-rw-r--r-- | manifests/client.pp | 14 | ||||
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/install.pp | 6 | ||||
-rw-r--r-- | manifests/params.pp | 6 | ||||
-rw-r--r-- | manifests/server.pp | 10 | ||||
-rw-r--r-- | manifests/snippet.pp | 2 | ||||
-rw-r--r-- | spec/defines/rsyslog_snippet_spec.rb | 6 | ||||
-rw-r--r-- | templates/client.conf.erb | 13 | ||||
-rw-r--r-- | templates/server/_default-header.conf.erb | 13 |
9 files changed, 66 insertions, 8 deletions
diff --git a/manifests/client.pp b/manifests/client.pp index 624dfe8..37be590 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -14,6 +14,7 @@ # [*custom_params*] # [*server*] # [*port*] +# [*ssl_ca*] # # === Variables # @@ -30,7 +31,8 @@ class rsyslog::client ( $custom_config = undef, $custom_params = undef, $server = 'log', - $port = '514' + $port = '514', + $ssl_ca = undef, ) inherits rsyslog { $content_real = $custom_config ? { @@ -41,6 +43,14 @@ class rsyslog::client ( rsyslog::snippet {'client': ensure => present, content => $content_real, - } + } + + if $rsyslog::ssl and $ssl_ca == undef { + fail('You need to define $ssl_ca in order to use SSL.') + } + + if $rsyslog::ssl and $remote_type != 'tcp' { + fail('You need to enable tcp in order to use SSL.') + } } diff --git a/manifests/init.pp b/manifests/init.pp index 05b9943..7064c65 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -15,6 +15,7 @@ class rsyslog ( $relp_package_name = $rsyslog::params::relp_package_name, $mysql_package_name = $rsyslog::params::mysql_package_name, $pgsql_package_name = $rsyslog::params::pgsql_package_name, + $gnutls_package_name = $rsyslog::params::gnutls_package_name, $package_status = $rsyslog::params::package_status, $rsyslog_d = $rsyslog::params::rsyslog_d, $purge_rsyslog_d = $rsyslog::params::purge_rsyslog_d, @@ -30,7 +31,8 @@ class rsyslog ( $spool_dir = $rsyslog::params::spool_dir, $service_name = $rsyslog::params::service_name, $client_conf = $rsyslog::params::client_conf, - $server_conf = $rsyslog::params::server_conf + $server_conf = $rsyslog::params::server_conf, + $ssl = $rsyslog::params::ssl, ) inherits rsyslog::params { class { 'rsyslog::install': } class { 'rsyslog::config': } diff --git a/manifests/install.pp b/manifests/install.pp index 3e9ad1a..9798b3f 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
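Review bot: The second guard in the last client.pp hunk fails the catalog whenever `$rsyslog::ssl` is set and `$remote_type` is not tcp, even for a client that does not ship logs at all; the client template only emits the remote action under `rsyslog::client::log_remote`, so that flag presumably belongs in the condition, e.g. `if $rsyslog::ssl and $log_remote and $remote_type != 'tcp' {`. `$remote_type` and `$log_remote` are declared above the hunk, so their names are inferred from the template lookups in this same commit. Because `$ssl` is a toggle on the base class shared by the client and server roles, a node that enables it only for its server role would otherwise hit this failure. The parameter list of `rsyslog::client` starts outside the hunk; its closing brace is inside it.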
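Review bot: The new `$gnutls_package_name` and `$ssl` parameters of class `rsyslog` in the two init.pp hunks carry no documentation, while the same commit adds `# [*ssl_ca*]` entries to the headers of client.pp and server.pp. If init.pp has the same `# === Parameters` header above line 15 (it is outside the hunk), add `# [*gnutls_package_name*]` and `# [*ssl*]` there, and say on `$ssl` that it is the single switch consulted by both `rsyslog::client` and `rsyslog::server`. The parameter list of class `rsyslog` starts before the first hunk and its body continues after the second.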
@@ -23,4 +23,10 @@ class rsyslog::install { } } + if $rsyslog::gnutls_package_name != false { + package { $rsyslog::gnutls_package_name: + ensure => $rsyslog::package_status + } + } + } diff --git a/manifests/params.pp b/manifests/params.pp index 1ca23d5..8f9b639 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -18,6 +18,7 @@ class rsyslog::params { $relp_package_name = 'rsyslog-relp' $mysql_package_name = 'rsyslog-mysql' $pgsql_package_name = 'rsyslog-pgsql' + $gnutls_package_name = 'rsyslog-gnutls' $package_status = 'latest' $rsyslog_d = '/etc/rsyslog.d/' $purge_rsyslog_d = false @@ -34,6 +35,7 @@ class rsyslog::params { $service_name = 'rsyslog' $client_conf = "${rsyslog_d}client.conf" $server_conf = "${rsyslog_d}server.conf" + $ssl = false } redhat: { $rsyslog_package_name = 'rsyslog' @@ -44,6 +46,7 @@ class rsyslog::params { } $mysql_package_name = 'rsyslog-mysql' $pgsql_package_name = 'rsyslog-pgsql' + $gnutls_package_name = 'rsyslog-gnutls' $package_status = 'latest' $rsyslog_d = '/etc/rsyslog.d/' $rsyslog_conf = '/etc/rsyslog.conf' @@ -59,12 +62,14 @@ class rsyslog::params { $service_name = 'rsyslog' $client_conf = "${rsyslog_d}client.conf" $server_conf = "${rsyslog_d}server.conf" + $ssl = false } freebsd: { $rsyslog_package_name = 'sysutils/rsyslog5' $relp_package_name = 'sysutils/rsyslog5-relp' $mysql_package_name = 'sysutils/rsyslog5-mysql' $pgsql_package_name = 'sysutils/rsyslog5-pgsql' + $gnutls_package_name = 'sysutils/rsyslog5-gnutls' $package_status = 'present' $rsyslog_d = '/etc/syslog.d/' $rsyslog_conf = '/etc/syslog.conf' @@ -80,6 +85,7 @@ class rsyslog::params { $service_name = 'syslogd' $client_conf = "${rsyslog_d}client.conf" $server_conf = "${rsyslog_d}server.conf" + $ssl = false } default: { case $::operatingsystem { diff --git a/manifests/server.pp b/manifests/server.pp index 0cb7de8..36ee898 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
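Review bot: The new `package` resource in install.pp is declared whenever `$rsyslog::gnutls_package_name` is not `false`, so the GnuTLS driver package lands on every node even when `$rsyslog::ssl` keeps the `false` default set in params.pp. If that is deliberate (keeping the package resident so that toggling SSL needs no install step), say so in a comment; otherwise gate it with `if $rsyslog::ssl and $rsyslog::gnutls_package_name != false {`. The params.pp hunks set `$gnutls_package_name` in the three OS branches they touch, but the `default:` branch that begins at the end of the last params.pp hunk is outside the diff; if it leaves the variable unset, the `!= false` test may still be true and the resource title becomes undef, so a `$gnutls_package_name = false` default there would be safer. The body of class `rsyslog::install` starts before the hunk.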
@@ -10,6 +10,9 @@ # [*server_dir*] # [*custom_config*] # [*high_precision_timestamps*] +# [*ssl_ca*] +# [*ssl_cert*] +# [*ssl_key*] # # === Variables # @@ -33,6 +36,9 @@ class rsyslog::server ( $custom_config = undef, $port = '514', $high_precision_timestamps = false, + $ssl_ca = undef, + $ssl_cert = undef, + $ssl_key = undef, ) inherits rsyslog { $real_content = $custom_config ? { @@ -44,4 +50,8 @@ class rsyslog::server ( ensure => present, content => $real_content, } + + if $rsyslog::ssl and (!$enable_tcp or $ssl_ca == undef or $ssl_cert == undef or $ssl_key == undef) { + fail('You need to define all the ssl options and enable tcp in order to use SSL.') + } } diff --git a/manifests/snippet.pp b/manifests/snippet.pp index 26cfa76..bb0468e 100644 --- a/manifests/snippet.pp +++ b/manifests/snippet.pp @@ -26,7 +26,7 @@ define rsyslog::snippet( ensure => $ensure, owner => $rsyslog::run_user, group => $rsyslog::run_group, - content => "${content}\n", + content => "# file managed by puppet\n${content}\n", require => Class['rsyslog::config'], notify => Class['rsyslog::service'], } diff --git a/spec/defines/rsyslog_snippet_spec.rb b/spec/defines/rsyslog_snippet_spec.rb index 91d75c1..a8f2575 100644 --- a/spec/defines/rsyslog_snippet_spec.rb +++ b/spec/defines/rsyslog_snippet_spec.rb @@ -19,7 +19,7 @@ describe 'rsyslog::snippet', :type => :define do let(:title) { 'rsyslog-snippet-basic' } it 'should compile' do - should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("Random Content\n") + should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("# file managed by puppet\nRandom Content\n") end end end 
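Review bot: The single combined guard in the last server.pp hunk reports one generic message for four different mistakes, whereas client.pp in this same commit raises a separate `fail` per condition; splitting it the same way (`fail('You need to enable tcp in order to use SSL.')` for `!$enable_tcp`, a second message for the missing cert material) tells the operator which option is actually wrong. `$enable_tcp` is not declared inside the hunk, so I am assuming it is the server parameter that presumably guards `$ModLoad imtcp` in the header template. Nothing in the commit manages or checks the file named by `$ssl_key`, which rsyslog reads under the module's run user (snippet.pp uses `owner => $rsyslog::run_user`), so the new `# [*ssl_key*]` entry deserves a line stating that the operator must deploy it readable only by that user. The parameter list of `rsyslog::server` starts before the hunk.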
@@ -41,7 +41,7 @@ describe 'rsyslog::snippet', :type => :define do let(:title) { 'rsyslog-snippet-basic' } it 'should compile' do - should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("Random Content\n") + should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("# file managed by puppet\nRandom Content\n") end end end @@ -63,7 +63,7 @@ describe 'rsyslog::snippet', :type => :define do let(:title) { 'rsyslog-snippet-basic' } it 'should compile' do - should contain_file('/etc/syslog.d/rsyslog-snippet-basic.conf').with_content("Random Content\n") + should contain_file('/etc/syslog.d/rsyslog-snippet-basic.conf').with_content("# file managed by puppet\nRandom Content\n") end end end diff --git a/templates/client.conf.erb b/templates/client.conf.erb index e5dfb8c..d86a271 100644 --- a/templates/client.conf.erb +++ b/templates/client.conf.erb @@ -8,6 +8,17 @@ $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinety retries if host is down +<% if scope.lookupvar('rsyslog::client::ssl') -%> +# Setup SSL connection. +# CA/Cert +$DefaultNetStreamDriverCAFile <%= scope.lookupvar('rsyslog::client::ssl_ca') %> + +# Connection settings. +$DefaultNetstreamDriver gtls +$ActionSendStreamDriverMode 1 +$ActionSendStreamDriverAuthMode anon +<% end -%> + <% if scope.lookupvar('rsyslog::client::log_remote') -%> # Log to remote syslog server using <%= scope.lookupvar('rsyslog::client::remote_type') %> <% if scope.lookupvar('rsyslog::client::remote_type') == 'tcp' -%> @@ -79,7 +90,7 @@ news.notice -/var/log/news/news.notice # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: -# +# # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably 
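Review bot: `$ActionSendStreamDriverAuthMode anon` in the client.conf.erb SSL block means the client encrypts the session but never verifies who it is talking to, so the `$DefaultNetStreamDriverCAFile` that client.pp now insists on is not used to authenticate the server; the same choice is made with `$InputTCPServerStreamDriverAuthMode anon` in the server header template. If anonymous mode is the intended default, state that in the `# Setup SSL connection.` comment; otherwise expose the mode as a parameter so a deployment can select `x509/certvalid` or `x509/name` together with `$ActionSendStreamDriverPermittedPeer`. Separately, `scope.lookupvar('rsyslog::client::ssl')` (and `rsyslog::server::ssl` in the server template) resolves only because both classes inherit `rsyslog`; the parameter is declared on class `rsyslog`, so `scope.lookupvar('rsyslog::ssl')` names it directly. The directive is spelled `$DefaultNetStreamDriverCAFile` here and `$DefaultNetstreamDriverCAFile` in the server template; rsyslog matches legacy directives case-insensitively as far as I know, but one spelling is easier to grep for.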
diff --git a/templates/server/_default-header.conf.erb b/templates/server/_default-header.conf.erb index 19eb173..95391ce 100644 --- a/templates/server/_default-header.conf.erb +++ b/templates/server/_default-header.conf.erb @@ -16,5 +16,18 @@ $ModLoad imtcp $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat <% end -%> +<% if scope.lookupvar('rsyslog::server::ssl') -%> +# Server side SSL. +$DefaultNetstreamDriver gtls + +# Cert files. +$DefaultNetstreamDriverCAFile <%= scope.lookupvar('rsyslog::server::ssl_ca') %> +$DefaultNetstreamDriverCertFile <%= scope.lookupvar('rsyslog::server::ssl_cert') %> +$DefaultNetstreamDriverKeyFile <%= scope.lookupvar('rsyslog::server::ssl_key') %> + +$InputTCPServerStreamDriverMode 1 +$InputTCPServerStreamDriverAuthMode anon +<% end -%> + # Switch to remote ruleset $RuleSet remote |
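Review bot: The stream-driver directives added to _default-header.conf.erb only take effect if they precede the `$InputTCPServerRun` directive that starts the listener; that directive is not in the hunk, and since this header partial ends at `$RuleSet remote` it presumably comes later, but a comment such as `# Must precede $InputTCPServerRun.` above `$DefaultNetstreamDriver gtls` would keep a future reorder from silently producing a plaintext listener. Nothing in the commit manages the files named by `ssl_ca`, `ssl_cert` and `ssl_key`; the `# Cert files.` comment could state that they must already exist and that the key must be readable by the rsyslog run user only. Whether `$ModLoad imtcp` sits under the same condition is outside the hunk.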