Added TCP/TLS support for rsyslog client

2011-10-04 16:43:15 +03:00 · 2011-10-04 16:43:15 +03:00 · da6f4df080
commit da6f4df080
parent ac6c7387d4
4 changed files with 34 additions and 6 deletions
--- a/syslog/manifests/init.pp
+++ b/syslog/manifests/init.pp
@ -10,11 +10,19 @@
 #   $syslog_server:
 #       Address of remote syslog server where to send logs.
 #
+#   $syslog_tlsserver:
+#       Address of remote syslog server where to send logs over TCP/TLS.
+#
 class syslog::client {

    if !$syslog_type {
        case $operatingsystem {
-            "centos": { $syslog_type = "syslogd" }
+            "centos": {
+                $syslog_type = $operatingsystemrelease ? {
+                    /^6/    => "rsyslog",
+                    default => "syslogd",
+                }
+            }
            "fedora": { $syslog_type = "rsyslog" }
            "openbsd": { $syslog_type = "syslogd" }
            "ubuntu": { $syslog_type = "rsyslog" }
@ -83,6 +91,12 @@ class syslog::client::rsyslog {
        ensure => installed,
    }

+    if $operatingsystem != "OpenBSD" {
+        package { "rsyslog-gnutls":
+            ensure => installed,
+        }
+    }
+
    file { "/etc/rsyslog.conf":
        ensure  => present,
        content => template("syslog/rsyslog.conf.erb",
--- a/syslog/templates/rsyslog.conf.erb
+++ b/syslog/templates/rsyslog.conf.erb
@ -7,10 +7,12 @@ $ModLoad immark
 $ModLoad imklog
 # Provides support for local system logging (e.g. via logger command)
 $ModLoad imuxsock
+
 <% if operatingsystem == "OpenBSD" -%>
 # Local sockets for chrooted services
 $AddUnixListenSocket /var/empty/dev/log
 $AddUnixListenSocket /var/named/dev/log
 $AddUnixListenSocket /var/nsd/dev/log
 $AddUnixListenSocket /var/www/dev/log
+
 <% end -%>
--- a/syslog/templates/syslog.conf.OpenBSD.erb
+++ b/syslog/templates/syslog.conf.OpenBSD.erb
@ -1,4 +1,3 @@
-
 *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
 kern.debug;syslog,user.info				/var/log/messages
 auth.info						/var/log/authlog
@ -12,11 +11,11 @@ mail.info						/var/log/maillog

 # Uncomment this line to send "important" messages to the system
 # console: be aware that this could create lots of output.
-#*.err;auth.notice;authpriv.none;kern.debug;mail.crit   /dev/console
+#*.err;auth.notice;authpriv.none;kern.debug;mail.crit	/dev/console

 # Uncomment this to have all messages of notice level and higher
 # as well as all authentication messages sent to root.
-#*.notice;auth.debug                                    root
+#*.notice;auth.debug					root

 # Everyone gets emergency messages.
-*.emerg                                                 *
+*.emerg							*
--- a/syslog/templates/syslog.conf.client.erb
+++ b/syslog/templates/syslog.conf.client.erb
@ -1,8 +1,21 @@

 *.*		<% if operatingsystem != "OpenBSD" %>-<% end %>/var/log/all.log
 mark.*		<% if operatingsystem != "OpenBSD" %>-<% end %>/var/log/all.log
+<% if has_variable?('syslog_tlsserver') and syslog_type == "rsyslog" -%>
+
+$DefaultNetstreamDriver gtls
+$DefaultNetstreamDriverCAFile <%= puppet_ssldir %>/certs/ca.pem
+$DefaultNetstreamDriverCertFile <%= puppet_ssldir %>/certs/<%= homename %>.pem
+$DefaultNetstreamDriverKeyFile <%= puppet_ssldir %>/private_keys/<%= homename %>.pem
+
+$ActionSendStreamDriverMode 1
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer <%= syslog_tlsserver %>
+
+*.*		@@<%= syslog_tlsserver %>
+mark.*		@@<%= syslog_tlsserver %>
+<% elsif has_variable?('syslog_server') -%>

-<% if has_variable?('syslog_server') -%>
 *.*		@<%= syslog_server %>
 mark.*		@<%= syslog_server %>
 <% end -%>