Add ability to configure rsyslog TLS encryption
Change-Id: Ie2d325830f2c8ff03a4b8f31058e53feb7b62a7d
diff --git a/README.rst b/README.rst
index bd98749..bddc125 100644
--- a/README.rst
+++ b/README.rst
@@ -102,7 +102,7 @@
rabbitmq:
File: "/var/log/rabbitmq/*.log"
Tag: "rabbitmq__"
- Severitet: "notice"
+ Severity: "notice"
Facility: "local0"
PersistStateInterval: "0"
Ruleset: "myapp_logs"
@@ -117,6 +117,72 @@
myapp_logs:
description: 'set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*[^/.log])", 0, 2, "all.log"); call remote_logs'
+Rsyslog service with GNU TLS encryption for forwarding the messages (omfwd module with gtls network stream driver).
+
+.. code-block:: yaml
+
+ rsyslog:
+ client:
+ pkgs:
+ - rsyslog-gnutls
+ - rsyslog
+ run_user: syslog
+ run_group: adm
+ enabled: true
+ certs:
+ /etc/rsyslog.d/key.pem: |
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+ /etc/rsyslog.d/cert.pem: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ /etc/rsyslog.d/ca.pem: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ rainerscript:
+ global:
+ defaultNetstreamDriverCAFile: "/etc/rsyslog.d/ca.pem"
+ defaultNetstreamDriverKeyFile: "/etc/rsyslog.d/key.pem"
+ defaultNetstreamDriverCertFile: "/etc/rsyslog.d/cert.pem"
+ output:
+ remote:
+ somehost.domain:
+ action: 'action(type="omfwd" Target="172.16.10.92" Port="20514" Protocol="tcp" streamDriver="gtls" streamDriverauthMode="anon" streamDriverMode="1")'
+ filter: "*.*"
+ enabled: true
+
+Rsyslog service with RELP TLS encryption for forwarding the messages (omrelp module).
+
+.. code-block:: yaml
+
+ rsyslog:
+ client:
+ pkgs:
+ - rsyslog-relp
+ - rsyslog
+ run_user: syslog
+ run_group: adm
+ enabled: true
+ certs:
+ /etc/rsyslog.d/key.pem: |
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+ /etc/rsyslog.d/cert.pem: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ /etc/rsyslog.d/ca.pem: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ rainerscript:
+ module:
+ omrelp: {}
+ output:
+ remote:
+ somehost.domain:
+ action: 'action(type="omrelp" target="172.16.10.92" port="20514" tls="on" tls.caCert="/etc/rsyslog.d/ca.pem" tls.myCert="/etc/rsyslog.d/cert.pem" tls.myPrivKey="/etc/rsyslog.d/key.pem" tls.authmode="name" tls.permittedpeer=["remote.example.com"])'
+ filter: "*.*"
+ enabled: true
+
Custom templates
================
diff --git a/rsyslog/client.sls b/rsyslog/client.sls
index d84c826..0eb1f42 100644
--- a/rsyslog/client.sls
+++ b/rsyslog/client.sls
@@ -23,6 +23,22 @@
- watch_in:
- service: rsyslog_service
+{%- for name, content in global.get('certs', {}).iteritems() %}
+
+rsyslog_cert_{{ name | replace('/', '_') }}_client:
+ file.managed:
+ - name: {{ name }}
+ - contents: {{ content | yaml_encode }}
+ - owner: {{ global.run_user }}
+ - group: {{ global.run_group }}
+ - mode: 0400
+ - require:
+ - pkg: rsyslog_packages
+ - watch_in:
+ - service: rsyslog_service
+
+{% endfor %}
+
{% if global.manage_file_perms is defined and global.manage_file_perms == true %}
{% for output,type in global.output.file.iteritems() %}
{{ output }}:
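Review bot: The private key written by the new `rsyslog_cert_*_client` state will be printed in the state run output, because `file.managed` reports a unified diff of `contents` by default, and that output is likely also retained in the master's job cache; adding `- show_changes: False` to the state keeps the key material out of logs and `state.apply` returns. The same `0400` / `run_user` settings are applied to the CA and server certificates as well, which is tighter than those files need but harmless. `- mode: 0400` is unquoted; Salt's loader generally keeps leading-zero modes as strings, but the documented, loader-independent form is `- mode: "0400"`.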
diff --git a/rsyslog/files/rsyslog.default.conf b/rsyslog/files/rsyslog.default.conf
index 5199ccc..36de0e6 100644
--- a/rsyslog/files/rsyslog.default.conf
+++ b/rsyslog/files/rsyslog.default.conf
@@ -43,6 +43,10 @@
{%- set rainerscript = global.get('rainerscript', {}) -%}
+{% if rainerscript.global is defined -%}
+global({%- for parameter,value in rainerscript.get('global', {}).iteritems() %} {{parameter}}="{{ value }}"{%- endfor -%})
+{% endif -%}
+
{%- for mod,parameter in rainerscript.get('module', {}).iteritems() %}
module(load="{{ mod }}"{%- for name,value in parameter.iteritems() %} {{name}}="{{value}}"{%- endfor -%})
{%- endfor %}
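Review bot: The guard on the new `global(...)` line tests `rainerscript.global is defined` while the loop on the next line reads `rainerscript.get('global', {})`; with `rainerscript: global: {}` in pillar this renders a bare `global()` with no parameters. Using one accessor for both, `{% if rainerscript.get('global') -%}`, keeps the two in step and skips the empty mapping. Parameter values are interpolated inside double quotes without escaping, as on the existing `module(...)` line, so a pillar value containing `"` would break the generated statement; that is pre-existing, but now that file paths flow through this line a short comment in the template, `{# values are emitted verbatim; pillar values must not contain double quotes #}`, would make the constraint explicit.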