#pupmod-simp-rsyslog

Table of Contents

1. Overview
2. Module Description - A Puppet module for managing RSyslog version 7 or later
3. Setup - The basics of getting started with pupmod-simp-rsyslog
   • What pupmod-simp-rsyslog affects
   • Setup requirements
   • Beginning with pupmod-simp-rsyslog
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

Overview

pupmod-simp-rsyslog configures and manages RSyslog versions 7 and newer as built into either RHEL or CentOS versions 6 and 7. It is designed to work with Puppet version 3.4 or newer.

NOTE: This version of (pupmod-simp-rsyslog)[https://github.com/simp/pupmod-simp-rsyslog] is a complete re-write of the previous version, and as such there are no guarantees made about backwards compatibility.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Module Description

This module follows the standard PuppetLabs module style guide with some SIMP-specific configuration items included for managing auditing, firewall rules, logging, SELinux, and TCPWrappers. All of these items are configurable and can be turned on or off as needed for each user environment.

pupmod-simp-rsyslog was designed to be as compatible with RSyslog v7-stable as possible, though the version that comes stock with RHEL or CentOS is slightly dated and as such legacy code still exists. Where possible, all legacy code is documented with the new configuration commented out to show how any updates going forward will look.

It is possible to use pupmod-simp-rsyslog on its own and configure all rules and settings as you like, but it is recommended that the SIMP Rsyslog Profile be used if possible. By default, this profile will setup security relevant logging rules and manage server/client configurations.

Setup

What pupmod-simp-rsyslog affects

Files managed by pupmod-simp-rsyslog:

• /etc/rsyslog.conf
• /etc/rsyslog.simp.d

In addition to these, the rsyslog::rule::<all> definitions will create numbered directories in the $rsyslog_rule_dir, by default /etc/rsyslog.simp.d. These directories are included in alphanumeric order and using the rsyslog::rule definition, the user can specify any directory name they want to impact order.

Services and operations managed or affected by pupmod-simp-rsyslog:

• rsyslogd
• auditd (configurable)
• iptables (configurable)
• TCPWrappers (configurable)
• SELinux (configurable)
• Logrotate (configurable)

Packages installed by pupmod-simp-rsyslog:

• rsyslog
• rsyslog-gnutls

Setup Requirements

NOTE: This version of pupmod-simp-rsyslog is a complete re-write of the previous version, and as such there are no guarantees made about backwards compatibility.

It is strongly recommended that the logging infrastructure be set up in a resilient manner. Failover in RSyslog is tricky and choosing the wrong kind of queuing with failover could mean losing logs. This module attempts to protect you from that but will allow you to change the queuing mechanism to meet your local requirements.

Beginning with pupmod-simp-rsyslog

Including rsyslog will install, configure, and start the rsyslog daemon on a client:

  include ::rsyslog

Including rsyslog::server will additionally configure the system as an Rsyslog server.

  include ::rsyslog::server

Usage

WARNING: The version of rsyslog that is included with EL6 and EL7 systems is not the final stable upstream release. In particular, TLS may only be enabled or disabled globally, not per ruleset or action!

pupmod-simp-rsyslog is meant to be extremely customizable, and as such there is no single best way to use it. For the SIMP specific recommendations on how to use RSyslog (and other modules as well), check out the SIMP profile.

I want standard remote logging on a client

An example of an RSyslog client configuration may look like the following, including possible file names and a simple remote rule to forward all logs on the system.

  class {'rsyslog':
    log_server_list      => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
  }

Alternatively, this can be set as the default via Hiera:

# Send to *all* of these servers!
log_servers:
  - first.log.server
  - second.log.server
failover_log_servers:
  - first-failover.log.server
  - second-failover.log.server

  include ::rsyslog

I want to send everything to rsyslog from a client

NOTE: Everything must be in the form that would be in the middle of an if/then Rainerscript Expression.

For example, if you wanted to filter on the standard priority kern.err, you would put prifilt('kern.err') in your rule paramter.

This does not hold for a call to rsyslog::rule since that is the generic processor for all rules.

class my_rsyslog_client {
  class {'rsyslog':
    log_server_list      => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
  }

  rsyslog::rule::remote { 'send_the_logs':
    rule => 'prifilt(\'*.*\')'
  }
}

I want to disable TLS/PKI/Logrotate

class my_rsyslog_client {
  class {'rsyslog':
    log_server_list      => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
    enable_tls_logging   => false,
    enable_logging       => false,
    pki                  => false,
  }

I want to set up an RSyslog Server

class my_rsyslog_server {
  class {'rsyslog':
    log_server_list      => ['first.log.server','second.log.server'],
    failover_log_servers => ['first.log.server','second.log.server'],
  }

  include '::rsyslog::server'

  rsyslog::template::string { 'store_the_logs':
    string => '/var/log/hosts/%HOSTNAME%/everything.log'
  }
}

Using the above, all possible logs sent from the client will be stored on the server in a single log file. Obviously this is not always an effective strategy, but it is at least enough to get started. Further customizations can be built to help manage more logs appropriately. To learn more about how to use the templates and rules, feel free to browse through the code.

While this setup does cover all of the basics, using the SIMP suggested RSyslog profile will setup templates and a large set of default rules to help organize and send logs where possible. Included would also be a comprehensive set of security relevant logs to help filter important information.

I want to set up an Rsyslog Server without logrotate/pki/firewall

  class {'rsyslog::server':
    use_iptables       => false,
    enable_selinux     => false,
    enable_tcpwrappers => false,
  }

Central Log Forwarding

Following on from the first example, you may have an upstream server to which you want to send all logs from your collected hosts.

To do this, you would use a manifest similar to the following on your local log server to forward everything upstream. Note, the use of a custom template. Upstream systems may have their own requirements and this allows you to manipulate the log appropriately prior to forwarding the message along.

rsyslog::template::string { 'upstream':
  string => 'I Love Logs! %msg%\n'
}

rsyslog::rule::remote { 'upstream':
  # Send Everything
  rule     => 'prifilt(\'*.*\')',
  # Use the 'upstream' template defined above
  template => 'upstream',
  # The Upstream Destination Server
  dest     => ['upstream.fq.dn'],
  require  => Rsyslog::Template::String['upstream']
}

Reference

Please refer to the REFERENCE.md.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

By default, pupmod-simp-rsyslog tries to do the right thing during a failover scenario and make sure that logs are always stored no matter what the state of the remote log server(s) is. Be careful if you opt out of the default queuing strategy for failover as it may cause undesirable results such as lost logs.

Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.

System Integrity Management Platform

Reference

Table of Contents

Classes

• rsyslog: Set up Rsyslog 7/8
• rsyslog::config: Setup Rsyslog configuration
• rsyslog::config::logrotate: Default log rotation for RSyslog
• rsyslog::install: Installs the packages necessary for use of RSyslog
• rsyslog::server: Sets up the RSyslog server
• rsyslog::server::firewall: Sets up the firewall rules for RSyslog with IPTables
• rsyslog::server::selinux: Sets up SELinux for RSyslog
• rsyslog::server::tcpwrappers: Sets up TCPWrappers for RSyslog both plain TCP and TCP over TLS as necessary
• rsyslog::service: Manage the RSyslog service

Defined types

• rsyslog::rule: Adds a rule
• rsyslog::rule::console: Add a rule for writing logs to the console
• rsyslog::rule::data_source: Add a rule for collecting logs from files on the system
• rsyslog::rule::drop: Add a rule to drop content
• rsyslog::rule::local: Add a rule targeting writing local system logs
• rsyslog::rule::other: Adds an arbitrary rule
• rsyslog::rule::remote: Adds a rule to send messages to one or more remote system
• rsyslog::template::list: Add a template list to the rsyslog configuration file
• rsyslog::template::plugin: Add template plugins to the rsyslog configuration file.
• rsyslog::template::string: Add template strings to the rsyslog configuration
• rsyslog::template::subtree: Add template subtrees to the rsyslog configuration

Data types

• Rsyslog::QueueType: Rsyslog Queue Types

Classes

rsyslog

The configuration is particularly slanted toward the issues present in the versions of rsyslog included with Enterprise Linux systems. It should still work on other systems but they may have different/other bugs that have not been addressed.

Parameters

The following parameters are available in the rsyslog class.

service_name

Data type: String

The name of the Rsyslog service; typically rsyslog

package_name

Data type: String

The name of the Rsyslog package to install; typically rsyslog

tls_package_name

Data type: String

The name of the Rsyslog package to install TLS utilities; typically rsyslog-gnutls

Default value: "${package_name}-gnutls"

trusted_nets

Data type: Simplib::Netlist

A whitelist of subnets (in CIDR notation) permitted access

• This will be used in conjunction with IPTables (if enabled) to allow connections from within the given subnets.

Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })

enable_tls_logging

Data type: Boolean

Enable the TLS libraries where applicable

• If enabled, clients will encrypt all log data being sent to the given log servers. Also, all log servers specified to use TLS (see rsyslog::server::tls_tcp_server) will load the imtcp libraries and set the necessary global NetStreamDriver information.

Default value: false

log_servers

Data type: Simplib::Netlist

A list of primary Rsyslog servers

• All nodes in this list will get a copy of all logs if remote logging is enabled.

Default value: simplib::lookup('simp_options::syslog::log_servers', { 'default_value' => [] })

failover_log_servers

Data type: Simplib::Netlist

A list of the failover Rsyslog servers

• This order-dependent list will serve as all of the possible failover log servers for clients to send to if the servers in log_servers are unavailable.

Default value: simplib::lookup('simp_options::syslog::failover_log_servers', { 'default_value' => [] })

queue_spool_directory

Data type: Stdlib::Absolutepath

The path to the directory where Rsyslog should store disk message queues

Default value: '/var/spool/rsyslog'

rule_dir

Data type: Stdlib::Absolutepath

The path at which all managed rules will begin

Default value: '/etc/rsyslog.simp.d'

tcp_server

Data type: Boolean

Make this host listen for TCP connections

• Ideally, all connections would be TLS enabled. Only enable this if necessary.

Default value: false

tcp_listen_port

Data type: Simplib::Port

The port upon which to listen for regular TCP connections

Default value: 514

tls_tcp_server

Data type: Boolean

Make this host listen for TLS enabled TCP connections

Default value: false

tls_tcp_listen_port

Data type: Simplib::Port

The port upon which to listen for TLS enabled TCP connections

Default value: 6514

udp_server

Data type: Boolean

Make this host listend for UDP connections

• This really should not be enabled unless you have devices that cannot speak TLS

Default value: false

udp_listen_address

Data type: String

The address upon which to listen for UDP connections

• The default of 127.0.0.1 is set primariliy for supporting Java applications that cannot work with a modern method of logging.

Default value: '127.0.0.1'

udp_listen_port

Data type: Simplib::Port

The port upon which to listen for UDP connections

Default value: 514

read_journald

Data type: Boolean

Enable the processing of journald messages natively in Rsyslog

logrotate

Data type: Boolean

Ensure that logrotate is enabled on this system

• You will need to configure specific logrotate settings via the logrotate module.

Default value: simplib::lookup('simp_options::logrotate', {'default_value' => false})

pki

Data type: Variant[Boolean,Enum['simp']]

• If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/rsyslog/x509
• If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/rsyslog/x509
• If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  • app_pki_dir
  • app_pki_key
  • app_pki_cert
  • app_pki_ca
  • app_pki_ca_dir

Default value: simplib::lookup('simp_options::pki', {'default_value' => false})

app_pki_external_source

Data type: String

• If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

• If pki = false, this variable has no effect.

Default value: simplib::lookup('simp_options::pki::source', {'default_value' => '/etc/pki/simp/x509'})

app_pki_dir

Data type: Stdlib::Absolutepath

Basepath of $default_net_stream_driver_ca_file, default_net_stream_driver_cert_file, and $default_net_stream_driver_key_file

Default value: '/etc/pki/simp_apps/rsyslog/x509'

rsyslog::config

NOTE: THIS IS A PRIVATE CLASS

• When the host uses systemd, creates a rsyslog.service override file that fixes a service ordering problem present with older versions of rsyslog.
• Creates /etc/rsyslog.conf and includes all SIMP config subdirectories in /etc/rsyslog.simp.d.

NOTE Any undocumented parameters map directly to their counterparts in the Rsyslog configuration files.

Parameters

The following parameters are available in the rsyslog::config class.

umask

Data type: String

The umask that should be applied to the running process

Default value: '0027'

localhostname

Data type: String

The Hostname that should be used on your syslog messages

Default value: $facts['fqdn']

preserve_fqdn

Data type: Boolean

Ensure that the fqdn of the originating host is preserved in all log messages

Default value: true

control_character_escape_prefix

Data type: String[1,1]

Default value: '#'

drop_msgs_with_malicious_dns_ptr_records

Data type: Enum['off','on']

Default value: 'off'

escape_control_characters_on_receive

Data type: Enum['off','on']

Default value: 'on'

default_template

Data type: String

The default template to use to output to various services

• The provided template has been designed to work with external parsing tools that require the priority text

• You can also choose from the following values in order to select from one of the built-in rsyslogd formats.

  • forward -> RSYSLOG_Forward
  • original -> RSYSLOG_FileFormat
  • traditional -> RSYSLOG_TraditionalFileFormat

Default value: 'original'

syssock_ignore_timestamp

Data type: Boolean

Default value: true

syssock_ignore_own_messages

Data type: Boolean

Default value: true

syssock_use

Data type: Boolean

Default value: true

syssock_name

Data type: Optional[String]

Default value: undef

syssock_flow_control

Data type: Boolean

Default value: false

syssock_use_pid_from_system

Data type: Boolean

Default value: false

syssock_rate_limit_interval

Data type: Integer[0]

Default value: 0

syssock_rate_limit_burst

Data type: Integer[0]

Default value: 1000

syssock_rate_limit_severity

Data type: Integer[0]

Default value: 5

syssock_use_sys_timestamp

Data type: Boolean

Default value: true

syssock_annotate

Data type: Boolean

Default value: false

syssock_parse_trusted

Data type: Boolean

Default value: false

syssock_unlink

Data type: Boolean

Default value: true

main_msg_queue_type

Data type: Enum['LinkedList','FixedArray']

The type of queue that will be used

• It is highly recommended that you leave this as LinkedList unless you really know what you are doing.

Default value: 'LinkedList'

main_msg_queue_filename

Data type: String

Default value: 'main_msg_queue'

main_msg_queue_size

Data type: Optional[Integer[0]]

The size of the main (global) message queue

• By default, the minimum of 1% of physical memory or 1G, based on a 512B message size. The maximum number of messages that may be stored in the memory queue.

Default value: undef

main_msg_queue_high_watermark

Data type: Optional[Integer[0]]

The point at which the queue will start writing messages to disk as a number of messages

• By default, 90% of $main_msg_queue_size

Default value: undef

main_msg_queue_low_watermark

Data type: Optional[Integer[0]]

The point at which the queue will stop writing messages to disk as a number of messages

• NOTE: This must be lower than $main_msg_queue_high_watermark
• By default, 70% of $main_msg_queue_size

Default value: undef

main_msg_queue_discardmark

Data type: Optional[Integer[0]]

The point at which the queue will discard messages

• By default, 98% of $main_msg_queue_size

Default value: undef

main_msg_queue_worker_thread_minimum_messages

Data type: Optional[Integer[0]]

The minimum number of messages in the queue before a new thread can be spawned

• If left empty (the default), will calculate the value based on the following formula: $main_msg_queue_size/(($processorcount - 1)*4)

Default value: undef

main_msg_queue_worker_threads

Data type: Optional[Integer[0]]

The maximum number of threads to spawn on the system

• By default, $processorcount - 1

Default value: undef

main_msg_queue_worker_timeout_thread_shutdown

Data type: Integer[0]

Default value: 5000

main_msg_queue_timeout_enqueue

Data type: Integer[0]

Default value: 100

main_msg_queue_dequeue_slowdown

Data type: Integer[0]

Default value: 0

main_msg_queue_save_on_shutdown

Data type: Enum['on','off']

Default value: 'on'

main_msg_queue_max_disk_space

Data type: Optional[Integer[0]]

The maximum amount of disk space to use for the disk queue.

• Specified as a digit followed by a unit specifier. For example:

  • 100 -> 100 Bytes
  • 100K -> 100 Kilobytes
  • 100M -> 100 Megabytes
  • 100G -> 100 Gigabytes
  • 100T -> 100 Terabytes
  • 100P -> 100 Petabytes

• If not specified, will default to $main_msg_queue_size * 1024

Default value: undef

main_msg_queue_max_file_size

Data type: Integer[0]

The maximum file size, in Megabytes, that should be created when buffering to disk.

• NOTE: It is not recommended to make this excessively large

Default value: 5

repeated_msg_reduction

Data type: Enum['on','off']

Default value: 'on'

work_directory

Data type: Stdlib::Absolutepath

Default value: '/var/spool/rsyslog'

interval

Data type: Integer[0]

The mark interval

Default value: 0

tls_tcp_max_sessions

Data type: Integer[0]

The maximum number of sessions to support

Default value: 200

tls_input_tcp_server_stream_driver_permitted_peers

Data type: Array[String]

A wildcard-capable Array of domains that should be allowed to talk to the server over TLS

Default value: ["*.${facts['domain']}"]

keep_alive

Data type: Optional[Boolean]

Default value: undef

keep_alive_probes

Data type: Optional[Integer[0]]

Default value: undef

keep_alive_time

Data type: Optional[Integer[0]]

Default value: undef

default_net_stream_driver

Data type: Enum['gtls','ptcp']

When TLS is enabled (client and/or server), used to set the global DefaultNetStreamDriver configuration parameter.

Default value: 'gtls'

default_net_stream_driver_ca_file

Data type: Stdlib::Absolutepath

When TLS is enabled (client and/or server), used to set the global DefaultNetStreamDriverCAFile configuration parameter. Currently, this is the ONLY mechanism available to set the CA file for TLS.

Default value: "${rsyslog::app_pki_dir}/cacerts/cacerts.pem"

default_net_stream_driver_cert_file

Data type: Stdlib::Absolutepath

When TLS is enabled (client and/or server), used to set the global global DefaultNetStreamDriverCertFile configuration parameter. Currently, this is the ONLY mechanism available to set the cert file for TLS.

Default value: "${rsyslog::app_pki_dir}/public/${::fqdn}.pub"

default_net_stream_driver_key_file

Data type: Stdlib::Absolutepath

When TLS is enabled (client and/or server), used to set the global used to set the global DefaultNetStreamDriverKeyFile configuration parameter. Currently, this is the ONLY mechanism available to set the key file for TLS.

Default value: "${rsyslog::app_pki_dir}/private/${::fqdn}.pem"

action_send_stream_driver_mode

Data type: Enum['1','0']

• When $rsyslog::tls_tcp_server = true, used for imtcp module StreamDriver.Mode

• For Rsyslog 7, when $rsyslog::enable_tls_logging = true, used to set the deprecated, global rsyslog configuration, ActionSendStreamDriverMode. This setting and the corresponding send stream driver setting in rsyslog::rule::remote are BOTH required for sending TLS-encrypted logs with Rsyslog 7.

Default value: (

action_send_stream_driver_auth_mode

Data type: Optional[String]

• When $rsyslog::tls_tcp_server = true, used for imtcp module StreamDriver.AuthMode. If undefined, this value is set based on $action_send_stream_driver_mode.

• Otherwise deprecated. Send stream driver authentication mode is configured for individual send streams via rsyslog::rule::remote.

Default value: undef

action_send_stream_driver_permitted_peers

Data type: Optional[Array[String]]

Deprecated and will be removed in a later version. Send stream driver permitted peers are configured for individual send streams via rsyslog::rule::remote.

Default value: undef

ulimit_max_open_files

Data type: Variant[Enum['unlimited'],Integer[0]]

The maximum open files limit that should be set for the syslog server

• 1024 is fine for most purposes, but a collection server should bump this way up.

Default value: 'unlimited'

host_list

Data type: Array[String]

This option is only valid in rsyslog versions < 8.6.0 Hosts that should be logged with their simple hostname

• See the -l option in rsyslogd(8) for more information

Default value: []

domain_list

Data type: Array[String]

This option is only valid in rsyslog versions < 8.6.0 Array of domains that should be stripped off before logging

• See the -s option in rsyslogd(8) for more information

Default value: []

suppress_noauth_warn

Data type: Boolean

Suppress warnings due to hosts not in the ACL

• See the -w option in rsyslogd(8) for more information

Default value: false

disable_remote_dns

Data type: Boolean

Disable DNS lookups for remote messages

• See the -x option in rsyslogd(8) for more information

Default value: false

enable_default_rules

Data type: Boolean

Enables default rules for logging common services (e.g., iptables, puppet, slapd_auditd)

Default value: true

read_journald

Data type: Boolean

Enable the forwarding of the systemd journal to syslog

Default value: $rsyslog::read_journald

include_rsyslog_d

Data type: Boolean

Include all configuration files in the system-standard /etc/rsyslog.d

• This will place the configuration files after the global configuration but before the SIMP applied configurations.

Default value: false

systemd_override_file

Data type: String

The basename of the systemd override file for the rsyslog service

Default value: 'unit.conf'

rsyslog::config::logrotate

NOTE: THIS IS A PRIVATE CLASS

The list that is managed here matches the list of default files that are managed on the system by this module.

Parameters map to their counterparts in the logrotate::rule defined type.

Parameters

The following parameters are available in the rsyslog::config::logrotate class.

rotate_compress

Data type: Optional[Boolean]

Default value: undef

rotate_compresscmd

Data type: Optional[String[1]]

Default value: undef

rotate_uncompresscmd

Data type: Optional[String[1]]

Default value: undef

rotate_compressext

Data type: Optional[String[1]]

Default value: undef

rotate_compressoptions

Data type: Optional[String[1]]

Default value: undef

rotate_copy

Data type: Boolean

Default value: false

rotate_copytruncate

Data type: Boolean

Default value: false

rotate_create

Data type: Pattern['\d{4} .+ .+']

Default value: '0640 root root'

rotate_period

Data type: Enum['daily','weekly','monthly','yearly']

Default value: 'daily'

rotate_dateext

Data type: Optional[Boolean]

Default value: undef

rotate_dateformat

Data type: String[1]

Default value: '-%Y%m%d.%s'

rotate_dateyesterday

Data type: Optional[Boolean]

Default value: undef

rotate_delaycompress

Data type: Optional[Boolean]

Default value: undef

rotate_extension

Data type: Optional[String[1]]

Default value: undef

rotate_ifempty

Data type: Boolean

Default value: false

rotate_ext_include

Data type: Optional[Array[String[1]]]

Default value: undef

rotate_mail

Data type: Optional[Simplib::EmailAddress]

Default value: undef

rotate_maillast

Data type: Boolean

Default value: true

rotate_maxage

Data type: Optional[Integer[0]]

Default value: undef

rotate_minsize

Data type: Optional[Integer[0]]

Default value: undef

rotate_missingok

Data type: Boolean

Default value: true

rotate_olddir

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

rotate_postrotate

Data type: Optional[String[1]]

Default value: undef

rotate_prerotate

Data type: Optional[String[1]]

Default value: undef

rotate_firstaction

Data type: Optional[String[1]]

Default value: undef

rotate_lastaction

Data type: Optional[String[1]]

Default value: undef

rotate_lastaction_restart_logger

Data type: Boolean

Default value: true

rotate_logger_service

Data type: Optional[String[1]]

Default value: simplib::lookup('logrotate::logger_service', {'default_value' => 'rsyslog'})

rotate_preserve

Data type: Integer[0]

Default value: 7

rotate_size

Data type: Optional[Integer[0]]

Default value: undef

rotate_sharedscripts

Data type: Boolean

Default value: true

rotate_shred

Data type: Optional[Boolean]

Default value: undef

rotate_shredcycles

Data type: Optional[Integer[0]]

Default value: undef

rotate_su

Data type: Boolean

Default value: false

rotate_su_user

Data type: Optional[String[1]]

Default value: undef

rotate_su_group

Data type: Optional[String[1]]

Default value: undef

rotate_start

Data type: Integer[0]

Default value: 1

rotate_tabooext

Data type: Optional[Array[String[1]]]

Default value: undef

rsyslog::install

NOTE: THIS IS A PRIVATE CLASS

Parameters

The following parameters are available in the rsyslog::install class.

ensure

Data type: String

How to install the packages

• Accepts the same values as the Package resource's ensure parameter

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

rsyslog::server

This class is designed to configure the externally facing interfaces for a RSyslog system. If you do not need external connectivity, you should just use the stock ::rsyslog Class.

Parameters

The following parameters are available in the rsyslog::server class.

enable_firewall

Data type: Boolean

Enable the SIMP firewall rules for RSyslog

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })

enable_selinux

Data type: Optional[Boolean]

Enable the SIMP SELinux rules for RSyslog

Default value: $facts['selinux_enforced']

enable_tcpwrappers

Data type: Boolean

Enable the SIMP TCPWrapper rules for RSyslog

Default value: simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })

rsyslog::server::firewall

NOTE: THIS IS A PRIVATE CLASS

In ports will be openened for all systems inside of the $rsyslog::trusted_nets Array.

rsyslog::server::selinux

NOTE: THIS IS A PRIVATE CLASS

Switches on the nis_enabled SELinux Boolean since this is required for successful RSyslog connections.

• Note This MAY not be necessary any longer and should be validated

rsyslog::server::tcpwrappers

NOTE: THIS IS A PRIVATE CLASS

NOTE: This actually opens the TCPWrappers rules for RSyslog since testing has shown that it was prone to some odd connectivity errors. Both IPTables and an internal allow list protect RSyslog connections.

rsyslog::service

NOTE: THIS IS A PRIVATE CLASS

Parameters

The following parameters are available in the rsyslog::service class.

enable

Data type: Boolean

Enable the rsyslog service

Default value: true

Defined types

rsyslog::rule

This is used by the various rsyslog::rule::* Defined Types to apply rules to the system.

Feel free to use this Defined Type to add your own rules but remember that order matters!

In general, the order will be:

• 05 - Data Source Rules

• 06 - Console Rules

• 07 - Drop Rules

• 10 - Remote Rules

• 20 - Other/Miscellaneous Rules

• 99 - Local Rules

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation

Examples

Collect All kern.err Messages

rsyslog::rule { '99_collect_kernel_errors.conf':
  rule =>  "if prifilt('kern.err') then /var/log/kernel_errors.log"
}

Discard All info Messages

rsyslog::rule::other { '98_discard_info.conf':
  rule =>  "if prifilt('*.info') then stop"
}

Parameters

The following parameters are available in the rsyslog::rule defined type.

name

Data type: Pattern['^[^/]\S+/\S+\.conf$']

The filename that you will be dropping into place

• WARNING: This must NOT be an absolute path!

content

Data type: String

The exact content of the rule to place in the target file

rsyslog::rule::console

These rules first in priority. In general, the order will be:

• Data Source Rules

• Console Rules

• Drop Rules

• Remote Rules

• Other/Miscellaneous Rules

• Local Rules

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation

Examples

Log Emergency Messages to the Console

rsyslog::rule::console { 'emergency_rule':
  rule  => 'prifilt(\'*.emerg\'),
  users => ['*']
}

Parameters

The following parameters are available in the rsyslog::rule::console defined type.

name

Data type: String

The filename that you will be dropping into place

rule

Data type: String

The Rsyslog EXPRESSION to filter on

users

Data type: Array[String]

Users to which to send the console messages

rsyslog::rule::data_source

In general, the order will be:

• Data Source Rules

• Console Rules

• Drop Rules

• Remote Rules

• Other/Miscellaneous Rules

• Local Rules

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation

The filename that you will be dropping into place.

Examples

Collect Logs From /opt/log/my_app

rsyslog::rule::data_source { 'new_input':
  rule => @(EOM)
    input(type="imfile"
      File="/opt/log/my_app"
      StateFile="my_app"
      Tag="my_app"
      Facility="local6"
      Severity="notice"
    )
    |EOM
}

Parameters

The following parameters are available in the rsyslog::rule::data_source defined type.

name

Data type: String

The filename that you will be dropping into place

rule

Data type: String

The Rsyslog EXPRESSION to filter on

rsyslog::rule::drop

In general, the order will be:

• Data Source Rules

• Console Rules

• Drop Rules

• Remote Rules

• Other/Miscellanious Rules

• Local Rules

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation

The filename that you will be dropping into place.

Examples

Drop Logs Matching ^.*bad_stuff.*$

rsyslog::rule::drop { 'drop_bad_stuff':
  rule => 're_match($msg, '^.*bad_stuff.*$')'
}

Parameters

The following parameters are available in the rsyslog::rule::drop defined type.

name

Data type: String

The filename that you will be dropping into place

rule

Data type: String

The Rsyslog EXPRESSION to filter on

rsyslog::rule::local

NOTE: Any option that is not explicitly documented here matches the ruleset options in the Rsyslog documentation.

In general, the order will be:

• Data Source Rules
• Console Rules
• Drop Rules
• Remote Rules
• Other/Miscellaneous Rules
• Local Rules

NOTE: Since many of the parameters here may need to be modified on a case-by-base basis, this defined type uses capabilities presented by the simplib::dlookup function to allow for either global overrides or instance-specific overrides.

Global overrides work the same way as classes (rsyslog::rule::local::file_create_mode: '0644') but will affect all instances of the defined type that are not specifically overridden as shown below.

Instance specific overrides preclude the need for a resource collector in that you can place the follwing in Hiera to affect a single instance named my_rule: Rsyslog::Rule::Local[my_rule]::file_create_mode: '0600'

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation

Examples

Capture OpenLDAP Logs Then Stop Processing

rsyslog::rule::local { 'collect_openldap':
  rule            => "prifilt('local4.*')",
  target_log_file => '/var/log/slapd.log',
  stop_processing => true
}

Parameters

The following parameters are available in the rsyslog::rule::local defined type.

name

Data type: String

The filename that you will be dropping into place

rule

Data type: Optional[String[1]]

The Rsyslog EXPRESSION to filter on

• NOTE: Do NOT include the leading if/then

  • Correct: ``rule => "prifilt('.')"
  • Incorrect: rule => "if prifilt('*.*') then"

• This must be set if $content is left empty

Default value: undef

target_log_file

Data type: Optional[Stdlib::Absolutepath]

The target log file that omfile will be writing to

• This must be set if $dyna_file is left empty

Default value: undef

stop_processing

Data type: Boolean

Do not forward logs to any further rulesets after processing this ruleset

Default value: false

dyna_file

Data type: Optional[String[1]]

Set a dynamic filename using the property replacer rules

• NOTE: If you make this the filename path itself, a template will automatically be created for you. Otherwise, you must make sure to have a rsyslog template in place and pass the name of the template to this option

• Rsyslog templates can be created using the rsyslog::template::* defined types

Default value: undef

template

Data type: Optional[String[1]]

Default value: undef

dyna_file_cache_size

Data type: Integer[0]

Default value: 10

zip_level

Data type: Integer[0,9]

Default value: 0

very_robust_zip

Data type: Boolean

Default value: true

flush_interval

Data type: Integer[0]

Default value: 0

async_writing

Data type: Boolean

Default value: false

flush_on_tx_end

Data type: Boolean

Default value: true

io_buffer_size

Data type: Optional[Integer[0]]

Default value: undef

dir_owner

Data type: Optional[String[1]]

Default value: undef

dir_owner_num

Data type: Optional[Integer[0]]

Default value: undef

dir_group

Data type: Optional[String[1]]

Default value: undef

dir_group_num

Data type: Optional[Integer[0]]

Default value: undef

file_owner

Data type: Optional[String[1]]

Default value: undef

file_owner_num

Data type: Optional[Integer[0]]

Default value: undef

file_group

Data type: Optional[String[1]]

Default value: undef

file_group_num

Data type: Optional[Integer[0]]

Default value: undef

file_create_mode

Data type: Stdlib::Filemode

Default value: simplib::dlookup('rsyslog::rule::local', 'file_create_mode', $name, { 'default_value' => '0640' })

dir_create_mode

Data type: Stdlib::Filemode

Default value: simplib::dlookup('rsyslog::rule::local', 'dir_create_mode', $name, { 'default_value' => '0750' })

fail_on_chown_failure

Data type: Boolean

Default value: true

create_dirs

Data type: Boolean

Default value: true

sync

Data type: Boolean

Default value: false

sig_provider

Data type: Optional[String[1]]

Default value: undef

cry_provider

Data type: Optional[String[1]]

Default value: undef

queue_filename

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

queue_spool_directory

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

queue_size

Data type: Optional[Integer[0]]

Default value: undef

queue_dequeue_batch_size

Data type: Optional[Integer[0]]

Default value: undef

queue_max_disk_space

Data type: Optional[Integer[0]]

Default value: undef

queue_high_watermark

Data type: Optional[Integer[0]]

Default value: undef

queue_low_watermark

Data type: Optional[Integer[0]]

Default value: undef

queue_full_delay_mark

Data type: Optional[Integer[0]]

Default value: undef

queue_light_delay_mark

Data type: Optional[Integer[0]]

Default value: undef

queue_discard_mark

Data type: Optional[Integer[0]]

Default value: undef

queue_discard_severity

Data type: Optional[Integer[0]]

Default value: undef

queue_checkpoint_interval

Data type: Optional[Integer[0]]

Default value: undef

queue_sync_queue_files

Data type: Boolean

Default value: false

queue_type

Data type: Rsyslog::QueueType

Default value: 'Direct'

queue_worker_threads

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_shutdown

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_action_completion

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_enqueue

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_worker_thread_shutdown

Data type: Optional[Integer[0]]

Default value: undef

queue_worker_thread_minimum_messages

Data type: Optional[Integer[0]]

Default value: undef

queue_max_file_size

Data type: Optional[String[1]]

Default value: simplib::dlookup('rsyslog::rule::local', 'queue_max_file_size', $name, { 'default_value' => undef })

queue_save_on_shutdown

Data type: Boolean

Default value: false

queue_dequeue_slowdown

Data type: Optional[Integer[0]]

Default value: undef

queue_dequeue_time_begin

Data type: Optional[Integer[0]]

Default value: undef

queue_dequeue_time_end

Data type: Optional[Integer[0]]

Default value: undef

content

Data type: Optional[String[1]]

the *entire content of the rsyslog::rule

• If you do not specify this, $rule is a required variable

• If you do specify this, $rule will be ignored

Default value: undef

queue_validation_log_level

Data type: Simplib::PuppetLogLevel

Default value: simplib::dlookup('rsyslog::rule::local', 'queue_validation_log_level', $name, { 'default_value' => 'warning' })

rsyslog::rule::other

The main reason to use this is to ensure proper ordering in the stack. If you want to insert a rule anywhere, use the $rsyslog::rule Defined Type

In general, the order will be:

• Data Source Rules
• Console Rules
• Drop Rules
• Remote Rules
• Other/Miscellaneous Rules
• Local Rules

fine: rsyslog::rule::other

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation

The filename that you will be dropping into place.

Examples

Send All local0 Messages to 1.2.3.4 via TCP

rsyslog::rule::other { 'send_local0_away':
  rule =>  "if prifilt('local0.*') then @@1.2.3.4"
}

Parameters

The following parameters are available in the rsyslog::rule::other defined type.

name

Data type: String

The filename that you will be dropping into place

rule

Data type: String

The Rsyslog EXPRESSION to filter on

rsyslog::rule::remote

The rule will include a forwarding ('omfwd') action for each primary and failover syslog server specified via $dest and $failover_log_servers, respectively.

In general, the order will be:

• Data Source Rules
• Console Rules
• Drop Rules
• Remote Rules
• Other/Miscellaneous Rules
• Local Rules

In general, individual send stream driver settings are properly supported with the Rsyslog 8 EL versions available for CentOS 7 and the Rsyslog 7 EL versions available for CentOS 6. However, for TLS support, you must also configure global Rsyslog parameters as follows:

• TLS sending and/or receiving requires the global DefaultNetStreamDriver, DefaultNetStreamDriverCAFile, DefaultNetStreamDriverCertFile, and DefaultNetStreamDriverKeyFile parameters to be configure via rsyslog::config.

• TLS sending for Rsyslog 7 EL versions requires the global ActionSendStreamDriverMode configuration parameter to be configured via rsyslog::config IN ADDITION TO the $stream_driver_mode.

---

WARNING

If possible, this module will take pains to prevent adding a target that is equivalent to the current system to prevent syslog loops.

Unfortunately, there is no foolproof method for getting this correct 100% of the time so please take care when setting your destination targets.

WARNING

---

• This must be set if $content is left empty

• See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html Red Hat Basic Rsyslog Configuration http://www.rsyslog.com/doc/expression.html Expressions in Rsyslog http://www.rsyslog.com/doc/rainerscript.html RainerScript Documentation https://simp.readthedocs.io/en/master/user_guide/HOWTO/Central_Log_Collection.html

Examples

Send All local0 Messages to 1.2.3.4 via TCP

rsyslog::rule::remote { 'send_local0_away':
  rule => "prifilt('local0.*')",
  dest => ['1.2.3.4']
}

Parameters

The following parameters are available in the rsyslog::rule::remote defined type.

name

Data type: String

The filename that you will be dropping into place

rule

Data type: Optional[String[1]]

The Rsyslog EXPRESSION to filter on

• This should only be the matching part of the expression, the remaining parameters take care of ensuring that the material is properly routed.

• NOTE: Do NOT include the leading if/then

  • Correct: ``rule => "prifilt('.')"
  • Incorrect: rule => "if prifilt('*.*') then"

Default value: undef

stop_processing

Data type: Boolean

Do not forward logs to any further rulesets after processing this ruleset

Default value: false

template

Data type: Optional[String[1]]

The template that should be used to format the content

Default value: undef

dest

Data type: Simplib::Netlist

If filled, logs matching $rule will be sent to all hosts in this Array.

• WARNING: If using this, do NOT add a destination to your rule

Default value: []

dest_type

Data type: Enum['tcp','udp','relp']

The destination type for all entries in $dest

• At this time, if you wish to have different types per destination, you will need to either create a rsyslog::rule::remote for each destnation or craft your own ruleset and leave $dest empty.

Default value: 'tcp'

failover_log_servers

Data type: Simplib::Netlist

The listed systems will be used as failover servers for all logs matching this rule

• Uses $dest_type above

Default value: []

tcp_framing

Data type: Enum['traditional','octet-counted']

Default value: 'traditional'

zip_level

Data type: Integer[0,9]

Default value: 0

max_error_messages

Data type: Integer[0]

Default value: 5

compression_mode

Data type: Enum['none','single','stream:always']

Default value: 'none'

compression_stream_flush_on_tx_end

Data type: Boolean

Default value: true

rebind_interval

Data type: Optional[Integer[0]]

Default value: undef

keep_alive

Data type: Optional[Boolean]

Default value: undef

keep_alive_probes

Data type: Optional[Integer[0]]

Default value: undef

keep_alive_interval

Data type: Optional[Integer[0]]

Default value: undef

keep_alive_time

Data type: Optional[Integer[0]]

Default value: undef

action_resume_interval

Data type: Integer[0]

Default value: 30

action_resume_retry_count

Data type: Integer[-1]

Default value: -

stream_driver

Data type: Optional[String[1]]

• This is only used to set the StreamDriver directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.

• Overridden by 'DefaultNetstreamDriver' global stream configuration specified by rsyslog::config::default_net_stream_driver.

Default value: undef

stream_driver_mode

Data type: Integer[0]

• This is only used to set the StreamDriverMode directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.

• For Rsyslog 7, the stream driver mode must be ALSO be set by the 'ActionSendStreamDriverMode' global stream configuration via rsyslog::config::action_send_stream_driver_mode.

Default value: 1

stream_driver_auth_mode

Data type: String

This is only used to set the StreamDriverAuthMode directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.

Default value: 'x509/name'

stream_driver_permitted_peers

Data type: Optional[String[1]]

• This is only used to set the StreamDriverPermittedPeers directive in the forwarding actions for remote servers if TLS is enabled and $dest_type is not UDP.

• If this is set, the value will be used for all forwarding actions for the remote servers in $dest and $failover_log_servers.

• If this is undefined,

  • If ALL of the remote servers in $dest and $failover_log_servers are specified as a hostname variants, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to that server's hostname.

  • If ANY and of the remote servers in $dest and $failover_log_servers is specified as an IP address variant, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to the domain of the Puppet client. This behavior provides backward compatibility with earlier versions of this module.

• rsyslog expects StreamDriverPermittedPeers to be a comma-separated list of fingerprints (SHA1) and/or names of remote peers, which it will use to match against the certificate presented from the remote server.

• @see https://media.readthedocs.org/pdf/rsyslog/stable/rsyslog.pdf

Default value: undef

resend_last_msg_on_reconnect

Data type: Boolean

Default value: true

udp_send_to_all

Data type: Boolean

Default value: false

queue_validation_log_level

Data type: Simplib::PuppetLogLevel

Default value: simplib::dlookup('rsyslog::rule::remote', 'queue_validation_log_level', $name, { 'default_value' => 'warning' })

queue_filename

Data type: Optional[String[1]]

Default value: undef

queue_spool_directory

Data type: Optional[Stdlib::Absolutepath]

Default value: undef

queue_size

Data type: Optional[Integer[0]]

Default value: undef

queue_dequeue_batch_size

Data type: Optional[Integer[0]]

Default value: undef

queue_max_disk_space

Data type: Optional[Integer[0]]

Default value: undef

queue_high_watermark

Data type: Optional[Integer[0]]

Default value: undef

queue_low_watermark

Data type: Optional[Integer[0]]

Default value: undef

queue_full_delay_mark

Data type: Optional[Integer[0]]

Default value: undef

queue_light_delay_mark

Data type: Optional[Integer[0]]

Default value: undef

queue_discard_mark

Data type: Optional[Integer[0]]

Default value: undef

queue_discard_severity

Data type: Optional[Integer[0]]

Default value: undef

queue_checkpoint_interval

Data type: Optional[Integer[0]]

Default value: undef

queue_sync_queue_files

Data type: Boolean

Default value: false

queue_type

Data type: Enum['LinkedList','FixedArray','Direct','Disk']

Default value: 'LinkedList'

queue_worker_threads

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_shutdown

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_action_completion

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_enqueue

Data type: Optional[Integer[0]]

Default value: undef

queue_timeout_worker_thread_shutdown

Data type: Optional[Integer[0]]

Default value: undef

queue_worker_thread_minimum_messages

Data type: Optional[Integer[0]]

Default value: undef

queue_max_file_size

Data type: Optional[String[1]]

Default value: undef

queue_save_on_shutdown

Data type: Boolean

Default value: true

queue_dequeue_slowdown

Data type: Optional[Integer[0]]

Default value: undef

queue_dequeue_time_begin

Data type: Optional[Integer[0]]

Default value: undef

queue_dequeue_time_end

Data type: Optional[Integer[0]]

Default value: undef

content

Data type: Optional[String[1]]

the *entire content of the rsyslog::rule

• If you do not specify this, $rule is a required variable

• If you do specify this, $rule will be ignored

Default value: undef

rsyslog::template::list

RSyslog list templates can contain properties and constants. In order to capture this functionality, we have opted for making a hash of these. The Hash will be ordered as given to the content variable.

Examples

Content Settings

$content_hash = {
  'constant' => 'values="Syslog MSG is: \'"',
  'property' => 'name="msg"'
}

rsyslog::template::list { 'example_list':
  $content => $content_hash
}

### Produces:

template(name="example_list" type="list") {
  constant(value="Syslog MSG is: '")
  property(name="msg")
}

Parameters

The following parameters are available in the rsyslog::template::list defined type.

name

Data type: String

The literal name (not path) of the file that will be written

content

Data type: Hash[String,String,1]

The rsyslog list content that you wish to add to the system, as a Hash

rsyslog::template::plugin

NOTE: Plugins are as-is. This means that you will only supply the plugin name and assume that the plugin has already been loaded by RSyslog.

Examples

Adding the my_plugin Plugin to the System

rsyslog::template::string { 'example_plugin':
  $plugin => 'my_plugin'
}

### Produces:

template(name="example_plugin" type="plugin" plugin="my_plugin")

Parameters

The following parameters are available in the rsyslog::template::plugin defined type.

name

Data type: String

The literal name of the file (not the full path) that will be used

plugin

Data type: String

The rsyslog plugin content that you wish to add to the system

• This is provided, without formatting, directly into the target file

rsyslog::template::string

You'll need to write the entire template line due to the complexity of the rsyslog configuration parameters.

Leading spaces will be removed.

Examples

Template String

rsyslog::template::string { 'example':
  $content => '/var/log/hosts/%HOSTNAME%/example.log'
}

### Produces:

template(name="example" type="string" string="/var/log/hosts/%HOSTNAME%/example.log")

Parameters

The following parameters are available in the rsyslog::template::string defined type.

name

Data type: String

The literal name of the file (not file path) that will be used

string

Data type: String

The rsyslog template string that you wish to add to the system

• This is fed, without formatting, directly into the target file

rsyslog::template::subtree

You'll need to write the entire subtree line due to the complexity of the rsyslog configuration parameters.

Examples

Subtree (From the Official RSyslog Docs)

rsyslog::template::subtree { 'example_subtree':
  $variables => ['$!usr!tp12!msg = $msg;', '$!usr!tp12!dataflow = field($msg, 58, 2);'],
  $subtree   => '$!usr!tp12'
}

### Produces:

set $!usr!tp12!msg = $msg;
set $!usr!tp12!dataflow = field($msg, 58, 2);
template(name="example" type="subtree" subtree="$!usr!tp12")

Parameters

The following parameters are available in the rsyslog::template::subtree defined type.

name

Data type: String

The literal name of the file (not a path) that will be used

subtree

Data type: String

The rsyslog subtree content that you wish to add to the system

• This is fed, without formatting, directly into the subtree parameter

variables

Data type: Array[String]

Variables to be set prior to the template being created

Default value: []

Data types

Rsyslog::QueueType

Rsyslog Queue Types

Alias of Enum['FixedArray', 'LinkedList', 'Direct', 'Disk']

• Tue Jun 30 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.6.3-0

• Update REFERENCE.md

• Mon Jun 22 2020 Kendall Moore kendall.moore@onyxpoint.com - 7.6.2-0

• Add support for KeepAlive variables for imtcp and omfwd actions

• Tue May 26 2020 Kendall Moore kendall.moore@onyxpoint.com - 7.6.1-0

• Change local rule defined type to use the same package defaults for action queues that are in the remote rule defined type

• Wed Apr 15 2020 Kendall Moore kendall.moore@onyxpoint.com - 7.6.0-0

• Change remote rule defined type to use package defaults for action queues

• Mon Feb 03 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.6.0-0

• Add a default rule to log packets dropped by firewalld to /var/log/firewall.log
• Add /var/log/firewall.log to SIMP's 'syslog' logrotate rule
• Move iptables, logrotate, pki, and tcpwrappers to optional dependencies
• Cleaned up puppet strings support
• Removed params pattern and migrated to data in modules

• Fri Jan 10 2020 Liz Nemsick lnemsick.simp@gmail.com - 7.6.0-0

• Added EL8 support

• Wed Oct 16 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 7.5.1-0

• Added logrotate::rule options to rsyslog::conf::logrotate class

• Wed Oct 16 2019 Kendall Moore kendall.moore@onyxpoint.com - 7.5.1-0

• Fixed a bug where including rsyslog.d parsed more than just .conf files

• Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 7.5.0-0

• Add v2 compliance_markup data

• Mon Apr 15 2019 Trevor Vaughan tvaughan@onyxpoint.com - 7.4.0-0

• Set rsyslog::rule::local::file_create_mode to 0640 by default
• Allow the following to be set directly via Hiera using simplib::dlookup:
  • rsyslog::rule::local::file_create_mode
  • rsyslog::rule::local::dir_create_mode
  • rsyslog::rule::local::queue_max_file_size

• Tue Mar 26 2019 Joseph Sharkey shark.bruhaha@gmail.com - 7.4.0-0

• Updated dependencies to use camptocamp/systemd

• Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 7.3.1-0

• Expanded the upper limit of the stdlib Puppet module version
• Updated a URL in the README.md

• Thu Oct 11 2018 Nick Miller nick.miller@onyxpoint.com - 7.3.0-0

• Changed rsyslog::install::ensure from 'latest' to 'installed'
  • It will also respect simp_options::package_ensure

• Mon Oct 08 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.3.0-0

• Added logic to properly handle rsyslogd parameters for V8.6 and later as documented in CentOS 7.5 Release notes. These include moving -x and -w options to global.conf and issuing deprecation warning for -l and -s options.

• Fri Oct 05 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.3.0-0

• Fixed a bug in the systemd override file for rsyslog
• Added fact for version of rsyslogd
• Updated templates to use RainerScript rsyslogd v8 and later
• Fixed the MainMsgQueueDiscardMark and MainMsgQueueWorkerThreads parameters

• Wed Oct 03 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.3.0-0

• Update range of simp/systemd to allow version with Hiera 5

• Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 7.3.0-0

• Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.

• Thu Aug 30 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com 7.3.0-0

• Updated rsyslog::rule::remote to select a more intelligent default for StreamDriverPermittedPeers, when TLS is enabled. This improvement fixes the bug in which forwarding of logs to servers in different domains was not possible with the stream_driver_permitted_peers default. Now, rsyslog::rule::remote::stream_driver_permitted_peers defaults to 'undef', instead of the domain of the Puppet client, and has the following default behavior:
  • When all of the remote servers are specified with hostname variants, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to that server's hostname.
  • If any of the remote servers is specified as an IP address variant, the StreamDriverPermittedPeers directive for the forwarding action for each server will be set to the domain of the Puppet client.

• Fri Aug 24 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.3.0-0

• Updated the tests to no longer reference sudosh as our custom test since we are moving away from using it and it could cause confusion.

• Fri Aug 17 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.2.0-0

• Fixed a bug in which removal of a rsyslog::rule from the catalog did not cause the rsyslog service to restart, when other rules corresponding to files in the same rsyslog configuration subdirectory were present.

• Fri Aug 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.2.0-0

• Reinstated ActionSendStreamDriverMode directive into the global configuration when sending TLS-encrypted messages for Rsyslog 7 version, only. The sending of TLS-encrypted messages for CentOS 6 will not work otherwise.

• Mon Jul 30 2018 ralph-wright ralph.wright@onyxpoint.com - 7.2.0-0

• Remove all ActionSendStreamDriver* directives from the global configuration, to allow individual actions to control their specific stream settings. This change was required to allow a host which is itself a syslog server to receive TLS-encrypted data, but forward these messages to a different remote syslog server as unencrypted data.

• Fri Jul 13 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.2.0-0

• Add support for Puppet5 and OEL
• Update acceptance tests to use environment variables

• Thu Jun 28 2018 Nick Miller nick.miller@onyxpoint.com - 7.1.3-0

• Update docs
• Update ci assets

• Tue May 22 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.1.2-0

• Add a systemd rsyslog.service override file that fixes a service ordering problem present with older versions of rsyslog. The override ensures the network.target and network-online.target units are added to the 'Wants' and 'After' lists for the rsyslog.service.

• Fri Mar 16 2018 Philippe Muller philippe.muller@gmail.com - 7.1.1-0

• Fixed several cases where literal '\n' was contained in file output

• Mon Jul 31 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.1.0-0

• Add ability to specify full rule content for rsyslog::rule::local and rsyslog::rule::remote defined types.
• Fixed bug in which ioBufferSize parameter was listed twice in the rsyslog rule generated by rsyslog::rule::local.

• Fri May 26 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.3-0

• Fixed bug in which default iptables rsyslog rule did not work with rsyslog version 7.4.7. Some versions of rsyslog include the ' ' separator in the message payload, which impacts the startswith rule.
• Fixed bug whereby puppetserver log messages were not being collected in puppetserver-specific logs.
• Update puppet requirement in metadata.json

• Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 7.0.3-0

• rsyslog::server::enable_selinux now optional, for robustness
• Updated logrotate to use new lastaction API

• Tue Mar 28 2017 Nick Miller nick.miller@onyxpoint.com - 7.0.2-0

• rsyslog::server now uses the state of selinux on the system instead of simp_options

• Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.2-0

• Updated path for systemctl

• Thu Feb 09 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.1-0

• Updated path for service to /sbin/service

• Tue Feb 07 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.0-0

• Updated expression in logrotate for lastaction to evaluate correctly

• Wed Jan 11 2017 Nick Markowski nmarkowski@keywcorp.com - 7.0.0-0

• Updated pki to use new scheme
• Application certs now managed in /etc/pki/simp_apps/rsyslog/x509
• Added trailing newline to drop rules

• Sun Dec 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.0-0

• Update to Puppet 4 compatibility
• Added strong typing

• Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 6.0.0-0

• update requirement versions

• Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 6.0.0-0

• Minor cleanup

• Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 6.0.0-0

• Updated iptables dependency version

• Thu Nov 03 2016 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0

• Added a feature to read journald, enabled by defauly on systems with systemd.
• Updated to use compliance mapper v2.0.0

• Mon Sep 26 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.1.1-0

• Fix a bug in which rules no longer managed by the module were not removed from the system.

• Mon Mar 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.1.0-0

• Migrated to Semantic Versioning 2.0
• Fixed a bug where the ability to use custom templates was omitted from the remote logging rules.
• Ensure that all components of the module are pulled onto the system via the RPM.
• Added support for the global $LocalHostName variable and set it to $::fqdn by default.
• Updated RPM requirements

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 5.0.1-0

• Migrated use_simp_pki to a global catalyst.

• Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 5.0.0-2

• Added compliance function support

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 5.0.0-1

• migration to simplib and simpcat (lib/ only)

• Tue Jul 21 2015 Kendall Moore kmoore@keywcorp.com - 5.0.0-0

• Support RSyslog versions >= 7
• Remove legacy style RainerScript where possible
• Use new style SIMP puppet module layout

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13

• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12

• Changed puppet-server requirement to puppet

• Sat Dec 06 2014 Chris Tessmer <chris.tessmer@onyxpoint.com - 4.1.0-11

• backported host_is_me protection from 4.0.X fixes

• Wed Nov 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

• This is a relatively large update to the rsyslog module that (hopefully) fixes the last vestiges of the issues seen with multi-server failover and native TLS encryption.
• The main change is that we no longer support using stunnel but, instead, rely on native Rsyslog encryption for all actions.
• Message throttling is now off by default. This is a site-specific need and we just can't guess correctly.

• Mon Nov 03 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• The lastaction restart of rsyslog in logrotate was changed to use the 'service' command for RHEL7 compatibility.

• Tue Oct 07 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Ensure that MainMsgQueueSize is always > 0
• Ensure that the number of threads is always > 0

• Mon Sep 29 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7

• Changed MainMsgQueueOnlyWhenPreviousIsSuspended and MainMsgQueueFileDefaultTemplate to be applied to the ActionQueue.

• Tue Sep 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

• Updated all instances of ActionQueue to MainMsgQueue in the global configuration. This makes the global disk queueing work as expected.

• Tue Jun 24 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-5

• Changed all checksums to sha256 instead of md5 in an effort to enable FIPS.

• Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

• Removed all stock classes and corresponding spec tests so they can be ported to the simp module.

• Tue May 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

• Updated to support most queueing options as applied to the default action queue.

• Sun May 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Ensure that all managed rsyslog configurations are written to /etc/rsyslog.d/puppet_managed and that unmanaged rules are selectively purged.
• Added an rsyslog::stock class which properly multiplexes between the local and server stock classes.
• Updated spec tests

• Wed Apr 09 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2

• Refactored manifests for puppet 3 and hiera compatibility.
• Added spec tests.

• Tue Apr 01 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

• Changed all calls to stunnel::stunnel_add to stunnel:add.
• Removed the default size in rsyslog::stock::log_server since it conflicts with the default weekly rotation.
• Updated the default log format to be the Rsyslog default.
• Discovered a bug when enabling SELinux on both the client and server and moved the port for the log client to handle the SELinux rules.
• Added an stunnel rule for rsyslog that listens on the registered syslog-tls port.
• Flipped the singleton defines over to classes.
• Ensure that Stunnel traffic listens on all interfaces by default.
• Disabled the listeners on the log_local stock class since it is unnecessary and was interfering with Logstash.
• Added the ability to modify the rate limiting settings in rsyslog::global.
• Moved the include statement in the global conf template to after the definition of the default message template so that items in rsyslog.d can use it directly.

• Thu Feb 20 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0

• Moved log forwarder rule (stock/log_server/forward.pp) from /etc/rsyslog.conf to /etc/rsyslog.d/remote.conf

• Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• Converted all string booleans to booleans
• Fixed all lint errors

• Thu Jan 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-13

• Ensure that only the cron.hourly logrotate script exists if using the stock::log_server class.

• Fri Nov 01 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-12

• Added support to the stock server class for audispd.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-11

• Updated all erb templates to properly scope variables.

• Thu Sep 19 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-10

• Allowed default syslog logrotate missingok

• Thu Jan 31 2013 Maintenance 4.0.0-9

• Created a Cucumber test to setup an rsyslog server from the rsyslog module.

• Wed Nov 28 2012 Maintenance 4.0.0-8

• Updated the global config to turn $PreserveFQDN on by default.

• Mon Oct 22 2012 Maintenance 4.0.0-7

• Added compat level for 5 by default.
• Updated the stock rules to dump slapd audit logs to their own file.

• Fri Aug 10 2012 Maintenance 4.0.0-6

• Update to set max open files ulimit to unlimited using the new init_ulimit type.
• Added some options to the stock server class to ensure that collected logs are reasonably rotated and stored.

• Tue Jul 24 2012 Maintenance 4.0.0-5

• Fix all instances of 'IPT:' instead of "IPT:"

• Wed Apr 11 2012 Maintenance 4.0.0-4

• Fixed bug regarding stunnel module.
• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 4.0.0-3

• Updated to ensure that sudosh output goes to its own log file.
• Improved test stubs.

• Tue Jan 17 2012 Maintenance 4.0.0-2

• Added a rule to allow all syslog connections past tcpwrappers. I know this isn't least privilege, but it's already being checked in two different places.

• Fri Dec 23 2011 Maintenance 4.0.0-1

• Updated the spec file to not require a separate file list.
• Changed all instances of 'ipaddress' to 'primary_ipaddress'.

• Mon Nov 07 2011 Maintenance 4.0.0-0

• Fixed call to rsyslog restart for RHEL6.

• Mon Oct 10 2011 Maintenance 2.0.0-3

• Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

• Tue Mar 29 2011 Maintenance - 2.0.0-2

• The 'onlyif' statement in concat_build was fixed to properly use /usr/bin/test.
• Modified the rsyslog rules to take apache into account.

• Fri Feb 11 2011 Maintenance - 2.0.0-1

• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Removed 'daemon.log' references which will make logrotate stop trying to rotate it and fail.
• Updated rsyslog::stock::log_server iptables rule
• Updated to use concat_build and concat_fragment types

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release
• Renamed puppet logs

• Fri Oct 29 2010 Maintenance - 1.0-3

• Replaced redundant rules with '& ~' which should improve performance.
• Moved the remote rsyslog security log rule into an 'if' that ensures that it is only activated when proper.
• Changed the module to call add_conf since those are loaded before the rest of the drop rules. Puppetmaster logs will now again flow to the remote log server.

• Tue Oct 26 2010 Maintenance - 1.0-2

• Converting all spec files to check for directories prior to copy.

• Thu Aug 05 2010 Maintenance 1.0-1

• rsyslog::log_server::allow was missing a '$' on the rhs of the udpServerAddress.

• Thu Jun 10 2010 Maintenance 1.0-0

• Removed data going to daemon.log by default. It was redundant with /var/log/messages.
• Full configuration of the daemon via /etc/sysconfig is now possible. Compatibility mode defaults to '3'.
• Added a new default log format with the priority included. Also provide for the capability to choose from one of the built-in rsyslog templates.
• Moved rsyslog::log_local and rsyslog::log_server to rsyslog::stock::log_local and rsyslog::stock::log_server respectively.
• Doc update and Code refactor.
• Fixed the default template by adding a '$' to the template entries.

• Wed May 12 2010 Maintenance 0.1-23

• Added a segment to remove the i386 version of rsyslog if you're on an x86_64 system.

• Mon May 10 2010 Maintenance 0.1-22

• Now split puppet/puppetmaster logs into their own files on both the server and the client

• Tue Apr 27 2010 Maintenance 0.1-21

• Made the system require rsyslog.$architecture instead of rsyslog
• Fixed a bug in the rsyslog::server::allow define that would not let you properly set the udpServerAddress. It is now set to '0.0.0.0' by default.

• Wed Mar 17 2010 Maintenance 0.1-20

• Fixed a bug in the default server ruleset that was using '' instead of '.*'.

• Thu Jan 14 2010 Maintenance 0.1-19

• Allow users to set the maximum number of open files when configuring the rsyslog globals.

• Wed Jan 06 2010 Maintenance 0.1-18

• Now fork off iptables logs to /var/log/iptables.log.
• Added a logrotate rule for rotating the iptables log file.

• Wed Dec 30 2009 Maintenance 0.1-17

• Fixed a bug that did not allow the proper raising of max TCP sessions in rsyslog.

• Tue Dec 15 2009 Maintenance 0.1-16

• Fixed a bug that resulted in the daemon.log file not being rotated.
• Now ensure that the rsyslog server default configuration actually listens on all external ports by default instead of binding to localhost.
• Log server class now properly checks for ":IPT" instead of " :IPT"
• Log server class now sets lastaction instead of postrotate

• Wed Nov 04 2009 Maintenance 0.1-15

• Now call the new logrotate module to set up the log rotation job.

• Thu Oct 08 2009 Maintenance 0.1-14

• Modified the default 'secure' configurations to use verify = 2 by default.

• Tue Oct 06 2009 Maintenance 0.1-13

• Added a 'fail safe' mode to rsyslog so that it will never get an empty config file.
• Added pupmod-stunnel as a requirement.