rsyslog
Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-rsyslog', '7.6.1'
Learn more about managing modules with a Puppetfile
pupmod-simp-rsyslog
Table of Contents
- Overview
- Module Description - A Puppet module for managing RSyslog version 7 or later
- Setup - The basics of getting started with pupmod-simp-rsyslog
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Overview
pupmod-simp-rsyslog configures and manages RSyslog versions 7 and newer as built into either RHEL or CentOS versions 6 and 7. It is designed to work with Puppet version 3.4 or newer.
NOTE: This version of pupmod-simp-rsyslog (https://github.com/simp/pupmod-simp-rsyslog) is a complete re-write of the previous version, and as such there are no guarantees made about backwards compatibility.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Module Description
This module follows the standard PuppetLabs module style guide with some SIMP-specific configuration items included for managing auditing, firewall rules, logging, SELinux, and TCPWrappers. All of these items are configurable and can be turned on or off as needed for each user environment.
pupmod-simp-rsyslog was designed to be as compatible with RSyslog v7-stable as possible, though the version that comes stock with RHEL or CentOS is slightly dated and as such legacy code still exists. Where possible, all legacy code is documented with the new configuration commented out to show how any updates going forward will look.
It is possible to use pupmod-simp-rsyslog on its own and configure all rules and settings as you like, but it is recommended that the SIMP Rsyslog Profile be used if possible. By default, this profile will set up security-relevant logging rules and manage server/client configurations.
Setup
What pupmod-simp-rsyslog affects
Files managed by pupmod-simp-rsyslog:
- /etc/rsyslog.conf
- /etc/rsyslog.simp.d
In addition to these, the rsyslog::rule::<all> definitions will create numbered directories in the $rsyslog_rule_dir, by default /etc/rsyslog.simp.d. These directories are included in alphanumeric order and, using the rsyslog::rule definition, the user can specify any directory name they want to impact order.
Services and operations managed or affected by pupmod-simp-rsyslog:
- rsyslogd
- auditd (configurable)
- iptables (configurable)
- TCPWrappers (configurable)
- SELinux (configurable)
- Logrotate (configurable)
Packages installed by pupmod-simp-rsyslog:
- rsyslog
- rsyslog-gnutls
Setup Requirements
NOTE: This version of pupmod-simp-rsyslog is a complete re-write of the previous version, and as such there are no guarantees made about backwards compatibility.
It is strongly recommended that the logging infrastructure be set up in a resilient manner. Failover in RSyslog is tricky and choosing the wrong kind of queuing with failover could mean losing logs. This module attempts to protect you from that but will allow you to change the queuing mechanism to meet your local requirements.
Beginning with pupmod-simp-rsyslog
Including rsyslog will install, configure, and start the rsyslog daemon on a client:
include ::rsyslog
Including rsyslog::server will additionally configure the system as an Rsyslog server.
include ::rsyslog::server
Usage
WARNING: The version of rsyslog that is included with EL6 and EL7 systems is not the final stable upstream release. In particular, TLS may only be enabled or disabled globally, not per ruleset or action!
pupmod-simp-rsyslog is meant to be extremely customizable, and as such there is no single best way to use it. For the SIMP specific recommendations on how to use RSyslog (and other modules as well), check out the SIMP profile.
I want standard remote logging on a client
An example of an RSyslog client configuration may look like the following, including possible file names and a simple remote rule to forward all logs on the system.
class {'rsyslog':
  # log_servers is the parameter name listed in the class reference
  log_servers          => ['first.log.server','second.log.server'],
  failover_log_servers => ['first.log.server','second.log.server'],
}
Alternatively, this can be set as the default via Hiera:
# Send to *all* of these servers!
log_servers:
- first.log.server
- second.log.server
failover_log_servers:
- first-failover.log.server
- second-failover.log.server
include ::rsyslog
I want to send everything to rsyslog from a client
NOTE: Everything must be in the form that would be in the middle of an if/then RainerScript expression.
For example, if you wanted to filter on the standard priority kern.err, you would put prifilt('kern.err') in your rule parameter.
This does not hold for a call to rsyslog::rule since that is the generic processor for all rules.
class my_rsyslog_client {
  class {'rsyslog':
    log_servers          => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
  }
  # Forward every facility and priority to the configured log servers
  rsyslog::rule::remote { 'send_the_logs':
    rule => 'prifilt(\'*.*\')'
  }
}
I want to disable TLS/PKI/Logrotate
class my_rsyslog_client {
  class {'rsyslog':
    log_servers          => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
    enable_tls_logging   => false,
    logrotate            => false,
    pki                  => false,
  }
}
I want to set up an RSyslog Server
class my_rsyslog_server {
  class {'rsyslog':
    log_servers          => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
  }
  include '::rsyslog::server'
  # Store everything a client sends in one file per originating host
  rsyslog::template::string { 'store_the_logs':
    string => '/var/log/hosts/%HOSTNAME%/everything.log'
  }
}
Using the above, all possible logs sent from the client will be stored on the server in a single log file. Obviously this is not always an effective strategy, but it is at least enough to get started. Further customizations can be built to help manage more logs appropriately. To learn more about how to use the templates and rules, feel free to browse through the code.
While this setup does cover all of the basics, using the SIMP suggested RSyslog profile will set up templates and a large set of default rules to help organize and send logs where possible. It also includes a comprehensive set of security-relevant logs to help filter important information.
I want to set up an Rsyslog Server without logrotate/pki/firewall
class {'rsyslog::server':
  # enable_firewall is the parameter name listed in the class reference
  enable_firewall    => false,
  enable_selinux     => false,
  enable_tcpwrappers => false,
}
Central Log Forwarding
Following on from the first example, you may have an upstream server to which you want to send all logs from your collected hosts.
To do this, you would use a manifest similar to the following on your local log server to forward everything upstream. Note the use of a custom template. Upstream systems may have their own requirements and this allows you to manipulate the log appropriately prior to forwarding the message along.
rsyslog::template::string { 'upstream':
  string => 'I Love Logs! %msg%\n'
}
rsyslog::rule::remote { 'upstream':
  # Send Everything
  rule     => 'prifilt(\'*.*\')',
  # Use the 'upstream' template defined above
  template => 'upstream',
  # The Upstream Destination Server
  dest     => ['upstream.fq.dn'],
  require  => Rsyslog::Template::String['upstream']
}
Reference
Please refer to the REFERENCE.md.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
By default, pupmod-simp-rsyslog tries to do the right thing during a failover scenario and make sure that logs are always stored no matter what the state of the remote log server(s) is. Be careful if you opt out of the default queuing strategy for failover as it may cause undesirable results such as lost logs.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Reference
Table of Contents
Classes
- rsyslog: Set up Rsyslog 7/8
- rsyslog::config: Setup Rsyslog configuration
- rsyslog::config::logrotate: Default log rotation for RSyslog
- rsyslog::install: Installs the packages necessary for use of RSyslog
- rsyslog::server: Sets up the RSyslog server
- rsyslog::server::firewall: Sets up the firewall rules for RSyslog with IPTables
- rsyslog::server::selinux: Sets up SELinux for RSyslog
- rsyslog::server::tcpwrappers: Sets up TCPWrappers for RSyslog both plain TCP and TCP over TLS as necessary
- rsyslog::service: Manage the RSyslog service
Defined types
- rsyslog::rule: Adds a rule
- rsyslog::rule::console: Add a rule for writing logs to the console
- rsyslog::rule::data_source: Add a rule for collecting logs from files on the system
- rsyslog::rule::drop: Add a rule to drop content
- rsyslog::rule::local: Add a rule targeting writing local system logs
- rsyslog::rule::other: Adds an arbitrary rule
- rsyslog::rule::remote: Adds a rule to send messages to one or more remote systems
- rsyslog::template::list: Add a template list to the rsyslog configuration file
- rsyslog::template::plugin: Add template plugins to the rsyslog configuration file.
- rsyslog::template::string: Add template strings to the rsyslog configuration
- rsyslog::template::subtree: Add template subtrees to the rsyslog configuration
Data types
- Rsyslog::QueueType: Rsyslog Queue Types
Classes
rsyslog
The configuration is particularly slanted toward the issues present in the versions of rsyslog included with Enterprise Linux systems. It should still work on other systems but they may have different/other bugs that have not been addressed.
Parameters
The following parameters are available in the rsyslog class.
service_name
Data type: String
The name of the Rsyslog service; typically rsyslog
package_name
Data type: String
The name of the Rsyslog package to install; typically rsyslog
tls_package_name
Data type: String
The name of the Rsyslog package to install TLS utilities; typically rsyslog-gnutls
Default value: "${package_name}-gnutls"
trusted_nets
Data type: Simplib::Netlist
A whitelist of subnets (in CIDR notation) permitted access
- This will be used in conjunction with IPTables (if enabled) to allow connections from within the given subnets.
Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })
enable_tls_logging
Data type: Boolean
Enable the TLS libraries where applicable
- If enabled, clients will encrypt all log data being sent to the given log servers. Also, all log servers specified to use TLS (see rsyslog::server::tls_tcp_server) will load the imtcp libraries and set the necessary global NetStreamDriver information.
Default value: false
log_servers
Data type: Simplib::Netlist
A list of primary Rsyslog servers
- All nodes in this list will get a copy of all logs if remote logging is enabled.
Default value: simplib::lookup('simp_options::syslog::log_servers', { 'default_value' => [] })
failover_log_servers
Data type: Simplib::Netlist
A list of the failover Rsyslog servers
- This order-dependent list will serve as all of the possible failover log servers for clients to send to if the servers in log_servers are unavailable.
Default value: simplib::lookup('simp_options::syslog::failover_log_servers', { 'default_value' => [] })
queue_spool_directory
Data type: Stdlib::Absolutepath
The path to the directory where Rsyslog should store disk message queues
Default value: '/var/spool/rsyslog'
rule_dir
Data type: Stdlib::Absolutepath
The path at which all managed rules will begin
Default value: '/etc/rsyslog.simp.d'
tcp_server
Data type: Boolean
Make this host listen for TCP connections
- Ideally, all connections would be TLS enabled. Only enable this if necessary.
Default value: false
tcp_listen_port
Data type: Simplib::Port
The port upon which to listen for regular TCP connections
Default value: 514
tls_tcp_server
Data type: Boolean
Make this host listen for TLS enabled TCP connections
Default value: false
tls_tcp_listen_port
Data type: Simplib::Port
The port upon which to listen for TLS enabled TCP connections
Default value: 6514
udp_server
Data type: Boolean
Make this host listen for UDP connections
- This really should not be enabled unless you have devices that cannot speak TLS
Default value: false
udp_listen_address
Data type: String
The address upon which to listen for UDP connections
- The default of 127.0.0.1 is set primarily for supporting Java applications that cannot work with a modern method of logging.
Default value: '127.0.0.1'
udp_listen_port
Data type: Simplib::Port
The port upon which to listen for UDP connections
Default value: 514
read_journald
Data type: Boolean
Enable the processing of journald messages natively in Rsyslog
logrotate
Data type: Boolean
Ensure that logrotate is enabled on this system
- You will need to configure specific logrotate settings via the logrotate module.
Default value: simplib::lookup('simp_options::logrotate', {'default_value' => false})
pki
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/rsyslog/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/rsyslog/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  - app_pki_dir
  - app_pki_key
  - app_pki_cert
  - app_pki_ca
  - app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', {'default_value' => false})
app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', {'default_value' => '/etc/pki/simp/x509'})
app_pki_dir
Data type: Stdlib::Absolutepath
Basepath of $default_net_stream_driver_ca_file, $default_net_stream_driver_cert_file, and $default_net_stream_driver_key_file
Default value: '/etc/pki/simp_apps/rsyslog/x509'
rsyslog::config
NOTE: THIS IS A PRIVATE CLASS
- When the host uses systemd, creates a rsyslog.service override file that fixes a service ordering problem present with older versions of rsyslog.
- Creates /etc/rsyslog.conf and includes all SIMP config subdirectories in /etc/rsyslog.simp.d.
NOTE Any undocumented parameters map directly to their counterparts in the Rsyslog configuration files.
Parameters
The following parameters are available in the rsyslog::config class.
umask
Data type: String
The umask that should be applied to the running process
Default value: '0027'
localhostname
Data type: String
The Hostname that should be used on your syslog messages
Default value: $facts['fqdn']
preserve_fqdn
Data type: Boolean
Ensure that the fqdn of the originating host is preserved in all log messages
Default value: true
control_character_escape_prefix
Data type: String[1,1]
Default value: '#'
drop_msgs_with_malicious_dns_ptr_records
Data type: Enum['off','on']
Default value: 'off'
escape_control_characters_on_receive
Data type: Enum['off','on']
Default value: 'on'
default_template
Data type: String
The default template to use to output to various services
- The provided template has been designed to work with external parsing tools that require the priority text
- You can also choose from the following values in order to select from one of the built-in rsyslogd formats.
  - forward -> RSYSLOG_Forward
  - original -> RSYSLOG_FileFormat
  - traditional -> RSYSLOG_TraditionalFileFormat
Default value: 'original'
syssock_ignore_timestamp
Data type: Boolean
Default value: true
syssock_ignore_own_messages
Data type: Boolean
Default value: true
syssock_use
Data type: Boolean
Default value: true
syssock_name
Data type: Optional[String]
Default value: undef
syssock_flow_control
Data type: Boolean
Default value: false
syssock_use_pid_from_system
Data type: Boolean
Default value: false
syssock_rate_limit_interval
Data type: Integer[0]
Default value: 0
syssock_rate_limit_burst
Data type: Integer[0]
Default value: 1000
syssock_rate_limit_severity
Data type: Integer[0]
Default value: 5
syssock_use_sys_timestamp
Data type: Boolean
Default value: true
syssock_annotate
Data type: Boolean
Default value: false
syssock_parse_trusted
Data type: Boolean
Default value: false
syssock_unlink
Data type: Boolean
Default value: true
main_msg_queue_type
Data type: Enum['LinkedList','FixedArray']
The type of queue that will be used
- It is highly recommended that you leave this as LinkedList unless you really know what you are doing.
Default value: 'LinkedList'
main_msg_queue_filename
Data type: String
Default value: 'main_msg_queue'
main_msg_queue_size
Data type: Optional[Integer[0]]
The size of the main (global) message queue, given as the maximum number of messages that may be stored in the memory queue
- By default, the minimum of 1% of physical memory or 1G, based on a 512B message size.
Default value: undef
main_msg_queue_high_watermark
Data type: Optional[Integer[0]]
The point at which the queue will start writing messages to disk as a number of messages
- By default, 90% of $main_msg_queue_size
Default value: undef
main_msg_queue_low_watermark
Data type: Optional[Integer[0]]
The point at which the queue will stop writing messages to disk as a number of messages
- NOTE: This must be lower than $main_msg_queue_high_watermark
- By default, 70% of $main_msg_queue_size
Default value: undef
main_msg_queue_discardmark
Data type: Optional[Integer[0]]
The point at which the queue will discard messages
- By default, 98% of $main_msg_queue_size
Default value: undef
main_msg_queue_worker_thread_minimum_messages
Data type: Optional[Integer[0]]
The minimum number of messages in the queue before a new thread can be spawned
- If left empty (the default), will calculate the value based on the following formula: $main_msg_queue_size/(($processorcount - 1)*4)
Default value: undef
main_msg_queue_worker_threads
Data type: Optional[Integer[0]]
The maximum number of threads to spawn on the system
- By default, $processorcount - 1
Default value: undef
main_msg_queue_worker_timeout_thread_shutdown
Data type: Integer[0]
Default value: 5000
main_msg_queue_timeout_enqueue
Data type: Integer[0]
Default value: 100
main_msg_queue_dequeue_slowdown
Data type: Integer[0]
Default value: 0
main_msg_queue_save_on_shutdown
Data type: Enum['on','off']
Default value: 'on'
main_msg_queue_max_disk_space
Data type: Optional[Integer[0]]
The maximum amount of disk space to use for the disk queue.
- Specified as a digit followed by a unit specifier. For example:
  - 100 -> 100 Bytes
  - 100K -> 100 Kilobytes
  - 100M -> 100 Megabytes
  - 100G -> 100 Gigabytes
  - 100T -> 100 Terabytes
  - 100P -> 100 Petabytes
- If not specified, will default to $main_msg_queue_size * 1024
Default value: undef
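The default sizing rules for the main_msg_queue_* parameters above, worked through as an added Ruby example (not code from the module) that also checks overrides against the documented low/high watermark ordering. The helper names, reading "1G" as 1 GiB, floor rounding, and clamping $processorcount - 1 to at least 1 are assumptions.

```ruby
# Added example, not code from the simp-rsyslog module.
# Derives the documented default main-queue settings from host facts and
# checks operator overrides before they reach a log-collection host.

BYTES_PER_MESSAGE = 512   # message size the documented default is based on
ONE_G = 1024**3           # assumption: "1G" is read as 1 GiB

# memory_bytes and processor_count stand in for the host's memory and CPU facts.
# Override keys are hypothetical names: the main_msg_queue_* parameters with
# the prefix dropped. Integer division (floor) is an assumption about rounding.
def main_queue_settings(memory_bytes, processor_count, **overrides)
  unless memory_bytes.is_a?(Integer) && memory_bytes.positive?
    raise ArgumentError, 'memory_bytes must be a positive Integer'
  end
  unless processor_count.is_a?(Integer) && processor_count.positive?
    raise ArgumentError, 'processor_count must be a positive Integer'
  end

  # Default size: min(1% of physical memory, 1G), expressed in 512B messages.
  size = overrides.fetch(:size) { [memory_bytes / 100, ONE_G].min / BYTES_PER_MESSAGE }

  # "$processorcount - 1" is 0 on a single-CPU host; clamping to 1 is an
  # assumption made here so the divisor below is never zero.
  spare_cpus = [processor_count - 1, 1].max

  settings = {
    size: size,
    high_watermark: overrides.fetch(:high_watermark) { size * 90 / 100 },
    low_watermark: overrides.fetch(:low_watermark) { size * 70 / 100 },
    discardmark: overrides.fetch(:discardmark) { size * 98 / 100 },
    worker_threads: overrides.fetch(:worker_threads) { spare_cpus },
    worker_thread_minimum_messages:
      overrides.fetch(:worker_thread_minimum_messages) { size / (spare_cpus * 4) },
    # A bare number is read as bytes, per the unit list in the parameter text.
    max_disk_space: overrides.fetch(:max_disk_space) { size * 1024 }
  }

  unknown = overrides.keys - settings.keys
  raise ArgumentError, "unknown override(s): #{unknown.join(', ')}" unless unknown.empty?

  # Documented constraint: the low watermark must be lower than the high one.
  unless settings[:low_watermark] < settings[:high_watermark]
    raise ArgumentError, 'low_watermark must be lower than high_watermark'
  end
  settings
end

# Non-fatal findings worth flagging in review, since they lead to lost logs.
def queue_warnings(settings)
  warnings = []
  if settings[:discardmark] <= settings[:high_watermark]
    warnings << 'discardmark is at or below high_watermark: the queue reaches ' \
                'its discard point before it starts writing to disk'
  end
  if settings[:discardmark] > settings[:size]
    warnings << 'discardmark exceeds the queue size and can never be reached'
  end
  warnings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed host: 8 GiB of memory, 4 processors.
  settings = main_queue_settings(8 * 1024**3, 4)
  settings.each { |key, value| puts "#{key}: #{value}" }
  queue_warnings(settings).each { |w| puts "WARNING: #{w}" }
end
```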
main_msg_queue_max_file_size
Data type: Integer[0]
The maximum file size, in Megabytes, that should be created when buffering to disk.
- NOTE: It is not recommended to make this excessively large
Default value: 5
repeated_msg_reduction
Data type: Enum['on','off']
Default value: 'on'
work_directory
Data type: Stdlib::Absolutepath
Default value: '/var/spool/rsyslog'
interval
Data type: Integer[0]
The mark interval
Default value: 0
tls_tcp_max_sessions
Data type: Integer[0]
The maximum number of sessions to support
Default value: 200
tls_input_tcp_server_stream_driver_permitted_peers
Data type: Array[String]
A wildcard-capable Array of domains that should be allowed to talk to the server over TLS
Default value: ["*.${facts['domain']}"]
default_net_stream_driver
Data type: Enum['gtls','ptcp']
When TLS is enabled (client and/or server), used to set the global DefaultNetStreamDriver configuration parameter.
Default value: 'gtls'
default_net_stream_driver_ca_file
Data type: Stdlib::Absolutepath
When TLS is enabled (client and/or server), used to set the global DefaultNetStreamDriverCAFile configuration parameter. Currently, this is the ONLY mechanism available to set the CA file for TLS.
Default value: "${rsyslog::app_pki_dir}/cacerts/cacerts.pem"
default_net_stream_driver_cert_file
Data type: Stdlib::Absolutepath
When TLS is enabled (client and/or server), used to set the global DefaultNetStreamDriverCertFile configuration parameter. Currently, this is the ONLY mechanism available to set the cert file for TLS.
Default value: "${rsyslog::app_pki_dir}/public/${::fqdn}.pub"
default_net_stream_driver_key_file
Data type: Stdlib::Absolutepath
When TLS is enabled (client and/or server), used to set the global DefaultNetStreamDriverKeyFile configuration parameter. Currently, this is the ONLY mechanism available to set the key file for TLS.
Default value: "${rsyslog::app_pki_dir}/private/${::fqdn}.pem"
action_send_stream_driver_mode
Data type: Enum['1','0']
- When $rsyslog::tls_tcp_server = true, used for imtcp module StreamDriver.Mode
- For Rsyslog 7, when $rsyslog::enable_tls_logging = true, used to set the deprecated, global rsyslog configuration, ActionSendStreamDriverMode. This setting and the corresponding send stream driver setting in rsyslog::rule::remote are BOTH required for sending TLS-encrypted logs with Rsyslog 7.
Default value: (
action_send_stream_driver_auth_mode
Data type: Optional[String]
- When $rsyslog::tls_tcp_server = true, used for imtcp module StreamDriver.AuthMode. If undefined, this value is set based on $action_send_stream_driver_mode.
- Otherwise deprecated. Send stream driver authentication mode is configured for individual send streams via rsyslog::rule::remote.
Default value: undef
action_send_stream_driver_permitted_peers
Data type: Optional[Array[String]]
Deprecated and will be removed in a later version. Send stream driver permitted peers are configured for individual send streams via rsyslog::rule::remote.
Default value: undef
ulimit_max_open_files
Data type: Variant[Enum['unlimited'],Integer[0]]
The maximum open files limit that should be set for the syslog server
- 1024 is fine for most purposes, but a collection server should bump this way up.
Default value: 'unlimited'
host_list
Data type: Array[String]
This option is only valid in rsyslog versions < 8.6.0. Hosts that should be logged with their simple hostname
- See the -l option in rsyslogd(8) for more information
Default value: []
domain_list
Data type: Array[String]
This option is only valid in rsyslog versions < 8.6.0. Array of domains that should be stripped off before logging
- See the -s option in rsyslogd(8) for more information
Default value: []
suppress_noauth_warn
Data type: Boolean
Suppress warnings due to hosts not in the ACL
- See the -w option in rsyslogd(8) for more information
Default value: false
disable_remote_dns
Data type: Boolean
Disable DNS lookups for remote messages
- See the -x option in rsyslogd(8) for more information
Default value: false
enable_default_rules
Data type: Boolean
Enables default rules for logging common services (e.g., iptables, puppet, slapd_auditd)
Default value: true
read_journald
Data type: Boolean
Enable the forwarding of the systemd journal to syslog
Default value: $rsyslog::read_journald
include_rsyslog_d
Data type: Boolean
Include all configuration files in the system-standard /etc/rsyslog.d
- This will place the configuration files after the global configuration but before the SIMP applied configurations.
Default value: false
systemd_override_file
Data type: String
The basename of the systemd override file for the rsyslog service
Default value: 'unit.conf'
rsyslog::config::logrotate
NOTE: THIS IS A PRIVATE CLASS
The list that is managed here matches the list of default files that are managed on the system by this module.
Parameters map to their counterparts in the logrotate::rule defined type.
Parameters
The following parameters are available in the rsyslog::config::logrotate class.
rotate_compress
Data type: Optional[Boolean]
Default value: undef
rotate_compresscmd
Data type: Optional[String[1]]
Default value: undef
rotate_uncompresscmd
Data type: Optional[String[1]]
Default value: undef
rotate_compressext
Data type: Optional[String[1]]
Default value: undef
rotate_compressoptions
Data type: Optional[String[1]]
Default value: undef
rotate_copy
Data type: Boolean
Default value: false
rotate_copytruncate
Data type: Boolean
Default value: false
rotate_create
Data type: Pattern['\d{4} .+ .+']
Default value: '0640 root root'
rotate_period
Data type: Enum['daily','weekly','monthly','yearly']
Default value: 'daily'
rotate_dateext
Data type: Optional[Boolean]
Default value: undef
rotate_dateformat
Data type: String[1]
Default value: '-%Y%m%d.%s'
rotate_dateyesterday
Data type: Optional[Boolean]
Default value: undef
rotate_delaycompress
Data type: Optional[Boolean]
Default value: undef
rotate_extension
Data type: Optional[String[1]]
Default value: undef
rotate_ifempty
Data type: Boolean
Default value: false
rotate_ext_include
Data type: Optional[Array[String[1]]]
Default value: undef
rotate_mail
Data type: Optional[Simplib::EmailAddress]
Default value: undef
rotate_maillast
Data type: Boolean
Default value: true
rotate_maxage
Data type: Optional[Integer[0]]
Default value: undef
rotate_minsize
Data type: Optional[Integer[0]]
Default value: undef
rotate_missingok
Data type: Boolean
Default value: true
rotate_olddir
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
rotate_postrotate
Data type: Optional[String[1]]
Default value: undef
rotate_prerotate
Data type: Optional[String[1]]
Default value: undef
rotate_firstaction
Data type: Optional[String[1]]
Default value: undef
rotate_lastaction
Data type: Optional[String[1]]
Default value: undef
rotate_lastaction_restart_logger
Data type: Boolean
Default value: true
rotate_logger_service
Data type: Optional[String[1]]
Default value: simplib::lookup('logrotate::logger_service', {'default_value' => 'rsyslog'})
rotate_preserve
Data type: Integer[0]
Default value: 7
rotate_size
Data type: Optional[Integer[0]]
Default value: undef
rotate_sharedscripts
Data type: Boolean
Default value: true
rotate_shred
Data type: Optional[Boolean]
Default value: undef
rotate_shredcycles
Data type: Optional[Integer[0]]
Default value: undef
rotate_su
Data type: Boolean
Default value: false
rotate_su_user
Data type: Optional[String[1]]
Default value: undef
rotate_su_group
Data type: Optional[String[1]]
Default value: undef
rotate_start
Data type: Integer[0]
Default value: 1
rotate_tabooext
Data type: Optional[Array[String[1]]]
Default value: undef
rsyslog::install
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the rsyslog::install class.
ensure
Data type: String
How to install the packages
- Accepts the same values as the Package resource's ensure parameter
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
rsyslog::server
This class is designed to configure the externally facing interfaces for a RSyslog system. If you do not need external connectivity, you should just use the stock ::rsyslog Class.
Parameters
The following parameters are available in the rsyslog::server class.
enable_firewall
Data type: Boolean
Enable the SIMP firewall rules for RSyslog
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
enable_selinux
Data type: Optional[Boolean]
Enable the SIMP SELinux rules for RSyslog
Default value: $facts['selinux_enforced']
enable_tcpwrappers
Data type: Boolean
Enable the SIMP TCPWrapper rules for RSyslog
Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })
rsyslog::server::firewall
NOTE: THIS IS A PRIVATE CLASS
Inbound ports will be opened for all systems inside of the $rsyslog::trusted_nets Array.
rsyslog::server::selinux
NOTE: THIS IS A PRIVATE CLASS
Switches on the nis_enabled SELinux Boolean since this is required for successful RSyslog connections.
- Note: This MAY not be necessary any longer and should be validated
rsyslog::server::tcpwrappers
NOTE: THIS IS A PRIVATE CLASS
NOTE: This actually opens the TCPWrappers rules for RSyslog since testing has shown that it was prone to some odd connectivity errors. Both IPTables and an internal allow list protect RSyslog connections.
rsyslog::service
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the rsyslog::service class.
enable
Data type: Boolean
Enable the rsyslog service
Default value: true
Defined types
rsyslog::rule
This is used by the various rsyslog::rule::* Defined Types to apply rules to the system.
Feel free to use this Defined Type to add your own rules but remember that order matters!
In general, the order will be:
- 05 - Data Source Rules
- 06 - Console Rules
- 07 - Drop Rules
- 10 - Remote Rules
- 20 - Other/Miscellaneous Rules
- 99 - Local Rules
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
Examples
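Collect All kern.err Messages
# The name must be a relative <directory>/<file>.conf path (see the name
# parameter below); '99_my_rules' is an illustrative directory name.
rsyslog::rule { '99_my_rules/collect_kernel_errors.conf':
  # content is the parameter this defined type documents for the rule text
  content => "if prifilt('kern.err') then /var/log/kernel_errors.log"
}
Discard All info Messages
rsyslog::rule::other { '98_discard_info.conf':
  rule => "if prifilt('*.info') then stop"
}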
Parameters
The following parameters are available in the rsyslog::rule defined type.
name
Data type: Pattern['^[^/]\S+/\S+\.conf$']
The filename that you will be dropping into place
- WARNING: This must NOT be an absolute path!
content
Data type: String
The exact content of the rule to place in the target file
rsyslog::rule::console
These rules are first in priority. In general, the order will be:
- Data Source Rules
- Console Rules
- Drop Rules
- Remote Rules
- Other/Miscellaneous Rules
- Local Rules
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
Examples
Log Emergency Messages to the Console
rsyslog::rule::console { 'emergency_rule':
  rule  => 'prifilt(\'*.emerg\')',
  users => ['*']
}
Parameters
The following parameters are available in the rsyslog::rule::console defined type.
name
Data type: String
The filename that you will be dropping into place
rule
Data type: String
The Rsyslog EXPRESSION to filter on
users
Data type: Array[String]
Users to which to send the console messages
rsyslog::rule::data_source
In general, the order will be:
- Data Source Rules
- Console Rules
- Drop Rules
- Remote Rules
- Other/Miscellaneous Rules
- Local Rules
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
The filename that you will be dropping into place.
Examples
Collect Logs From /opt/log/my_app
rsyslog::rule::data_source { 'new_input':
  rule => @(EOM)
    input(type="imfile"
      File="/opt/log/my_app"
      StateFile="my_app"
      Tag="my_app"
      Facility="local6"
      Severity="notice"
    )
    |EOM
}
Parameters
The following parameters are available in the rsyslog::rule::data_source defined type.
name
Data type: String
The filename that you will be dropping into place
rule
Data type: String
The Rsyslog EXPRESSION to filter on
rsyslog::rule::drop
In general, the order will be:
- Data Source Rules
- Console Rules
- Drop Rules
- Remote Rules
- Other/Miscellaneous Rules
- Local Rules
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
The filename that you will be dropping into place.
Examples
Drop Logs Matching ^.*bad_stuff.*$
rsyslog::rule::drop { 'drop_bad_stuff':
  rule => 're_match($msg, \'^.*bad_stuff.*$\')'
}
Parameters
The following parameters are available in the rsyslog::rule::drop
defined type.
name
Data type: String
The filename that you will be dropping into place
rule
Data type: String
The Rsyslog EXPRESSION to filter on
rsyslog::rule::local
NOTE: Any option that is not explicitly documented here matches the ruleset options in the Rsyslog documentation.
In general, the order will be:
- Data Source Rules
- Console Rules
- Drop Rules
- Remote Rules
- Other/Miscellaneous Rules
- Local Rules
NOTE: Since many of the parameters here may need to be modified on a case-by-case basis, this defined type uses capabilities presented by the simplib::dlookup function to allow for either global overrides or instance-specific overrides.
Global overrides work the same way as classes (rsyslog::rule::local::file_create_mode: '0644') but will affect all instances of the defined type that are not specifically overridden as shown below.
Instance-specific overrides preclude the need for a resource collector in that you can place the following in Hiera to affect a single instance named my_rule: Rsyslog::Rule::Local[my_rule]::file_create_mode: '0600'
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
Examples
Capture OpenLDAP Logs Then Stop Processing
rsyslog::rule::local { 'collect_openldap':
  rule            => "prifilt('local4.*')",
  target_log_file => '/var/log/slapd.log',
  stop_processing => true
}
Parameters
The following parameters are available in the rsyslog::rule::local
defined type.
name
Data type: String
The filename that you will be dropping into place
rule
Data type: Optional[String[1]]
The Rsyslog EXPRESSION to filter on
- NOTE: Do NOT include the leading if/then
  - Correct: rule => "prifilt('*.*')"
  - Incorrect: rule => "if prifilt('*.*') then"
- This must be set if $content is left empty
Default value: undef
target_log_file
Data type: Optional[Stdlib::Absolutepath]
The target log file that omfile will be writing to
- This must be set if $dyna_file is left empty
Default value: undef
stop_processing
Data type: Boolean
Do not forward logs to any further rulesets after processing this ruleset
Default value: false
dyna_file
Data type: Optional[String[1]]
Set a dynamic filename using the property replacer rules
- NOTE: If you make this the filename path itself, a template will automatically be created for you. Otherwise, you must make sure to have a rsyslog template in place and pass the name of the template to this option
- Rsyslog templates can be created using the rsyslog::template::* defined types
Default value: undef
template
Data type: Optional[String[1]]
Default value: undef
dyna_file_cache_size
Data type: Integer[0]
Default value: 10
zip_level
Data type: Integer[0,9]
Default value: 0
very_robust_zip
Data type: Boolean
Default value: true
flush_interval
Data type: Integer[0]
Default value: 0
async_writing
Data type: Boolean
Default value: false
flush_on_tx_end
Data type: Boolean
Default value: true
io_buffer_size
Data type: Optional[Integer[0]]
Default value: undef
dir_owner
Data type: Optional[String[1]]
Default value: undef
dir_owner_num
Data type: Optional[Integer[0]]
Default value: undef
dir_group
Data type: Optional[String[1]]
Default value: undef
dir_group_num
Data type: Optional[Integer[0]]
Default value: undef
file_owner
Data type: Optional[String[1]]
Default value: undef
file_owner_num
Data type: Optional[Integer[0]]
Default value: undef
file_group
Data type: Optional[String[1]]
Default value: undef
file_group_num
Data type: Optional[Integer[0]]
Default value: undef
file_create_mode
Data type: Stdlib::Filemode
Default value: simplib::dlookup('rsyslog::rule::local', 'file_create_mode', $name, { 'default_value' => '0640' })
dir_create_mode
Data type: Stdlib::Filemode
Default value: simplib::dlookup('rsyslog::rule::local', 'dir_create_mode', $name, { 'default_value' => '0750' })
fail_on_chown_failure
Data type: Boolean
Default value: true
create_dirs
Data type: Boolean
Default value: true
sync
Data type: Boolean
Default value: false
sig_provider
Data type: Optional[String[1]]
Default value: undef
cry_provider
Data type: Optional[String[1]]
Default value: undef
queue_filename
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
queue_spool_directory
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
queue_size
Data type: Optional[Integer[0]]
Default value: undef
queue_dequeue_batch_size
Data type: Integer[0]
Default value: 16
queue_max_disk_space
Data type: Optional[Integer[0]]
Default value: undef
queue_high_watermark
Data type: Optional[Integer[0]]
Default value: undef
queue_low_watermark
Data type: Integer[0]
Default value: 2000
queue_full_delay_mark
Data type: Optional[Integer[0]]
Default value: undef
queue_light_delay_mark
Data type: Optional[Integer[0]]
Default value: undef
queue_discard_mark
Data type: Integer[0]
Default value: 9750
queue_discard_severity
Data type: Integer[0]
Default value: 8
queue_checkpoint_interval
Data type: Optional[Integer[0]]
Default value: undef
queue_sync_queue_files
Data type: Boolean
Default value: false
queue_type
Data type: Rsyslog::QueueType
Default value: 'Direct'
queue_worker_threads
Data type: Integer[0]
Default value: 1
queue_timeout_shutdown
Data type: Integer[0]
Default value: 0
queue_timeout_action_completion
Data type: Integer[0]
Default value: 1000
queue_timeout_enqueue
Data type: Integer[0]
Default value: 2000
queue_timeout_worker_thread_shutdown
Data type: Integer[0]
Default value: 60000
queue_worker_thread_minimum_messages
Data type: Integer[0]
Default value: 100
queue_max_file_size
Data type: String[1]
Default value: simplib::dlookup('rsyslog::rule::local', 'queue_max_file_size', $name, { 'default_value' => '1m' })
queue_save_on_shutdown
Data type: Boolean
Default value: false
queue_dequeue_slowdown
Data type: Integer[0]
Default value: 0
queue_dequeue_time_begin
Data type: Optional[Integer[0]]
Default value: undef
queue_dequeue_time_end
Data type: Optional[Integer[0]]
Default value: undef
content
Data type: Optional[String[1]]
The entire content of the rsyslog::rule
- If you do not specify this, $rule is a required variable
- If you do specify this, $rule will be ignored
Default value: undef
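The dyna_file and file permission parameters above, combined in one declaration. This is an added example, not taken from the module's own documentation; the resource title and log path are constructed, and the path reuses the %HOSTNAME% property shown in the rsyslog::template::string example.

```puppet
# Added example (constructed values): write authpriv messages to one file per
# originating host, readable by root only.
rsyslog::rule::local { 'collect_authpriv_per_host':
  # Only the matching expression; no leading if/then.
  rule                  => "prifilt('authpriv.*')",

  # A path given directly to dyna_file gets its template created
  # automatically, so target_log_file is left unset.
  dyna_file             => '/var/log/hosts/%HOSTNAME%/secure.log',

  # Tighter than the documented defaults of '0640' and '0750'.
  file_create_mode      => '0600',
  dir_create_mode       => '0700',
  file_owner            => 'root',
  file_group            => 'root',
  dir_owner             => 'root',
  dir_group             => 'root',

  # Create the per-host directories on demand and treat a failed chown as an
  # error (both are the documented defaults, stated here for clarity).
  create_dirs           => true,
  fail_on_chown_failure => true,

  # Keep these messages out of any later ruleset.
  stop_processing       => true,
}

# The same modes can come from Hiera instead of the manifest, using the
# instance-specific key form documented above:
#   Rsyslog::Rule::Local[collect_authpriv_per_host]::file_create_mode: '0600'
#   Rsyslog::Rule::Local[collect_authpriv_per_host]::dir_create_mode: '0700'
```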
rsyslog::rule::other
The main reason to use this is to ensure proper ordering in the stack. If you want to insert a rule anywhere, use the rsyslog::rule defined type.
In general, the order will be:
- Data Source Rules
- Console Rules
- Drop Rules
- Remote Rules
- Other/Miscellaneous Rules
- Local Rules
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
The filename that you will be dropping into place.
Examples
Send All local0 Messages to 1.2.3.4 via TCP
rsyslog::rule::other { 'send_local0_away':
  rule => "if prifilt('local0.*') then @@1.2.3.4"
}
Parameters
The following parameters are available in the rsyslog::rule::other
defined type.
name
Data type: String
The filename that you will be dropping into place
rule
Data type: String
The Rsyslog EXPRESSION to filter on
rsyslog::rule::remote
The rule will include a forwarding ('omfwd') action for each primary and failover syslog server specified via $dest and $failover_log_servers, respectively.
In general, the order will be:
- Data Source Rules
- Console Rules
- Drop Rules
- Remote Rules
- Other/Miscellaneous Rules
- Local Rules
In general, individual send stream driver settings are properly supported with the Rsyslog 8 EL versions available for CentOS 7 and the Rsyslog 7 EL versions available for CentOS 6. However, for TLS support, you must also configure global Rsyslog parameters as follows:
- TLS sending and/or receiving requires the global DefaultNetStreamDriver, DefaultNetStreamDriverCAFile, DefaultNetStreamDriverCertFile, and DefaultNetStreamDriverKeyFile parameters to be configured via rsyslog::config.
- TLS sending for Rsyslog 7 EL versions requires the global ActionSendStreamDriverMode configuration parameter to be configured via rsyslog::config IN ADDITION TO the $stream_driver_mode.
WARNING
If possible, this module will take pains to prevent adding a target that is equivalent to the current system to prevent syslog loops.
Unfortunately, there is no foolproof method for getting this correct 100% of the time so please take care when setting your destination targets.
WARNING
- This must be set if $content is left empty
See also:
- Red Hat Basic Rsyslog Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html
- Expressions in Rsyslog: http://www.rsyslog.com/doc/expression.html
- RainerScript Documentation: http://www.rsyslog.com/doc/rainerscript.html
- https://simp.readthedocs.io/en/master/user_guide/HOWTO/Central_Log_Collection.html
Examples
Send All local0 Messages to 1.2.3.4 via TCP
rsyslog::rule::remote { 'send_local0_away':
  rule => "prifilt('local0.*')",
  dest => ['1.2.3.4']
}
Parameters
The following parameters are available in the rsyslog::rule::remote
defined type.
name
Data type: String
The filename that you will be dropping into place
rule
Data type: Optional[String[1]]
The Rsyslog EXPRESSION to filter on
- This should only be the matching part of the expression; the remaining parameters take care of ensuring that the material is properly routed.
- NOTE: Do NOT include the leading if/then
  - Correct: rule => "prifilt('*.*')"
  - Incorrect: rule => "if prifilt('*.*') then"
Default value: undef
stop_processing
Data type: Boolean
Do not forward logs to any further rulesets after processing this ruleset
Default value: false
template
Data type: Optional[String[1]]
The template that should be used to format the content
Default value: undef
dest
Data type: Simplib::Netlist
If filled, logs matching $rule will be sent to all hosts in this Array.
- WARNING: If using this, do NOT add a destination to your rule
Default value: []
dest_type
Data type: Enum['tcp','udp','relp']
The destination type for all entries in $dest
- At this time, if you wish to have different types per destination, you will need to either create a rsyslog::rule::remote for each destination or craft your own ruleset and leave $dest empty.
Default value: 'tcp'
failover_log_servers
Data type: Simplib::Netlist
The listed systems will be used as failover servers for all logs matching this rule
- Uses $dest_type above
Default value: []
tcp_framing
Data type: Enum['traditional','octet-counted']
Default value: 'traditional'
zip_level
Data type: Integer[0,9]
Default value: 0
max_error_messages
Data type: Integer[0]
Default value: 5
compression_mode
Data type: Enum['none','single','stream:always']
Default value: 'none'
compression_stream_flush_on_tx_end
Data type: Boolean
Default value: true
rebind_interval
Data type: Optional[Integer[0]]
Default value: undef
action_resume_interval
Data type: Integer[0]
Default value: 30
action_resume_retry_count
Data type: Integer[-1]
Default value: -
stream_driver
Data type: Optional[String[1]]
- This is only used to set the StreamDriver directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.
- Overridden by 'DefaultNetstreamDriver' global stream configuration specified by rsyslog::config::default_net_stream_driver.
Default value: undef
stream_driver_mode
Data type: Integer[0]
- This is only used to set the StreamDriverMode directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.
- For Rsyslog 7, the stream driver mode must ALSO be set by the 'ActionSendStreamDriverMode' global stream configuration via rsyslog::config::action_send_stream_driver_mode.
Default value: 1
stream_driver_auth_mode
Data type: String
This is only used to set the StreamDriverAuthMode directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.
Default value: 'x509/name'
stream_driver_permitted_peers
Data type: Optional[String[1]]
- This is only used to set the StreamDriverPermittedPeers directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.
- If this is set, the value will be used for all forwarding actions for the remote servers in $dest and $failover_log_servers.
- If this is undefined,
  - If ALL of the remote servers in $dest and $failover_log_servers are specified as hostname variants, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to that server's hostname.
  - If ANY of the remote servers in $dest and $failover_log_servers is specified as an IP address variant, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to the domain of the Puppet client. This behavior provides backward compatibility with earlier versions of this module.
- rsyslog expects StreamDriverPermittedPeers to be a comma-separated list of fingerprints (SHA1) and/or names of remote peers, which it will use to match against the certificate presented from the remote server.
- @see https://media.readthedocs.org/pdf/rsyslog/stable/rsyslog.pdf
Default value: undef
resend_last_msg_on_reconnect
Data type: Boolean
Default value: true
udp_send_to_all
Data type: Boolean
Default value: false
queue_filename
Data type: Optional[String[1]]
Default value: undef
queue_spool_directory
Data type: Optional[Stdlib::Absolutepath]
Default value: undef
queue_size
Data type: Optional[Integer[0]]
Default value: undef
queue_dequeue_batch_size
Data type: Integer[0]
Default value: 16
queue_max_disk_space
Data type: Optional[Integer[0]]
Default value: undef
queue_high_watermark
Data type: Optional[Integer[0]]
Default value: undef
queue_low_watermark
Data type: Integer[0]
Default value: 2000
queue_full_delay_mark
Data type: Optional[Integer[0]]
Default value: undef
queue_light_delay_mark
Data type: Optional[Integer[0]]
Default value: undef
queue_discard_mark
Data type: Integer[0]
Default value: 9750
queue_discard_severity
Data type: Integer[0]
Default value: 8
queue_checkpoint_interval
Data type: Optional[Integer[0]]
Default value: undef
queue_sync_queue_files
Data type: Boolean
Default value: false
queue_type
Data type: Enum['LinkedList','FixedArray','Direct','Disk']
Default value: 'LinkedList'
queue_worker_threads
Data type: Integer[0]
Default value: 1
queue_timeout_shutdown
Data type: Integer[0]
Default value: 0
queue_timeout_action_completion
Data type: Integer[0]
Default value: 1000
queue_timeout_enqueue
Data type: Integer[0]
Default value: 2000
queue_timeout_worker_thread_shutdown
Data type: Integer[0]
Default value: 60000
queue_worker_thread_minimum_messages
Data type: Integer[0]
Default value: 100
queue_max_file_size
Data type: String[1]
Default value: '1m'
queue_save_on_shutdown
Data type: Boolean
Default value: true
queue_dequeue_slowdown
Data type: Integer[0]
Default value: 0
queue_dequeue_time_begin
Data type: Optional[Integer[0]]
Default value: undef
queue_dequeue_time_end
Data type: Optional[Integer[0]]
Default value: undef
content
Data type: Optional[String[1]]
The entire content of the rsyslog::rule
- If you do not specify this, $rule is a required variable
- If you do specify this, $rule will be ignored
Default value: undef
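How the stream_driver_permitted_peers defaulting described above plays out for hostname and IP destinations, as an added example that is not from the module's own documentation. The host names, addresses, resource titles and queue file names are constructed placeholders, and the example assumes TLS is already enabled with the global stream driver, CA, certificate and key settings configured via rsyslog::config.

```puppet
# Case 1: every server is given as a host name and
# stream_driver_permitted_peers is left undef. Per the parameter description,
# each forwarding action then checks the remote certificate against that
# server's own host name.
rsyslog::rule::remote { 'forward_authpriv_tls':
  rule                      => "prifilt('authpriv.*')",
  dest                      => ['logs1.example.com'],
  failover_log_servers      => ['logs2.example.com'],
  dest_type                 => 'tcp',
  stream_driver_mode        => 1,
  stream_driver_auth_mode   => 'x509/name',

  # Keep messages while the servers are unreachable: retry without limit and
  # persist the action queue across restarts.
  action_resume_retry_count => -1,
  queue_type                => 'LinkedList',
  queue_filename            => 'forward_authpriv_tls',
  queue_save_on_shutdown    => true,
}

# Case 2: servers are given as IP addresses. With
# stream_driver_permitted_peers undef, every action would fall back to the
# domain of the Puppet client (this also happens if only ONE entry is an IP).
# Setting the parameter explicitly applies the same comma-separated list of
# certificate names to the primary and the failover action.
rsyslog::rule::remote { 'forward_local6_tls':
  rule                          => "prifilt('local6.*')",
  dest                          => ['192.0.2.10'],
  failover_log_servers          => ['192.0.2.11'],
  dest_type                     => 'tcp',
  stream_driver_mode            => 1,
  stream_driver_auth_mode       => 'x509/name',
  stream_driver_permitted_peers => 'logs1.example.com,logs2.example.com',
  queue_filename                => 'forward_local6_tls',
}
```

After a Puppet run, check the StreamDriverPermittedPeers value in each generated forwarding action to confirm it names the servers you expect.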
rsyslog::template::list
RSyslog list templates can contain properties and constants. In order to capture this functionality, we have opted for making a hash of these. The Hash will be ordered as given to the content variable.
Examples
Content Settings
$content_hash = {
  'constant' => 'value="Syslog MSG is: \'"',
  'property' => 'name="msg"'
}
rsyslog::template::list { 'example_list':
  content => $content_hash
}
### Produces:
template(name="example_list" type="list") {
  constant(value="Syslog MSG is: '")
  property(name="msg")
}
Parameters
The following parameters are available in the rsyslog::template::list
defined type.
name
Data type: String
The literal name (not path) of the file that will be written
content
Data type: Hash[String,String,1]
The rsyslog list content that you wish to add to the system, as a Hash
rsyslog::template::plugin
NOTE: Plugins are as-is. This means that you will only supply the plugin name and assume that the plugin has already been loaded by RSyslog.
Examples
Adding the my_plugin Plugin to the System
rsyslog::template::plugin { 'example_plugin':
  plugin => 'my_plugin'
}
### Produces:
template(name="example_plugin" type="plugin" plugin="my_plugin")
Parameters
The following parameters are available in the rsyslog::template::plugin
defined type.
name
Data type: String
The literal name of the file (not the full path) that will be used
plugin
Data type: String
The rsyslog plugin content that you wish to add to the system
- This is provided, without formatting, directly into the target file
rsyslog::template::string
You'll need to write the entire template line due to the complexity of the rsyslog configuration parameters.
Leading spaces will be removed.
Examples
Template String
rsyslog::template::string { 'example':
  string => '/var/log/hosts/%HOSTNAME%/example.log'
}
### Produces:
template(name="example" type="string" string="/var/log/hosts/%HOSTNAME%/example.log")
Parameters
The following parameters are available in the rsyslog::template::string
defined type.
name
Data type: String
The literal name of the file (not file path) that will be used
string
Data type: String
The rsyslog template string that you wish to add to the system
- This is fed, without formatting, directly into the target file
rsyslog::template::subtree
You'll need to write the entire subtree line due to the complexity of the rsyslog configuration parameters.
Examples
Subtree (From the Official RSyslog Docs)
rsyslog::template::subtree { 'example_subtree':
  variables => ['$!usr!tp12!msg = $msg;', '$!usr!tp12!dataflow = field($msg, 58, 2);'],
  subtree   => '$!usr!tp12'
}
### Produces:
set $!usr!tp12!msg = $msg;
set $!usr!tp12!dataflow = field($msg, 58, 2);
template(name="example" type="subtree" subtree="$!usr!tp12")
Parameters
The following parameters are available in the rsyslog::template::subtree
defined type.
name
Data type: String
The literal name of the file (not a path) that will be used
subtree
Data type: String
The rsyslog subtree content that you wish to add to the system
- This is fed, without formatting, directly into the subtree parameter
variables
Data type: Array[String]
Variables to be set prior to the template being created
Default value: []
Data types
Rsyslog::QueueType
Rsyslog Queue Types
Alias of Enum['FixedArray', 'LinkedList', 'Direct', 'Disk']
- Tue May 26 2020 Kendall Moore kendall.moore@onyxpoint.com - 7.6.1-0
- Change local rule defined type to use the same package defaults for action queues that are in the remote rule defined type
- Wed Apr 15 2020 Kendall Moore kendall.moore@onyxpoint.com - 7.6.0-0
- Change remote rule defined type to use package defaults for action queues
- Mon Feb 03 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.6.0-0
- Add a default rule to log packets dropped by firewalld to /var/log/firewall.log
- Add /var/log/firewall.log to SIMP's 'syslog' logrotate rule
- Move iptables, logrotate, pki, and tcpwrappers to optional dependencies
- Cleaned up puppet strings support
- Removed params pattern and migrated to data in modules
- Fri Jan 10 2020 Liz Nemsick lnemsick.simp@gmail.com - 7.6.0-0
- Added EL8 support
- Wed Oct 16 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 7.5.1-0
- Added logrotate::rule options to rsyslog::conf::logrotate class
- Wed Oct 16 2019 Kendall Moore kendall.moore@onyxpoint.com - 7.5.1-0
- Fixed a bug where including rsyslog.d parsed more than just .conf files
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 7.5.0-0
- Add v2 compliance_markup data
- Mon Apr 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 7.4.0-0
- Set rsyslog::rule::local::file_create_mode to 0640 by default
- Allow the following to be set directly via Hiera using simplib::dlookup:
- rsyslog::rule::local::file_create_mode
- rsyslog::rule::local::dir_create_mode
- rsyslog::rule::local::queue_max_file_size
- Tue Mar 26 2019 Joseph Sharkey shark.bruhaha@gmail.com - 7.4.0-0
- Updated dependencies to use camptocamp/systemd
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 7.3.1-0
- Expanded the upper limit of the stdlib Puppet module version
- Updated a URL in the README.md
- Thu Oct 11 2018 Nick Miller nick.miller@onyxpoint.com - 7.3.0-0
- Changed rsyslog::install::ensure from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Mon Oct 08 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.3.0-0
- Added logic to properly handle rsyslogd parameters for V8.6 and later as documented in CentOS 7.5 Release notes. These include moving -x and -w options to global.conf and issuing deprecation warning for -l and -s options.
- Fri Oct 05 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.3.0-0
- Fixed a bug in the systemd override file for rsyslog
- Added fact for version of rsyslogd
- Updated templates to use RainerScript rsyslogd v8 and later
- Fixed the MainMsgQueueDiscardMark and MainMsgQueueWorkerThreads parameters
- Wed Oct 03 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.3.0-0
- Update range of simp/systemd to allow version with Hiera 5
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 7.3.0-0
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Thu Aug 30 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com 7.3.0-0
- Updated rsyslog::rule::remote to select a more intelligent default
for StreamDriverPermittedPeers, when TLS is enabled. This improvement
fixes the bug in which forwarding of logs to servers in different domains
was not possible with the stream_driver_permitted_peers default. Now,
rsyslog::rule::remote::stream_driver_permitted_peers defaults to 'undef',
instead of the domain of the Puppet client, and has the following default
behavior:
- When all of the remote servers are specified with hostname variants, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to that server's hostname.
- If any of the remote servers is specified as an IP address variant, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to the domain of the Puppet client.
- Fri Aug 24 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.3.0-0
- Updated the tests to no longer reference sudosh as our custom test since we are moving away from using it and it could cause confusion.
- Fri Aug 17 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.2.0-0
- Fixed a bug in which removal of a rsyslog::rule from the catalog did not cause the rsyslog service to restart, when other rules corresponding to files in the same rsyslog configuration subdirectory were present.
- Fri Aug 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.2.0-0
- Reinstated ActionSendStreamDriverMode directive into the global configuration when sending TLS-encrypted messages for Rsyslog 7 version, only. The sending of TLS-encrypted messages for CentOS 6 will not work otherwise.
- Mon Jul 30 2018 ralph-wright ralph.wright@onyxpoint.com - 7.2.0-0
- Remove all ActionSendStreamDriver* directives from the global configuration, to allow individual actions to control their specific stream settings. This change was required to allow a host which is itself a syslog server to receive TLS-encrypted data, but forward these messages to a different remote syslog server as unencrypted data.
- Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.2.0-0
- Add support for Puppet5 and OEL
- Update acceptance tests to use environment variables
- Thu Jun 28 2018 Nick Miller nick.miller@onyxpoint.com - 7.1.3-0
- Update docs
- Update ci assets
- Tue May 22 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.2-0
- Add a systemd rsyslog.service override file that fixes a service ordering problem present with older versions of rsyslog. The override ensures the network.target and network-online.target units are added to the 'Wants' and 'After' lists for the rsyslog.service.
- Fri Mar 16 2018 Philippe Muller philippe.muller@gmail.com - 7.1.1-0
- Fixed several cases where literal '\n' was contained in file output
- Mon Jul 31 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.1.0-0
- Add ability to specify full rule content for rsyslog::rule::local and rsyslog::rule::remote defined types.
- Fixed bug in which ioBufferSize parameter was listed twice in the rsyslog rule generated by rsyslog::rule::local.
- Fri May 26 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.3-0
- Fixed bug in which default iptables rsyslog rule did not work with rsyslog version 7.4.7. Some versions of rsyslog include the ' ' separator in the message payload, which impacts the startswith rule.
- Fixed bug whereby puppetserver log messages were not being collected in puppetserver-specific logs.
- Update puppet requirement in metadata.json
- Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 7.0.3-0
- rsyslog::server::enable_selinux now optional, for robustness
- Updated logrotate to use new lastaction API
- Tue Mar 28 2017 Nick Miller nick.miller@onyxpoint.com - 7.0.2-0
- rsyslog::server now uses the state of selinux on the system instead of simp_options
- Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.2-0
- Updated path for systemctl
- Thu Feb 09 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.1-0
- Updated path for service to /sbin/service
- Tue Feb 07 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.0-0
- Updated expression in logrotate for lastaction to evaluate correctly
- Wed Jan 11 2017 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0
- Updated pki to use new scheme
- Application certs now managed in /etc/pki/simp_apps/rsyslog/x509
- Added trailing newline to drop rules
- Sun Dec 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0
- Update to Puppet 4 compatibility
- Added strong typing
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 6.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 6.0.0-0
- Minor cleanup
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 6.0.0-0
- Updated iptables dependency version
- Thu Nov 03 2016 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0
- Added a feature to read journald, enabled by default on systems with systemd.
- Updated to use compliance mapper v2.0.0
- Mon Sep 26 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.1.1-0
- Fix a bug in which rules no longer managed by the module were not removed from the system.
- Mon Mar 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.1.0-0
- Migrated to Semantic Versioning 2.0
- Fixed a bug where the ability to use custom templates was omitted from the remote logging rules.
- Ensure that all components of the module are pulled onto the system via the RPM.
- Added support for the global $LocalHostName variable and set it to $::fqdn by default.
- Updated RPM requirements
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 5.0.1-0
- Migrated use_simp_pki to a global catalyst.
- Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-2
- Added compliance function support
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1
- migration to simplib and simpcat (lib/ only)
- Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 5.0.0-0
- Support RSyslog versions >= 7
- Remove legacy style RainerScript where possible
- Use new style SIMP puppet module layout
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12
- Changed puppet-server requirement to puppet
- Sat Dec 06 2014 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-11
- backported host_is_me protection from 4.0.X fixes
- Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- This is a relatively large update to the rsyslog module that (hopefully) fixes the last vestiges of the issues seen with multi-server failover and native TLS encryption.
- The main change is that we no longer support using stunnel but, instead, rely on native Rsyslog encryption for all actions.
- Message throttling is now off by default. This is a site-specific need and we just can't guess correctly.
- Mon Nov 03 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- The lastaction restart of rsyslog in logrotate was changed to use the 'service' command for RHEL7 compatibility.
- Tue Oct 07 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Ensure that MainMsgQueueSize is always > 0
- Ensure that the number of threads is always > 0
- Mon Sep 29 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Changed MainMsgQueueOnlyWhenPreviousIsSuspended and MainMsgQueueFileDefaultTemplate to be applied to the ActionQueue.
- Tue Sep 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Updated all instances of ActionQueue to MainMsgQueue in the global configuration. This makes the global disk queueing work as expected.
- Tue Jun 24 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-5
- Changed all checksums to sha256 instead of md5 in an effort to enable FIPS.
- Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Removed all stock classes and corresponding spec tests so they can be ported to the simp module.
- Tue May 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Updated to support most queueing options as applied to the default action queue.
- Sun May 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Ensure that all managed rsyslog configurations are written to /etc/rsyslog.d/puppet_managed and that unmanaged rules are selectively purged.
- Added an rsyslog::stock class which properly multiplexes between the local and server stock classes.
- Updated spec tests
- Wed Apr 09 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2
- Refactored manifests for puppet 3 and hiera compatibility.
- Added spec tests.
- Tue Apr 01 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Changed all calls to stunnel::stunnel_add to stunnel:add.
- Removed the default size in rsyslog::stock::log_server since it conflicts with the default weekly rotation.
- Updated the default log format to be the Rsyslog default.
- Discovered a bug when enabling SELinux on both the client and server and moved the port for the log client to handle the SELinux rules.
- Added an stunnel rule for rsyslog that listens on the registered syslog-tls port.
- Flipped the singleton defines over to classes.
- Ensure that Stunnel traffic listens on all interfaces by default.
- Disabled the listeners on the log_local stock class since it is unnecessary and was interfering with Logstash.
- Added the ability to modify the rate limiting settings in rsyslog::global.
- Moved the include statement in the global conf template to after the definition of the default message template so that items in rsyslog.d can use it directly.
- Thu Feb 20 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0
- Moved log forwarder rule (stock/log_server/forward.pp) from /etc/rsyslog.conf to /etc/rsyslog.d/remote.conf
- Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Converted all string booleans to booleans
- Fixed all lint errors
- Thu Jan 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-13
- Ensure that only the cron.hourly logrotate script exists if using the stock::log_server class.
- Fri Nov 01 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-12
- Added support to the stock server class for audispd.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-11
- Updated all erb templates to properly scope variables.
- Thu Sep 19 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-10
- Allowed default syslog logrotate missingok
- Thu Jan 31 2013 Maintenance 4.0.0-9
- Created a Cucumber test to set up an rsyslog server from the rsyslog module.
- Wed Nov 28 2012 Maintenance 4.0.0-8
- Updated the global config to turn $PreserveFQDN on by default.
- Mon Oct 22 2012 Maintenance 4.0.0-7
- Added compat level for 5 by default.
- Updated the stock rules to dump slapd audit logs to their own file.
- Fri Aug 10 2012 Maintenance 4.0.0-6
- Update to set max open files ulimit to unlimited using the new init_ulimit type.
- Added some options to the stock server class to ensure that collected logs are reasonably rotated and stored.
- Tue Jul 24 2012 Maintenance 4.0.0-5
- Fix all instances of 'IPT:' instead of "IPT:"
- Wed Apr 11 2012 Maintenance 4.0.0-4
- Fixed bug regarding stunnel module.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 4.0.0-3
- Updated to ensure that sudosh output goes to its own log file.
- Improved test stubs.
- Tue Jan 17 2012 Maintenance 4.0.0-2
- Added a rule to allow all syslog connections past tcpwrappers. I know this isn't least privilege, but it's already being checked in two different places.
- Fri Dec 23 2011 Maintenance 4.0.0-1
- Updated the spec file to not require a separate file list.
- Changed all instances of 'ipaddress' to 'primary_ipaddress'.
- Mon Nov 07 2011 Maintenance 4.0.0-0
- Fixed call to rsyslog restart for RHEL6.
- Mon Oct 10 2011 Maintenance 2.0.0-3
- Updated to put quotes around everything that needs it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Tue Mar 29 2011 Maintenance - 2.0.0-2
- The 'onlyif' statement in concat_build was fixed to properly use /usr/bin/test.
- Modified the rsyslog rules to take apache into account.
- Fri Feb 11 2011 Maintenance - 2.0.0-1
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Removed 'daemon.log' references which will make logrotate stop trying to rotate it and fail.
- Updated rsyslog::stock::log_server iptables rule
- Updated to use concat_build and concat_fragment types
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Renamed puppet logs
- Fri Oct 29 2010 Maintenance - 1.0-3
- Replaced redundant rules with '& ~' which should improve performance.
- Moved the remote rsyslog security log rule into an 'if' that ensures that it is only activated when proper.
- Changed the module to call add_conf since those are loaded before the rest of the drop rules. Puppetmaster logs will now again flow to the remote log server.
- Tue Oct 26 2010 Maintenance - 1.0-2
- Converting all spec files to check for directories prior to copy.
- Thu Aug 05 2010 Maintenance 1.0-1
- rsyslog::log_server::allow was missing a '$' on the rhs of the udpServerAddress.
- Thu Jun 10 2010 Maintenance 1.0-0
- Removed data going to daemon.log by default. It was redundant with /var/log/messages.
- Full configuration of the daemon via /etc/sysconfig is now possible. Compatibility mode defaults to '3'.
- Added a new default log format with the priority included. Also provide for the capability to choose from one of the built-in rsyslog templates.
- Moved rsyslog::log_local and rsyslog::log_server to rsyslog::stock::log_local and rsyslog::stock::log_server respectively.
- Doc update and Code refactor.
- Fixed the default template by adding a '$' to the template entries.
- Wed May 12 2010 Maintenance 0.1-23
- Added a segment to remove the i386 version of rsyslog if you're on an x86_64 system.
- Mon May 10 2010 Maintenance 0.1-22
- Now split puppet/puppetmaster logs into their own files on both the server and the client
- Tue Apr 27 2010 Maintenance 0.1-21
- Made the system require rsyslog.$architecture instead of rsyslog
- Fixed a bug in the rsyslog::server::allow define that would not let you properly set the udpServerAddress. It is now set to '0.0.0.0' by default.
- Wed Mar 17 2010 Maintenance 0.1-20
- Fixed a bug in the default server ruleset that was using '' instead of '.*'.
- Thu Jan 14 2010 Maintenance 0.1-19
- Allow users to set the maximum number of open files when configuring the rsyslog globals.
- Wed Jan 06 2010 Maintenance 0.1-18
- Now fork off iptables logs to /var/log/iptables.log.
- Added a logrotate rule for rotating the iptables log file.
- Wed Dec 30 2009 Maintenance 0.1-17
- Fixed a bug that did not allow the proper raising of max TCP sessions in rsyslog.
- Tue Dec 15 2009 Maintenance 0.1-16
- Fixed a bug that resulted in the daemon.log file not being rotated.
- Now ensure that the rsyslog server default configuration actually listens on all external ports by default instead of binding to localhost.
- Log server class now properly checks for ":IPT" instead of " :IPT"
- Log server class now sets lastaction instead of postrotate
- Wed Nov 04 2009 Maintenance 0.1-15
- Now call the new logrotate module to set up the log rotation job.
- Thu Oct 08 2009 Maintenance 0.1-14
- Modified the default 'secure' configurations to use verify = 2 by default.
- Tue Oct 06 2009 Maintenance 0.1-13
- Added a 'fail safe' mode to rsyslog so that it will never get an empty config file.
- Added pupmod-stunnel as a requirement.
Dependencies
- camptocamp/systemd (>= 2.2.0 < 3.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 7.0.0)
- simp/simplib (>= 3.12.0 < 5.0.0)
pupmod-simp-rsyslog - A Puppet Module for managing Rsyslog

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.