diff --git a/README.md b/README.md
index c906c314..1ffe0634 100644
--- a/README.md
+++ b/README.md
@@ -115,11 +115,13 @@ This is a schematic logging configuration to show log messages from input_nameA
 **available options**
 - `udp_ports`: List of UDP port numbers to listen. Default to `514`.
 - `tcp_ports`: List of TCP port numbers to listen. Default to `514`.
- - `pki`: Set to `tls` to use the `tls` enabled connection. Default to None.
+ - `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`.
 - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`.
 - `permitted_clients`: List of hostnames, IP addresses, fingerprints(sha1), and wildcard DNS domains which will be allowed by the `logging` server to connect and send logs over TLS. Default to `['*.{{ logging_domain }}']`
- There are 3 type of items in the remote type - udp, plain tcp and tls tcp. The udp type contains `udp_ports`; the plain tcp type contains `tcp_ports` but no `pki: tls`; the tls tcp type contains tcp_ports as well as `pki: tls`. Please note that it is not allowed for them to be conflicted. I.e., if there are 2 udp type items, it fails to deploy.
+ There are 3 type of items in the remote type - udp, plain tcp and tls tcp. The udp type contains `udp_ports`; the plain tcp type contains `tcp_ports` but no `tls: true`; the tls tcp type contains tcp_ports as well as `tls: true`. Please note that it is not allowed for them to be conflicted. I.e., if there are 2 udp type items, it fails to deploy.
+
+ Sample valid configuration
 ```
 - name: remote_udp
 type: remote
@@ -130,7 +132,7 @@ This is a schematic logging configuration to show log messages from input_nameA
 - name: remote_tcp
 type: remote
 tcp_ports: [6514, ...]
- pki: tls
+ tls: true
 pki_authmode: x509/name
 permitted_clients: ['*.example.com']
 ```
@@ -184,7 +186,7 @@ This is a schematic logging configuration to show log messages from input_nameA
 - `target`: Target host (fqdn). **Required**.
 - `udp_port`: UDP port number. Default to `514`.
 - `tcp_port`: TCP port number. Default to `514`.
- - `pki`: Set to `tls` to use the `tls` enabled connection. Default to None.
+ - `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`.
 - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`.
 - `permitted_server`: Hostname, IP address, fingerprint(sha1) or wildcard DNS domain of the server which this client will be allowed to connect and send logs over TLS. Default to `*.{{ logging_domain }}`
diff --git a/roles/rsyslog/tasks/inputs/remote/main.yml b/roles/rsyslog/tasks/inputs/remote/main.yml
index 44568b37..adffb614 100644
--- a/roles/rsyslog/tasks/inputs/remote/main.yml
+++ b/roles/rsyslog/tasks/inputs/remote/main.yml
@@ -4,19 +4,23 @@
 - name: Ensure Remote inputs contain no conflict connection type
 fail:
 msg: "Error: {{ item.0.name }} and {{ item.1.name }} conflict."
- loop: "{{ [__logging_remote_udp, __logging_remote_tcp, __logging_remote_tls] }}"
+ loop: "{{ [__logging_remote_udp, __logging_remote_ptcp, __logging_remote_tlstcp] }}"
 when:
 - item | length > 1
 vars:
- __logging_remote_udp: "{{ logging_inputs | selectattr('type', '==', 'remote') |
+ __logging_remote: "{{ logging_inputs | selectattr('type', '==', 'remote') | list }}"
+ __logging_remote_udp: "{{ __logging_remote |
 selectattr('udp_ports', 'defined') | list }}"
- __logging_remote_tcp: "{{ logging_inputs | selectattr('type', '==', 'remote') |
- selectattr('tcp_ports', 'defined') |
- selectattr('pki', 'undefined') | list }}"
- __logging_remote_tls: "{{ logging_inputs | selectattr('type', '==', 'remote') |
- selectattr('tcp_ports', 'defined') |
- selectattr('pki', 'defined') |
- selectattr('pki', '==', 'tls') | list }}"
+ __logging_remote_tcp: "{{ __logging_remote |
+ selectattr('tcp_ports', 'defined') | list }}"
+ __logging_remote_tls: "{{ __logging_remote_tcp |
+ selectattr('tls', 'defined') | list }}"
+ __logging_remote_ptcp: "{{ __logging_remote_tcp |
+ selectattr('tls', 'undefined') | list }} +
+ {{ __logging_remote_tls |
+ selectattr('tls', 'false') | list }}"
+ __logging_remote_tlstcp: "{{ __logging_remote_tls |
+ selectattr('tls', 'true') | list }}"
 - name: Install/Update remote input packages and generate configuration files in /etc/rsyslog.d
 vars:
diff --git a/roles/rsyslog/tasks/main.yml b/roles/rsyslog/tasks/main.yml
index 8b5a8417..9e30c5b1 100644
--- a/roles/rsyslog/tasks/main.yml
+++ b/roles/rsyslog/tasks/main.yml
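Review bot: `__logging_remote_ptcp` is built as `{{ … }} + {{ … }}`, two separate expressions whose rendered lists are joined by a literal ` + `, so the value is only a list if Ansible happens to re-parse the rendered string; where it does not, `item | length > 1` measures a string and the conflict check misfires. Doing the concatenation inside one expression avoids that: `__logging_remote_ptcp: "{{ (__logging_remote_tcp | selectattr('tls', 'undefined') | list) + (__logging_remote_tls | selectattr('tls', '==', false) | list) }}"`. The `'true'`/`'false'` tests used here and in the `__logging_forwards_tls`/`__logging_remote_tls` vars of roles/rsyslog/tasks/main.yml are, as far as I know, only present in newer Jinja2 releases, whereas the `'==', true` form the removed `pki` lines already relied on works everywhere; `__logging_remote_tlstcp` would become `selectattr('tls', '==', true) | list`. Note also that an item whose `tls` is a string such as `'yes'` matches neither test, so it drops out of the conflict check while the templates' `| bool` still treat it as TLS; either state in the README that `tls` must be a YAML boolean or normalise it here.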
@@ -209,12 +209,12 @@
 vars:
 __logging_forwards_tls: "{{ logging_outputs | selectattr('type', '==', 'forwards') |
- selectattr('pki', 'defined') |
- selectattr('pki', '==', 'tls') | list }}"
+ selectattr('tls', 'defined') |
+ selectattr('tls', 'true') | list }}"
 __logging_remote_tls: "{{ logging_inputs | selectattr('type', '==', 'remote') |
 selectattr('tcp_ports', 'defined') |
- selectattr('pki', 'defined') |
- selectattr('pki', '==', 'tls') | list }}"
+ selectattr('tls', 'defined') |
+ selectattr('tls', 'true') | list }}"
 when:
 - __rsyslog_enabled | bool
diff --git a/roles/rsyslog/templates/input_remote.j2 b/roles/rsyslog/templates/input_remote.j2
index 9dd55b45..fa3f8d25 100644
--- a/roles/rsyslog/templates/input_remote.j2
+++ b/roles/rsyslog/templates/input_remote.j2
@@ -15,7 +15,7 @@ input(name="{{ item.name }}" type="imudp" port=["{{ item.udp_ports | join('","')
 {% endfor %}
 {% for tport in item.tcp_ports | d([]) %}
 {% set __logging_loop_index = loop.index %}
-{% if item.pki | d() != 'tls' %}
+{% if not item.tls | d(false) | bool %}
 # Log messages from remote hosts over plain TCP
 input(name="{{ item.name }}_{{ __logging_loop_index }}" type="imptcp" port="{{ tport }}")
 {% else %}
diff --git a/roles/rsyslog/templates/input_remote_module.j2 b/roles/rsyslog/templates/input_remote_module.j2
index 560efbb3..55406d51 100644
--- a/roles/rsyslog/templates/input_remote_module.j2
+++ b/roles/rsyslog/templates/input_remote_module.j2
@@ -4,7 +4,7 @@
 module(load="imudp" threads="{{ logging_udp_threads }}" TimeRequery="{{ logging_udp_system_time_requery }}" BatchSize="{{ logging_udp_batch_size }}")
 {% elif item.tcp_ports is defined %}
-{% if item.pki | d() != 'tls' %}
+{% if not item.tls | d(false) | bool %}
 # Read messages sent over plain TCP
 module(load="imptcp" threads="{{ logging_tcp_threads }}")
 {% else %}
diff --git a/roles/rsyslog/templates/output_forwards.j2 b/roles/rsyslog/templates/output_forwards.j2
index d286a061..61254ee0 100644
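Review bot: An inventory that still sets `pki: tls` is now silently downgraded to plain TCP: neither the `__logging_forwards_tls`/`__logging_remote_tls` filters in this hunk nor the templates (`item.tls | d(false) | bool`) reject the old key, so a forward that used to carry `StreamDriver` renders as a cleartext `omfwd` and a former TLS listener renders as `imptcp`, with no error from the role. Since the README advertised `pki` as the option until this commit, a fail-fast task next to this vars block would turn that into a deploy failure rather than a silent plaintext fallback. The task below iterates the same two lists this hunk already filters; the enclosing task list continues outside the hunk.
```yaml
- name: Fail if the removed pki option is still used
  fail:
    msg: "{{ item.name }}: 'pki: tls' was replaced by 'tls: true'"
  loop: "{{ (logging_outputs | selectattr('type', '==', 'forwards') | list)
            + (logging_inputs | selectattr('type', '==', 'remote') | list) }}"
  when: item.pki is defined
# … unchanged: __logging_forwards_tls / __logging_remote_tls vars and when …
```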
--- a/roles/rsyslog/templates/output_forwards.j2
+++ b/roles/rsyslog/templates/output_forwards.j2
@@ -16,7 +16,7 @@ ruleset(name="{{ item.name }}") {
 {% endif %}
 type="omfwd"
 Target="{{ item.target }}"
-{% if item.pki | d() == "tls" %}
+{% if item.tls | d(false) | bool %}
 StreamDriver="{{ __rsyslog_tls_netstream_driver }}"
 StreamDriverMode="1"
 StreamDriverAuthMode="{{ item.pki_authmode | d(__rsyslog_default_pki_authmode) }}"
diff --git a/tests/tests_basics_forwards_cacert.yml b/tests/tests_basics_forwards_cacert.yml
index c786f652..779befbf 100644
--- a/tests/tests_basics_forwards_cacert.yml
+++ b/tests/tests_basics_forwards_cacert.yml
@@ -53,7 +53,7 @@
 severity: info
 target: host.domain
 tcp_port: 1514
- pki: tls
+ tls: true
 pki_authmode: anon
 permitted_server: '*.example.com'
 logging_inputs:
diff --git a/tests/tests_basics_forwards_cert.yml b/tests/tests_basics_forwards_cert.yml
index d0b56b50..e27e016d 100644
--- a/tests/tests_basics_forwards_cert.yml
+++ b/tests/tests_basics_forwards_cert.yml
@@ -67,7 +67,7 @@
 severity: info
 target: host.domain
 tcp_port: 1514
- pki: tls
+ tls: true
 permitted_server: '*.example.com'
 logging_inputs:
 - name: basic_input
diff --git a/tests/tests_basics_forwards_cert_missing.yml b/tests/tests_basics_forwards_cert_missing.yml
index 074f61fb..3e828566 100644
--- a/tests/tests_basics_forwards_cert_missing.yml
+++ b/tests/tests_basics_forwards_cert_missing.yml
@@ -40,7 +40,7 @@
 facility: local1
 severity: info
 target: host.domain
- pki: tls
+ tls: true
 tcp_port: 1514
 logging_inputs:
 - name: basic_input
diff --git a/tests/tests_server.yml b/tests/tests_server.yml
index a0ce84e6..cdd9d1ab 100644
--- a/tests/tests_server.yml
+++ b/tests/tests_server.yml
@@ -43,14 +43,14 @@
 - name: remote_tcp
 type: remote
 tcp_ports: [6514, 40000, 40001]
- pki: tls
+ tls: true
 pki_authmode: x509/name
 permitted_clients:
 - '*.client.com'
 - '*.example.com'
 - name: remote_ptcp
 type: remote
- tcp_ports: [514, 40010, 40011]
+ tcp_ports: [514, 40010, 40011, 40012]
 - name: remote_udp
 type: remote
 udp_ports: [514, 40020]
diff --git a/tests/tests_server_conflict.yml b/tests/tests_server_conflict.yml
index 48dda912..36eeeb79 100644
--- a/tests/tests_server_conflict.yml
+++ b/tests/tests_server_conflict.yml
@@ -44,7 +44,7 @@
 - name: remote_tcp_0
 type: remote
 tcp_ports: [6514, 40000, 40001]
- pki: tls
+ tls: true
 pki_authmode: x509/name
 permitted_clients:
 - '*.client.com'
@@ -52,7 +52,7 @@
 - name: remote_tcp_1
 type: remote
 tcp_ports: [514, 40010, 40011]
- pki: tls
+ tls: true
 - name: remote_udp
 type: remote
 udp_ports: [514, 40020]
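Review bot: The explicit `tls: false` branch that roles/rsyslog/tasks/inputs/remote/main.yml now adds to `__logging_remote_ptcp` (`selectattr('tls', 'false')`) is not exercised by any test file in this diff; every tcp item here either sets `tls: true` or omits the key. Adding `tls: false` to the `remote_ptcp` item in this hunk, next to its `tcp_ports` line, would cover the explicit-false classification and the templates' `| bool` path in one go. The plain-tcp conflict case, one item with `tls: false` and one without `tls`, is likewise untested in tests_server_conflict.yml, which only checks two `tls: true` items.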