#1265 log forward to splunk
Merged 10 months ago by zlopez. Opened a year ago by seddik.
fedora-infra/ seddik/ansible rsyslog-to-splunk  into  main

@@ -35,7 +35,7 @@ 

  $UDPServerRun 514

  $InputTCPMaxSessions 2000

  $InputTCPServerRun 514

- $InputTCPServerRun 5000	

+ $InputTCPServerRun 5000

  $IMUXSockRateLimitInterval 0

  $SystemLogRateLimitInterval 0

  $WorkDirectory /var/lib/rsyslog
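Review bot: the only change in this hunk is the removal of a trailing tab after `$InputTCPServerRun 5000`; harmless, but unrelated whitespace cleanup is better kept out of a functional change (or called out in the commit message) so the diff stays easy to review.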
@@ -213,3 +213,10 @@ 

  # this is only for the merged logs from auditd

  :msg, !contains, "type=AVC" ~

  local6.*					?m_audit;MergeFormat

+ 

+ # forward to splunk host, over tls

+ *.* @splunk-syslog.corp.redhat.com:514

+ $DefaultNetstreamDriver gtls # use gtls netstream driver

+ $ActionSendStreamDriverMode 1 # require TLS for the connection

+ $ActionSendStreamDriverAuthMode anon # server is NOT authenticated

+ $DefaultNetstreamDriverCAFile {{private}}/files/splunk-certs/2022-IT-Root-CA.pem
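Review bot: the forwarding action `*.* @splunk-syslog.corp.redhat.com:514` is UDP (single `@`), and the gtls/TLS directives placed after it only apply to actions defined later in the file, so as written this hunk sends every message in plaintext over UDP and the TLS lines have no effect. Move `$DefaultNetstreamDriver gtls`, `$ActionSendStreamDriverMode 1` and the auth-mode/CA directives above the action and make it a TCP action (`*.* @@splunk-syslog.corp.redhat.com:514`). Two further points: `$ActionSendStreamDriverAuthMode anon` leaves the Splunk endpoint unauthenticated even though a CA is configured, so prefer `x509/name` together with `$ActionSendStreamDriverPermittedPeer`; and `{{private}}/files/splunk-certs/2022-IT-Root-CA.pem` is an ansible-side repository path, while rsyslog.conf is shipped with `copy:` rather than `template:`, so the variable is never rendered and the path does not exist on the host; copy the CA to a location on log01 and reference that. A disk-assisted action queue (`$ActionQueueType LinkedList` plus `$ActionQueueFileName`) is worth adding so that an unreachable Splunk endpoint does not stall local logging.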

file modified
+11 -1
@@ -230,6 +230,16 @@ 

    notify:

    - flush journald tmpfiles to persistent store

  

+ - name: ensure packages required for rsyslog are installed

+   package: name={{ item }} state=present

+   with_items:

+   - rsyslog-gnutls

+   tags:

+   - rsyslogd

+   - config

+   - base

+   when: inventory_hostname.startswith('log01')

+ 

  - name: rsyslog.conf

    copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644

    with_first_found:
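Review bot: this task installs rsyslog-gnutls on log01, but nothing in the change copies the CA (or the client certificate and chain mentioned in the thread) to the host, so the `$DefaultNetstreamDriverCAFile` in rsyslog.conf has nothing to point at. Add a `copy:` task under the same tags and `when:` guard that places the CA on the host (mode 0644; a restrictive mode for any private key) and notifies a restart of rsyslog so the new trust anchor is picked up. Minor: `with_items` is deprecated in favour of `loop:`, though the existing tasks in this file use `with_items` too, so either is consistent here.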
@@ -464,7 +474,7 @@ 

  # rhel8 hosts do not have /usr/bin/python, but there are a few things we call

  # with that because they also run the same on python2 hosts.

  # So, we set python3 to /usr/bin/python on those hosts:

- - name : ensure that platform-python is installed on EL8 boxes

+ - name: ensure that platform-python is installed on EL8 boxes

    package: name={{ item }} state=present

    with_items:

    - platform-python

Fedora logs need to be forwarded to the Red Hat Splunk instance.
Workaround here: we can start from this first config.

Related to this issue => https://pagure.io/fedora-infrastructure/issue/10120
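The forwarding rule in the rsyslog.conf hunk above, and the CA-file path discussion that follows, are easy to get wrong in ways rsyslog does not warn about: a single `@` is UDP (no TLS at all), legacy `$Action...` directives only affect actions defined after them, `anon` skips server authentication, and an ansible-side `{{private}}` path shipped with `copy:` reaches the host unrendered. The pre-deploy check below is an added example, not code from the fedora-infra ansible repo. It replays the legacy directives the way rsyslog applies them and reports those problems; both sample configs are constructed here (the bad one mirrors the hunk, the corrected one is the form the review asks for), and the `/etc/pki/rsyslog/` path in the corrected sample is an assumed deploy location, not something the PR defines.

```python
"""Pre-deploy lint for rsyslog legacy ($Directive) TLS forwarding rules.

Added example, not code from the fedora-infra ansible repo. It replays the
legacy directives that rsyslog applies to *later* actions and flags the
mistakes that quietly turn a "forward over TLS" rule into plaintext UDP or
an unauthenticated TLS session. Sample configs are constructed below.
"""
import re

# "$Name value   # optional comment"
DIRECTIVE_RE = re.compile(r"^\$(?P<name>\w+)\s+(?P<value>[^#]*?)\s*(?:#.*)?$")
# "selector @host:port" (UDP) or "selector @@host:port" (TCP), optional "(opts)"
FORWARD_RE = re.compile(r"^(?P<sel>\S+)\s+(?P<at>@@?)(?:\([^)]*\))?(?P<target>[^\s#]+)")

# Auth modes in which the client actually verifies who the server is.
AUTHENTICATING = {"x509/name", "x509/fingerprint"}


def lint(conf: str) -> list[str]:
    """Return one human-readable finding per problem, in file order."""
    state: dict[str, str] = {}   # directives currently in effect for the next action
    findings: list[str] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        d = DIRECTIVE_RE.match(line)
        if d:
            name, value = d.group("name"), d.group("value").strip()
            if "{{" in value:
                # rsyslog.conf is shipped with copy:, not template:, so a Jinja
                # variable (or any ansible-side repo path) arrives unrendered.
                findings.append(f"line {lineno}: ${name} value '{value}' is an "
                                "unrendered Jinja variable / ansible-side path")
            state[name] = value
            continue

        f = FORWARD_RE.match(line)
        if not f:
            continue
        target = f.group("target")
        if f.group("at") == "@":
            findings.append(f"line {lineno}: forward to {target} uses '@' (UDP); "
                            "TLS only applies to TCP actions ('@@')")
        if (state.get("DefaultNetstreamDriver") != "gtls"
                or state.get("ActionSendStreamDriverMode") != "1"):
            findings.append(f"line {lineno}: forward to {target} is not TLS: set "
                            "$DefaultNetstreamDriver gtls and "
                            "$ActionSendStreamDriverMode 1 before this action")
        auth = state.get("ActionSendStreamDriverAuthMode", "anon")
        if auth not in AUTHENTICATING:
            findings.append(f"line {lineno}: forward to {target} does not "
                            f"authenticate the server (auth mode {auth})")
        elif auth == "x509/name" and "ActionSendStreamDriverPermittedPeer" not in state:
            findings.append(f"line {lineno}: x509/name without "
                            "$ActionSendStreamDriverPermittedPeer accepts any "
                            "name the CA has signed")
        if (state.get("DefaultNetstreamDriver") == "gtls"
                and "DefaultNetstreamDriverCAFile" not in state):
            findings.append(f"line {lineno}: gtls without "
                            "$DefaultNetstreamDriverCAFile cannot verify the peer")
    return findings


# Constructed sample: the forwarding block exactly as the PR adds it.
BAD_CONF = """\
# forward to splunk host, over tls
*.* @splunk-syslog.corp.redhat.com:514
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$DefaultNetstreamDriverCAFile {{private}}/files/splunk-certs/2022-IT-Root-CA.pem
"""

# Constructed sample: the corrected form. Directives come first because they
# apply to the action that follows; /etc/pki/rsyslog/ is an ASSUMED host path
# the ansible task would have to copy the CA to. If Splunk demands a client
# certificate, add $DefaultNetstreamDriverCertFile / KeyFile here as well.
GOOD_CONF = """\
# forward to splunk host, over TLS; directives first, they apply to later actions
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/2022-IT-Root-CA.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer splunk-syslog.corp.redhat.com
$ActionQueueType LinkedList
$ActionQueueFileName splunkfwd
$ActionResumeRetryCount -1
*.* @@splunk-syslog.corp.redhat.com:514
"""

if __name__ == "__main__":
    for label, conf in (("PR config", BAD_CONF), ("corrected", GOOD_CONF)):
        print(f"{label}: {len(lint(conf))} finding(s)")
        for finding in lint(conf):
            print("  " + finding)
```

Run it against the real file before deploying (`lint(open("/etc/rsyslog.conf").read())`); an empty list is the expected result, and each finding names the line it applies to. The check is deliberately conservative: it only models the legacy directive syntax used in this repo, not the newer `action(...)` RainerScript form.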

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

rebased onto 759540964bac269a9d3149446fa1260c75e8f642

a year ago

Build succeeded.

We still need the actual CA file here, but otherwise this seems fine to me.

@kevin I have no idea where to get the CA file.
Any idea? Should we use ca-trust for the machine?

@kevin Could you answer the question?

I don't know the answer. ;)

@aheath1992 hopefully can get this file for us. :)

I just checked in the CA and our client cert to ansible-private:

create mode 100644 files/splunk-certs/RH-IT-Root-CA.crt
create mode 100644 files/splunk-certs/rootrhcertchain

We need to adjust this to install those and use it.

Nope. We have been in beta freeze, so not pushing this. We can look at doing so after if time permits.

If you could rebase it and add the path to the CA and chain that would be lovely...

@kevin I only have this CA file, /etc/pki/tls/certs/ca-bundle.crt, on log01.
Could you put the right path to the CA and chain here, please?

@kevin Could you answer the question from @seddik?

The CA is in our ansible-private repo. You can refer to it in ansible with:

{{ private }}/files/splunk-certs/2022-IT-Root-CA.pem

and the chain

{{ private }}/files/splunk-certs/rootrhcertchain

@seddik Do you need anything else from us?

@zlopez thank you, I will update the previous commit and tell you.

rebased onto de438395d058d9e00e4eba8ff02e905039b7d958

10 months ago

@zlopez or @kevin, could you review this and merge it?

Let me try to deploy this

rebased onto a1e6a14

10 months ago

Pull-Request has been merged by zlopez

10 months ago

Deployed by running ansible-playbook -t rsyslogd /srv/web/infra/ansible/playbooks/groups/logserver.yml

@seddik Could you check if everything works as expected?