commit 3f30a4bef318a620a97d3de3a731bed7764ee526
Author: Pierre-Olivier Mercier
Date:   Tue Mar 14 19:07:40 2023 +0100

    Initial commit

diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..4851a5a
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload syslog
+  service:
+    name: syslog-ng
+    state: reloaded
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..0bbaee9
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+  role_name: syslog
+  author: 'Pierre-Olivier Mercier '
+  description: Setup and configure syslog-ng to a remote syslog-ng server
+  license: GPL-3.0-or-later
+  min_ansible_version: 2.9
+  platforms:
+    - name: Alpine
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..85b0370
--- /dev/null
+++ b/tasks/main.yml
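Review bot: `min_ansible_version: 2.9` in the meta/main.yml hunk is an unquoted float, so a later bump such as 2.10 would be read back as 2.1; quote it as `min_ansible_version: "2.9"` so the field is always a string. The quoted `author` value ends in a trailing space, which looks like a dropped e-mail address or an extraction artefact and is worth trimming or restoring. The handlers/main.yml hunk raises nothing on its own.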
@@ -0,0 +1,63 @@
+---
+- name: install syslog-ng package (alpine)
+  apk:
+    name:
+      - syslog-ng
+      - logrotate
+    state: present
+    update_cache: yes
+  when: ansible_distribution == 'Alpine'
+
+- name: remove rsyslog package (debian)
+  apt:
+    name:
+      - rsyslog
+    state: absent
+  when: ansible_distribution == 'Debian'
+
+- name: install syslog-ng package (debian)
+  apt:
+    name:
+      - syslog-ng
+      - logrotate
+    state: present
+    update_cache: yes
+  when: ansible_distribution == 'Debian'
+
+- name: Copy syslog configuration
+  template:
+    src: syslog-ng.conf.j2
+    dest: /etc/syslog-ng/syslog-ng.conf
+    mode: u+rw,g+r,o+r
+  notify:
+    - reload syslog
+
+- name: configure logrotate
+  lineinfile:
+    path: /etc/logrotate.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - { regexp: "^#?/var/log/messages {}", line: "#/var/log/messages {}" }
+    - { regexp: "^(daily|weekly|monthly|yearly)", line: "weekly" }
+    - { regexp: "^(size|maxsize).*", line: "maxsize 512M" }
+
+- name: ensure syslog is disabled
+  service:
+    name: syslog
+    enabled: no
+    state: stopped
+  when: ansible_distribution == 'Alpine'
+
+- name: "ensure destination directory exists on {{ item }}"
+  file:
+    path: "/var/log/{{ inventory_hostname }}"
+    state: directory
+  delegate_to: "{{ item }}"
+  with_items: "{{ log_hosts }}"
+
+- name: ensure syslog-ng is enabled
+  service:
+    name: syslog-ng
+    enabled: yes
+    state: started
diff --git a/templates/syslog-ng.conf.j2 b/templates/syslog-ng.conf.j2
new file mode 100644
index 0000000..a6590ac
--- /dev/null
+++ b/templates/syslog-ng.conf.j2
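Review bot: In the "Copy syslog configuration" task, `mode: u+rw,g+r,o+r` only adds permission bits and never clears any, so a pre-existing group- or world-writable /etc/syslog-ng/syslog-ng.conf keeps its write bits after the role runs; an absolute mode, `mode: "0644"` (or the symbolic `u=rw,g=r,o=r`), converges the file to one known state on every run. The same hunk uses the YAML 1.1 truthy spellings `update_cache: yes`, `enabled: no` and `enabled: yes`; Ansible accepts them, but `true`/`false` is the lint-clean form and avoids 1.1/1.2 parser differences. The "ensure destination directory exists" task creates `/var/log/{{ inventory_hostname }}` on each delegate without `owner`, `group` or `mode`, so the directory presumably falls back to the umask of the Ansible process on that host; since it is apparently meant to hold this host's forwarded logs, setting them explicitly (e.g. `mode: "0750"` with the syslog-ng user/group used on the log host) would keep the permissions deliberate.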
@@ -0,0 +1,105 @@
+@version:3.30
+@include "scl.conf"
+
+# syslog-ng configuration file.
+#
+# See syslog-ng(8) and syslog-ng.conf(5) for more information.
+#
+# Note: It also sources additional configuration files (*.conf)
+# located in /etc/syslog-ng/conf.d/.
+
+#
+# Options
+#
+options {
+ # Create destination directories if missing.
+ create_dirs(yes);
+
+ # The default action of syslog-ng is to log a MARK line to the file every
+ # 20 minutes. That's seems high for most people so turn it down to once an
+ # hour. Set it to zero if you don't want the functionality at all.
+ mark_freq(3600);
+
+ # The default action of syslog-ng is to log a STATS line to the file every
+ # 10 minutes. That's pretty ugly after a while. Change it to every 12 hours
+ # so you get a nice daily update of how many messages syslog-ng missed (0).
+ stats_freq(43200);
+
+ # Time to wait before a died connection is re-established (default is 60).
+ time_reopen(5);
+
+ # Disable DNS usage.
+ # syslog-ng blocks on DNS queries, so enabling DNS may lead to a DoS attack.
+ use_dns(no);
+ dns-cache(no);
+
+ # Default owner, group, and permissions for log files.
+ owner(root);
+ group(adm);
+ perm(0640);
+
+ # Default permissions for created directories.
+ dir_perm(0755);
+};
+
+source src { system(); internal(); };
+
+filter f_auth { facility(auth, authpriv); };
+filter f_syslog { not facility(authpriv, mail) and not message("^grsec:( From [^:]+:)? exec of.*") and not (program("named") and message("^client ")); };
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_mail { facility(mail, news); };
+filter f_user { facility(user); };
+filter f_debug { not facility(auth, authpriv, news, mail); };
+filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news) and not message("^grsec:( From [^:]+:)? exec of.*"); };
+filter f_emergency { level(emerg); };
+
+filter f_info { level(info); };
+
+filter f_notice { level(notice); };
+filter f_warn { level(warn); };
+filter f_crit { level(crit); };
+filter f_err { level(err); };
+
+filter f_audit { message("^audit.*"); };
+filter f_history { message(".*HISTORY*"); };
+
+filter f_sshguard { facility(auth, authpriv) and not program("sshguard"); };
+
+destination authlog { file("/var/log/auth.log"); };
+destination syslog { file("/var/log/syslog"); };
+destination kern { file("/var/log/kern.log"); };
+destination user { file("/var/log/user.log"); };
+
+destination mailinfo { file("/var/log/mail/mail.info"); };
+destination mailwarn { file("/var/log/mail/mail.warn"); };
+destination mailerr { file("/var/log/mail/mail.err"); };
+
+destination audit { file("/var/log/audit.log"); };
+destination messages { file("/var/log/messages"); };
+destination emergency { file("/var/log/emergency"); };
+
+#destination sshguard { program("/usr/sbin/sshguard -w 2a01:e35:8bb7:3c60::a -w 2a01:e35:8bb7:3c60::2" template("$DATE $FULLHOST $MSGHDR$MESSAGE\n") ); };
+
+log { source(src); filter(f_auth); destination(authlog); };
+#log { source(src); filter(f_syslog); destination(syslog); }; # Comment me!
+#log { source(kernsrc); filter(f_kern); destination(kern); };
+
+#log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
+#log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
+log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
+
+#log { source(src); filter(f_messages); destination(messages); };
+log { source(src); filter(f_emergency); destination(emergency); };
+
+#log { source(src); filter(f_sshguard); destination(sshguard); };
+
+# Remote loghost
+{% for host in log_hosts %}
+destination loghost{{ loop.index }} { tcp6("{{ host }}"); };
+log { source(src); destination(loghost{{ loop.index }}); };
+{% endfor %}
+
+# Source additional configuration files (.conf extension only)
+@include "/etc/syslog-ng/conf.d/*.conf"
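Review bot: The remote destination `tcp6("{{ host }}")` in the `{% for host in log_hosts %}` block forwards everything from `source(src)`, including the auth/authpriv facility, over plain unencrypted TCP, and because the local `f_syslog` and `f_messages` log statements are commented out, most of those messages exist nowhere else; `tcp6()` has no disk buffer, so an outage of a log host loses them outright. The legacy `tcp6()` driver is superseded by `network()`, which takes `transport("tls")` with peer certificate verification and a `disk-buffer()` to ride out outages; a replacement for the loop body is below, with the certificate paths left as placeholders to be filled from role variables. Separately, `filter f_history { message(".*HISTORY*"); }` puts the quantifier on the `Y` instead of a trailing `.*` and is referenced by no log statement, so it is either dead or mistyped. The commented-out `destination sshguard` stanza carries hard-coded addresses that probably should not ship in a reusable role.

```jinja
{% for host in log_hosts %}
destination loghost{{ loop.index }} {
    network("{{ host }}" port(6514) transport("tls") ip-protocol(6)
        tls(
            ca-dir("<PLACEHOLDER: CA directory from a role variable>")
            key-file("<PLACEHOLDER: client key path>")
            cert-file("<PLACEHOLDER: client certificate path>")
            peer-verify(required-trusted)
        )
        disk-buffer(mem-buf-size(10000) disk-buf-size(2000000) reliable(yes))
    );
};
log { source(src); destination(loghost{{ loop.index }}); };
{% endfor %}
```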