From c44dfb926aed11f487b57d95551d46c547762442 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Thu, 28 Nov 2024 17:06:21 +0100
Subject: [PATCH] Rsyslog: Add the option of a second rsyslog server

You can now create multiple rsyslog central log servers to send your logs to. Some centOS7 compatibility is still maintained
---
 roles/rsyslog/tasks/main.yml | 17 ++-
 roles/rsyslog/templates/rsyslog.conf.j2 | 22 ---
 .../rsyslog/templates/rsyslog_centos7.conf.j2 | 125 ++++++++++++++++++
 .../templates/rsyslog_onlyforward.conf.j2 | 15 ++-
 4 files changed, 146 insertions(+), 33 deletions(-)
 create mode 100644 roles/rsyslog/templates/rsyslog_centos7.conf.j2

diff --git a/roles/rsyslog/tasks/main.yml b/roles/rsyslog/tasks/main.yml
index 6b267ef00..48f979866 100644
--- a/roles/rsyslog/tasks/main.yml
+++ b/roles/rsyslog/tasks/main.yml
@@ -51,21 +51,30 @@
 when:
 - rsyslog_remote_server_relp is defined
 
-- name: put ryslog config file
+- name: put ryslog config file on central sysloghost
 template:
 src: "rsyslog.conf.j2"
 dest: "/etc/rsyslog.conf"
 notify:
 - "restart rsyslog"
- when: ansible_os_family == 'RedHat'
+ when: ('sysloghost' in group_names)
+
+
+- name: put ryslog config file on centOS7 host
+ template:
+ src: "rsyslog_centos7.conf.j2"
+ dest: "/etc/rsyslog.conf"
+ notify:
+ - "restart rsyslog"
+ when: (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7') and ('sysloghost' not in group_names)
 
-- name: put ryslog config file
+- name: put forwarding ryslog config file
 template:
 src: "rsyslog_onlyforward.conf.j2"
 dest: "/etc/rsyslog.conf"
 notify:
 - "restart rsyslog"
- when: ansible_os_family == 'Debian'
+ when: ('sysloghost' not in group_names) and not (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7')
 
- name: include tasks for central syslog server
 include_tasks: rsyslog_central.yml
diff --git a/roles/rsyslog/templates/rsyslog.conf.j2 b/roles/rsyslog/templates/rsyslog.conf.j2
index cdccfde66..f2aa5d8b4 100644
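Review bot: The task whose `when:` list ends at the top of this hunk still gates on `rsyslog_remote_server_relp is defined`, while the templates written by the tasks below now iterate `relp_remote`; a host that only defines the new list would skip that task (its body lies outside the hunk, so this is inferred from the guard alone), and nothing in the new tasks checks that `relp_remote` is set before the template is rendered. Suggest adding `- relp_remote is defined` to the `when:` of the centOS7 and forwarding template tasks, or asserting it once at the start of the role. The CentOS 7 test `ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'` is written out twice, once positive and once negated, so a single set_fact such as `rsyslog_centos7: "{{ ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' }}"` would keep the two tasks from drifting apart. The new task names also carry the `ryslog` typo forward (`put rsyslog config file on central sysloghost`).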
--- a/roles/rsyslog/templates/rsyslog.conf.j2
+++ b/roles/rsyslog/templates/rsyslog.conf.j2
@@ -101,25 +101,3 @@ $IncludeConfig /etc/rsyslog.d/listeners/*.conf
 # Remote Logging (we use TCP for reliable delivery)
 #
 
-{% if rsyslog_remote_server_relp is defined and 'sysloghost' not in group_names %}
-# Forward all logs to the central logging server using relp
-module(load="omrelp")
-action(type="omrelp"
-target="{{ rsyslog_remote_server_relp }}"
-port="{{ rsyslog_remote_relp_port }}"
-tls="on"
-tls.caCert="/etc/pki/rsyslog/rsyslogclientca.crt"
-tls.MyCert="/etc/pki/rsyslog/rsyslogclient.crt"
-tls.MyPrivKey="/etc/pki/rsyslog/rsyslogclient.key"
-tls.authmode="name"
-tls.permittedpeer=["{{ rsyslog_remote_server_relp }}"]
-queue.type="LinkedList"
-queue.filename="rsyslog_relp_q"
-queue.maxdiskspace="1G"
-queue.saveonshutdown="on"
-action.resumeRetryCount="-1"
-action.resumeInterval="5")
-{% endif %}
-
-
-
diff --git a/roles/rsyslog/templates/rsyslog_centos7.conf.j2 b/roles/rsyslog/templates/rsyslog_centos7.conf.j2
new file mode 100644
index 000000000..460687456
--- /dev/null
+++ b/roles/rsyslog/templates/rsyslog_centos7.conf.j2
@@ -0,0 +1,125 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+$MaxMessageSize 32k
+# The imjournal module below is now used as a message source instead of imuxsock.
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+$ModLoad imjournal # provides access to the systemd journal
+#$ModLoad imklog # reads kernel messages (the same are read from journald)
+$ModLoad immark # provides --MARK-- message capability
+
+## Adjust Ratelimit
+$imjournalRatelimitInterval 30
+$imjournalRatelimitBurst 20000
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+$WorkDirectory /var/lib/rsyslog
+
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+
+# Turn off message reception via local log socket;
+# local messages are retrieved through imjournal now.
+$OmitLocalLogging on
+
+# File to store the position in the journal
+$IMJournalStateFile imjournal.state
+# MARK messages
+$ActionWriteAllMarkMessages on
+$MarkMessagePeriod 600
+
+$PreserveFQDN on
+# Order is important here: First the templates, then rules, then listerers, then forwarders
+{% if 'sysloghost' in group_names %}
+# This directory contains templates for a central syslog host
+$IncludeConfig /etc/rsyslog.d/templates/*.conf
+{% endif %}
+
+#### RULES ####
+# The rules below make sure all local logging is also logged on local machines
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.* /var/log/secure
+
+# Log all the mail messages in one place.
+mail.* -/var/log/maillog
+# Log cron stuff
+cron.* /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.* /var/log/boot.log
+
+{% if 'sysloghost' in group_names %}
+# Make the logs readable
+$DirCreateMode 0775
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup {{ rsyslog_read_group }}
+$DirOwner root
+$DirGroup root
+
+# This directory contains all rulesets on the central syslog host
+$IncludeConfig /etc/rsyslog.d/rulesets/*.conf
+{% endif %}
+# Default listener for localhost
+module(load="imudp")
+input(type="imudp" port="514")
+
+
+{% if 'sysloghost' in group_names %}
+# Now we include all the listeners
+module(load="imrelp" )
+$IncludeConfig /etc/rsyslog.d/listeners/*.conf
+{% endif %}
+
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+
+{% for syslogserver in relp_remote %}
+# Logs are forwarded to {{ syslogserver.name }}
+module(load="omrelp")
+action(type="omrelp"
+target="{{ syslogserver.host }}"
+port="{{ syslogserver.port }}"
+tls="on"
+tls.caCert="/etc/pki/rsyslog/rsyslogclientca.crt"
+tls.MyCert="/etc/pki/rsyslog/rsyslogclient.crt"
+tls.MyPrivKey="/etc/pki/rsyslog/rsyslogclient.key"
+tls.authmode="name"
+tls.permittedpeer=["{{ syslogserver.peer }}"]
+queue.type="LinkedList"
+queue.filename="{{ syslogserver.name }}"
+queue.spoolDirectory="/var/spool/rsyslog"
+queue.maxdiskspace="1G"
+queue.saveonshutdown="on"
+action.resumeRetryCount="-1"
+action.resumeInterval="5"
+action.writeAllMarkMessages="on")
+{% endfor %}
+
diff --git a/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2 b/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2
index 4196c526e..437a783f0 100644
--- a/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2
+++ b/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2
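Review bot: `input(type="imudp" port="514")` has no `address=` parameter, so despite the `# Default listener for localhost` comment every non-sysloghost CentOS 7 client opens an unauthenticated UDP syslog receiver on all interfaces and will accept and forward whatever reaches it; bind it as the comment intends with `input(type="imudp" port="514" address="127.0.0.1")`, or drop the listener if nothing on the host sends to UDP 514. `module(load="omrelp")` is inside the `{% for syslogserver in relp_remote %}` loop, so with two servers it is emitted twice and rsyslog reports the second load as a configuration error; the same loop in the rsyslog_onlyforward.conf.j2 hunk below has the same problem, and in both files the load belongs above the `{% for %}`. `queue.spoolDirectory="/var/spool/rsyslog"` points away from the `$WorkDirectory /var/lib/rsyslog` set earlier in this file, and unless a task elsewhere in the role creates /var/spool/rsyslog the disk-assisted queue cannot write there, which defeats `queue.saveonshutdown="on"` and `queue.maxdiskspace="1G"` on CentOS 7 hosts.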
@@ -7,23 +7,24 @@ $PreserveFQDN on
 *.emerg :omusrmsg:*
-{% if rsyslog_remote_server_relp is defined and 'sysloghost' not in group_names %}
-# Forward all logs to the central logging server using relp
+{% for syslogserver in relp_remote %}
+# Logs are forwarded to {{ syslogserver.name }}
 module(load="omrelp")
 action(type="omrelp"
-target="{{ rsyslog_remote_server_relp }}"
-port="{{ rsyslog_remote_relp_port }}"
+target="{{ syslogserver.host }}"
+port="{{ syslogserver.port }}"
 tls="on"
 tls.caCert="/etc/pki/rsyslog/rsyslogclientca.crt"
 tls.MyCert="/etc/pki/rsyslog/rsyslogclient.crt"
 tls.MyPrivKey="/etc/pki/rsyslog/rsyslogclient.key"
 tls.authmode="name"
-tls.permittedpeer=["{{ rsyslog_remote_server_relp }}"]
+tls.permittedpeer=["{{ syslogserver.peer }}"]
 queue.type="LinkedList"
-queue.filename="rsyslog_relp_q"
+queue.filename="{{ syslogserver.name }}"
+queue.spoolDirectory="/var/spool/rsyslog"
 queue.maxdiskspace="1G"
 queue.saveonshutdown="on"
 action.resumeRetryCount="-1"
 action.resumeInterval="5"
 action.writeAllMarkMessages="on")
-{% endif %}
+{% endfor %}
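Review bot: `{% for syslogserver in relp_remote %}` replaces a block that was guarded by `rsyslog_remote_server_relp is defined`, so a host with no `relp_remote` variable now fails at template time instead of getting a config without forwarding; the same applies to the loop in rsyslog_centos7.conf.j2 above. If "no forwarding" is a supported state, `{% for syslogserver in relp_remote | default([]) %}` restores the old behaviour; if it is not, a role default or an assert task should say so. `queue.filename="{{ syslogserver.name }}"` is the on-disk prefix for the queue files under `/var/spool/rsyslog`, so two entries with the same `name`, or a name containing `/` or spaces, would share or break the spool files; the role should document that `name` must be unique and filesystem-safe, or derive the filename from `loop.index` instead.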