Description
What are you seeing
CIS/STIG products that audit rsyslog configurations use regular expression checks that expect the action() configuration to be on a single line. Regex such as:

`^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget="?[^#"]+"?\b`

and

`^\s*\*\.\*\s+@`

will fail even if the configuration is correct but spans multiple lines. For example, the following configuration will fail the regex even though the configuration is correct:
```
# all_logs_to_siem
*.*;local6.none action(type="omfwd"
target="siem-01.example.com"
protocol="udp"
port="514")
```

```
[root@cis-01d rsyslog.d]# egrep '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget="?[^#"]+"?\b' siem.conf
```
However, if the configuration for the 'omfwd' action were on a single line, the regex would pass.

```
[root@cis-01d rsyslog.d]# cat siem.conf
# all_logs_to_siem
*.*;local6.none action(type="omfwd" target="siem-01.example.com" protocol="udp" port="514")
[root@cis-01d rsyslog.d]# egrep '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget="?[^#"]+"?\b' siem.conf
*.*;local6.none action(type="omfwd" target="siem-01.example.com" protocol="udp" port="514")
[root@cis-01d rsyslog.d]#
```
I propose modifying the action.epp template so that it's possible to configure the action() section to be on a single line when desired.
Perhaps parameterizing this integer or this integer.
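The mismatch described above can be reproduced and checked outside of a full CIS scan. The following is an added example, not code from this issue or from the rsyslog Puppet module: it runs the issue's single-line `target=` regex over a multi-line action() stanza (constructed here to mirror the one above), shows that no line matches, then joins each action(...) stanza onto one line (tracking parentheses outside double quotes and ignoring `#` comments) and shows that the same regex then matches. The helper names `join_action_stanzas`, `passes_check` and `_paren_delta` are this example's own.

```python
import re

# Single-line audit regex quoted in the issue (CIS/STIG style check).
ACTION_TARGET_RE = re.compile(r'^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget="?[^#"]+"?\b')

# Constructed sample: the multi-line omfwd stanza from the issue.
MULTILINE_CONF = """# all_logs_to_siem
*.*;local6.none action(type="omfwd"
                       target="siem-01.example.com"
                       protocol="udp"
                       port="514")
"""


def _paren_delta(line):
    """Net count of '(' minus ')' outside double-quoted strings.
    A '#' outside quotes starts a comment and ends the scan."""
    delta = 0
    in_quote = False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == '#':
            break
        elif ch == '(':
            delta += 1
        elif ch == ')':
            delta -= 1
    return delta


def join_action_stanzas(text):
    """Return the config with every multi-line action(...) stanza collapsed
    onto a single line. Comment and blank lines outside a stanza are kept
    as-is; an unterminated stanza at EOF is emitted unchanged."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if depth == 0:
            if not stripped or stripped.startswith('#'):
                out.append(line)
                continue
            buf = [stripped]
        elif stripped:
            buf.append(stripped)
        depth += _paren_delta(stripped)
        if depth <= 0:
            out.append(' '.join(buf))
            buf, depth = [], 0
    if buf:
        out.extend(buf)
    return '\n'.join(out) + '\n'


def passes_check(text, pattern=ACTION_TARGET_RE):
    """True if any single line of the config satisfies the audit regex,
    which is how a line-oriented grep evaluates it."""
    return any(pattern.search(line) for line in text.splitlines())


if __name__ == '__main__':
    print('multi-line stanza passes:', passes_check(MULTILINE_CONF))
    joined = join_action_stanzas(MULTILINE_CONF)
    print(joined)
    print('single-line stanza passes:', passes_check(joined))
```

Running the block prints `False` for the multi-line form and `True` after joining, which is the same behaviour the two `egrep` runs above show. The joiner is only a demonstration of why emitting action() on one line satisfies such checks; the proposal in the issue is to have the template produce that form directly rather than post-process the file.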