syslog: generate ruleset and template from simple(r) yaml config

Author: baszoetekouw

.ansible-lint

@@ -1,3 +1,6 @@
 ---
 profile: "production"
 offline: false
+
+skip_list:
+  - yaml[colons]

roles/rsyslog/defaults/main.yml

@@ -1,3 +1,4 @@
+---
 rsyslog_ca: /etc/pki/rsyslog/rsyslog_ca.pem
 rsyslog_dir: /opt/openconext/logs
 rsyslog_read_group: adm
@@ -40,3 +41,60 @@ rsyslog_checkemptylogs_cron_minute: "0"
 rsyslog_checkemptylogs_cron_hour: "9"
 rsyslog_checkemptylogs_cron_weekdays: "1-5"
 rsyslog_checkemptylogs_dir: "/usr/local/bin"
+
+# "program" matches the syslog identifier
+# "contains" and "startswith" match the syslog message
+rsyslog_central_apps:
+  haproxy:            { program: "haproxy",                target: "haproxy/haproxy.log" }
+  keepalived:         { program: "Keepalived_vrrp",        target: "keepalived/keepalived.log" }
+  galera:             { program: "mariadb",                target: "galera/galera.log" }
+  galera_garb:        { program: "garb-systemd",           target: "galera/galera_garb.log" }
+  mongo:              { program: "mongod",                 target: "mongo/mongo.log" }
+  traefik:            { program: "loadbalancer",           target: "traefik/traefik.log" }
+  eb_auth:            { program: "engineblock", contains: '"channel":"authentication"',
+                        dir: "log_logins",                 target: "eb-authentication.log" }
+  stepup_auth1:       { program: "gateway", contains: '"message":"Second Factor Authenticated"',
+                      dir: "log_logins",                 target: "stepup-authentication.log" }
+  stepup_auth2:       { program: "gateway", contains: '"message":"Intrinsic Loa Requested"',
+                        dir: "log_logins",                 target: "stepup-authentication.log" }
+  stepup_auth3:       { program: "stepup-authentication",
+                        dir: "log_logins",                 target: "stepup-authentication.log" }
+  eb_apache:          { program: "engineblock", startswith: "engine",
+                                                           target: "eb/apache.log" }
+  eb:                 { program: "engineblock",            target: "eb/eb.log" }
+  eb_log:             { program: "EBLOG",                  target: "eb/eb.log" }
+  eb_apache2:         { program: "Apache-EB",              target: "eb/apache.log" }  # probabaly ununsed
+  eb_api:             { program: "Apache-EBAPI",           target: "eb-api/apache.log" }  # probabaly ununsed
+  oidcng_server:      { program: "oidcngserver",           target: "oidcng/oidcng.log" }
+  oidcng_json:        { program: "oicdngjson",             target: "oidcng/oidcngjson.log" }
+  oidc_play_server:   { program: "oidcplaygroundserver",   target: "oidc-playground/oidc-playground.log" }
+  oidc_play_gui:      { program: "oidcplaygroundgui",      target: "oidc-playground/oidc-playground-apache.log" }
+  manage_server:      { program: "manageserver",           target: "manage/manage.log" }
+  manage_gui:         { program: "managegui",              target: "manage/apache.log" }
+  aa_server:          { program: "aaserver",               target: "aa/aa.log" }
+  aa_gui:             { program: "aagui",                  target: "aa/apache.log" }
+  aa_link:            { program: "aalink",                 target: "aa/apache.log" }
+  pdp:                { program: "pdp",                    target: "pdp/pdp.log" }
+  voot:               { program: "vootserver",             target: "voot/voot.log" }
+  eduid_server:       { program: "myconextserver",         target: "eduid/myconext.log" }
+  eduid_json:         { program: "myconextjson",           target: "eduid/myconextjson.log" }
+  eduid_gui:          { program: "myconextgui",            target: "eduid/myconext-apache.log" }
+  eduid_account:      { program: "accountgui",             target: "eduid/account-apache.log" }
+  eduid_servicedesk:  { program: "servicedeskgui",         target: "eduid/servicedesk-apache.log" }
+  invite_client:      { program: "inviteclient",           target: "invite/inviteclient.log" }
+  invite_welcome:     { program: "invitewelcome",          target: "invite/invitewelcome.log" }
+  invite_server:      { program: "inviteserver",           target: "invite/inviteserver.log" }
+  invite_json:        { program: "invitejson",             target: "invite/invitejson.log" }
+  invite_provmock:    { program: "inviteprovisioningmock", target: "invite/inviteprovisioningmock.log" }
+  teams_server:       { program: "teamsserver",            target: "teams/teams.log" }
+  teams_gui:          { program: "teamsgui",               target: "teams/apache.log" }
+  profile:            { program: "profile", startwith: "{",
+                                                           target: "profile/profile.log" }
+  profile_apache:     { program: "profile",                target: "profile/apache.log" }
+  spdashboard:        { program: "spdashboard", startwith: "spdashboard",
+                                                           target: "spdashboard/spdashboard.log" }
+  spdashboard_apache: { program: "spdashboard",            target: "spdashboard/apache.log" }
+  dashboard_server:   { program: "dashboardserver",        target: "dashboard/dashboard.log" }
+  dashboard_gui:      { program: "dashboardgui",           target: "dashboard/apache.log" }
+  static:             { program: "Apache-STATIC",          target: "static/apache.log" }
+  metadata:           { program: "Apache-METADATA",        target: "metadata/apache.log" }

roles/rsyslog/templates/sc_ruleset.conf.j2

@@ -1,68 +1,30 @@
+global({{ rsyslog_dir_file_modes }})
+
 $RuleSet {{ item.name }}
 {% if item.name != "mgnt_sc" %}
-if $programname == "engineblock" and $msg startswith " engine" then { action(type="omfile" DynaFile="apache-eb-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-if $programname == "engineblock" and $msg startswith "engine" then { action(type="omfile" DynaFile="apache-eb-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-if $programname == "engineblock" and $msg contains '{"channel":"authentication"' then { action(type="omfile" DynaFile="ebauth-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop  }
-:programname, isequal, "engineblock" { action(type="omfile" DynaFile="eblog-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "EBLOG" { action(type="omfile" DynaFile="eblog-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "Apache-EB" { action(type="omfile" DynaFile="apache-eb-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "EBAUTH" { action(type="omfile" DynaFile="ebauth-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "haproxy" { action(type="omfile" DynaFile="haproxy-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "aaserver" { action(type="omfile" DynaFile="aa-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "aagui" { action(type="omfile" DynaFile="apache-aa-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "aalink" { action(type="omfile" DynaFile="apache-aa-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "dashboardgui" { action(type="omfile" DynaFile="apache-dashboard-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "dashboardserver" { action(type="omfile" DynaFile="dashboard-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "Apache-EBAPI" { action(type="omfile" DynaFile="apache-eb-api-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "manageserver" { action(type="omfile" DynaFile="manage-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "managegui" { action(type="omfile" DynaFile="apache-manage-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "pdp" { action(type="omfile" DynaFile="pdp-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-if $programname == "profile" and $msg startswith "{" then { action(type="omfile" DynaFile="profile-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "profile" { action(type="omfile" DynaFile="apache-profile-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "teamsserver" { action(type="omfile" DynaFile="teams-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "teamsgui" { action(type="omfile" DynaFile="apache-teams-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "vootserver" { action(type="omfile" DynaFile="voot-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "mariadbd" { action(type="omfile" DynaFile="galera-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "garb-systemd" { action(type="omfile" DynaFile="haproxy-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "Keepalived_vrrp" { action(type="omfile" DynaFile="keepalived-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, startswith, "mongo" { action(type="omfile" DynaFile="mongo-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "Apache-STATIC" { action(type="omfile" DynaFile="apache-static-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "Apache-METADATA" { action(type="omfile" DynaFile="apache-metadata-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "oidcngserver" { action(type="omfile" DynaFile="oidcng-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "oidcngjson" { action(type="omfile" DynaFile="oidcngjson-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "oidcplaygroundserver" { action(type="omfile" DynaFile="oidc-playground-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "oidcplaygroundgui" { action(type="omfile" DynaFile="apache-oidcplayground-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "myconextserver" { action(type="omfile" DynaFile="myconext-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "myconextjson" { action(type="omfile" DynaFile="myconextjson-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "myconextgui" { action(type="omfile" DynaFile="apache-myconext-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "accountgui" { action(type="omfile" DynaFile="apache-account-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "servicedeskgui" { action(type="omfile" DynaFile="apache-servicedesk-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, startswith, "inviteclient" { action(type="omfile" DynaFile="inviteclient-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, startswith, "invitewelcome" { action(type="omfile" DynaFile="invitewelcome-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, startswith, "inviteserver" { action(type="omfile" DynaFile="inviteserver-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "invitejson" { action(type="omfile" DynaFile="invitejson-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, startswith, "inviteprovisioningmock" { action(type="omfile" DynaFile="inviteprovisioningmock-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, startswith, "loadbalancer" { action(type="omfile" DynaFile="loadbalancer-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
 
-if $programname == "gateway" and $msg contains '{"message":"Second Factor Authenticated"' then { action(type="omfile" DynaFile="stepup-authentication-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-if $programname == "gateway" and $msg contains '{"message":"Intrinsic Loa Requested"' then { action(type="omfile" DynaFile="stepup-authentication-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
+{% for app, config in rsyslog_central_apps.items() %}
+if $programname == "{{ config.program }}"
+  {%- if 'contains'   in config %} and $msg contains   {{ config.contains   }} {% endif -%}
+  {%- if 'startswith' in config %} and $msg startswith {{ config.startswith }} {% endif %}
+  then { action(type="omfile" DynaFile="{{ app }}-{{ item.name }}") stop }}
+{% endfor %}
 
 {% for stepupapp in stepupapps %}
-:programname, isequal, "stepup-{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-if $programname == "{{ stepupapp }}" and $msg startswith "{{ stepupapp }}" then { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "Apache-{{ stepupapp }}" { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
+if $programname == "stepup-{{ stepupapp }}"                                then { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }
+if $programname == "{{ stepupapp }}" and $msg startswith "{{ stepupapp }}" then { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
+if $programname == "{{ stepupapp }}"                                       then { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }
+if $programname == "Apache-{{ stepupapp }}"                                then { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
 {% endfor %}
-:programname, isequal, "Apache-azuremfa" { action(type="omfile" DynaFile="apache-azure-mfa-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-if $programname == "spdashboard" and $msg startswith "spdashboard" then { action(type="omfile" DynaFile="apache-spdashboard-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "spdashboard" { action(type="omfile" DynaFile="spdashboard-{{item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
+if $programname == "Apache-azuremfa"                                       then { action(type="omfile" DynaFile="apache-azure-mfa-{{ item.name }}") stop }
+
 
-:programname, isequal, "stepup-authentication" { action(type="omfile" DynaFile="stepup-authentication-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
 {% endif %}
-:programname, isequal, "audispd" { action(type="omfile" DynaFile="auditd-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "audit" { action(type="omfile" DynaFile="auditd-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "audisp-syslog" { action(type="omfile" DynaFile="auditd-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:programname, isequal, "-bash" { action(type="omfile" DynaFile="bash-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:syslogfacility-text, isequal, "authpriv" { action(type="omfile" dynafile="secure-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
-:msg, contains, "-- MARK --" { action(type="omfile" DynaFile="MARK-{{ item.name }}" {{ rsyslog_dir_file_modes }} ) stop }
+if $programname == "audispd"       then { action(type="omfile" DynaFile="auditd-{{ item.name }}") stop }
+if $programname == "audit"         then { action(type="omfile" DynaFile="auditd-{{ item.name }}") stop }
+if $programname == "audisp-syslog" then { action(type="omfile" DynaFile="auditd-{{ item.name }}") stop }
+if $programname == "-bash"         then { action(type="omfile" DynaFile="bash-{{ item.name }}") stop }
+if $programname == "authpriv"      then { action(type="omfile" dynafile="secure-{{ item.name }}") stop }
+if $msg contains "-- MARK --"      then { action(type="omfile" DynaFile="MARK-{{ item.name }}") stop }
+
 *.* ?hostleft-{{ item.name }}