and permissions for log files + # (defaults are 0, 0, 0600) + #owner(root); + group(adm); + perm(0640); + + # default owner, group, and permissions for created directories + # (defaults are 0, 0, 0700) + #dir_owner(root); + #dir_group(root); + dir_perm(0755); + + # enable or disable DNS usage + # syslog-ng blocks on DNS queries, so enabling DNS may lead to + # a Denial of Service attack + # (default is yes) + use_dns(no); + + # maximum length of message in bytes + # this is only limited by the program listening on the /dev/log Unix + # socket, glibc can handle arbitrary length log messages, but -- for + # example -- syslogd accepts only 1024 bytes + # (default is 2048) + #log_msg_size(2048); + + #Disable statistic log messages. + stats_freq(0); +}; + + +###### +# sources + +# all known message sources +source s_all { + # message generated by Syslog-NG + internal(); + # standard Linux log source (this is the default place for the syslog() + # function to send logs to) + unix-stream("/dev/log"); + # messages from the kernel + file("/proc/kmsg" log_prefix("kernel: ")); + # use the following line if you want to receive remote UDP logging messages + # (this is equivalent to the "-r" syslogd flag) + # udp(); +}; + + +###### +# destinations + +# some standard log files +destination df_auth { file("/var/log/auth.log"); }; +destination df_syslog { file("/var/log/syslog"); }; +destination df_cron { file("/var/log/cron.log"); }; +destination df_daemon { file("/var/log/daemon.log"); }; +destination df_kern { file("/var/log/kern.log"); }; +destination df_lpr { file("/var/log/lpr.log"); }; +destination df_mail { file("/var/log/mail.log"); }; +destination df_user { file("/var/log/user.log"); }; +destination df_uucp { file("/var/log/uucp.log"); }; + +# these files are meant for the mail system log files +# and provide re-usable destinations for {mail,cron,...}.info, +# {mail,cron,...}.notice, etc. +destination df_facility_dot_info { file("/var/log/$FACILITY.info"); }; +destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); }; +destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); }; +destination df_facility_dot_err { file("/var/log/$FACILITY.err"); }; +destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); }; + +# these files are meant for the news system, and are kept separated +# because they should be owned by "news" instead of "root" +destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); }; +destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); }; +destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); }; + +# some more classical and useful files found in standard syslog configurations +destination df_debug { file("/var/log/debug"); }; +destination df_messages { file("/var/log/messages"); }; + +# pipes +# a console to view log messages under X +destination dp_xconsole { pipe("/dev/xconsole"); }; + +# consoles +# this will send messages to everyone logged in +destination du_all { usertty("*"); }; + + +###### +# filters + +# all messages from the auth and authpriv facilities +filter f_auth { facility(auth, authpriv); }; + +# all messages except from the auth and authpriv facilities +filter f_syslog { not facility(auth, authpriv); }; + +# respectively: messages from the cron, daemon, kern, lpr, mail, news, user, +# and uucp facilities +filter f_cron { facility(cron); }; +filter f_daemon { facility(daemon); }; +filter f_kern { facility(kern); }; +filter f_lpr { facility(lpr); }; +filter f_mail { facility(mail); }; +filter f_news { facility(news); }; +filter f_user { facility(user); }; +filter f_uucp { facility(uucp); }; + +# some filters to select messages of priority greater or equal to info, warn, +# and err +# (equivalents of syslogd's *.info, *.warn, and *.err) +filter f_at_least_info { level(info..emerg); }; +filter f_at_least_notice { level(notice..emerg); }; +filter f_at_least_warn { level(warn..emerg); }; +filter f_at_least_err { level(err..emerg); }; +filter f_at_least_crit { level(crit..emerg); }; + +# all messages of priority debug not coming from the auth, authpriv, news, and +# mail facilities +filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; + +# all messages of info, notice, or warn priority not coming form the auth, +# authpriv, cron, daemon, mail, and news facilities +filter f_messages { + level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news); +}; + +# messages with priority emerg +filter f_emerg { level(emerg); }; + +# complex filter for messages usually sent to the xconsole +filter f_xconsole { + facility(daemon,mail) + or level(debug,info,notice,warn) + or (facility(news) + and level(crit,err,notice)); +}; + + +###### +# logs +# order matters if you use "flags(final);" to mark the end of processing in a +# "log" statement + +# these rules provide the same behavior as the commented original syslogd rules + +# auth,authpriv.* /var/log/auth.log +log { + source(s_all); + filter(f_auth); + destination(df_auth); +}; + +# *.*;auth,authpriv.none -/var/log/syslog +log { + source(s_all); + filter(f_syslog); + destination(df_syslog); +}; + +# this is commented out in the default syslog.conf +# cron.* /var/log/cron.log +#log { +# source(s_all); +# filter(f_cron); +# destination(df_cron); +#}; + +# daemon.* -/var/log/daemon.log +log { + source(s_all); + filter(f_daemon); + destination(df_daemon); +}; + +# kern.* -/var/log/kern.log +log { + source(s_all); + filter(f_kern); + destination(df_kern); +}; + +# lpr.* -/var/log/lpr.log +log { + source(s_all); + filter(f_lpr); + destination(df_lpr); +}; + +# mail.* -/var/log/mail.log +log { + source(s_all); + filter(f_mail); + destination(df_mail); +}; + +# user.* -/var/log/user.log +log { + source(s_all); + filter(f_user); + destination(df_user); +}; + +# uucp.* /var/log/uucp.log +log { + source(s_all); + filter(f_uucp); + destination(df_uucp); +}; + +# mail.info -/var/log/mail.info +log { + source(s_all); + filter(f_mail); + filter(f_at_least_info); + destination(df_facility_dot_info); +}; + +# mail.warn -/var/log/mail.warn +log { + source(s_all); + filter(f_mail); + filter(f_at_least_warn); + destination(df_facility_dot_warn); +}; + +# mail.err /var/log/mail.err +log { + source(s_all); + filter(f_mail); + filter(f_at_least_err); + destination(df_facility_dot_err); +}; + +# news.crit /var/log/news/news.crit +log { + source(s_all); + filter(f_news); + filter(f_at_least_crit); + destination(df_news_dot_crit); +}; + +# news.err /var/log/news/news.err +log { + source(s_all); + filter(f_news); + filter(f_at_least_err); + destination(df_news_dot_err); +}; + +# news.notice /var/log/news/news.notice +log { + source(s_all); + filter(f_news); + filter(f_at_least_notice); + destination(df_news_dot_notice); +}; + + +# *.=debug;\ +# auth,authpriv.none;\ +# news.none;mail.none -/var/log/debug +log { + source(s_all); + filter(f_debug); + destination(df_debug); +}; + + +# *.=info;*.=notice;*.=warn;\ +# auth,authpriv.none;\ +# cron,daemon.none;\ +# mail,news.none -/var/log/messages +log { + source(s_all); + filter(f_messages); + destination(df_messages); +}; + +# *.emerg * +log { + source(s_all); + filter(f_emerg); + destination(du_all); +}; + + +# daemon.*;mail.*;\ +# news.crit;news.err;news.notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn |/dev/xconsole +log { + source(s_all); + filter(f_xconsole); + destination(dp_xconsole); +}; + +# +# Remote Logging +# + +destination d_remote { + udp("logserver.camptocamp.com", port(514)); +}; + +log { + source(s_all); + destination(d_remote); +}; diff --git a/templates/syslog-ng.server.conf.erb b/templates/syslog-ng.server.conf.erb new file mode 100644 index 0000000..3bdea15 --- /dev/null +++ b/templates/syslog-ng.server.conf.erb @@ -0,0 +1,364 @@ +# +# Configuration file for syslog-ng under Debian +# +# attempts at reproducing default syslog behavior + +# the standard syslog levels are (in descending order of priority): +# emerg alert crit err warning notice info debug +# the aliases "error", "panic", and "warn" are deprecated +# the "none" priority found in the original syslogd configuration is +# only used in internal messages created by syslogd + + +###### +# options + +options { + # disable the chained hostname format in logs + # (default is enabled) + chain_hostnames(no); + keep_hostname(no); + use_fqdn(yes); + + # the time to wait before a died connection is re-established + # (default is 60) + time_reopen(10); + + # the time to wait before an idle destination file is closed + # (default is 60) + time_reap(360); + + # the number of lines buffered before written to file + # you might want to increase this if your disk isn't catching with + # all the log messages you get or if you want less disk activity + # (say on a laptop) + # (default is 0) + #sync(0); + + # the number of lines fitting in the output queue + log_fifo_size(2048); + + # enable or disable directory creation for destination files + create_dirs(yes); + + # default owner, group, and permissions for log files + # (defaults are 0, 0, 0600) + #owner(root); + group(adm); + perm(0640); + + # default owner, group, and permissions for created directories + # (defaults are 0, 0, 0700) + #dir_owner(root); + #dir_group(root); + dir_perm(0755); + + # enable or disable DNS usage + # syslog-ng blocks on DNS queries, so enabling DNS may lead to + # a Denial of Service attack + # (default is yes) + use_dns(yes); + dns_cache(yes); + + # maximum length of message in bytes + # this is only limited by the program listening on the /dev/log Unix + # socket, glibc can handle arbitrary length log messages, but -- for + # example -- syslogd accepts only 1024 bytes + # (default is 2048) + #log_msg_size(2048); + + #Disable statistic log messages. + stats_freq(0); +}; + + +###### +# sources + +# all known message sources +source s_all { + # message generated by Syslog-NG + internal(); + # standard Linux log source (this is the default place for the syslog() + # function to send logs to) + unix-stream("/dev/log"); + # messages from the kernel + file("/proc/kmsg" log_prefix("kernel: ")); + # use the following line if you want to receive remote UDP logging messages + # (this is equivalent to the "-r" syslogd flag) +}; + +source s_remote { + udp(); + tcp(); +}; + +###### +# destinations + +# some standard log files +destination df_auth { file("/var/log/auth.log"); }; +destination df_syslog { file("/var/log/syslog"); }; +destination df_cron { file("/var/log/cron.log"); }; +destination df_daemon { file("/var/log/daemon.log"); }; +destination df_kern { file("/var/log/kern.log"); }; +destination df_lpr { file("/var/log/lpr.log"); }; +destination df_mail { file("/var/log/mail.log"); }; +destination df_user { file("/var/log/user.log"); }; +destination df_uucp { file("/var/log/uucp.log"); }; + +# these files are meant for the mail system log files +# and provide re-usable destinations for {mail,cron,...}.info, +# {mail,cron,...}.notice, etc. +destination df_facility_dot_info { file("/var/log/$FACILITY.info"); }; +destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); }; +destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); }; +destination df_facility_dot_err { file("/var/log/$FACILITY.err"); }; +destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); }; + +# these files are meant for the news system, and are kept separated +# because they should be owned by "news" instead of "root" +destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); }; +destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); }; +destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); }; + +# some more classical and useful files found in standard syslog configurations +destination df_debug { file("/var/log/debug"); }; +destination df_messages { file("/var/log/messages"); }; + +# pipes +# a console to view log messages under X +destination dp_xconsole { pipe("/dev/xconsole"); }; + +# consoles +# this will send messages to everyone logged in +destination du_all { usertty("*"); }; + + +###### +# filters + +# all messages from the auth and authpriv facilities +filter f_auth { facility(auth, authpriv); }; + +# all messages except from the auth and authpriv facilities +filter f_syslog { not facility(auth, authpriv); }; + +# respectively: messages from the cron, daemon, kern, lpr, mail, news, user, +# and uucp facilities +filter f_cron { facility(cron); }; +filter f_daemon { facility(daemon); }; +filter f_kern { facility(kern); }; +filter f_lpr { facility(lpr); }; +filter f_mail { facility(mail); }; +filter f_news { facility(news); }; +filter f_user { facility(user); }; +filter f_uucp { facility(uucp); }; + +# some filters to select messages of priority greater or equal to info, warn, +# and err +# (equivalents of syslogd's *.info, *.warn, and *.err) +filter f_at_least_info { level(info..emerg); }; +filter f_at_least_notice { level(notice..emerg); }; +filter f_at_least_warn { level(warn..emerg); }; +filter f_at_least_err { level(err..emerg); }; +filter f_at_least_crit { level(crit..emerg); }; + +# all messages of priority debug not coming from the auth, authpriv, news, and +# mail facilities +filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; + +# all messages of info, notice, or warn priority not coming form the auth, +# authpriv, cron, daemon, mail, and news facilities +filter f_messages { + level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news); +}; + +# messages with priority emerg +filter f_emerg { level(emerg); }; + +# complex filter for messages usually sent to the xconsole +filter f_xconsole { + facility(daemon,mail) + or level(debug,info,notice,warn) + or (facility(news) + and level(crit,err,notice)); +}; + + +###### +# logs +# order matters if you use "flags(final);" to mark the end of processing in a +# "log" statement + +# these rules provide the same behavior as the commented original syslogd rules + +# auth,authpriv.* /var/log/auth.log +log { + source(s_all); + filter(f_auth); + destination(df_auth); +}; + +# *.*;auth,authpriv.none -/var/log/syslog +log { + source(s_all); + filter(f_syslog); + destination(df_syslog); +}; + +# this is commented out in the default syslog.conf +# cron.* /var/log/cron.log +#log { +# source(s_all); +# filter(f_cron); +# destination(df_cron); +#}; + +# daemon.* -/var/log/daemon.log +log { + source(s_all); + filter(f_daemon); + destination(df_daemon); +}; + +# kern.* -/var/log/kern.log +log { + source(s_all); + filter(f_kern); + destination(df_kern); +}; + +# lpr.* -/var/log/lpr.log +log { + source(s_all); + filter(f_lpr); + destination(df_lpr); +}; + +# mail.* -/var/log/mail.log +log { + source(s_all); + filter(f_mail); + destination(df_mail); +}; + +# user.* -/var/log/user.log +log { + source(s_all); + filter(f_user); + destination(df_user); +}; + +# uucp.* /var/log/uucp.log +log { + source(s_all); + filter(f_uucp); + destination(df_uucp); +}; + +# mail.info -/var/log/mail.info +log { + source(s_all); + filter(f_mail); + filter(f_at_least_info); + destination(df_facility_dot_info); +}; + +# mail.warn -/var/log/mail.warn +log { + source(s_all); + filter(f_mail); + filter(f_at_least_warn); + destination(df_facility_dot_warn); +}; + +# mail.err /var/log/mail.err +log { + source(s_all); + filter(f_mail); + filter(f_at_least_err); + destination(df_facility_dot_err); +}; + +# news.crit /var/log/news/news.crit +log { + source(s_all); + filter(f_news); + filter(f_at_least_crit); + destination(df_news_dot_crit); +}; + +# news.err /var/log/news/news.err +log { + source(s_all); + filter(f_news); + filter(f_at_least_err); + destination(df_news_dot_err); +}; + +# news.notice /var/log/news/news.notice +log { + source(s_all); + filter(f_news); + filter(f_at_least_notice); + destination(df_news_dot_notice); +}; + + +# *.=debug;\ +# auth,authpriv.none;\ +# news.none;mail.none -/var/log/debug +log { + source(s_all); + filter(f_debug); + destination(df_debug); +}; + + +# *.=info;*.=notice;*.=warn;\ +# auth,authpriv.none;\ +# cron,daemon.none;\ +# mail,news.none -/var/log/messages +log { + source(s_all); + filter(f_messages); + destination(df_messages); +}; + +# *.emerg * +log { + source(s_all); + filter(f_emerg); + destination(du_all); +}; + + +# daemon.*;mail.*;\ +# news.crit;news.err;news.notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn |/dev/xconsole +log { + source(s_all); + filter(f_xconsole); + destination(dp_xconsole); +}; + +# +# Remote logs +# +destination d_hosts { + file("/srv/syslog/logs/$HOST/$FACILITY.log" + owner(root) + group(root) + perm(0644) + dir_perm(0755) + create_dirs(yes) + ); +}; + +log { + source(s_remote); + destination(d_hosts); +};