path: root/roles/common/tasks/logging.yml
blob: 2b4a42a2d58d2e67026c2349a5e4ecd970449a5e (plain)
# Install the syslog daemon plus the log-review (logcheck) and rotation
# (logrotate) packages that the remaining tasks in this file configure.
# No `state` is given, so the apt module's default applies.
- name: Install logging server & utilities
  apt:
    pkg: "{{ packages }}"
  vars:
    packages:
      - rsyslog
      - logcheck
      - logcheck-database
      - logrotate

# Ship the main rsyslog configuration as a static file, root-owned and not
# writable by anyone else. The result is kept in `r1` so the "Start rsyslog"
# task can tell whether a restart has already been requested.
# NOTE(review): nothing checks the file before it replaces the live one; a
# syntax error would only surface when the handler restarts the daemon, and
# the host may then stop logging. Consider copy's `validate` option with
# rsyslogd's config-check mode (e.g. `rsyslogd -N1 -f %s`) - confirm it works
# with this configuration before enabling.
- name: Configure rsyslog
  copy:
    src: etc/rsyslog.conf
    dest: /etc/rsyslog.conf
    owner: root
    group: root
    # Quoted so the mode stays the string "0644" and is not re-typed by YAML.
    mode: "0644"
  register: r1
  notify:
    - Restart rsyslog
  tags:
    - syslog

# Render the postfix-specific rsyslog drop-in from its Jinja2 template. The
# result is kept in `r2`; like the main configuration, a change requests a
# restart of rsyslog through the handler.
- name: Configure postfix's custom rsyslog rules
  template:
    src: etc/rsyslog.d/postfix.conf.j2
    dest: /etc/rsyslog.d/postfix.conf
    owner: root
    group: root
    # Quoted so the mode stays the string "0644" and is not re-typed by YAML.
    mode: "0644"
  register: r2
  notify:
    - Restart rsyslog
  tags:
    - syslog

# Make sure rsyslog is running when neither configuration task changed
# anything. When one of them did change, this task is skipped and the
# notified "Restart rsyslog" handler is relied on instead.
# NOTE(review): the handler is defined outside this file; it is presumably a
# restart that also starts a stopped service - confirm.
- name: Start rsyslog
  service:
    name: rsyslog
    state: started
  when: not (r1.changed or r2.changed)
  tags:
    - syslog

# Run pending handlers now rather than at the end of the play, so a requested
# rsyslog restart happens before the logcheck and logrotate tasks below.
- meta: flush_handlers

# Install logcheck's main configuration and the site-local rule files, one
# copy per item, preserving the relative path under /etc/logcheck.
# The ignore.d.server/* and violations.ignore.d/* files are suppression rules:
# a line matching one of them is left out of logcheck's reports, so any change
# to those source files deserves the same review as a detection rule.
# NOTE(review): these files are installed world-readable (0644) while
# logcheck.logfiles below uses 0640 - confirm the difference is intended.
- name: Configure logcheck (1)
  copy:
    src: "etc/logcheck/{{ item }}"
    dest: "/etc/logcheck/{{ item }}"
    owner: root
    group: logcheck
    mode: "0644"
  with_items:
    - logcheck.conf
    - ignore.d.server/common-local
    - ignore.d.server/dovecot-local
    - ignore.d.server/postfix-local
    - ignore.d.server/strongswan-local
    # logcheck-sudo already exists, but changing the filename for our
    # local modifications would defeat the ruleset
    - violations.ignore.d/logcheck-sudo
  tags:
    - logcheck

# Ensure each listed log file is named in logcheck.logfiles, creating the file
# if it does not exist. lineinfile with state=present only adds missing lines:
# entries already in the file, including ones not listed here, are left alone.
- name: Configure logcheck (2)
  lineinfile:
    dest: /etc/logcheck/logcheck.logfiles
    line: "{{ item }}"
    state: present
    create: true
    owner: root
    group: logcheck
    # Readable by root and the logcheck group only.
    mode: "0640"
  with_items:
    - /var/log/syslog
    - /var/log/auth.log
    - /var/log/mail.log
  tags:
    - logcheck

# Remove from /etc/logrotate.d/rsyslog the lines that match the regexp below
# (the /var/log/mail.log, mail.info and mail.sasl entries), and set the file's
# owner, group and mode.
# Presumably this hands rotation of the mail logs over to the fripost-mail
# rules installed by the next task - confirm against that file.
# NOTE(review): the doubled backslash is written for the key=value argument
# form used here; re-check the escaping if this task is ever converted to
# native YAML arguments.
# NOTE(review): unlike "Minimal logging policy (2)" this task has no
# `logrotate` tag of its own, so a run limited to that tag would skip it
# unless a tag is inherited from the including play or role - confirm that
# is intended.
- name: Minimal logging policy (1)
  lineinfile: dest=/etc/logrotate.d/rsyslog
              regexp="^/var/log/mail\\.(log|info|sasl)$"
              state=absent
              owner=root group=root
              mode=0644

# Install the project's own logrotate rules for the mail logs as a static,
# root-owned file. The retention it enforces is set in the source file, which
# is not part of this task list.
- name: Minimal logging policy (2)
  copy:
    src: etc/logrotate.d/fripost-mail
    dest: /etc/logrotate.d/fripost-mail
    owner: root
    group: root
    # Quoted so the mode stays the string "0644" and is not re-typed by YAML.
    mode: "0644"
  tags:
    - logrotate