From ee4345cfc93747587608f0a87497123a6cacb946 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 30 Jun 2014 03:34:50 +0200 Subject: Log SASL usernames for longer, but don't include mail.log into syslog. --- roles/common/files/etc/logrotate.d/fripost-mail | 17 +++ roles/common/files/etc/rsyslog.conf | 130 +++++++++++++++++++++ roles/common/handlers/main.yml | 3 + roles/common/tasks/logging.yml | 31 ++++- .../common/templates/etc/rsyslog.d/postfix.conf.j2 | 17 +++ 5 files changed, 193 insertions(+), 5 deletions(-) create mode 100644 roles/common/files/etc/rsyslog.conf create mode 100644 roles/common/templates/etc/rsyslog.d/postfix.conf.j2 (limited to 'roles') diff --git a/roles/common/files/etc/logrotate.d/fripost-mail b/roles/common/files/etc/logrotate.d/fripost-mail index 9ed2617..4fc1a85 100644 --- a/roles/common/files/etc/logrotate.d/fripost-mail +++ b/roles/common/files/etc/logrotate.d/fripost-mail @@ -15,3 +15,20 @@ invoke-rc.d rsyslog rotate > /dev/null endscript } + +# Keep a mapping Postfix's message ID -> SASL username for a month, to +# find authors of potential abuse emails (if we are shown the header of +# such emails.) +/var/log/mail.sasl +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf new file mode 100644 index 0000000..4f07d9b --- /dev/null +++ b/roles/common/files/etc/rsyslog.conf @@ -0,0 +1,130 @@ +# /etc/rsyslog.conf Configuration file for rsyslog. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging +$ModLoad imklog # provides kernel logging support +#$ModLoad immark # provides --MARK-- message capability + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Set the default permissions for all log files. +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# +# Where to place spool and state files +# +$WorkDirectory /var/spool/rsyslog + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + + +############### +#### RULES #### +############### + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# + +mail.* -/var/log/mail.log +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# To preserve the privacy of our users, we stop processing relevant log +# entries (eg, we don't put them into /var/log/syslog) that are of +# severity info and lower. Those lines are put into mail.log and +# mail.info for troubleshooting, but those files are rotated frequently. +# XXX: we should improve that: we shouldn't log envelopes and IPs unless +# the mail is bounced, for instance. +if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslogfacility-text == 'mail' and $syslogseverity >= 6 then ~ + +# +# Some standard log files. Log by facility. +# +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +user.* -/var/log/user.log + +# +# Logging for INN news system. +# +news.crit /var/log/news/news.crit +news.err /var/log/news/news.err +news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. +# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +#daemon.*;mail.*;\ +# news.err;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn |/dev/xconsole diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 89e4b6b..1e0a21e 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -26,6 +26,9 @@ # pattern=init as a dummy assumption. service: name=networking pattern=init state=reloaded +- name: Restart rsyslog + service: name=rsyslog state=restarted + - name: Restart ntp service: name=ntp state=restarted diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml index 3215ebe..9430d0b 100644 --- a/roles/common/tasks/logging.yml +++ b/roles/common/tasks/logging.yml @@ -7,11 +7,36 @@ - logcheck-database - logrotate +- name: Configure rsyslog + copy: src=etc/rsyslog.conf + dest=/etc/rsyslog.conf + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart rsyslog + tags: + - syslog + +- name: Configure postfix's custom rsyslog rules + template: src=etc/rsyslog.d/postfix.conf.j2 + dest=/etc/rsyslog.d/postfix.conf + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart rsyslog + tags: + - syslog + - name: Start rsyslog service: name=rsyslog state=started + when: not (r1.changed or r2.changed) tags: - syslog +- meta: flush_handlers + - name: Configure logcheck copy: src=etc/logcheck/{{ item }} dest=/etc/logcheck/{{ item }} @@ -30,7 +55,7 @@ - name: Minimal logging policy (1) lineinfile: dest=/etc/logrotate.d/rsyslog - regexp="^/var/log/mail.(log|info)$" + regexp="^/var/log/mail\\.(log|info|sasl)$" state=absent - name: Minimal logging policy (2) @@ -40,7 +65,3 @@ mode=0644 tags: - logrotate - -# TODO: We also have specialized per-role logcheck rulesets, per-role -# logrotate configuration (/etc/logrotate.d), and per-role rsyslog -# configuration (/etc/rsyslog.d). diff --git a/roles/common/templates/etc/rsyslog.d/postfix.conf.j2 b/roles/common/templates/etc/rsyslog.d/postfix.conf.j2 new file mode 100644 index 0000000..5acb56d --- /dev/null +++ b/roles/common/templates/etc/rsyslog.d/postfix.conf.j2 @@ -0,0 +1,17 @@ +# Create an additional socket in postfix's chroot in order not to break +# mail logging when rsyslog is restarted. If the directory is missing, +# rsyslog will silently skip creating the socket. +$AddUnixListenSocket /var/spool/postfix/dev/log +{% for g in postfix_instance.keys() | sort %} +{% if g in group_names %} +$AddUnixListenSocket /var/spool/postfix-{{ postfix_instance[g].name }}/dev/log +{% endif %} +{% endfor %} + +{% if 'MSA' in group_names %} +# User of our Authenticated SMTP server can choose the envelope from and From: +# header of their choice. As the SASL username is not logged in the mail +# header, we keep a mapping Postfix's message ID -> SASL username in a separate +# log file that is only rotated monthly. +if $programname == 'postfix-msa' and $syslogfacility-text == 'mail' and $msg contains 'sasl_username=' then /var/log/mail.sasl +{% endif %} -- cgit v1.2.3