More logcheck-database tweaks.

1 files changed, 5 insertions, 1 deletions

diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 472bb3b..3215ebe 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -1,42 +1,46 @@
 - name: Install logging server & utilities
   apt: pkg={{ item }}
   with_items:
     - rsyslog
     - syslog-summary
     - logcheck
     - logcheck-database
     - logrotate
 
 - name: Start rsyslog
   service: name=rsyslog state=started
   tags:
     - syslog
 
 - name: Configure logcheck
   copy: src=etc/logcheck/{{ item }}
         dest=/etc/logcheck/{{ item }}
         owner=root group=logcheck
-        mode=0640
+        mode=0644
   with_items:
     - logcheck.conf
     - ignore.d.server/common-local
     - ignore.d.server/dovecot-local
     - ignore.d.server/postfix-local
+    # logcheck-sudo already exists, but changing the filename for our
+    # local modifications would defeat the ruleset
     - violations.ignore.d/logcheck-sudo
+  tags:
+    - logcheck
 
 - name: Minimal logging policy (1)
   lineinfile: dest=/etc/logrotate.d/rsyslog
               regexp="^/var/log/mail.(log|info)$"
               state=absent
 
 - name: Minimal logging policy (2)
   copy: src=etc/logrotate.d/fripost-mail
         dest=/etc/logrotate.d/fripost-mail
         owner=root group=root
         mode=0644
   tags:
     - logrotate
 
 # TODO: We also have specialized per-role logcheck rulesets, per-role
 # logrotate configuration (/etc/logrotate.d), and per-role rsyslog
 # configuration (/etc/rsyslog.d).