Configure log server

dseomn · May 27, 2024 · c57e7cf · c57e7cf
1 parent ca5b27d
commit c57e7cf
Show file tree

Hide file tree

Showing 3 changed files with 182 additions and 0 deletions.
diff --git a/salt/file/log/server/init.sls b/salt/file/log/server/init.sls
@@ -0,0 +1,106 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{% from 'common/map.jinja' import common %}
+{% from 'crypto/x509/map.jinja' import x509 %}
+{% from 'network/firewall/map.jinja' import nftables %}
+{% from 'virtual_machine/guest/map.jinja' import require_running_on_vm_guest %}
+
+
+{{ require_running_on_vm_guest() }}
+
+
+include:
+- crypto.x509
+- log.syslog_ng
+- network.firewall
+- virtual_machine.guest
+
+
+log_server_pkgs:
+  pkg.installed:
+  - pkgs:
+    - jq  # To read json-formatted logs.
+
+
+{{ x509.boilerplate_certificate(
+    name=pillar.log.common.server.name,
+    warning_on_change='Update salt/pillar/log/common.sls',
+    group='syslog-ng',
+    keep_ca_cert=true,
+) }}
+
+
+/srv/logs:
+  test.nop:
+  - require:
+    - /srv/logs is mounted
+    - /srv/logs is backed up
+
+/srv/logs/current:
+  file.directory:
+  - user: syslog-ng
+  - group: adm
+  - mode: 0750
+  - require:
+    - /srv/logs
+    - syslog-ng user and group
+
+
+/etc/syslog-ng/conf.d/server-ca-certs.pem:
+  file.managed:
+  - user: root
+  - group: syslog-ng
+  - mode: 0640
+  - contents: |
+      {%- for peer_name, peer in pillar.log.server.clients | dictsort %}
+      {{ peer.ca_certificate | indent(6) }}
+      {%- endfor %}
+  - require:
+    - /etc/syslog-ng/conf.d exists
+  - require_in:
+    - /etc/syslog-ng/conf.d is clean
+  - watch_in:
+    - syslog_ng_running
+
+/etc/syslog-ng/conf.d/server.conf:
+  file.managed:
+  - user: root
+  - group: syslog-ng
+  - mode: 0640
+  - source: salt://log/server/syslog-ng.conf.jinja
+  - template: jinja
+  - require:
+    - /etc/syslog-ng/conf.d exists
+    - {{ common.local_etc }}/x509/{{ pillar.log.common.server.name }}/cert.pem
+    - {{ common.local_etc }}/x509/{{ pillar.log.common.server.name }}/privkey.pem
+    - /etc/syslog-ng/conf.d/server-ca-certs.pem
+    - /srv/logs/current
+  - require_in:
+    - /etc/syslog-ng/conf.d is clean
+  - watch_in:
+    - syslog_ng_running
+
+
+{{ nftables.config_dir }}/50-log-server.conf:
+  file.managed:
+  - contents: |
+      add rule inet filter input tcp dport 6514 accept
+  - require:
+    - create_nftables_config_dir
+  - require_in:
+    - manage_nftables_config_dir
+  - onchanges_in:
+    - warn about firewall changes
diff --git a/salt/file/log/server/syslog-ng.conf.jinja b/salt/file/log/server/syslog-ng.conf.jinja
@@ -0,0 +1,73 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{%- import 'log/syslog_ng/map.jinja' as syslog_ng %}
+
+
+source s_remote {
+  syslog(
+    ip-protocol(6)
+    {{ syslog_ng.tls_config(
+        is_client=false,
+        local_cert_dir_name=pillar.log.common.server.name,
+        peers=pillar.log.server.clients,
+    ) | indent(4) }}
+
+    # https://syslog-ng.github.io/admin-guide/080_Log/010_Flow_control/001_Configuring_flow_control#example-sizing-parameters-for-flow-control
+    max-connections(100)
+    log-fetch-limit(100)
+    log-iw-size({{ 100 * 100 }})
+
+    flags(empty-lines)
+    time-zone(UTC)
+  );
+};
+
+destination d_file {
+  file(
+    # TODO(https://github.com/syslog-ng/syslog-ng/issues/4978): Remove
+    # .tls.x509_cn macros below.
+    "/srv/logs/current/${R_YEAR}-${R_MONTH}-${R_DAY}.${.tls.x509_cn:-unknown}.log"
+    owner(syslog-ng)
+    group(adm)
+    perm(0640)
+    local-time-zone(UTC)
+    ts-format(iso)
+    {%- set d_file_json_args = (
+        '--key=.SDATA.*',
+        '--key=FACILITY',
+        '--key=HOST',
+        '--key=LOGHOST',
+        '--key=MESSAGE',
+        '--key=MSGID',
+        '--key=PID',
+        '--key=PRIORITY',
+        '--key=PROGRAM',
+        '--key=R_ISODATE',
+        '--key=SEQNUM',
+        '--key=SOURCEIP',
+        '--key=S_ISODATE',
+        '--key=TAGS',
+        '--pair=HOST_FROM=\\"${.tls.x509_cn}\\"',
+    ) %}
+    template("$(format-json {{ ' '.join(d_file_json_args) }})\n")
+  );
+};
+
+log {
+  source(s_remote);
+  destination(d_file);
+  flags(flow-control);
+};
diff --git a/salt/file/top.sls b/salt/file/top.sls
@@ -80,6 +80,9 @@ base:
   'G@role:irc:bouncer':
   - irc.bouncer
 
+  'G@role:log:server':
+  - log.server
+
   'G@role:mail:inbound':
   - mail.inbound