
rsyslog: Update configuration of syslog server and nodes.

  Configure rsyslog server on all nodes to log to central logserver.
  Configure rsyslog server on logserver to split up logs according
  to prognames, hostname, src IPs or any other meaningful details.
  Make sure all logfiles are rotated.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
parent
commit
ab46ed700a

+ 7 - 0
rsyslog/ffho.logrotate

@@ -1,9 +1,16 @@
+/var/log/ap.log
 /var/log/bird.log
 /var/log/dhcp.log
 /var/log/fastd.log
+/var/log/influxdb.log
 /var/log/named.log
 /var/log/net.log
+/var/log/ntpd.log
 /var/log/openvpn.log
+/var/log/salt-master.log
+/var/log/snmpd.log
+/var/log/wbbl.log
+/var/log/yanic.log
 {
         rotate 7
         daily
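Review bot: `/var/log/wbbl.log` is added to the rotation list, but none of the rsyslog rules in this commit writes to that file, while the new 20-mail.conf destination `/var/log/mail.log` is not listed here. The options block continues past `daily` outside the hunk, so whether `missingok` is set is not visible; without it logrotate reports an error for a listed file that does not exist yet. Worth confirming that a wbbl rule exists elsewhere and that mail.log is already rotated by another logrotate file (adding it here as well would then be a duplicate entry).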

+ 1 - 1
rsyslog/ffho/20-named.conf → rsyslog/ffho/20-bind.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 if $programname == 'named' then /var/log/named.log
-& ~
+& stop

+ 1 - 1
rsyslog/ffho/20-bird.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 if $programname == 'bird' or $programname == 'bird6' then /var/log/bird.log
-& ~
+& stop

+ 1 - 1
rsyslog/ffho/20-dhcp.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 if $programname == 'dhcpd' then /var/log/dhcp.log
-& ~
+& stop

+ 2 - 2
rsyslog/ffho/20-fastd.conf

@@ -2,5 +2,5 @@ $FileCreateMode 0640
 $FileOwner root
 $FileGroup adm
 
-if $programname == 'fastd' then /var/log/fastd.log
-& ~
+if $programname startswith 'fastd' then /var/log/fastd.log
+& stop

+ 6 - 0
rsyslog/ffho/20-influxdb.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'influxd' then /var/log/influxdb.log
+& stop

+ 6 - 0
rsyslog/ffho/20-mail.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $syslogfacility-text == 'mail' then /var/log/mail.log
+& stop

+ 6 - 0
rsyslog/ffho/20-ntpd.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'ntpd' then /var/log/ntpd.log
+& stop

+ 1 - 1
rsyslog/ffho/20-openvpn.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 if $programname startswith 'ovpn' then /var/log/openvpn.log
-& ~
+& stop

+ 6 - 0
rsyslog/ffho/20-salt-master.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'salt-master' then /var/log/salt-master.log
+& stop

+ 6 - 0
rsyslog/ffho/20-snmpd.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'snmpd' then /var/log/snmpd.log
+& stop

+ 6 - 0
rsyslog/ffho/20-yanic.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'yanic' then /var/log/yanic.log
+& stop

+ 6 - 0
rsyslog/ffho/30-ap.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $hostname startswith 'ap-' then /var/log/ap.log
+& stop
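Review bot: The new rule routes on `$hostname`, a value taken from the syslog header that the sender chooses, so on a server accepting remote syslog the contents of ap.log are only as trustworthy as every host able to reach it. Because 30-ap.conf sorts before 30-net.conf and the 50-* files, and `& stop` ends processing, a message carrying an `ap-` hostname also bypasses the source-address and facility rules. If the access points sit in a known address range, consider adding a source condition such as `and $fromhost-ip startswith '<AP_PREFIX>'` (placeholder, range not shown on this page). A comment above the rule stating that the hostname is unauthenticated would help whoever reads ap.log during an incident.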

+ 2 - 2
rsyslog/ffho/30-net.conf

@@ -2,5 +2,5 @@ $FileCreateMode 0640
 $FileOwner root
 $FileGroup adm
 
-if $fromhost-ip startswith '172.30.' and $syslogfacility-text == 'local0' then /var/log/net.log
-& ~
+if $fromhost-ip startswith '172.30.' then /var/log/net.log
+& stop
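Review bot: With the `local0` condition removed, every message from `172.30.*` now lands in net.log, and `& stop` keeps it from reaching 50-auth.conf, 50-kern.conf and the later files, so login and authentication events from those devices no longer appear in auth.log. Anything that reviews or alerts on auth.log silently loses that source. Either keep the auth facilities out of this rule, e.g. `if $fromhost-ip startswith '172.30.' and $syslogfacility-text != 'auth' and $syslogfacility-text != 'authpriv' then /var/log/net.log`, or add a comment stating that net.log is the authoritative file for all facilities from that range.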

+ 1 - 1
rsyslog/ffho/50-auth.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 auth.*,authpriv.*                        /var/log/auth.log
-& ~
+& stop

+ 1 - 1
rsyslog/ffho/50-kern.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 kern.*                          -/var/log/kern.log
-& ~
+& stop

+ 1 - 1
rsyslog/ffho/50-user.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 user.*                          -/var/log/user.log
-& ~
+& stop

+ 1 - 1
rsyslog/ffho/90-cron.conf

@@ -3,4 +3,4 @@ $FileOwner root
 $FileGroup adm
 
 #crons sollten nicht auf dem logserver geloggt werden. Falls doch bitte mit Einzelfilter und höherer Priorität
-cron.* ~ 
+cron.* stop

+ 1 - 1
rsyslog/ffho/99-debug.conf

@@ -9,4 +9,4 @@ $FileGroup adm
 #fängt vorerst alle Nachrichten ab, die nicht in anderen Logs landen um rauszufinden was noch interessant sein könnte
 
 *.* /var/log/debug
-& ~
+& stop

+ 9 - 1
rsyslog/init.sls

@@ -2,7 +2,7 @@
 # Rsyslog configuration
 #
 
-{% set roles = pillar.get ('roles', []) %}
+{% set roles = salt['pillar.get'] ('nodes:' ~ grains['id'] ~ ':roles') %}
 
 rsyslog:
   pkg.installed:
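Review bot: The new `pillar.get` lookup drops the `[]` default the old line had, so on a node without a `nodes:<id>:roles` entry `roles` is no longer an empty list. As far as I know Salt then falls back to an empty string, and a later `'x' in roles` test becomes a substring match rather than a list membership test. How `roles` is used lies outside this hunk, so the impact is inferred. Suggest keeping the default: `{% set roles = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}`.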
@@ -10,6 +10,14 @@ rsyslog:
   service.running:
     - enable: True
 
+
+/etc/rsyslog-early.d:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0755
+
+
 /etc/rsyslog.conf:
   file.managed:
     - watch_in:

+ 10 - 17
rsyslog/rsyslog.conf

@@ -1,4 +1,5 @@
-#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#  /etc/rsyslog.conf	Configuration file for rsyslog v3. (Salt managed)
 #
 #			For more information see
 #			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
@@ -9,7 +10,7 @@
 #################
 
 $ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog   # provides kernel logging support
+$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
 #$ModLoad immark  # provides --MARK-- message capability
 
 # provides UDP syslog reception
@@ -26,7 +27,7 @@ $ModLoad imklog   # provides kernel logging support
 ###########################
 
 #
-# Use traditional timestamp format.
+# Use default timestamp format.
 # To enable high precision timestamps, comment out the following line.
 #
 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
@@ -37,13 +38,15 @@ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 $FileOwner root
 $FileGroup adm
 $FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
 
 #
-# Where to place spool and state files
+# Include all config files in /etc/rsyslog-early.d/
 #
-$WorkDirectory /var/spool/rsyslog
+$IncludeConfig /etc/rsyslog-early.d/*.conf
+
+# Mirror all remaining logs to logserver
+
+*.*			@10.132.251.43
 
 #
 # Include all config files in /etc/rsyslog.d/
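Review bot: The relocated forward rule `*.* @10.132.251.43` uses a single `@`, i.e. UDP, so every facility including auth and authpriv leaves the node unencrypted and unauthenticated, and anything sent while the logserver is unreachable is lost without any indication. The same hunk removes `$WorkDirectory /var/spool/rsyslog`, which a disk-assisted action queue would need for spooling. Consider `*.* @@10.132.251.43` (TCP) with an action queue in front of it, plus TLS through the gtls netstream driver if the path to the logserver is not a trusted network. At minimum, add a comment above the rule noting that delivery is best-effort UDP.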
@@ -55,14 +58,6 @@ $IncludeConfig /etc/rsyslog.d/*.conf
 #### RULES ####
 ###############
 
-#
-# reduce dhcpd logging
-#
-:msg, contains, "DHCPDISCOVER" ~
-:msg, contains, "DHCPOFFER" ~
-:msg, contains, "DHCPREQUEST" ~
-:msg, contains, "DHCPACK" ~
-
 #
 # First some standard log files.  Log by facility.
 #
@@ -127,5 +122,3 @@ daemon.*;mail.*;\
 	news.err;\
 	*.=debug;*.=info;\
 	*.=notice;*.=warn	|/dev/xconsole
-
-*.*	@10.132.251.43

+ 1 - 1
rsyslog/rsyslog.conf.logserver

@@ -96,7 +96,7 @@ $IncludeConfig /etc/rsyslog.d/*.conf
 #
 # Emergencies are sent to everybody logged in.
 #
-#*.emerg				:omusrmsg:*
+*.emerg				:omusrmsg:*
 
 #
 # I like to have messages displayed on the console, but only on a virtual
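Review bot: Enabling `*.emerg :omusrmsg:*` on the host that receives syslog from the whole network lets the sender choose the priority, so any device that can reach the logserver can have text written to the terminal of every logged-in user there. Whether the rule is reached at all depends on what is deployed in `/etc/rsyslog.d/`, which this page does not show: if the ffho rules, including the `*.*` catch-all with `& stop` in 99-debug.conf, are included before it, this line never fires. If the intent is to alert on the logserver's own emergencies only, restrict it to local messages, e.g. `if $fromhost-ip == '127.0.0.1' and $syslogseverity-text == 'emerg' then :omusrmsg:*`, and say so in the comment above. The rules section continues outside this hunk.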

+ 1 - 0
top.sls

@@ -13,6 +13,7 @@ base:
     - network
     - ntp
     - postfix
+    - rsyslog
     - screen
     - snmpd
     - ssh