Managing syslog and log forwarding with Puppet

I’ve recently begun to manage my Linux infrastructure with Puppet, and one of the first modules I created was one to manage the rsyslog daemon on all my servers. I run a centralized log server and wanted all other systems to forward their logs to that server.

One of the challenges in writing this module was that the majority of my systems are CentOS 5.x and run syslogd as their default syslog daemon. I prefer rsyslog, so the module had to ensure that syslogd was not running once rsyslog was enabled. One "gotcha" I ran into was that Puppet checked the client's process table for a process containing the string "syslogd" rather than one matching it exactly; because that string also occurs in "rsyslogd", Puppet assumed syslogd was running when it wasn't. To work around that I had to set hasstatus => true on the syslog service, so Puppet asks the init script's status action instead of scanning the process table.
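To make the process-table problem concrete, here is an added example (not from the original post) that reproduces the two kinds of check on a constructed process list: a substring match of the sort that reports syslogd as running when only rsyslogd is present, and an exact match on the full command name, which is what hasstatus => true (or a precise pattern attribute) buys you in Puppet. The SAMPLE_PROCS listing is constructed; the live function at the end reads the real process table with POSIX ps.

```sh
#!/bin/sh
# Constructed sample of `ps -e -o comm=` output from a host where
# rsyslogd has replaced syslogd. No syslogd process is present.
SAMPLE_PROCS='init
rsyslogd
sshd
crond'

# Substring check: the behaviour that caused the false positive.
# $1 = process name to look for, $2 = newline-separated process list.
# Returns 0 (true) if any line merely contains the name.
running_substring() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# Exact check: the whole command name must equal the requested name
# (grep -x), so "rsyslogd" no longer satisfies a search for "syslogd".
running_exact() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Same exact check against the live process table, for use on a real host.
running_exact_live() {
    ps -e -o comm= | grep -qx -- "$1"
}

# Stand-alone demonstration on the constructed list.
if running_substring syslogd "$SAMPLE_PROCS"; then
    echo "substring check: syslogd reported RUNNING (false positive)"
fi
if running_exact syslogd "$SAMPLE_PROCS"; then
    echo "exact check: syslogd running"
else
    echo "exact check: syslogd not running (correct)"
fi
```

Running it prints the false positive from the substring check and the correct answer from the exact one; on a real CentOS host, `running_exact_live syslogd` is the equivalent of what the init script's status action reports when there is no stale pid file.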

Also, in the examples below I assign the value for my central syslog server directly in the class. This can alternatively be done in the node definitions of Puppet if you have multiple central log servers.

syslog/manifests/init.pp

class syslog {

    # Package name selector keyed on the operatingsystem fact; only the
    # default branch is needed while every host uses the "rsyslog" package.
    $rsyslog_package = $operatingsystem ? {
        default => "rsyslog"
    }

    # Central log server as host:port; override in the node definition if needed.
    $syslogServer = "hostname.domain:514"
}

class syslog::base inherits syslog {

    package { $rsyslog_package:
        ensure => installed
    }

    # Render the config from the template and restart rsyslog whenever it changes.
    file { "/etc/rsyslog.conf":
        mode    => "644",
        content => template("syslog/rsyslog_conf.erb"),
        notify  => Service["rsyslog"],
        require => Package[$rsyslog_package]
    }

    service { "rsyslog":
        ensure  => running,
        enable  => true,
        require => Package[$rsyslog_package]
    }

    # hasstatus => true makes Puppet use the init script's status action;
    # the default process-table scan for "syslogd" also matches "rsyslogd".
    service { "syslog":
        ensure    => stopped,
        enable    => false,
        hasstatus => true
    }

    # Title is quoted: a bare syslog-ng (with a hyphen) is not a valid title.
    service { "syslog-ng":
        ensure => stopped,
        enable => false
    }
}

syslog/templates/rsyslog_conf.erb

This is the default rsyslog.conf in CentOS 5.x with an additional line to forward a copy of all logs to my syslog server.

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Forward a copy of everything to the central (splunk) server.
# A single @ sends over UDP; use @@ for TCP delivery.
*.*             @<%= syslogServer %>
