Closed carlalexander closed 8 years ago
I'm not sure what's the connection between fail2ban, rsyslog and rsync... I suppose that it's time to make a proper rsyslog role, with TLS and everything though. I'm working on gitlab-runner at the moment, after that I'll upgrade rsyslog role.
The rsyslog affects logs like /var/log/auth.log and compresses the log messages into this by default:

```
Mar 10 18:59:08 test wordpress[32325]: (wordpress.example.org) Authentication failure for guest
Mar 10 18:59:59 test wordpress[32325]: message repeated 3 times: [ (wordpress.example.org) Authentication failure for guest ]
```

This affects anything using that log like the default ssh jail. The recommendation is to disable that setting according to the community portal.
If you prefer to do it in debops.fail2ban, you could do something like this:

```yaml
- name: Disable rsyslog message compression
  replace:
    dest: '/etc/rsyslog.conf'
    regexp: 'RepeatedMsgReduction on'
    replace: 'RepeatedMsgReduction off'
  notify: [ 'Restart fail2ban', 'Restart rsyslog' ]
```

You'd need an extra handler to restart rsyslog, but it gets the job done.
In that case the debops.rsyslog role that manages /etc/rsyslog.conf will overwrite that change, so that won't be idempotent. But it will be definitely an option that can be set. I'm not sure if debops.rsyslog will expose some kind of interface for other roles to set those options. We'll see.
Well at the moment, debops.rsyslog doesn't manage /etc/rsyslog.conf so it's not an issue.
@carlalexander The new debops.rsyslog role has the repeated message reduction disabled by default. That should fix this issue, can you confirm when you get the chance?
Sure, I'll close this and reopen if it doesn't work for some reason :)
Ran into this working with debops.fail2ban. By default, rsyslogd compresses messages which messes with fail2ban. The solution is to change the RepeatedMsgReduction setting in /etc/rsyncd.conf. debops.rsyslog doesn't manage this file at this time. Does it make sense to have it do it?
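
The effect described in this thread, as an added example that is not code from the thread, DebOps or fail2ban: a line-anchored failure pattern is run over the two log lines quoted above, first as written and then with the rsyslog summary line expanded. The pattern, the function names and the retry threshold are hypothetical, and the example assumes the summary line stands for N further occurrences of the preceding message.

```python
import re

# Constructed sample: the two log lines quoted in the thread.
SAMPLE_LOG = """\
Mar 10 18:59:08 test wordpress[32325]: (wordpress.example.org) Authentication failure for guest
Mar 10 18:59:59 test wordpress[32325]: message repeated 3 times: [ (wordpress.example.org) Authentication failure for guest ]
"""

# Hypothetical line-anchored failure pattern (not fail2ban's shipped filter).
FAILURE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \S+ wordpress\[\d+\]: "
    r"\(\S+\) Authentication failure for (?P<user>\S+)$"
)

# Summary line rsyslog writes while RepeatedMsgReduction is on.
REPEATED = re.compile(
    r"^(?P<prefix>\w{3} +\d+ [\d:]{8} \S+ \S+\[\d+\]: )"
    r"message repeated (?P<n>\d+) times: \[ (?P<msg>.*) \]$"
)

MAXRETRY = 3  # assumed threshold for illustration


def count_naive(log):
    """Count failures the way a per-line matcher sees the compressed log."""
    return sum(1 for line in log.splitlines() if FAILURE.match(line))


def expand(log):
    """Rewrite each summary line as N copies of the message it stands for.

    The copies all carry the summary line's timestamp, because the
    original per-event timestamps are not recoverable from the log.
    """
    out = []
    for line in log.splitlines():
        m = REPEATED.match(line)
        if m:
            out.extend([m["prefix"] + m["msg"]] * int(m["n"]))
        else:
            out.append(line)
    return out


def count_expanded(log):
    """Count failures after undoing the repeated-message reduction."""
    return sum(1 for line in expand(log) if FAILURE.match(line))


def would_trigger(count, maxretry=MAXRETRY):
    return count >= maxretry
```

On the sample, the compressed log yields one match and stays under the threshold, while the expanded log yields four and crosses it.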