Add ability to configure rsyslog TLS encryption

Change-Id: Ifc4279dc9f556550a1957f108e5b335ce4784478
diff --git a/README.rst b/README.rst
index bd98749..cde963d 100644
--- a/README.rst
+++ b/README.rst
@@ -102,7 +102,7 @@
             rabbitmq:
               File: "/var/log/rabbitmq/*.log"
               Tag: "rabbitmq__"
-              Severitet: "notice"
+              Severity: "notice"
               Facility: "local0"
               PersistStateInterval: "0"
               Ruleset: "myapp_logs"
@@ -117,6 +117,76 @@
           myapp_logs:
             description: 'set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*[^/.log])", 0, 2, "all.log"); call remote_logs'
 
+Rsyslog service with GNU TLS encryption for forwarding the messages (omfwd module with gtls network stream driver).
+
+.. code-block:: yaml
+
+  rsyslog:
+    client:
+      pkgs:
+        - rsyslog-gnutls
+        - rsyslog
+      run_user: syslog
+      run_group: adm
+      enabled: true
+      ssl:
+        enabled: true
+        engine: manual
+        key: |
+          -----BEGIN RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
+        cert: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+        cacert_chain: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+      rainerscript:
+        global:
+          defaultNetstreamDriverCAFile: "/etc/rsyslog.d/rsyslog_ca.crt"
+          defaultNetstreamDriverKeyFile: "/etc/rsyslog.d/rsyslog_client.key"
+          defaultNetstreamDriverCertFile: "/etc/rsyslog.d/rsyslog_client.crt"
+      output:
+        remote:
+          somehost.domain:
+            action: 'action(type="omfwd" Target="172.16.10.92" Port="20514" Protocol="tcp" streamDriver="gtls" streamDriverauthMode="anon" streamDriverMode="1")'
+            filter: "*.*"
+            enabled: true
+
+Rsyslog service with RELP TLS encryption for forwarding the messages (omrelp module).
+
+.. code-block:: yaml
+
+  rsyslog:
+    client:
+      pkgs:
+        - rsyslog-relp
+        - rsyslog
+      run_user: syslog
+      run_group: adm
+      enabled: true
+      ssl:
+        enabled: true
+        engine: manual
+        key: |
+          -----BEGIN RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
+        cert: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+        cacert_chain: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+      rainerscript:
+        module:
+          omrelp: {}
+      output:
+        remote:
+          somehost.domain:
+            action: 'action(type="omrelp" target="172.16.10.92" port="20514" tls="on" tls.caCert="/etc/rsyslog.d/rsyslog_ca.crt" tls.myCert="/etc/rsyslog.d/rsyslog_client.crt" tls.myPrivKey="/etc/rsyslog.d/rsyslog_client.key" tls.authmode="name" tls.permittedpeer=["remote.example.com"])'
+            filter: "*.*"
+            enabled: true
+
 Custom templates
 ================
 
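Review bot: The gtls example sets `streamDriverauthMode="anon"` in the omfwd action, so the stream is encrypted but the receiver is never authenticated, and the CA file configured under `rainerscript.global` is then not used to validate the peer. Logs forwarded this way are exposed to an on-path host presenting any certificate. The RELP example below it already pins the peer with `tls.authmode="name"` and `tls.permittedpeer`; the gtls example should do the equivalent with `streamDriverAuthMode="x509/name" streamDriverPermittedPeers="remote.example.com"`. If anonymous mode is kept for brevity, the sentence above the code block should state that it provides encryption only.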
diff --git a/rsyslog/client.sls b/rsyslog/client.sls
index d84c826..403617e 100644
--- a/rsyslog/client.sls
+++ b/rsyslog/client.sls
@@ -23,6 +23,61 @@
   - watch_in:
     - service: rsyslog_service
 
+{%- if global.get('ssl', {'enabled': False}).enabled and global.get('ssl', {}).get('engine', 'salt') == 'manual' %}
+
+{%- set ca_file=global.ssl.get('ca_file', '/etc/rsyslog.d/rsyslog_ca.crt') %}
+{%- set key_file=global.ssl.get('key_file', '/etc/rsyslog.d/rsyslog_client.key') %}
+{%- set cert_file=global.ssl.get('cert_file', '/etc/rsyslog.d/rsyslog_client.crt') %}
+
+{%- if global.ssl.cert is defined %}
+
+rsyslog_public_cert_client:
+  file.managed:
+  - name: {{ cert_file }}
+  - contents_pillar: rsyslog:client:ssl:cert
+  - owner: {{ global.run_user }}
+  - group: {{ global.run_group }}
+  - mode: 0400
+  - require:
+    - pkg: rsyslog_packages
+  - watch_in:
+    - service: rsyslog_service
+
+{%- endif %}
+
+{%- if global.ssl.key is defined %}
+
+rsyslog_private_key_client:
+  file.managed:
+  - name: {{ key_file }}
+  - contents_pillar: rsyslog:client:ssl:key
+  - owner: {{ global.run_user }}
+  - group: {{ global.run_group }}
+  - mode: 0400
+  - require:
+    - pkg: rsyslog_packages
+  - watch_in:
+    - service: rsyslog_service
+
+{%- endif %}
+
+{%- if global.ssl.cacert_chain is defined %}
+
+rsyslog_cacert_chain_client:
+  file.managed:
+  - name: {{ ca_file }}
+  - contents_pillar: rsyslog:client:ssl:cacert_chain
+  - owner: {{ global.run_user }}
+  - group: {{ global.run_group }}
+  - mode: 0400
+  - require:
+    - pkg: rsyslog_packages
+  - watch_in:
+    - service: rsyslog_service
+
+{%- endif %}
+{%- endif %}
+
 {% if global.manage_file_perms is defined and global.manage_file_perms == true %}
 {% for output,type in global.output.file.iteritems() %}
 {{ output }}:
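Review bot: The three new `file.managed` states (`rsyslog_public_cert_client`, `rsyslog_private_key_client`, `rsyslog_cacert_chain_client`) pass `owner:`, but the argument that sets ownership in `file.managed` is `user:`. As written the ownership is most likely left at the minion's default while the mode lets only the owner read, so the `run_user` daemon may be unable to load the key and certificates after dropping privileges. Use `- user: {{ global.run_user }}` in all three states. The mode is also better quoted, `- mode: '0400'`, so the result never depends on how the YAML loader treats a leading-zero integer. The hunk ends inside the unchanged `manage_file_perms` loop, which continues outside it.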
diff --git a/rsyslog/files/rsyslog.default.conf b/rsyslog/files/rsyslog.default.conf
index 5199ccc..36de0e6 100644
--- a/rsyslog/files/rsyslog.default.conf
+++ b/rsyslog/files/rsyslog.default.conf
@@ -43,6 +43,10 @@
 
 {%- set rainerscript = global.get('rainerscript', {}) -%}
 
+{% if rainerscript.global is defined -%}
+global({%- for parameter,value in rainerscript.get('global', {}).iteritems() %} {{parameter}}="{{ value }}"{%- endfor -%})
+{% endif -%}
+
 {%- for mod,parameter in rainerscript.get('module', {}).iteritems() %}
 module(load="{{ mod }}"{%- for name,value in parameter.iteritems() %} {{name}}="{{value}}"{%- endfor -%})
 {%- endfor %}
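Review bot: Values from `rainerscript.global` are emitted verbatim inside `{{parameter}}="{{ value }}"`, so a value containing a double quote (and possibly a backslash) produces a broken or differently parsed main config; the existing `module()` line below has the same property. For the documented use (file paths) a template comment stating the constraint is enough, e.g. `{#- global() values are written unescaped inside double quotes; they must not contain '"' #}`. The paths set here are also independent of `ssl.key_file`, `ssl.cert_file` and `ssl.ca_file` in client.sls, so overriding one side without the other leaves rsyslog pointing at files the state did not write. That coupling should be documented next to the pillar example.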