Puppet Class: profile::syslog::remote

Defined in:
modules/profile/manifests/syslog/remote.pp

Summary

Configure rsyslog to forward log events to a central server

Overview

Parameters:

  • enable (Boolean) (defaults to: lookup('profile::syslog::remote::enable'))

    Enable log forwarding. Should be set to false on the central server.

  • central_hosts_tls (Profile::Syslog::Hosts) (defaults to: lookup('profile::syslog::remote::central_hosts_tls'))

    Central TLS enabled syslog servers

  • send_logs (Enum['auth-logs', 'standard']) (defaults to: lookup('profile::syslog::remote::send_logs'))

    Types of logs to send. Possible values (string): 'standard' (default, send all logs with severity 'info', but exclude logs with facility 'cron', 'authpriv' or 'mail'), 'auth-logs' (send all logs with facility 'auth' or 'authpriv').

  • queue_size (Integer) (defaults to: lookup('profile::syslog::remote::queue_size'))

    Local queue size, unit is messages. Setting to 0 disables the local queue.

  • tls_client_auth

    Whether to authenticate to the syslog server using TLS. Note: this is only relevant for mutual authentication. Server verification (e.g. checks on certificate authority or the Subject Alt Names) is not affected. Defaults to true.

  • tls_server_auth (Enum['x509/certvalid', 'x509/name']) (defaults to: lookup('profile::syslog::remote::tls_server_auth'))

    Mode used to verify the authenticity of the leaf certificate presented by the syslog server. Can be either 'x509/certvalid' (default, certificate path validation: the leaf certificate must chain to the root CA listed in $tls_trusted_ca, directly or via its intermediate certificates) or 'x509/name'. In the latter mode, in addition to the constraint implied by 'x509/certvalid', the leaf certificate must contain an entry in its subjectAltName or common name field that matches StreamDriverPermittedPeers (defaults to the Target, with the port number stripped). Per RFC 5425 § 5.2, 'x509/name' is strongly preferred; 'x509/certvalid' can be used for legacy purposes.

  • tls_netstream_driver (Enum['gtls', 'ossl']) (defaults to: lookup('profile::syslog::remote::tls_netstream_driver'))

    Rsyslog Network Stream driver to use for TLS support. Can be either 'gtls' (GnuTLS, default) or 'ossl' (OpenSSL).

  • tls_trusted_ca (Stdlib::Unixpath) (defaults to: lookup('profile::syslog::remote::tls_trusted_ca'))

    CA file used to verify the syslog server certificate (netstream PKI); defaults to the Puppet CA.

  • mtls_provider (Enum['disabled', 'puppet', 'cfssl']) (defaults to: lookup('profile::syslog::remote::mtls_provider'))


# File 'modules/profile/manifests/syslog/remote.pp', line 32

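class profile::syslog::remote (
    Boolean                             $enable               = lookup('profile::syslog::remote::enable'),
    Profile::Syslog::Hosts              $central_hosts_tls    = lookup('profile::syslog::remote::central_hosts_tls'),
    Enum['auth-logs', 'standard']       $send_logs            = lookup('profile::syslog::remote::send_logs'),
    Integer                             $queue_size           = lookup('profile::syslog::remote::queue_size'),
    Enum['disabled', 'puppet', 'cfssl'] $mtls_provider        = lookup('profile::syslog::remote::mtls_provider'),
    Enum['x509/certvalid', 'x509/name'] $tls_server_auth      = lookup('profile::syslog::remote::tls_server_auth'),
    Enum['gtls', 'ossl']                $tls_netstream_driver = lookup('profile::syslog::remote::tls_netstream_driver'),
    Stdlib::Unixpath                    $tls_trusted_ca       = lookup('profile::syslog::remote::tls_trusted_ca'),
) {
    # Everything written here (config directory, client key material) is
    # root-owned: the forwarding client's private key must not be readable
    # by other local users.
    $owner = 'root'
    $group = 'root'
    # force ossl on buster #T351181
    # $_tls_netstream_driver is the *effective* driver; $tls_netstream_driver
    # is only what the operator asked for.
    $_tls_netstream_driver = debian::codename::le('buster').bool2str('ossl', $tls_netstream_driver)

    if $enable {
        if $central_hosts_tls.empty {
            # Single-quoted Puppet strings only escape \\ and \', so the old
            # '\$' printed a literal backslash in the error message.
            fail('profile::syslog::remote: requires $central_hosts_tls if enabled')
        }
        # Site-specific forwarding target first, 'default' as fallback.
        # pick() errors out when both are unset, so a site with no target
        # fails catalog compilation instead of silently not forwarding.
        $_central_hosts_tls = pick($central_hosts_tls[$::site], $central_hosts_tls['default'])

        # Choose the TLS library package from the effective driver, not the
        # raw parameter: on buster the driver is forced to 'ossl' above, so a
        # buster host configured with 'gtls' would otherwise get rsyslog-gnutls
        # installed while the generated config selects the OpenSSL driver.
        if $_tls_netstream_driver == 'gtls' {
            ensure_packages('rsyslog-gnutls')
        } else {
            # for >= bullseye, available in debian main
            # otherwise through component/rsyslog-openssl (T324623)
            if debian::codename::eq('buster') {
                # On Buster syslog clients acting as syslog servers,
                # apt::package_from_component may have been defined
                # in rsyslog::receiver as well
                ensure_resource('apt::package_from_component', 'rsyslog-tls', {
                    component => 'component/rsyslog-openssl',
                    packages  => ['rsyslog-openssl', 'rsyslog-kafka', 'rsyslog'],
                    before    => Class['rsyslog'],
                })
            } else {
                ensure_packages('rsyslog-openssl')
            }
        }

        # Holds the client certificate/key exposed below. Root-only; Puppet
        # adds the search bit to a directory wherever the read bit is set, so
        # this is effectively 0500 for root.
        file { '/etc/rsyslog':
            ensure => 'directory',
            owner  => $owner,
            group  => $group,
            mode   => '0400',
        }

        # Where the client certificate and key for mutual TLS come from.
        # $cert_file / $key_file are left undef for 'disabled' (and any other
        # value), i.e. server-only TLS without client authentication.
        case $mtls_provider {
            'puppet': {
                # Copies the agent's own cert *and private key* into
                # /etc/rsyslog/ssl; the paths below are assumed to match the
                # layout produced by puppet::expose_agent_certs — verify
                # against that define if it changes.
                puppet::expose_agent_certs { '/etc/rsyslog':
                    provide_private => true,
                    user            => $owner,
                    group           => $group,
                    require         => File['/etc/rsyslog'],
                }
                $cert_file = '/etc/rsyslog/ssl/cert.pem'
                $key_file = '/etc/rsyslog/ssl/server.key'
            }
            'cfssl': {
                # Dedicated 'syslog' certificate from the internal PKI;
                # 'chained' is expected to include the intermediate(s).
                $ssl_paths = profile::pki::get_cert('syslog')
                $cert_file = $ssl_paths['chained']
                $key_file = $ssl_paths['key']
            }
            default: {
                $cert_file = undef
                $key_file = undef
            }
        }

        # The template is expected to consume the variables computed above
        # ($_central_hosts_tls, $_tls_netstream_driver, $cert_file, $key_file,
        # $tls_server_auth, $tls_trusted_ca, $send_logs, $queue_size) — confirm
        # against syslog.conf.erb when renaming any of them.
        rsyslog::conf { 'remote_syslog':
            content  => template('profile/syslog/remote/syslog.conf.erb'),
            priority => 30,
        }
    }
    # No ensure=>absent handling is needed for the $enable == false case
    # because ::rsyslog uses recursive purge to manage the files in its config
    # directory. Simply not adding the file will cause Puppet to remove it if
    # present.
}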