From 2eef8b1a49854ffb36b733142faaf4c120be282a Mon Sep 17 00:00:00 2001
From: f
Date: Sun, 19 Jun 2022 02:56:50 -0300
Subject: [PATCH] send syslog to a central server

---
 README.md | 15 ++++-
 alpines.yml | 1 +
 tasks/post_install.yml | 3 +-
 templates/etc/syslog-ng/syslog-ng.conf.j2 | 73 +++++++++++++++++++++++
 4 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 templates/etc/syslog-ng/syslog-ng.conf.j2

diff --git a/README.md b/README.md
index 6474134..a526876 100644
--- a/README.md
+++ b/README.md
@@ -100,7 +100,20 @@ ssh-copy-id root@your.host.name
 
 ## Configuring the playbook
 
-Create a vault password:
+### General configuration
+
+#### Syslog
+
+Syslog-ng is used to centralize logging into a single node. Edit the IP
+address for your log server on `alpines.yml`:
+
+```yaml
+ vars:
+- log_server: "EKU:MEN:IP:ADD::RESS"
++ log_server: "10.13.12.1"
+```
+
+### Create a vault password
 
 ```bash
 make vault.key
diff --git a/alpines.yml b/alpines.yml
index 811697a..36f561b 100644
--- a/alpines.yml
+++ b/alpines.yml
@@ -5,6 +5,7 @@ vars: alpine_version: 3.16 apk_version: 2.12.9-r3 + log_server: "EKU:MEN:IP:ADD::RESS" packages: - alpine-base - linux-virt
diff --git a/tasks/post_install.yml b/tasks/post_install.yml
index 68cced5..92cfb04 100644
--- a/tasks/post_install.yml
+++ b/tasks/post_install.yml
@@ -25,7 +25,7 @@ - runlevel: "boot" service: "bootmisc" - runlevel: "boot" - service: "syslog" + service: "syslog-ng" - runlevel: "shutdown" service: "mount-ro" - runlevel: "shutdown"
@@ -62,6 +62,7 @@ - /etc/iptables/rules-save - /etc/ipset.d/blocklist4 - /etc/ipset.d/blocklist6 + - /etc/syslog-ng/syslog-ng.conf - name: "Create NTP directories." file: state: "directory"
diff --git a/templates/etc/syslog-ng/syslog-ng.conf.j2 b/templates/etc/syslog-ng/syslog-ng.conf.j2
new file mode 100644
index 0000000..f4a6826
--- /dev/null
+++ b/templates/etc/syslog-ng/syslog-ng.conf.j2
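Review bot: `log_server: "EKU:MEN:IP:ADD::RESS"` is a sentinel that the template renders verbatim when an operator forgets to edit it, and the node then boots with a syslog-ng destination that can never resolve, so centralized logging fails quietly instead of loudly. I would either leave the variable undefined here (the template task then fails at deploy time with a clear error) or add a guard before templating, e.g. `- assert: { that: [log_server is defined, log_server != "EKU:MEN:IP:ADD::RESS"], fail_msg: "set log_server in alpines.yml" }`. If the sentinel is kept, a `# REQUIRED: replace with your collector's address` comment on this line would at least make the intent visible in the file itself.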
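Review bot: Replacing `service: "syslog"` with `service: "syslog-ng"` in the boot runlevel enables the new daemon, but nothing visible in this commit installs the `syslog-ng` package or disables busybox's `syslog`, which comes with `alpine-base`. If `syslog-ng` is not in the `packages` list (the part shown in the alpines.yml hunk ends at `linux-virt`, so I cannot tell) enabling it will fail, and on a host where `syslog` is already enabled both daemons would compete for `/dev/log`. I would add `- syslog-ng` to `packages` and an explicit disable alongside the runlevel list, e.g. a task with `service: { name: syslog, enabled: no }`. The task that consumes this `runlevel`/`service` list starts above the hunk, so how it applies the list is inferred.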
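Review bot: Adding `/etc/syslog-ng/syslog-ng.conf` to this list of templated files means a rendering mistake (a bad `log_server` value, a stray quote) leaves the node with no working logger at all, which is exactly the state an attacker would want. The task that renders the list is above the hunk, so I cannot see its options, but if it is Ansible's `template` module it should carry `validate: "syslog-ng --syntax-only --cfgfile %s"` so a broken config is rejected before it is installed. A short comment on the new entry, `# validated with syslog-ng --syntax-only before install`, would document that expectation for the next maintainer.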
@@ -0,0 +1,73 @@
+@version:3.36
+@include "scl.conf"
+
+# syslog-ng configuration file.
+#
+# See syslog-ng(8) and syslog-ng.conf(5) for more information.
+#
+# Note: It also sources additional configuration files (*.conf)
+# located in /etc/syslog-ng/conf.d/.
+
+#
+# Options
+#
+options {
+ # Create destination directories if missing.
+ create_dirs(yes);
+
+ # The default action of syslog-ng is to log a MARK line to the file every
+ # 20 minutes. That's seems high for most people so turn it down to once an
+ # hour. Set it to zero if you don't want the functionality at all.
+ mark_freq(3600);
+
+ # The default action of syslog-ng is to log a STATS line to the file every
+ # 10 minutes. That's pretty ugly after a while. Change it to every 12 hours
+ # so you get a nice daily update of how many messages syslog-ng missed (0).
+ stats_freq(43200);
+
+ # Time to wait before a died connection is re-established (default is 60).
+ time_reopen(5);
+
+ # Disable DNS usage.
+ # syslog-ng blocks on DNS queries, so enabling DNS may lead to a DoS attack.
+ use_dns(no);
+ dns-cache(no);
+
+ # Default owner, group, and permissions for log files.
+ owner(root);
+ group(adm);
+ perm(0640);
+
+ # Default permissions for created directories.
+ dir_perm(0755);
+
+ keep_hostname(yes);
+};
+
+
+#
+# Templates
+#
+
+template t_file {
+ template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${LEVEL} ${MSGHDR}${MSG}\n");
+};
+
+
+#
+# Sources
+#
+
+source s_sys {
+ # Standard system log source.
+ system();
+
+ # Messages generated by syslog-ng.
+ internal();
+};
+
+destination d_loghost { udp("{{ log_server }}" port(514)); };
+log { source(s_sys); destination(d_loghost); };
+
+# Source additional configuration files (.conf extension only)
+@include "/etc/syslog-ng/conf.d/*.conf"
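Review bot: `destination d_loghost { udp("{{ log_server }}" port(514)); }` ships every message in cleartext over UDP with no fallback, so anyone on the path can read, spoof or drop the audit trail, and because `log { source(s_sys); destination(d_loghost); }` is the only log path an unreachable collector means the messages are simply lost with nothing kept on the node for forensics. I would move to `network()` over TCP with a `disk-buffer()` so outages queue instead of drop, keep a local `file()` destination alongside, and plan for `transport("tls")` on 6514 with the collector's CA pinned in `tls()` once certificates are provisioned (none are part of this change). The placeholder `EKU:MEN:IP:ADD::RESS` is IPv6-shaped, but as far as I know the `udp()` driver resolves IPv4 only unless `ip-protocol(6)` is given, so the operator substituting an address should be warned. Minor: `t_file` and the `owner/group/perm` defaults are never used because nothing writes a file, and the MARK/STATS comments still speak of logging "to the file".

```conf
# … unchanged: @version, options, template t_file, source s_sys …

# Keep a local copy so an outage or compromise of the collector does not erase the trail.
destination d_local { file("/var/log/messages" template(t_file)); };

# TCP plus disk buffer: queue instead of drop while the collector is unreachable.
# Prefer transport("tls") port(6514) with tls(ca-dir(...)) once certificates exist.
destination d_loghost {
    network("{{ log_server }}" port(514) transport("tcp")
        disk-buffer(reliable(yes) disk-buf-size(104857600) mem-buf-size(10485760)));
};

log { source(s_sys); destination(d_local); destination(d_loghost); };

# … unchanged: conf.d include …
```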