From 1dc79cebc6d27a8f9d2f9ca9c2e0f2fd0809d940 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Mon, 8 May 2023 21:27:14 +0200
Subject: syslog: T2778: migrate to get_config_dict()

---
 data/templates/rsyslog/logrotate.j2    | 16 ++++++++
 data/templates/rsyslog/rsyslog.conf    | 59 ----------------------------
 data/templates/rsyslog/rsyslog.conf.j2 | 71 ++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 59 deletions(-)
 create mode 100644 data/templates/rsyslog/logrotate.j2
 delete mode 100644 data/templates/rsyslog/rsyslog.conf
 create mode 100644 data/templates/rsyslog/rsyslog.conf.j2

(limited to 'data/templates/rsyslog')

diff --git a/data/templates/rsyslog/logrotate.j2 b/data/templates/rsyslog/logrotate.j2
new file mode 100644
index 000000000..89d1a8a50
--- /dev/null
+++ b/data/templates/rsyslog/logrotate.j2
@@ -0,0 +1,16 @@
+### Autogenerated by system-syslog.py ###
+{% if file is vyos_defined %}
+{%     for file_name, file_options in file.items() %}
+/var/log/user/{{ file_name }} {
+  missingok
+  notifempty
+  create
+  rotate {{ file_options.archive.file }}
+  size={{ file_options.archive.size | int // 1024 }}k
+  postrotate
+    invoke-rc.d rsyslog rotate > /dev/null
+  endscript
+}
+
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/rsyslog/rsyslog.conf b/data/templates/rsyslog/rsyslog.conf
deleted file mode 100644
index ab60fc0f0..000000000
--- a/data/templates/rsyslog/rsyslog.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-#  /etc/rsyslog.conf    Configuration file for rsyslog.
-#
-
-#################
-#### MODULES ####
-#################
-
-$ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
-#$ModLoad immark  # provides --MARK-- message capability
-
-$OmitLocalLogging off
-$SystemLogSocketName /run/systemd/journal/syslog
-
-$KLogPath /proc/kmsg
-
-# provides UDP syslog reception
-#$ModLoad imudp
-#$UDPServerRun 514
-
-# provides TCP syslog reception
-#$ModLoad imtcp
-#$InputTCPServerRun 514
-
-###########################
-#### GLOBAL DIRECTIVES ####
-###########################
-
-#
-# Use traditional timestamp format.
-# To enable high precision timestamps, comment out the following line.
-#
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
-
-# Filter duplicated messages
-$RepeatedMsgReduction on
-
-#
-# Set the default permissions for all log files.
-#
-$FileOwner root
-$FileGroup adm
-$FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
-
-
-#
-# Include all config files in /etc/rsyslog.d/
-#
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-###############
-#### RULES ####
-###############
-# Emergencies are sent to everybody logged in.
-
-*.emerg                         :omusrmsg:*
-
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
new file mode 100644
index 000000000..0460ae5f0
--- /dev/null
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -0,0 +1,71 @@
+### Autogenerated by system-syslog.py ###
+
+{% if global.marker is vyos_defined %}
+$ModLoad immark
+{%     if global.marker.interval is vyos_defined %}
+$MarkMessagePeriod {{ global.marker.interval }}
+{%     endif %}
+{% endif %}
+{% if global.preserve_fqdn is vyos_defined %}
+$PreserveFQDN on
+{% endif %}
+
+# We always log to /var/log/messages
+$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
+{% if global.facility is vyos_defined %}
+{%     set tmp = [] %}
+{%     for facility, facility_options in global.facility.items() %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%     endfor %}
+{{ tmp | join(';') }} :omfile:$global
+{% endif %}
+
+{% if file is vyos_defined %}
+# File based configuration section
+{%     for file_name, file_options in file.items() %}
+$outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }}
+{%         set tmp = [] %}
+{%         for facility, facility_options in file_options.facility.items() %}
+{%             set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         endfor %}
+{{ tmp | join(';') }} :omfile:${{ file }}
+{%     endfor %}
+{% endif %}
+
+{% if console.facility is vyos_defined %}
+# Console logging
+{%     set tmp = [] %}
+{%     for facility, facility_options in console.facility.items() %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%     endfor %}
+{{ tmp | join(';') }} /dev/console
+{% endif %}
+
+{% if host is vyos_defined %}
+# Remote logging
+{%     for host_name, host_options in host.items() %}
+{%         set tmp = [] %}
+{%         for facility, facility_options in host_options.facility.items() %}
+{%             set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         endfor %}
+{%         if host_options.protocol is vyos_defined('tcp') %}
+{%             if host_options.oct_count is vyos_defined %}
+{{ tmp | join(';') }} @@(o){{ host_name | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format
+{%             else %}
+{{ tmp | join(';') }} @@{{ host_name | bracketize_ipv6 }}:{{ host_options.port }}
+{%             endif %}
+{%         else %}
+{{ tmp | join(';') }} @{{ host_name | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.format.octet_counted is vyos_defined }}
+{%         endif %}
+{%     endfor %}
+{% endif %}
+
+{% if user is defined and user is not none %}
+# Log to user terminal
+{%     for username, user_options in user.items() %}
+{%         for facility, facility_options in user_options.facility.items() %}
+{%             set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         endfor %}
+{{ tmp | join(';') }} :omusrmsg:{{ username }}
+{%     endfor %}
+{% endif %}
-- 
cgit v1.2.3


From 46d2bcdb0b500b4d1b9d973ab5b9ca3c6cf44e51 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Mon, 8 May 2023 22:34:22 +0200
Subject: syslog: T2769: add VRF support

Allow syslog messages to be sent through a VRF (e.g. management).
---
 data/templates/rsyslog/override.conf.j2    | 11 +++++++++++
 interface-definitions/system-syslog.xml.in |  1 +
 src/conf_mode/system-syslog.py             | 20 +++++++++++++++++++-
 src/etc/rsyslog.conf                       |  6 ++++++
 4 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 data/templates/rsyslog/override.conf.j2

(limited to 'data/templates/rsyslog')

diff --git a/data/templates/rsyslog/override.conf.j2 b/data/templates/rsyslog/override.conf.j2
new file mode 100644
index 000000000..5f6a87edf
--- /dev/null
+++ b/data/templates/rsyslog/override.conf.j2
@@ -0,0 +1,11 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+ExecStart=
+ExecStart={{ vrf_command }}/usr/sbin/rsyslogd -n -iNONE
+Restart=always
+RestartPreventExitStatus=
+RestartSec=10
+RuntimeDirectoryPreserve=yes
diff --git a/interface-definitions/system-syslog.xml.in b/interface-definitions/system-syslog.xml.in
index 17aa85706..cd5c514a8 100644
--- a/interface-definitions/system-syslog.xml.in
+++ b/interface-definitions/system-syslog.xml.in
@@ -147,6 +147,7 @@
               #include <include/syslog-facility.xml.i>
             </children>
           </node>
+          #include <include/interface/vrf.xml.i>
         </children>
       </node>
     </children>
diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py
index dba29d152..e646fb0ae 100755
--- a/src/conf_mode/system-syslog.py
+++ b/src/conf_mode/system-syslog.py
@@ -20,6 +20,8 @@ from sys import exit
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
+from vyos.configdict import is_node_changed
+from vyos.configverify import verify_vrf
 from vyos.util import call
 from vyos.template import render
 from vyos.xml import defaults
@@ -29,6 +31,7 @@ airbag.enable()
 
 rsyslog_conf = '/etc/rsyslog.d/00-vyos.conf'
 logrotate_conf = '/etc/logrotate.d/vyos-rsyslog'
+systemd_override = r'/run/systemd/system/rsyslog.service.d/override.conf'
 
 def get_config(config=None):
     if config:
@@ -43,6 +46,8 @@ def get_config(config=None):
                                   get_first_key=True, no_tag_node_value_mangle=True)
 
     syslog.update({ 'logrotate' : logrotate_conf })
+    tmp = is_node_changed(conf, base + ['vrf'])
+    if tmp: syslog.update({'restart_required': {}})
 
     # We have gathered the dict representation of the CLI, but there are default
     # options which we need to update into the dictionary retrived.
@@ -101,6 +106,8 @@ def verify(syslog):
     if not syslog:
         return None
 
+    verify_vrf(syslog)
+
 def generate(syslog):
     if not syslog:
         if os.path.exists(rsyslog_conf):
@@ -111,15 +118,26 @@ def generate(syslog):
         return None
 
     render(rsyslog_conf, 'rsyslog/rsyslog.conf.j2', syslog)
+    render(systemd_override, 'rsyslog/override.conf.j2', syslog)
     render(logrotate_conf, 'rsyslog/logrotate.j2', syslog)
 
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
+    return None
+
 def apply(syslog):
     systemd_service = 'syslog.service'
     if not syslog:
         call(f'systemctl stop {systemd_service}')
         return None
 
-    call(f'systemctl reload-or-restart {systemd_service}')
+    # we need to restart the service if e.g. the VRF name changed
+    systemd_action = 'reload-or-restart'
+    if 'restart_required' in syslog:
+        systemd_action = 'restart'
+
+    call(f'systemctl {systemd_action} {systemd_service}')
+    return None
 
 if __name__ == '__main__':
     try:
diff --git a/src/etc/rsyslog.conf b/src/etc/rsyslog.conf
index 706ebb60d..c28e9b537 100644
--- a/src/etc/rsyslog.conf
+++ b/src/etc/rsyslog.conf
@@ -49,6 +49,12 @@ $FileCreateMode 0640
 $DirCreateMode 0755
 $Umask 0022
 
+#
+# Stop excessive logging of sudo
+#
+:msg, contains, " pam_unix(sudo:session): session opened for user root(uid=0) by" ~
+:msg, contains, "pam_unix(sudo:session): session closed for user root" ~
+
 #
 # Include all config files in /etc/rsyslog.d/
 #
-- 
cgit v1.2.3