diff --git a/basics.yml b/basics.yml index f203556..bfcb260 100644 --- a/basics.yml +++ b/basics.yml @@ -429,14 +429,192 @@ notify: - Restart rsyslog - - - name: rsyslog-config local - copy: - src: configs/etc/rsyslog.d/01-services-local.conf - dest: /etc + + - name: /etc/rsyslog.d/01-services-local.conf + blockinfile: + path: /etc/rsyslog.d/00-services-remote.conf + create: yes + mode: "0444" owner: root group: root - mode: "0444" + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + # Additional Socket from chroot + input(type="imuxsock" HostName="vpn-share" Socket="/data-crypt/dev/log" CreatePath="on") + input(type="imuxsock" HostName="share" Socket="/data-crypt/share/dev/log" CreatePath="on") + # Auth success (for share-auth 2FA) + if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log + if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log + # Nextcloud + if $msg contains '","level":0,"time":"' and $programname contains 'nextcloud' then stop + if $msg contains '","level":1,"time":"' and $programname contains 'nextcloud' then stop + if $programname == 'nextcloud' then /var/log/nextcloud.log + if $programname == 'nextcloud' then stop + if $programname == 'nextcloud-audit' then /var/log/nextcloud.log + if $programname == 'nextcloud-audit' then stop + if $programname == 'nextcloud-test' then /var/log/nextcloud-test.log + if $programname == 'nextcloud-test' then stop + if $programname == 'nextcloud-test-audit' then /var/log/nextcloud-test.log + if $programname == 'nextcloud-test-audit' then stop + # USV + if $programname == 'apcupsd' and $syslogseverity <= '6' then /var/log/usv-apcupsd.log + if $programname == 'apcupsd' then stop + # SMART HDD Überwachung + if $programname == 'smartd' and $syslogseverity <= '6' then /var/log/smartd.log + if $programname == 'smartd' then stop + # SSH TUNNEL + if $programname == 'sshd-tunnel' and $syslogseverity <= '6' then /var/log/sshd-tunnel.log + if $programname == 'sshd-tunnel' then stop + # SSH SFTP + if $programname == 'sshd-sftp' and $syslogseverity <= '6' then /var/log/sshd-sftp.log + if $programname == 'sshd-sftp' then stop + # SSH Share + if $programname == 'sshd' and $syslogfacility-text == 'local7' then /var/log/sshd-share.log + if $programname == 'sshd' and $syslogfacility-text == 'local7' then stop + # firewall + if $programname == 'kernel' and $msg contains 'PROTO' then /var/log/firewall.log + if $programname == 'kernel' and $msg contains 'PROTO' then stop + # SSH rsyncbackup + if $programname == 'sshd-rsyncbackup' and $syslogseverity <= '6' then /var/log/sshd-rsyncbackup.log + if $programname == 'sshd-rsyncbackup' then stop + # SSH + if $programname == 'sshd' and $syslogseverity <= '6' then /var/log/sshd.log + if $programname == 'sshd' then stop + # SFTP + if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop + if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop + if $programname == 'internal-sftp' and $msg contains '/.kodi/' then stop + if $programname == 'internal-sftp' then /var/log/sftpaccess.log + if $programname == 'internal-sftp' then stop + # Cron + if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log + if $programname == 'cron' then stop + if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log + if $programname == 'run-crons' then stop + if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log + if $programname == 'crontab' then stop + # rsync + if $programname == 'rsyncd' and $syslogseverity <= '6' then /var/log/rsyncd.log + if $programname == 'rsyncd' then stop + # DNS + if $programname == 'named' and $msg contains ' 127.0.0.1#' then stop + if $programname == 'named' and $msg contains ': sending notifies' then stop + if $programname == 'named' and $msg contains ' loaded serial ' then stop + if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log + if $programname == 'named' then stop + # DHCP + if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log + if $programname == 'dhcpd' then stop + # NFS + if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log + if $programname == 'rpc.mountd' then stop + if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log + if $programname == 'rpc.idmapd' then stop + if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log + if $programname == 'rpc.statd' then stop + if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log + if $programname == 'rpcbind' then stop + # NTP + if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log + if $programname == 'ntpd' then stop + if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log + if $programname == 'ntpdate' then stop + # Mail + if $msg contains 'auxpropfunc error invalid parameter supplied' then stop + if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop + if $msg contains 'seen_db: user ' then stop + if $msg contains 'SQUAT ' then stop + if $msg contains 'indexing mailbox ' then stop + if $msg contains 'fetching user_deny.db' then stop + if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'lmtpunix' then stop + if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'imap' then stop + if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'imaps' then stop + if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'master' then stop + if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'ctl_cyrusdb' then stop + if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'pop3' then stop + if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'pop3s' then stop + if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'squatter' then stop + if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'tls_prune' then stop + if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'cyr_expire' then stop + if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'sieve' then stop + if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'deliver' then stop + if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'ipurge' then stop + if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'saslauthd' then stop + if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'amavis' then stop + if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'clamd' then stop + if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'freshclam' then stop + if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'fetchmail' then stop + if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'spamd' then stop + if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname contains 'postfix' then stop + if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'reconstruct' then stop + if $programname == 'policyd-spf' and $syslogseverity <= '6' then /var/log/maillog.log + if $programname == 'policyd-spf' then stop + # slapd + if $programname == 'slapd' then /var/log/slapd.log + if $programname == 'slapd' then stop + # PulseAudio + if $programname == 'pulseaudio' and $msg contains 'Denied access to client with invalid authentication data' then stop + if $programname == 'pulseaudio' then /var/log/pulseaudio.log + if $programname == 'pulseaudio' then stop + # hostapd + if $programname == 'hostapd' then /var/log/hostapd.log + if $programname == 'hostapd' then stop + # nscd + if $programname == 'nscd' then /var/log/nscd.log + if $programname == 'nscd' then stop + # arpwatch + if $programname == 'arpwatch' then /var/log/arpwatch.log + if $programname == 'arpwatch' then stop + # X + if $programname == 'mate-session' then /var/log/x.log + if $programname == 'mate-session' then stop + if $programname == 'Tor' then /var/log/x.log + if $programname == 'Tor' then stop + # xinetd + if $programname == 'xinetd' then /var/log/xinetd.log + if $programname == 'xinetd' then stop + # in.tftp + if $programname == 'in.tftpd' then /var/log/in.tftpd.log + if $programname == 'in.tftpd' then stop + # pppd + if $programname == 'dhcpcd' then /var/log/pppd.log + if $programname == 'dhcpcd' then stop + if $programname == 'radvd' then /var/log/pppd.log + if $programname == 'radvd' then stop + if $programname == 'pppd' then /var/log/pppd.log + if $programname == 'pppd' then stop + # wlan + if $programname == 'wpa_cli' then /var/log/messages + if $programname == 'wpa_cli' then stop + # cups + if $programname == 'cupsd' then /var/log/cupsd.log + if $programname == 'cupsd' then stop + # bash scripts using g-lib + if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log + if $programname contains 'g_bash-script' then stop + # Rest in messages + *.* /var/log/messages backup: yes notify: - Restart rsyslog