rsyslog centralized logging

Samuel Vange

Apr 10, 2017, 4:29:03 PM
to SIMP Users
I'm using SIMP 5.2.0-0 on Red Hat.

I'm trying to enable logging to a centralized SIMP client rsyslog server. I've setup the server and I'm collecting logs from many non-SIMP client sources, but I'm unable to get any SIMP client except for the rsyslog server itself to log remotely to the rsyslog server.

In order to enable the rsyslog server I had to modify .../modules/rsyslog/params.pp to set tcp_logging, tls_tcp_logging, and udp_logging if site::stock::rsyslog::is_server was set to true. This allowed me to gather logs from anything that would send them to me. Please tell me if there is a way to enable this without modifying SIMP Puppet code.

Also, what do I need to do to get my SIMP clients to log to the server?

Thank you!

Jeanne Greulich

Apr 10, 2017, 5:36:30 PM
to SIMP Users
You should be able to set them in hiera

rsyslog::tls_tcp_server: true
rsyslog::tcp_logging: false

add those lines in the hiera yaml file for the servers and the clients where appropriate and it will override the defaults set up in params.pp

Jeanne Greulich

Apr 10, 2017, 5:46:17 PM
to SIMP Users
The instructions for setting up the client for logging to remote servers are in the README in the rsyslog puppet module. Did those not work for you?

Samuel Vange

Apr 11, 2017, 1:23:52 PM
to SIMP Users
Jeanne,

Thanks for the help! Here's how my system is currently configured:

#.../modules/site/manifests/rsyslog_client.pp
# (class names use underscores; hyphens are not valid Puppet class identifiers)
class site::rsyslog_client {
  include '::rsyslog'
  # forward everything (*.*) to the remote log server
  rsyslog::rule::remote { 'send_the_logs':
    rule => '*.*'
  }
}

#.../modules/site/manifests/rsyslog_server.pp
class site::rsyslog_server {
  include '::rsyslog'
  include '::rsyslog::server'

  # one file per sending host, keyed on the hostname in the message
  rsyslog::template::string { 'store_the_logs':
    string => '/var/log/hosts/%HOSTNAME%/everything.log'
  }
}

#.../hieradata/hosts/syslog-server.domain.yaml
simp::rsyslog::stock::is_server: true
# parameters of class rsyslog::server (the keys as posted read syslog::server::...)
rsyslog::server::enable_firewall: true
rsyslog::server::enable_selinux: true
rsyslog::server::enable_tcpwrappers: true

classes:
  - 'simp::rsyslog::stock'
  - 'site::rsyslog_server'

#.../hieradata/default
rsyslog::enable_tls_logging: true
rsyslog::enable_logging: true
rsyslog::enable_pki: true

classes:
  - 'site::rsyslog_client'

#.../hieradata/simp_classes.yaml
classes:
  - 'simp::rsyslog::stock'

#.../hieradata/simp_def.yaml
log_servers:
  - rsyslog-server.domain


To note: I am also pointing several other devices to the rsyslog server and I was unable to actually collect the logs from them until I forced rsyslog::tcp_logging and rsyslog::udp_logging to be true on the rsyslog server (within params.pp or init.pp). The hiera overrides didn't seem to work.

Trevor Vaughan

Apr 11, 2017, 5:43:10 PM
to Samuel Vange, SIMP Users
Hi Samuel,

Can you try setting the following in your log server's Hieradata?

rsyslog::tcp_server: true
rsyslog::tls_tcp_server: true
rsyslog::udp_server: true

Thanks,

Trevor

--
You received this message because you are subscribed to the Google Groups "SIMP Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simp-users+unsubscribe@googlegroups.com.
To post to this group, send email to simp-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simp-users/18a220f0-4016-4151-a071-57fd8ae5c002%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Samuel Vange

Apr 12, 2017, 11:42:48 AM
to SIMP Users, samue...@gmail.com
Trevor,

I've reverted my changes to the SIMP rsyslog code so that it is as it was shipped.

I've also made the changes you suggested:

rsyslog::tcp_server: true
rsyslog::tls_tcp_server: true
rsyslog::udp_server: true

It looks like the ports are opened up and we are receiving logs. One problem solved, thank you.

I still have the issue that I'm not getting any logs in 'log.server:/var/log/hosts' from any SIMP clients except for the log server itself.

Here is my current configuration:

#.../modules/site/manifests/rsyslog_client.pp
# (class names use underscores; hyphens are not valid Puppet class identifiers)
class site::rsyslog_client {
  include '::rsyslog'
  # forward everything (*.*) to the remote log server
  rsyslog::rule::remote { 'send_the_logs':
    rule => '*.*'
  }
}

#.../modules/site/manifests/rsyslog_server.pp
class site::rsyslog_server {
  include '::rsyslog'
  include '::rsyslog::server'

  # one file per sending host, keyed on the hostname in the message
  rsyslog::template::string { 'store_the_logs':
    string => '/var/log/hosts/%HOSTNAME%/everything.log'
  }
}

#.../hieradata/hosts/syslog-server.domain.yaml
simp::rsyslog::stock::is_server: true
# parameters of class rsyslog::server (the keys as posted read syslog::server::...)
rsyslog::server::enable_firewall: true
rsyslog::server::enable_selinux: true
rsyslog::server::enable_tcpwrappers: true
# open the listeners on the server (plain TCP, TLS-over-TCP, UDP)
rsyslog::tcp_server: true
rsyslog::tls_tcp_server: true
rsyslog::udp_server: true

classes:
  - 'simp::rsyslog::stock'
  - 'site::rsyslog_server'

#.../hieradata/default
rsyslog::enable_tls_logging: true
rsyslog::enable_logging: true
rsyslog::enable_pki: true

classes:
  - 'site::rsyslog_client'

#.../hieradata/simp_classes.yaml
classes:
  - 'simp::rsyslog::stock'

#.../hieradata/simp_def.yaml
log_servers:
  - rsyslog-server.domain

Trevor Vaughan

Apr 13, 2017, 9:06:51 PM
to Samuel Vange, SIMP Users
Hi Samuel,

Sorry for taking so long to get back to you.

We did have some bugs in our rsyslog implementation that were fixed and you might need to check the client code, as present in /etc/rsyslog*, to determine exactly why logs aren't being processed.

What you're showing *should* work so I'm not quite sure what's happening here.

Thanks,

Trevor


Samuel Vange

Apr 18, 2017, 10:16:10 AM
to SIMP Users
Thanks Trevor,

I appreciate your help here. I suspect it might be a certificate issue as we're using our own certificates. I've noticed that our certificates do allow Puppet runs to complete, but looking more closely using "openssl s_client", it looks like something might actually be broken. I've noticed that there are rsyslog::pki and rsyslog::enable_tls_logging variables. How can I get rsyslog clients to just log over TCP for now? I imagine it's just a couple of hiera overrides. Can you help me by pointing out which ones?

Thanks again,
Samuel Vange



Trevor Vaughan

Apr 18, 2017, 10:19:17 AM
to Samuel Vange, SIMP Users
Hi Samuel,

You'll just need to turn off the 'tls' related variables in the rsyslog configuration.

There were some bugs in rsyslog that we were working around to get both TLS and non-TLS communications working at the same time that we still have not resolved at this point.

Thanks,

Trevor

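The two checks suggested in this thread, reading the generated client configuration under /etc/rsyslog* to see where and how the client actually forwards, and probing the server's TLS listener the way `openssl s_client -connect host:port -CAfile ca.pem` does, as one added example. This is not SIMP's code and not something anyone in the thread posted; the sample configuration, host names, ports and CA path inside it are constructed for illustration and are not SIMP defaults. The audit also flags exactly the situation Trevor's last reply creates: once the TLS variables are turned off, every forwarding rule that remains is plaintext on the wire.

```python
"""Inspect an rsyslog client's forwarding config and probe the server's TLS port.

Added example; not SIMP's code. The sample config, host names and paths below
are constructed for illustration.
"""
import re
import socket
import ssl

# Constructed sample of what a Puppet-managed /etc/rsyslog.d/ fragment might
# contain. Host names, ports and the CA path are assumptions, not SIMP defaults.
SAMPLE_CLIENT_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/pki/cacerts/cacerts.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name

# legacy rule: @@ is TCP, @ is UDP; TLS comes from the defaults above
*.* @@rsyslog-server.domain:6514

# RainerScript actions: the first forces plaintext TCP, the second is UDP
action(type="omfwd" target="rsyslog-server.domain" port="514" protocol="tcp"
       StreamDriverMode="0")
action(type="omfwd" target="backup-logs.domain" protocol="udp")
"""

LEGACY_RULE = re.compile(
    r"^\s*[^\s#]+\s+(@{1,2})(?:\([^)]*\))?([^\s:]+)(?::(\d+))?\s*$", re.M)
ACTION_BLOCK = re.compile(r"action\(([^)]*)\)", re.S)
PARAM = re.compile(r'(\w+)="([^"]*)"')
GLOBAL_MODE = re.compile(r"^\s*\$ActionSendStreamDriverMode\s+(\d)", re.M)


def parse_forwarders(conf_text):
    """Return one dict per remote forwarding action, in file order.

    'tls' is True only for TCP actions whose stream driver mode is 1; an
    action's own StreamDriverMode wins over the legacy global default.
    """
    gm = GLOBAL_MODE.search(conf_text)
    default_mode = int(gm.group(1)) if gm else 0
    found = []
    for m in LEGACY_RULE.finditer(conf_text):
        at, host, port = m.groups()
        proto = "tcp" if at == "@@" else "udp"
        found.append((m.start(), {"target": host, "port": int(port or 514),
                                  "proto": proto,
                                  "tls": proto == "tcp" and default_mode == 1}))
    for m in ACTION_BLOCK.finditer(conf_text):
        p = dict(PARAM.findall(m.group(1)))
        if p.get("type") != "omfwd":
            continue
        proto = p.get("protocol", "udp").lower()
        mode = int(p.get("StreamDriverMode", default_mode))
        found.append((m.start(), {"target": p["target"],
                                  "port": int(p.get("port", 514)),
                                  "proto": proto,
                                  "tls": proto == "tcp" and mode == 1}))
    return [entry for _, entry in sorted(found, key=lambda pair: pair[0])]


def audit(conf_text):
    """Warnings a practitioner wants before trusting the pipeline: anything
    that leaves the host unencrypted (and, for UDP, unauthenticated)."""
    warnings = []
    for f in parse_forwarders(conf_text):
        if not f["tls"]:
            warnings.append(
                f"plaintext {f['proto']} forwarding to {f['target']}:{f['port']}")
    return warnings


def probe_tls_listener(host, port, cafile, timeout=5):
    """Handshake with the server's TLS listener and verify its chain and name
    against cafile, as `openssl s_client -connect host:port -CAfile cafile`
    would. Returns (ok, detail) instead of raising."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # SERVER_AUTH + hostname check
    except OSError as exc:
        return False, f"cannot load CA file {cafile}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, (f"{tls.version()} subject={cert.get('subject')} "
                              f"notAfter={cert.get('notAfter')}")
    except ssl.SSLError as exc:   # untrusted chain, wrong name, expired cert ...
        return False, f"TLS failure: {exc}"
    except OSError as exc:        # refused, timed out, blocked by firewall
        return False, f"connect failure: {exc}"


if __name__ == "__main__":
    import sys
    for fwd in parse_forwarders(SAMPLE_CLIENT_CONF):
        print(fwd)
    for warning in audit(SAMPLE_CLIENT_CONF):
        print("WARNING:", warning)
    if len(sys.argv) == 4:    # usage: script.py <log-server> <port> <ca.pem>
        ok, detail = probe_tls_listener(sys.argv[1], int(sys.argv[2]), sys.argv[3])
        print("TLS OK" if ok else "TLS FAILED", detail)
```

Run it with no arguments to see the parse of the constructed sample; pass the log server, its TLS port and the CA file the client trusts to get the same verdict `openssl s_client` gives, with the chain and hostname checked against that CA rather than the system store. A "TLS failure" on the probe with the client's own CA file is the symptom to expect when site certificates were not issued by the CA the clients trust, which is one plausible reading of the `openssl s_client` observation above.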

Samuel Vange

Apr 19, 2017, 12:28:18 PM
to SIMP Users, samue...@gmail.com
Got it, that works, thank you!