
pupmod-simp-simp_rsyslog


Table of Contents

  1. Description
  2. Setup - The basics of getting started with simp_rsyslog
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module is a SIMP Puppet profile for setting up the common Rsyslog configurations supported by the SIMP ecosystem.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.

Setup

What simp_rsyslog affects

This module provides configurations for both Rsyslog local and Rsyslog server configurations.

Usage

Local Logging

To set up local logging, you can simply do the following:

include '::simp_rsyslog'

The $log_collection Hash provides an Rsyslog 7-compatible set of filters for the messages you wish to collect. Messages that match are treated as security relevant and written to /var/log/secure by default.

The Hash has the following format. All entries are combined with a logical OR, so a message that matches any single entry is collected.

$log_collection = {
  'programs'   => [ <logged daemon names> ],
  'facilities' => [ <syslog facilities> ],
  'priorities' => [ <syslog priorities> ],
  'msg_starts' => [ <strings the message starts with> ],
  'msg_regex'  => [ <regular expression matches> ]
}

If you need something more complex than this, you will need to configure your own rsyslog rules using the ::rsyslog::rule defined type.

If you simply want to log EVERYTHING to your remote servers, set simp_rsyslog::collect_everything to true.

If you do this, it is highly recommended that you set simp_rsyslog::log_local to false so that you don't overwhelm your filesystem.


NOTE

If you do not capture the local6 syslog facility, you will lose a lot of SIMP-specific messaging.
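The collection rules above, as an added example that is not code from the pupmod-simp-simp_rsyslog module: a small Python model that ORs the five filter kinds together as the README describes, renders them as a RainerScript condition in the shape the module is assumed to write (an assumption; inspect the rule the module generates on a real node to confirm), and runs the same logic over constructed sample events to show what reaches /var/log/secure, what simp_rsyslog::collect_everything changes, and what is lost when local6 is left out of the facilities list.

```python
"""Model of the $log_collection matching rules.

Added example; not code from pupmod-simp-simp_rsyslog. The five keys and the
logical-OR combination come from the README; the rendered RainerScript
condition is an assumed approximation of what the module writes, and the
events below are constructed, not captured from a real host.
"""
import re

# Constructed $log_collection, shaped like the README's Hash.
LOG_COLLECTION = {
    'programs':   ['sudo', 'sshd'],
    'facilities': ['authpriv', 'local6'],   # local6 carries SIMP's own messages
    'priorities': ['emerg', 'alert', 'crit'],
    'msg_starts': ['SIMP:'],
    'msg_regex':  ['segfault at'],           # keep valid for rsyslog's re_match (POSIX ERE)
}

# Constructed events, keyed by the rsyslog property names the condition refers to.
SAMPLE_EVENTS = [
    {'programname': 'sshd', 'facility': 'auth', 'priority': 'info',
     'msg': 'Failed password for root from 203.0.113.7 port 51234 ssh2'},
    {'programname': 'kernel', 'facility': 'kern', 'priority': 'err',
     'msg': 'httpd[1234]: segfault at 0 ip 00007f3a sp 00007ffd error 4'},
    {'programname': 'puppet-agent', 'facility': 'local6', 'priority': 'notice',
     'msg': 'Applied catalog in 12.30 seconds'},
    {'programname': 'cron', 'facility': 'cron', 'priority': 'info',
     'msg': '(root) CMD (run-parts /etc/cron.hourly)'},
]


def render_condition(collection):
    """OR every entry into one RainerScript condition (assumed shape of the module's rule)."""
    clauses = []
    clauses += [f"$programname == '{p}'" for p in collection.get('programs', [])]
    clauses += [f"$syslogfacility-text == '{f}'" for f in collection.get('facilities', [])]
    clauses += [f"$syslogpriority-text == '{p}'" for p in collection.get('priorities', [])]
    clauses += [f"$msg startswith '{s}'" for s in collection.get('msg_starts', [])]
    clauses += [f"re_match($msg, '{r}')" for r in collection.get('msg_regex', [])]
    return ' or '.join(f'({c})' for c in clauses)


def is_security_relevant(event, collection, collect_everything=False):
    """True if the event would be written to /var/log/secure under this collection."""
    if collect_everything:          # simp_rsyslog::collect_everything => true
        return True
    return (event['programname'] in collection.get('programs', [])
            or event['facility'] in collection.get('facilities', [])
            or event['priority'] in collection.get('priorities', [])
            or any(event['msg'].startswith(s) for s in collection.get('msg_starts', []))
            or any(re.search(r, event['msg']) for r in collection.get('msg_regex', [])))


def relevant_messages(collection, collect_everything=False, events=SAMPLE_EVENTS):
    """The msg text of every sample event the collection keeps, in input order."""
    return [e['msg'] for e in events
            if is_security_relevant(e, collection, collect_everything)]


def without_facility(collection, facility):
    """Copy of the collection with one facility removed (to show the local6 caveat)."""
    copy = dict(collection)
    copy['facilities'] = [f for f in collection.get('facilities', []) if f != facility]
    return copy


if __name__ == '__main__':
    print(render_condition(LOG_COLLECTION))
    print('kept:        ', relevant_messages(LOG_COLLECTION))
    print('no local6:   ', relevant_messages(without_facility(LOG_COLLECTION, 'local6')))
    print('collect all: ', relevant_messages(LOG_COLLECTION, collect_everything=True))
```

With the constructed collection, the sshd failure is kept by program name, the segfault by regex and the puppet-agent line by the local6 facility, while the cron line matches nothing; drop local6 from the facilities and the puppet-agent line disappears, which is exactly the loss the NOTE warns about.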


Centralized Logging

While we highly recommend using ELG for collecting your logs, we understand that this is not practical for all situations.

If you wish to collect logs from remote hosts, you can do the following:

Manifest:

include '::simp_rsyslog'

Hieradata:

---
simp_rsyslog::is_server : true

This will set your system up as an Rsyslog server that accepts TLS-encrypted TCP connections and unencrypted UDP.

At this time, the version of Rsyslog that ships with EL systems cannot listen for both TLS and non-TLS TCP connections at the same time, so plain (non-TLS) TCP is not accepted. When it can, we will support this mode of log collection.

UDP logs are not encrypted in transit; UDP is supported only for compatibility with network devices that can only send syslog over UDP.

Log Forwarding

If you wish to set your system up to forward logs to a set of remote log servers, in either the server or client case, you should use the following:

include '::simp_rsyslog::log_shipper'

This will use the $simp_options::syslog::log_servers and $simp_options::syslog::failover_log_servers variables to set the targets for your logs. Alternatively, you can specify the targets in Hiera directly.

Log forwarding uses TCP with TLS so that logs are encrypted in transit.


WARNING

Be VERY careful when setting your simp_rsyslog::log_servers and simp_rsyslog::failover_log_servers Arrays!

There is no foolproof way to detect if you are setting your local log server as part of the Array. If you do this, you may end up with infinite log loops that fill your log server's disk space within minutes.

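A pre-flight check for the loop hazard described above, as an added example that is not part of the module (the module itself performs no such check): it compares every entry of the two Arrays against the names and addresses the node answers to, and also flags a target that appears in both Arrays, since a failover that is also the primary is no failover. The hostnames, addresses and Arrays used are constructed, not taken from a real deployment, and the fact sources the check assumes are named in the docstring.

```python
"""Pre-flight check for the log-loop hazard.

Added example; not code from pupmod-simp-simp_rsyslog, which performs no such
check (the README says there is no foolproof way). It assumes you can feed it
the names and addresses the node answers to (for example the fqdn, hostname and
networking facts) together with the two target Arrays as written in Hiera. All
hostnames and addresses below are constructed.
"""
import ipaddress


def normalise(target):
    """Canonical form for comparison: lower-cased name without trailing dot, or a canonical IP."""
    t = target.strip().lower().rstrip('.')
    try:
        return str(ipaddress.ip_address(t))      # '2001:DB8::0010' -> '2001:db8::10'
    except ValueError:
        return t                                  # not an address: treat as a hostname


def find_self_references(log_servers, failover_log_servers, local_names, local_addrs):
    """Targets (from either Array) that name the local node itself, in Array order."""
    local = {normalise(x) for x in list(local_names) + list(local_addrs)}
    return [t for t in list(log_servers) + list(failover_log_servers)
            if normalise(t) in local]


def find_overlap(log_servers, failover_log_servers):
    """Failover targets that are also primary targets; they cannot act as failover."""
    primary = {normalise(t) for t in log_servers}
    return [t for t in failover_log_servers if normalise(t) in primary]


def check_targets(log_servers, failover_log_servers, local_names, local_addrs):
    """Human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    for t in find_self_references(log_servers, failover_log_servers, local_names, local_addrs):
        findings.append(f"{t!r} is this host; forwarding to it would loop logs back")
    for t in find_overlap(log_servers, failover_log_servers):
        findings.append(f"{t!r} is listed in both log_servers and failover_log_servers")
    return findings


if __name__ == '__main__':
    # Constructed: a log server that has (wrongly) been given itself as a forwarding target.
    local_names = ['logserver1.example.com', 'logserver1']
    local_addrs = ['192.0.2.10', '2001:db8::10', '127.0.0.1', '::1']
    log_servers = ['LogServer1.Example.COM.', 'logserver2.example.com']
    failover_log_servers = ['2001:DB8::10', 'logserver2.example.com']
    for finding in check_targets(log_servers, failover_log_servers, local_names, local_addrs):
        print('WARNING:', finding)
```

The comparison is deliberately literal (case, trailing dot and IPv6 spelling are normalised, but names are not resolved), so it catches the common mistake of pasting a server's own name or address into its hieradata without needing network access; a target that reaches the local node through a CNAME or a load balancer still has to be checked by hand.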


Reference

See the API Documentation for full details.

Limitations

This is a SIMP Profile. It will not expose all options of the underlying modules, only the ones that are conducive to a supported SIMP infrastructure. If you need to do things that this module does not cover, you may need to create your own profile or inherit this profile and extend it to meet your needs.

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.
