Init

.github/workflows/ansible_lint.yaml

@@ -0,0 +1,16 @@
+name: ansible-lint
+on:
+  pull_request:
+jobs:
+  build:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@6178262c7e0d5e9792b5990d40029047760b8f09
+        with:
+          args: "--exclude .ansible/collections/"
+          setup_python: "true"
+          working_directory: "./ansible/"
+          requirements_file: ""

.github/workflows/deploy.yaml

@@ -0,0 +1,37 @@
+name: Deploy Environments
+permissions: read-all
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    branches:
+      - main
+
+jobs:
+  # deploy_prod3:
+  #   name: Deploy prod3
+  #   uses: ./.github/workflows/deploy_syslog.yaml
+  #   with:
+  #     environment: prod3
+  #   secrets: inherit
+  #   #if: github.ref == 'refs/heads/main'
+
+  deploy_prod2:
+    name: Deploy prod2
+    uses: ./.github/workflows/deploy_syslog.yaml
+    with:
+      environment: prod2
+    secrets: inherit
+    # needs: deploy_prod3
+    if: github.ref == 'refs/heads/main'
+
+  deploy_prod1:
+    name: Deploy prod1
+    uses: ./.github/workflows/deploy_syslog.yaml
+    with:
+      environment: prod1
+    secrets: inherit
+    needs: deploy_prod2
+    if: github.ref == 'refs/heads/main'

.github/workflows/deploy_syslog.yaml

@@ -0,0 +1,87 @@
+name: Deploy Syslog Infra
+permissions: read-all
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+
+env:
+  # Secrets
+  TF_VAR_proxmox_host: ${{ secrets.TF_VAR_PROXMOX_HOST }}
+  TF_VAR_proxmox_token_id: ${{ secrets.TF_VAR_PROXMOX_TOKEN_ID }}
+  TF_VAR_proxmox_token_secret: ${{ secrets.TF_VAR_PROXMOX_TOKEN_SECRET }}
+  TF_VAR_local_password: ${{ secrets.TF_VAR_LOCAL_PASSWORD }}
+  TF_VAR_datadog_api_key: ${{ secrets.DATADOG_API_KEY }}
+  TF_VAR_datadog_site: ${{ secrets.DATADOG_SITE }}
+  # Credentials for deployment to AWS
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  # S3 bucket for the Terraform state
+  BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE}}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # @v4
+
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #@v5
+        with:
+          python-version: '3.11'
+
+      - name: Setup ansible
+        run: pip install ansible passlib==1.7.4 && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml
+
+      - name: Setup Terraform with specified version on the runner
+        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3
+        with:
+          terraform_version: 1.8.3
+
+      - name: Setup backend
+        run: |
+          echo "bucket = \"${{ secrets.BUCKET_TF_STATE }}\"" > backend.tfvars
+          echo "key    = \"terraform/state/syslog-${{ inputs.environment }}.tfstate\"" >> backend.tfvars
+        working-directory: ./terraform/
+
+      - name: Terraform init
+        id: init
+        run: terraform init -backend-config=backend.tfvars
+        working-directory: ./terraform/
+
+      - name: Terraform format
+        id: fmt
+        run: terraform fmt -check
+        working-directory: ./terraform/
+
+      - name: Terraform validate
+        run: |
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > logssh
+          echo "${{ secrets.SSH_PUBLIC_KEY }}" > logssh.pub
+          chmod 600 logssh
+          chmod 600 logssh.pub
+          terraform validate
+        working-directory: ./terraform/
+
+      - name: Setup WireGuard
+        run:  |
+          sudo apt-get update && sudo apt-get install -y wireguard
+          echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey
+          sudo ip link add dev wg0 type wireguard
+          sudo ip address add dev wg0 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.WIREGUARD_PEER }}
+          sudo wg set wg0 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }}
+          sudo ip link set up dev wg0
+          rm privatekey
+
+      - name: Terraform Apply
+        run: |
+          terraform apply -auto-approve -input=false -var-file=${{ inputs.environment }}.tfvars
+        working-directory: ./terraform/
+
+      - name: Run playbook
+        run: sleep 20 && export PATH="$HOME/.local/bin:$PATH" && ansible-playbook -i inventory.yaml syslog.yaml
+        working-directory: ./ansible/

.gitignore

@@ -0,0 +1,2 @@
+data/
+.vscode/

README.md

@@ -1 +1,20 @@
 # syslog-infra
+
+## Ports
+
+| Port        | Protocol           | Device Type |
+| ------------- | ------------- | ------------- |
+| 514 | UDP | Mikrotik Router OS + Siklu (opt in static IPs) |
+| 515 | UDP | APC UPS |
+| 516 | UDP | Ubiquiti airOS |
+| 517 | UDP | Brocade |
+| 518 | UDP | iLO |
+| 519 | UDP | iDRAC |
+| 520 | UDP | Netgear |
+
+## Add a new port
+
+1. Add a new file under [ansible/roles/log_collector/files/](./ansible/roles/log_collector/files/)
+2. Add the port + ruleset mapping to [ansible/roles/log_collector/files/rsyslog.conf](./ansible/roles/log_collector/files/rsyslog.conf)
+3. Add the 3 mappings in [ansible/roles/log_collector/tasks/main.yaml](./ansible/roles/log_collector/tasks/main.yaml) for DD ingestion, file creation, and config file transfer.
+4. Update the table in this file.

ansible/ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+host_key_checking = False
+callbacks_enabled = timer, profile_tasks, profile_roles
+gathering = 'explicit'
+pipelining = True
+
+[ssh_connection]
+ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -o ControlMaster=auto -o ControlPersist=60s'

ansible/inventory.yaml

@@ -0,0 +1,3 @@
+---
+plugin: cloud.terraform.terraform_provider
+project_path: "../terraform"

ansible/roles/log_collector/files/10-port514.conf

@@ -0,0 +1,23 @@
+# Siklu + Mikrotik Logs Conf
+
+ruleset(name="port514"){
+    # Siklu nycmesh-162-eh8010-713
+    # Siklu nycmesh-713-eh8010-162
+    # Siklu nycmesh-5916-eh8010-1933
+    # Siklu nycmesh-1933-eh8010-5916
+    if 
+      ( $fromhost-ip == "10.96.40.189" ) or
+      ( $fromhost-ip == "10.70.95.67" ) or
+      ( $fromhost-ip == "10.70.181.10" ) or
+      ( $fromhost-ip == "10.70.188.69" )
+      then {
+        action(type="omfile" template="siklu" file="/var/log/siklu.log")
+    } else if 
+          ( $fromhost-ip == "10.96.131.248" )
+      then {
+        action(type="omfile" file="/var/log/cambium.log")
+    # Standard mikrotik
+    } else {
+        action(type="omfile" file="/var/log/mikrotik.log")
+    }
+}

ansible/roles/log_collector/files/20-apc.conf

@@ -0,0 +1,4 @@
+# UPS logs
+ruleset(name="apc"){
+    action(type="omfile" file="/var/log/apc.log")
+}

ansible/roles/log_collector/files/30-ubiquiti.conf

@@ -0,0 +1,4 @@
+# Ubiquiti airOS logs
+ruleset(name="ubiquiti"){
+    action(type="omfile" file="/var/log/ubiquiti.log")
+}

ansible/roles/log_collector/files/40-brocade.conf

@@ -0,0 +1,4 @@
+# Brocade logs
+ruleset(name="brocade"){
+    action(type="omfile" file="/var/log/brocade.log")
+}

ansible/roles/log_collector/files/50-ilo.conf

@@ -0,0 +1,4 @@
+# iLo logs
+ruleset(name="ilo"){
+    action(type="omfile" file="/var/log/ilo.log")
+}

ansible/roles/log_collector/files/60-idrac.conf

@@ -0,0 +1,4 @@
+# iDRAC logs
+ruleset(name="idrac"){
+    action(type="omfile" file="/var/log/idrac.log")
+}

ansible/roles/log_collector/files/70-netgear.conf

@@ -0,0 +1,4 @@
+# netgear logs
+ruleset(name="netgear"){
+    action(type="omfile" file="/var/log/netgear.log")
+}

ansible/roles/log_collector/files/rsyslog.conf

@@ -0,0 +1,130 @@
+# /etc/rsyslog.conf configuration file for rsyslog
+#
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+#module(load="imklog")   # provides kernel logging support
+#module(load="immark")  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+module(load="imudp")
+input(type="imudp" port="514" ruleset="port514")
+input(type="imudp" port="515" ruleset="apc")
+input(type="imudp" port="516" ruleset="ubiquiti")
+input(type="imudp" port="517" ruleset="brocade")
+input(type="imudp" port="518" ruleset="ilo")
+input(type="imudp" port="519" ruleset="idrac")
+input(type="imudp" port="520" ruleset="netgear")
+
+# provides TCP syslog reception
+module(load="imtcp")
+input(type="imtcp" port="514")
+
+###################
+#### TEMPLATES ####
+###################
+
+# Siklu
+template(name="siklu" type="list"){
+    property(name="timestamp" dateFormat="rfc3339")
+    constant(value=" ")
+    property(name="fromhost")
+    constant(value=" ")
+    property(name="syslogtag")
+    property(name="msg" controlcharacters="drop")
+    constant(value="\n")
+}
+
+# For debugging
+template(name="RSYSLOG_DebugFormat" type="list") {
+     constant(value="Debug line with all properties:\nFROMHOST: '")
+     property(name="fromhost")
+     constant(value="', fromhost-ip: '")
+     property(name="fromhost-ip")
+     constant(value="', HOSTNAME: '")
+     property(name="hostname")
+     constant(value="', PRI: '")
+     property(name="pri")
+     constant(value=",\nsyslogtag '")
+     property(name="syslogtag")
+     constant(value="', programname: '")
+     property(name="programname")
+     constant(value="', APP-NAME: '")
+     property(name="app-name")
+     constant(value="', PROCID: '")
+     property(name="procid")
+     constant(value="', MSGID: '")
+     property(name="msgid")
+     constant(value="',\nTIMESTAMP: '")
+     property(name="timereported")
+     constant(value="', STRUCTURED-DATA: '")
+     property(name="structured-data")
+     constant(value="',\nmsg: '")
+     property(name="msg")
+     constant(value="'\nescaped msg: '")
+     property(name="msg" controlcharacters="drop")
+     constant(value="'\ninputname: ")
+     property(name="inputname")
+     constant(value=" rawmsg: '")
+     property(name="rawmsg")
+     constant(value="'\n$!:")
+     property(name="$!")
+     constant(value="\n$.:")
+     property(name="$.")
+     constant(value="\n$/:")
+     property(name="$/")
+     constant(value="\n\n")
+}
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup dd-agent
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# Log anything besides private authentication messages to a single log file
+#
+*.*;auth,authpriv.none          -/var/log/syslog
+
+#
+# Log commonly used facilities to their own log file
+#
+auth,authpriv.*                 /var/log/auth.log
+cron.*                          -/var/log/cron.log
+kern.*                          -/var/log/kern.log
+mail.*                          -/var/log/mail.log
+user.*                          -/var/log/user.log
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg                         :omusrmsg:*