Andreas Hamacher · Chris Hines · 1fa433d6 · 1fa433d6 · 1fa433d6 · 1fa433d6
6 changed files
--- a/CICD/heat/gc_HOT.yaml
+++ b/CICD/heat/gc_HOT.yaml
@@ -62,6 +62,11 @@ parameters:
    type: string
    label: Resource ID
    default: 070a32e2-858b-462a-b2b5-b3a92eec2669
+  SYSLOGSecGroupID:
+    type: string
+    label: Resource ID
+    default: 1de45b93-e5f6-4838-94f7-fc307752d6cb
+

 resources:

@@ -75,9 +80,9 @@ resources:
    flavor: m3.xsmall
    image: { get_param: centos_7_image_id }
    key_name: { get_param: ssh_key }
-    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
    metadata:
-     ansible_host_groups: [ SQLNodes, NFSNodes, LDAPServer, CentosNodes ]
+     ansible_host_groups: [ SQLNodes, NFSNodes, LDAPServer, CentosNodes, LogNodes ]
     ansible_ssh_user: ec2-user
     project_name: { get_param: project_name }
    networks:
@@ -133,7 +138,7 @@ resources:
        mynodename:
         list_join: [ '-', [ { get_param: "OS::stack_name" }, 'mgmt%index%' ]]
        ssh_key: { get_param: ssh_key }
-        security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: MySQLSecGroupID } ]
+        security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: SYSLOGSecGroupID } ]
        project_name: { get_param: project_name }

  MgmtNodesU:
@@ -150,7 +155,7 @@ resources:
        mynodename:
         list_join: [ '-', [ { get_param: "OS::stack_name" }, 'mgmtU%index%' ]]
        ssh_key: { get_param: ssh_key }
-        security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: MySQLSecGroupID } ]
+        security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: SYSLOGSecGroupID } ]
        project_name: { get_param: project_name }

  LoginNodesC:
@@ -166,7 +171,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'login%index%' ]]
-      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ LoginNodes, CentosNodes ]
       ansible_ssh_user: ec2-user
@@ -187,7 +192,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'loginU%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ LoginNodes, UbuntuNodes ]
       ansible_ssh_user: ubuntu
@@ -208,7 +213,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopc%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes, VisNodes, ComputeNodes, CentosNodes ]
       ansible_ssh_user: ec2-user
@@ -229,7 +234,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computeU%index%' ]]
-      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ ComputeNodes, UbuntuNodes ]
       ansible_ssh_user: ubuntu
@@ -250,7 +255,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computec7%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ ComputeNodes, CentosNodes ]
       ansible_ssh_user: ec2-user
@@ -271,7 +276,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'gpudesktopu%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes, GPU, ComputeNodes, VisNodes, UbuntuNodes ]
       ansible_ssh_user: ubuntu
@@ -292,7 +297,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'gpudesktopc%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes, GPU, ComputeNodes, K1, VisNodes, CentosNodes ]
       ansible_ssh_user: ec2-user
@@ -313,7 +318,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computerhel%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID }, { get_param: SYSLOGSecGroupID } ]
      metadata:
       ansible_host_groups: [ DGXRHELNodes, RedhatNodes ]
       ansible_ssh_user: cloud-user

--- a/CICD/plays/computenodes.yml
+++ b/CICD/plays/computenodes.yml
@@ -38,6 +38,7 @@
  - { role: postfix, tags: [ mail, other ] }
  - { role: set_semaphore_count, tags: [ semaphore ] }
  - { role: ldapclient, ssl: false, tags: [ ldapclient ] }
+  - { role: rsyslog_client, tags: [ syslog ] }
  - { role: ssh-keepalive, tags: [ ssh ] }
  - { role: enable_sudo_group, tags: [ authentication ] }


--- a/CICD/plays/nfssqlnodes.yml
+++ b/CICD/plays/nfssqlnodes.yml
@@ -83,3 +83,8 @@
  roles:
  - { role: nfs-server }
  tags: [ nfs,nfs-server ]
+
+- hosts: 'LogNodes'
+  roles:
+  - { role: etcHosts, tags: [ networking, etcHosts ] }
+  - { role: rsyslog_server }
--- a/CICD/vars/vars.yml
+++ b/CICD/vars/vars.yml
@@ -2,6 +2,7 @@
 sudo_group: systems
 nagios_home: "/var/lib/nagios"
 nvidia_version: "450.51.06"
+syslog_server: "{{ groups['SQLNodes'][0] }}"

 gpumap:
 'K1': 'K1'

--- a/roles/rsyslog_client/templates/rsyslog.conf.j2
+++ b/roles/rsyslog_client/templates/rsyslog.conf.j2
@@ -8,6 +8,7 @@
 # The imjournal module bellow is now used as a message source instead of imuxsock.
 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
 $ModLoad imjournal # provides access to the systemd journal
+$ModLoad imfile
 #$ModLoad imklog # reads kernel messages (the same are read from journald)
 #$ModLoad immark  # provides --MARK-- message capability

@@ -79,7 +80,15 @@ uucp,news.crit                                          /var/log/spooler
 local7.*                                                /var/log/boot.log
 & @{{ syslog_server }}:514

-
+#https://trello.com/c/w0dBcu2t
+#https://www.thegeekdiary.com/how-to-send-audit-logs-to-remote-rsyslog-server-in-centos-rhel-67/
+$InputFileName /var/log/audit/audit.log
+$InputFileTag tag_audit_log:
+$InputFileStateFile audit_log
+$InputFileSeverity info
+$InputFileFacility local6
+$InputRunFileMonitor
+*.* @{{ syslog_server }}:514
 # ### begin forwarding rule ###
 # The statement between the begin ... end define a SINGLE forwarding
 # rule. They belong together, do NOT split them. If you create multiple

--- a/roles/rsyslog_server/templates/rsyslog.conf.j2
+++ b/roles/rsyslog_server/templates/rsyslog.conf.j2
@@ -72,6 +72,8 @@ uucp,news.crit                                          /var/log/spooler
 # Save boot messages also to boot.log
 local7.*                                                /var/log/boot.log

+$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"  
+local6.*

 # ### begin forwarding rule ###
 # The statement between the begin ... end define a SINGLE forwarding