From c57e7cffdb59a2cfdfc2d79655b7f69963ecc396 Mon Sep 17 00:00:00 2001
From: David Mandelberg
Date: Sun, 26 May 2024 20:11:28 -0400
Subject: [PATCH] Configure log server
---
 salt/file/log/server/init.sls | 106 ++++++++++++++++++++++
 salt/file/log/server/syslog-ng.conf.jinja | 73 +++++++++++++++
 salt/file/top.sls | 3 +
 3 files changed, 182 insertions(+)
 create mode 100644 salt/file/log/server/init.sls
 create mode 100644 salt/file/log/server/syslog-ng.conf.jinja
diff --git a/salt/file/log/server/init.sls b/salt/file/log/server/init.sls
new file mode 100644
index 0000000..3a04c7c
--- /dev/null
+++ b/salt/file/log/server/init.sls
@@ -0,0 +1,106 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{% from 'common/map.jinja' import common %}
+{% from 'crypto/x509/map.jinja' import x509 %}
+{% from 'network/firewall/map.jinja' import nftables %}
+{% from 'virtual_machine/guest/map.jinja' import require_running_on_vm_guest %}
+
+
+{{ require_running_on_vm_guest() }}
+
+
+include:
+- crypto.x509
+- log.syslog_ng
+- network.firewall
+- virtual_machine.guest
+
+
+log_server_pkgs:
+ pkg.installed:
+ - pkgs:
+ - jq # To read json-formatted logs.
+
+
+{{ x509.boilerplate_certificate(
+ name=pillar.log.common.server.name,
+ warning_on_change='Update salt/pillar/log/common.sls',
+ group='syslog-ng',
+ keep_ca_cert=true,
+) }}
+
+
+/srv/logs:
+ test.nop:
+ - require:
+ - /srv/logs is mounted
+ - /srv/logs is backed up
+
+/srv/logs/current:
+ file.directory:
+ - user: syslog-ng
+ - group: adm
+ - mode: 0750
+ - require:
+ - /srv/logs
+ - syslog-ng user and group
+
+
+/etc/syslog-ng/conf.d/server-ca-certs.pem:
+ file.managed:
+ - user: root
+ - group: syslog-ng
+ - mode: 0640
+ - contents: |
+ {%- for peer_name, peer in pillar.log.server.clients | dictsort %}
+ {{ peer.ca_certificate | indent(6) }}
+ {%- endfor %}
+ - require:
+ - /etc/syslog-ng/conf.d exists
+ - require_in:
+ - /etc/syslog-ng/conf.d is clean
+ - watch_in:
+ - syslog_ng_running
+
+/etc/syslog-ng/conf.d/server.conf:
+ file.managed:
+ - user: root
+ - group: syslog-ng
+ - mode: 0640
+ - source: salt://log/server/syslog-ng.conf.jinja
+ - template: jinja
+ - require:
+ - /etc/syslog-ng/conf.d exists
+ - {{ common.local_etc }}/x509/{{ pillar.log.common.server.name }}/cert.pem
+ - {{ common.local_etc }}/x509/{{ pillar.log.common.server.name }}/privkey.pem
+ - /etc/syslog-ng/conf.d/server-ca-certs.pem
+ - /srv/logs/current
+ - require_in:
+ - /etc/syslog-ng/conf.d is clean
+ - watch_in:
+ - syslog_ng_running
+
+
+{{ nftables.config_dir }}/50-log-server.conf:
+ file.managed:
+ - contents: |
+ add rule inet filter input tcp dport 6514 accept
+ - require:
+ - create_nftables_config_dir
+ - require_in:
+ - manage_nftables_config_dir
+ - onchanges_in:
+ - warn about firewall changes
diff --git a/salt/file/log/server/syslog-ng.conf.jinja b/salt/file/log/server/syslog-ng.conf.jinja
new file mode 100644
index 0000000..636e518
--- /dev/null
+++ b/salt/file/log/server/syslog-ng.conf.jinja
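Review bot: The nftables rule written to `50-log-server.conf`, `add rule inet filter input tcp dport 6514 accept`, admits TCP/6514 from any source, so client authentication rests entirely on the TLS settings rendered into `server.conf` and the CA bundle in `server-ca-certs.pem`. If the client set is fixed, narrowing the rule by source address would give a second layer; otherwise a comment in the `contents` block such as `# Open to all sources on purpose: clients are authenticated by mutual TLS in server.conf.` records the decision for the next reader. The CA bundle is assembled from every `ca_certificate` under `pillar.log.server.clients`, and nothing in this patch handles revocation, so removing a client from the pillar is the only way to withdraw its access; a one-line comment on that `file.managed` state saying so would be worthwhile.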
@@ -0,0 +1,73 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{%- import 'log/syslog_ng/map.jinja' as syslog_ng %}
+
+
+source s_remote {
+ syslog(
+ ip-protocol(6)
+ {{ syslog_ng.tls_config(
+ is_client=false,
+ local_cert_dir_name=pillar.log.common.server.name,
+ peers=pillar.log.server.clients,
+ ) | indent(4) }}
+
+ # https://syslog-ng.github.io/admin-guide/080_Log/010_Flow_control/001_Configuring_flow_control#example-sizing-parameters-for-flow-control
+ max-connections(100)
+ log-fetch-limit(100)
+ log-iw-size({{ 100 * 100 }})
+
+ flags(empty-lines)
+ time-zone(UTC)
+ );
+};
+
+destination d_file {
+ file(
+ # TODO(https://github.com/syslog-ng/syslog-ng/issues/4978): Remove
+ # .tls.x509_cn macros below.
+ "/srv/logs/current/${R_YEAR}-${R_MONTH}-${R_DAY}.${.tls.x509_cn:-unknown}.log"
+ owner(syslog-ng)
+ group(adm)
+ perm(0640)
+ local-time-zone(UTC)
+ ts-format(iso)
+ {%- set d_file_json_args = (
+ '--key=.SDATA.*',
+ '--key=FACILITY',
+ '--key=HOST',
+ '--key=LOGHOST',
+ '--key=MESSAGE',
+ '--key=MSGID',
+ '--key=PID',
+ '--key=PRIORITY',
+ '--key=PROGRAM',
+ '--key=R_ISODATE',
+ '--key=SEQNUM',
+ '--key=SOURCEIP',
+ '--key=S_ISODATE',
+ '--key=TAGS',
+ '--pair=HOST_FROM=\\"${.tls.x509_cn}\\"',
+ ) %}
+ template("$(format-json {{ ' '.join(d_file_json_args) }})\n")
+ );
+};
+
+log {
+ source(s_remote);
+ destination(d_file);
+ flags(flow-control);
+};
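Review bot: The `file(` path in `d_file` embeds `${.tls.x509_cn}`, a value taken from the connecting peer's certificate, so the set of files created under `/srv/logs/current/` is only as constrained as the CNs that the client CAs listed in `pillar.log.server.clients` will sign; a comment next to that line stating the assumption, e.g. `# CN is trusted because it comes from a client cert chained to a CA in pillar.log.server.clients; CA policy keeps it a plain hostname.`, would make that dependency visible. The `:-unknown` fallback merges every connection without a CN into one shared file, which is only acceptable if `syslog_ng.tls_config(is_client=false, ...)` (defined in log/syslog_ng/map.jinja, outside this patch) requires a client certificate — worth confirming and noting here. Relatedly, the `--pair=HOST_FROM=...` entry deliberately replaces the peer-reported origin with the authenticated CN while `HOST` stays as the client sent it; a one-line comment above the `d_file_json_args` block saying so would stop a later reader from "fixing" it.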
diff --git a/salt/file/top.sls b/salt/file/top.sls index 7314363..12edbe8 100644 --- a/salt/file/top.sls +++ b/salt/file/top.sls @@ -80,6 +80,9 @@ base: 'G@role:irc:bouncer': - irc.bouncer + 'G@role:log:server': + - log.server + 'G@role:mail:inbound': - mail.inbound