# pupmod-simp-simp_rsyslog
This module is a SIMP Puppet profile for setting up common Rsyslog configurations as supported by the SIMP ecosystem
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in `simp/simp_options` for details.
## Usage

This module provides configurations for both Rsyslog local and Rsyslog server configurations.

To set up local logging, you can simply do the following:

```puppet
include simp_rsyslog
```
The `$log_collection` Hash provides an Rsyslog 7 compatible set of filters that you wish to collect. These will be considered security relevant and fed into `/var/log/secure` by default.

The Hash has the following format and all entries will be combined with a logical OR.

```puppet
$log_collection = {
  'programs'   => [ <logged daemon names> ],
  'facilities' => [ <syslog facilities> ],
  'priorities' => [ <syslog priorities> ],
  'msg_starts' => [ <strings the message starts with> ],
  'msg_regex'  => [ <regular expression matches> ]
}
```
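To make the "combined with a logical OR" rule concrete, the following added example (not code from this module or from SIMP) renders a `$log_collection` Hash as a single rsyslog RainerScript condition and evaluates the same semantics in Python against parsed records. The property names (`$programname`, `$syslogfacility-text`, `$syslogseverity-text`, `$msg`), the `startswith` operator and `re_match()` are standard RainerScript; mapping `priorities` to an equality test on the severity text, and the shape of the rule simp_rsyslog actually emits, are assumptions made here for illustration.

```python
import re
from typing import Dict, List

# Constructed illustration of the $log_collection semantics: each entry becomes
# one clause and the clauses are joined with "or". The rules simp_rsyslog itself
# generates are not shown on this page; this mirrors the documented format only.

KEYS = ('programs', 'facilities', 'priorities', 'msg_starts', 'msg_regex')


def _lit(value: str) -> str:
    """Render a RainerScript single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_filter(log_collection: Dict[str, List[str]]) -> str:
    """Return the OR-joined RainerScript condition for a log_collection hash."""
    unknown = set(log_collection) - set(KEYS)
    if unknown:
        raise ValueError(f"unknown log_collection keys: {sorted(unknown)}")
    clauses = []
    for prog in log_collection.get('programs', []):
        clauses.append(f"$programname == {_lit(prog)}")
    for fac in log_collection.get('facilities', []):
        clauses.append(f"$syslogfacility-text == {_lit(fac)}")
    for pri in log_collection.get('priorities', []):
        # Assumption: a listed priority matches that severity name exactly.
        clauses.append(f"$syslogseverity-text == {_lit(pri)}")
    for prefix in log_collection.get('msg_starts', []):
        clauses.append(f"$msg startswith {_lit(prefix)}")
    for rx in log_collection.get('msg_regex', []):
        re.compile(rx)  # fail fast on an expression that cannot compile
        clauses.append(f"re_match($msg, {_lit(rx)})")
    if not clauses:
        raise ValueError("log_collection selects nothing")
    return "(" + ") or (".join(clauses) + ")"


def render_rule(log_collection: Dict[str, List[str]],
                target: str = '/var/log/secure') -> str:
    """Wrap the condition in a rule that writes matching messages to target."""
    return (f"if {build_filter(log_collection)} then {{\n"
            f"    action(type=\"omfile\" file=\"{target}\")\n"
            f"}}")


def matches(log_collection: Dict[str, List[str]], record: Dict[str, str]) -> bool:
    """Evaluate the same OR semantics in Python against a parsed record with
    keys programname, facility, severity and msg (constructed helper).
    Python's re stands in for rsyslog's POSIX ERE; fine for simple patterns."""
    lc = log_collection
    msg = record['msg']
    return (record['programname'] in lc.get('programs', [])
            or record['facility'] in lc.get('facilities', [])
            or record['severity'] in lc.get('priorities', [])
            or any(msg.startswith(p) for p in lc.get('msg_starts', []))
            or any(re.search(rx, msg) is not None
                   for rx in lc.get('msg_regex', [])))


if __name__ == '__main__':
    # Constructed sample: one entry per key.
    sample = {
        'programs':   ['sshd', 'sudo'],
        'facilities': ['local6'],
        'priorities': ['crit'],
        'msg_starts': ['IPT:'],
        'msg_regex':  ['segfault at'],
    }
    print(render_rule(sample))
```

Because the clauses are ORed, a message needs to satisfy only one of them: a `cron` message at `info` that starts with `IPT:` is still captured. That is why the default set is worth reviewing before widening `msg_regex`, since one broad expression pulls every matching line into `/var/log/secure`.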
If you need something more complex than this, you will need to configure your own rsyslog rules using the `rsyslog::rule` defined type.

If you simply want to log EVERYTHING to your remote servers, set `simp_rsyslog::collect_everything` to `true`.

If you do this, it is highly recommended that you set `simp_rsyslog::log_local` to `false` so that you don't overwhelm your filesystem.

NOTE: If you do not capture the `local6` syslog facility, you will lose a lot of SIMP-specific messaging.
If you wish to collect logs from remote hosts, you can do the following:

Manifest:

```puppet
include simp_rsyslog
```

Hieradata:

```yaml
---
simp_rsyslog::is_server : true
# If your system uses simp/iptables then you should also set the following
iptables::precise_match: true
```
This will set your system up as an Rsyslog server using TLS, capable of collecting both TCP and UDP logs.
At this time, the version of Rsyslog that ships with EL systems cannot handle both TLS and non-TLS TCP connections at the same time. When it can, we will support this mode of log collection.
UDP logs will not be encrypted in transit but are supported for network device compatibility.
If you wish to set your system up to forward logs to a set of remote log servers, in either the server or client case, you should use the following in Hiera:

```yaml
simp_rsyslog::forward_logs: true
```
This will use the `$simp_options::syslog::log_servers` and `$simp_options::syslog::failover_log_servers` variables to set the targets for your logs. Alternatively, you can specify the targets in Hiera directly.

TLS and TCP connections will be used for log forwarding for security purposes.
WARNING: Be VERY careful when setting your `simp_rsyslog::log_servers` and `simp_rsyslog::failover_log_servers` Arrays! There is no foolproof way to detect if you are setting your local log server as part of the Array. If you do this, you may end up with infinite log loops that fill your log server's disk space within minutes.
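The following added pre-flight check (not part of this module or of SIMP) catches the obvious form of the loop the warning describes: a host that lists itself, by short name, FQDN or one of its own addresses, in `simp_rsyslog::log_servers` or `simp_rsyslog::failover_log_servers`. It assumes each Array entry is a hostname or IP literal with an optional `:port` suffix; the host identity is passed in explicitly so the check is deterministic, with a convenience wrapper that reads it from the running system. It does not make the detection foolproof (aliases, CNAMEs and NAT can still hide a self-reference), so a clean result is necessary rather than sufficient.

```python
import ipaddress
import socket
from typing import Iterable, List, Set, Tuple

# Constructed sanity check: flag Array entries that resolve, by simple string
# comparison, to the host running the check. Entry format (host[:port],
# ip[:port], [ipv6]:port) is an assumption made here, not a module contract.


def _normalize(entry: str) -> str:
    """Lower-case names, canonicalise IP literals, drop an optional port."""
    e = entry.strip()
    if e.startswith('[') and ']' in e:           # [2001:db8::1]:6514
        e = e[1:e.index(']')]
    elif e.count(':') == 1:                      # host:514 or 10.0.0.5:514
        e = e.split(':', 1)[0]
    try:
        return str(ipaddress.ip_address(e))      # canonical IPv4/IPv6 text
    except ValueError:
        return e.lower().rstrip('.')             # hostname, strip trailing dot


def local_identities(hostname: str, fqdn: str, addresses: Iterable[str]) -> Set[str]:
    """Names and addresses under which this host could refer to itself."""
    ids = {_normalize(hostname), _normalize(fqdn), _normalize(hostname.split('.')[0])}
    ids.update(_normalize(a) for a in addresses)
    return ids


def this_host_identities() -> Set[str]:
    """Read the running host's own identity (name, FQDN, bound addresses)."""
    host = socket.gethostname()
    addrs = {'127.0.0.1', '::1'}
    try:
        for info in socket.getaddrinfo(host, None):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    return local_identities(host, socket.getfqdn(host), addrs)


def find_loops(log_servers: Iterable[str], failover_log_servers: Iterable[str],
               local_ids: Set[str]) -> List[Tuple[str, str]]:
    """Return (parameter, entry) pairs whose entry points back at this host."""
    hits = []
    for name, servers in (('simp_rsyslog::log_servers', log_servers),
                          ('simp_rsyslog::failover_log_servers', failover_log_servers)):
        for entry in servers:
            if _normalize(entry) in local_ids:
                hits.append((name, entry))
    return hits


if __name__ == '__main__':
    # Constructed values for a log server named logsrv1 that lists itself.
    ids = local_identities('logsrv1', 'logsrv1.example.com', ['10.0.0.5'])
    for param, entry in find_loops(['10.0.0.5:514', 'logsrv2.example.com'],
                                   ['LOGSRV1.example.com.'], ids):
        print(f"loop risk: {param} contains {entry!r}")
```

Run it with `this_host_identities()` on each log server before applying a Hiera change to the Arrays; anything it reports should be removed from the Array, and the server should instead rely on `simp_rsyslog::log_local` for its own messages.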
## Reference

The module reference can be found in the `REFERENCE.md` file.
## Limitations

This is a SIMP Profile. It will not expose all options of the underlying modules, only the ones that are conducive to a supported SIMP infrastructure.
If you need to do things that this module does not cover, you may need to create your own profile or inherit this profile and extend it to meet your needs.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the `metadata.json` file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
## Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.
### Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

```shell
bundle install
bundle exec rake beaker:suites
```

Please refer to the SIMP Beaker Helpers documentation for more information.