feat: add role fingerprints to syslog

[richm]

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add role fingerprint logging to syslog and verify it via system journal tests.

New Features:

• Introduce sr_fingerprint Ansible module to write fingerprint messages with timestamps to syslog.
• Record begin and success fingerprint messages for the logging system role including Ansible version and OS distribution metadata.

Enhancements:

• Ensure required Ansible facts are gathered before emitting role fingerprint messages.
• Add sanity ignore entries and a role-specific library directory to support the custom module across Ansible versions.

Tests:

• Extend default test playbook to verify that syslog/journal contains the expected begin and success fingerprints when the role runs successfully.

[sourcery-ai]

Reviewer's Guide

Implements a new Ansible module sr_fingerprint that writes timestamped role fingerprint messages to syslog, wires it into the logging role to record begin/success events, and adds a test that asserts the fingerprints are written by inspecting the system journal when /dev/log is available.

Sequence diagram for logging role fingerprints via sr_fingerprint module

sequenceDiagram
    actor Admin
    participant AnsibleController
    participant LoggingRole
    participant SrFingerprintModule
    participant Syslog

    Admin->>AnsibleController: Run playbook with logging role
    AnsibleController->>LoggingRole: Execute tasks

    rect rgb(235, 245, 255)
        LoggingRole->>LoggingRole: Ensure ansible_facts via setup
        LoggingRole->>SrFingerprintModule: Call sr_fingerprint
        activate SrFingerprintModule
        SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds
        SrFingerprintModule->>Syslog: module.log(begin fingerprint + timestamp)
        SrFingerprintModule-->>LoggingRole: exit_json(changed=False)
        deactivate SrFingerprintModule
    end

    LoggingRole->>LoggingRole: Configure logging (rsyslog or other)

    rect rgb(235, 245, 255)
        LoggingRole->>SrFingerprintModule: Call sr_fingerprint
        activate SrFingerprintModule
        SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds
        SrFingerprintModule->>Syslog: module.log(success fingerprint + timestamp)
        SrFingerprintModule-->>LoggingRole: exit_json(changed=False)
        deactivate SrFingerprintModule
    end

    Admin->>Syslog: Inspect logs for begin/success fingerprints

Loading

Class diagram for the new sr_fingerprint Ansible module

classDiagram
    class sr_fingerprint_module {
        +str sr_message
        +run_module()
        +main()
        +_local_iso8601_no_microseconds() str
    }

    class AnsibleModule {
        +dict params
        +bool supports_check_mode
        +log(msg)
        +exit_json(changed, message)
    }

    class datetime_module {
        +datetime now()
        +timezone utc
    }

    class time_module {
        +str strftime(format, t)
        +struct_time localtime()
    }

    sr_fingerprint_module ..> AnsibleModule : uses
    sr_fingerprint_module ..> datetime_module : uses
    sr_fingerprint_module ..> time_module : fallback uses

    sr_fingerprint_module : run_module()
    sr_fingerprint_module : main()
    sr_fingerprint_module : _local_iso8601_no_microseconds()
    sr_fingerprint_module : builds log_message = sr_message + ISO8601 timestamp
    sr_fingerprint_module : check_mode -> exit_json(changed=False, message)
    sr_fingerprint_module : normal -> module.log(log_message)
    sr_fingerprint_module : exit_json(changed=False)

Loading

File-Level Changes

Change	Details	Files
Introduce sr_fingerprint Ansible module for writing fingerprint messages to syslog with a local ISO-8601 timestamp and check-mode support.	Create custom module sr_fingerprint.py that accepts a required sr_message parameter and logs via module.log Implement helper to generate local ISO 8601 timestamps without microseconds with backward-compatible fallback for older Python versions Ensure module is check-mode safe and always reports changed=False to avoid spurious changes in role runs	library/sr_fingerprint.py
Integrate fingerprint logging into the logging role to record begin and success events with role, version, and platform context.	Ensure required ansible_facts subsets are gathered only when missing before using them in fingerprint messages Add a 'Record role begin fingerprint' task that logs a begin system_role:logging message including ansible version and distribution/version Add a 'Record role success fingerprint' task at the end of the main role flow with a similar success system_role:logging message	tasks/set_vars.yml tasks/main.yml
Add an end-to-end test that validates the fingerprints are written to the system journal when syslog is available.	Add tasks to detect /dev/log and capture a start time for subsequent journalctl queries Invoke the role as before using the existing run_role_with_clear_facts.yml include Add a shell-based assertion that uses journalctl since the captured time, filters out noisy 'Invoked with' entries, and checks for both begin and success fingerprint patterns, failing with clear error messages when missing Gate the journal check on /dev/log existence and mark it as not changing state	tests/tests_default.yml
Adjust Ansible sanity configuration and test layout to accommodate the new custom module for multiple Ansible versions.	Add .sanity-ansible-ignore files for Ansible 2.14 through 2.22 to suppress or adjust sanity checks for the role's layout and custom module Add tests/roles/linux-system-roles.logging/library symlink or directory entry to expose the custom module under the tests role path	.sanity-ansible-ignore-2.14.txt .sanity-ansible-ignore-2.16.txt .sanity-ansible-ignore-2.17.txt .sanity-ansible-ignore-2.18.txt .sanity-ansible-ignore-2.19.txt .sanity-ansible-ignore-2.20.txt .sanity-ansible-ignore-2.21.txt .sanity-ansible-ignore-2.22.txt tests/roles/linux-system-roles.logging/library

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The sr_fingerprint messages for begin/success are duplicated in set_vars.yml and tasks/main.yml; consider centralizing the message formatting (e.g. via a variable or template) so changes to the format or contents only need to be made in one place.
• The journal check task assumes journalctl is available and systemd is in use whenever /dev/log exists; if this role may run on non-systemd systems with /dev/log, consider guarding the task with a systemd/journalctl availability check or handling the absence more gracefully.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `sr_fingerprint` messages for begin/success are duplicated in `set_vars.yml` and `tasks/main.yml`; consider centralizing the message formatting (e.g. via a variable or template) so changes to the format or contents only need to be made in one place.
- The journal check task assumes `journalctl` is available and systemd is in use whenever `/dev/log` exists; if this role may run on non-systemd systems with `/dev/log`, consider guarding the task with a systemd/journalctl availability check or handling the absence more gracefully.

## Individual Comments

### Comment 1
<location path="library/sr_fingerprint.py" line_range="10-12" />
<code_context>
+DOCUMENTATION = """
+---
+module: sr_fingerprint
+short_description: Write a message string to syslog using Ansible C(module.log) function.
+description:
+    - Writes the given string to the system log using Ansible C(module.log) function.
+    - Intended for role-internal or diagnostic use.
+author: Rich Megginson (@richm)
</code_context>
<issue_to_address>
**suggestion:** Clarify whether this logs to the controller log or actual system syslog on the managed host.

Since this uses `module.log`, the message is written to the Ansible controller log (which may or may not be syslog), not to the managed host’s system syslog. Please reword the description to make clear this is controller-side module logging so it’s not mistaken for host-local syslog behavior.

Suggested implementation:

```python
short_description: Write a message string to the Ansible controller log using Ansible C(module.log) function.

```

```python
    - Writes the given string to the Ansible controller log using Ansible C(module.log) function.
    - This uses controller-side logging and does not write to the managed host's local syslog directly.

```

```python
        description: Text to record in the Ansible controller log.

```

```python
- name: Record a fingerprint message in the Ansible controller log

```
</issue_to_address>

### Comment 2
<location path="library/sr_fingerprint.py" line_range="28" />
<code_context>
+    sr_message: "system_role:ROLENAME"
+"""
+
+RETURN = r""" # """
+
+from ansible.module_utils.basic import AnsibleModule
</code_context>
<issue_to_address>
**suggestion:** Use a proper RETURN block or remove it to avoid confusing tooling and readers.

The current sentinel value (`RETURN = r""" # """`) is non-standard and may confuse ansible-doc or other tooling that inspects `RETURN`. If you don’t need return docs, omit `RETURN` entirely, or use an empty but valid block such as `RETURN = r"""
"""` to keep module docs and sanity checks predictable.

```suggestion
RETURN = r"""
"""
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Clarify whether this logs to the controller log or actual system syslog on the managed host.

Since this uses module.log, the message is written to the Ansible controller log (which may or may not be syslog), not to the managed host’s system syslog. Please reword the description to make clear this is controller-side module logging so it’s not mistaken for host-local syslog behavior.

Suggested implementation:

short_description: Write a message string to the Ansible controller log using Ansible C(module.log) function.

    - Writes the given string to the Ansible controller log using Ansible C(module.log) function.
    - This uses controller-side logging and does not write to the managed host's local syslog directly.

        description: Text to record in the Ansible controller log.

- name: Record a fingerprint message in the Ansible controller log

[sourcery-ai]

suggestion: Use a proper RETURN block or remove it to avoid confusing tooling and readers.

The current sentinel value (RETURN = r""" # """) is non-standard and may confuse ansible-doc or other tooling that inspects RETURN. If you don’t need return docs, omit RETURN entirely, or use an empty but valid block such as RETURN = r""" """ to keep module docs and sanity checks predictable.

Suggested change

	RETURN = r""" # """
	RETURN = r"""
	"""

[richm]

[citest]