olli/debian.ansible.basics
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rsyslog in yml

Browse Source
This commit is contained in:
olli 2022-07-06 15:47:33 +02:00
parent 7a8dbb6456
commit 93ce462794
1 changed files with 184 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

190
basics.yml
View File

@ -429,14 +429,192 @@
notify: notify:
- Restart rsyslog - Restart rsyslog
- name: rsyslog-config local - name: /etc/rsyslog.d/01-services-local.conf
copy: blockinfile:
src: configs/etc/rsyslog.d/01-services-local.conf path: /etc/rsyslog.d/00-services-remote.conf
dest: /etc create: yes
mode: "0444"
owner: root owner: root
group: root group: root
mode: "0444" marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
# Additional Socket from chroot
input(type="imuxsock" HostName="vpn-share" Socket="/data-crypt/dev/log" CreatePath="on")
input(type="imuxsock" HostName="share" Socket="/data-crypt/share/dev/log" CreatePath="on")
# Auth success (for share-auth 2FA)
if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log
if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log
# Nextcloud
if $msg contains '","level":0,"time":"' and $programname contains 'nextcloud' then stop
if $msg contains '","level":1,"time":"' and $programname contains 'nextcloud' then stop
if $programname == 'nextcloud' then /var/log/nextcloud.log
if $programname == 'nextcloud' then stop
if $programname == 'nextcloud-audit' then /var/log/nextcloud.log
if $programname == 'nextcloud-audit' then stop
if $programname == 'nextcloud-test' then /var/log/nextcloud-test.log
if $programname == 'nextcloud-test' then stop
if $programname == 'nextcloud-test-audit' then /var/log/nextcloud-test.log
if $programname == 'nextcloud-test-audit' then stop
# USV
if $programname == 'apcupsd' and $syslogseverity <= '6' then /var/log/usv-apcupsd.log
if $programname == 'apcupsd' then stop
# SMART HDD Überwachung
if $programname == 'smartd' and $syslogseverity <= '6' then /var/log/smartd.log
if $programname == 'smartd' then stop
# SSH TUNNEL
if $programname == 'sshd-tunnel' and $syslogseverity <= '6' then /var/log/sshd-tunnel.log
if $programname == 'sshd-tunnel' then stop
# SSH SFTP
if $programname == 'sshd-sftp' and $syslogseverity <= '6' then /var/log/sshd-sftp.log
if $programname == 'sshd-sftp' then stop
# SSH Share
if $programname == 'sshd' and $syslogfacility-text == 'local7' then /var/log/sshd-share.log
if $programname == 'sshd' and $syslogfacility-text == 'local7' then stop
# firewall
if $programname == 'kernel' and $msg contains 'PROTO' then /var/log/firewall.log
if $programname == 'kernel' and $msg contains 'PROTO' then stop
# SSH rsyncbackup
if $programname == 'sshd-rsyncbackup' and $syslogseverity <= '6' then /var/log/sshd-rsyncbackup.log
if $programname == 'sshd-rsyncbackup' then stop
# SSH
if $programname == 'sshd' and $syslogseverity <= '6' then /var/log/sshd.log
if $programname == 'sshd' then stop
# SFTP
if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop
if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop
if $programname == 'internal-sftp' and $msg contains '/.kodi/' then stop
if $programname == 'internal-sftp' then /var/log/sftpaccess.log
if $programname == 'internal-sftp' then stop
# Cron
if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'cron' then stop
if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'run-crons' then stop
if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'crontab' then stop
# rsync
if $programname == 'rsyncd' and $syslogseverity <= '6' then /var/log/rsyncd.log
if $programname == 'rsyncd' then stop
# DNS
if $programname == 'named' and $msg contains ' 127.0.0.1#' then stop
if $programname == 'named' and $msg contains ': sending notifies' then stop
if $programname == 'named' and $msg contains ' loaded serial ' then stop
if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
if $programname == 'named' then stop
# DHCP
if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log
if $programname == 'dhcpd' then stop
# NFS
if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.mountd' then stop
if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.idmapd' then stop
if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.statd' then stop
if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpcbind' then stop
# NTP
if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpd' then stop
if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpdate' then stop
# Mail
if $msg contains 'auxpropfunc error invalid parameter supplied' then stop
if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop
if $msg contains 'seen_db: user ' then stop
if $msg contains 'SQUAT ' then stop
if $msg contains 'indexing mailbox ' then stop
if $msg contains 'fetching user_deny.db' then stop
if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'lmtpunix' then stop
if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imap' then stop
if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imaps' then stop
if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'master' then stop
if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ctl_cyrusdb' then stop
if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3' then stop
if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3s' then stop
if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'squatter' then stop
if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'tls_prune' then stop
if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'cyr_expire' then stop
if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'sieve' then stop
if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'deliver' then stop
if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ipurge' then stop
if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'saslauthd' then stop
if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'amavis' then stop
if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'clamd' then stop
if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'freshclam' then stop
if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'fetchmail' then stop
if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'spamd' then stop
if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname contains 'postfix' then stop
if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'reconstruct' then stop
if $programname == 'policyd-spf' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'policyd-spf' then stop
# slapd
if $programname == 'slapd' then /var/log/slapd.log
if $programname == 'slapd' then stop
# PulseAudio
if $programname == 'pulseaudio' and $msg contains 'Denied access to client with invalid authentication data' then stop
if $programname == 'pulseaudio' then /var/log/pulseaudio.log
if $programname == 'pulseaudio' then stop
# hostapd
if $programname == 'hostapd' then /var/log/hostapd.log
if $programname == 'hostapd' then stop
# nscd
if $programname == 'nscd' then /var/log/nscd.log
if $programname == 'nscd' then stop
# arpwatch
if $programname == 'arpwatch' then /var/log/arpwatch.log
if $programname == 'arpwatch' then stop
# X
if $programname == 'mate-session' then /var/log/x.log
if $programname == 'mate-session' then stop
if $programname == 'Tor' then /var/log/x.log
if $programname == 'Tor' then stop
# xinetd
if $programname == 'xinetd' then /var/log/xinetd.log
if $programname == 'xinetd' then stop
# in.tftp
if $programname == 'in.tftpd' then /var/log/in.tftpd.log
if $programname == 'in.tftpd' then stop
# pppd
if $programname == 'dhcpcd' then /var/log/pppd.log
if $programname == 'dhcpcd' then stop
if $programname == 'radvd' then /var/log/pppd.log
if $programname == 'radvd' then stop
if $programname == 'pppd' then /var/log/pppd.log
if $programname == 'pppd' then stop
# wlan
if $programname == 'wpa_cli' then /var/log/messages
if $programname == 'wpa_cli' then stop
# cups
if $programname == 'cupsd' then /var/log/cupsd.log
if $programname == 'cupsd' then stop
# bash scripts using g-lib
if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
if $programname contains 'g_bash-script' then stop
# Rest in messages
*.* /var/log/messages
backup: yes backup: yes
notify: notify:
- Restart rsyslog - Restart rsyslog