From 16100cf94c6696415f747cfcb0b97ff9106e9598 Mon Sep 17 00:00:00 2001
From: admingit
Date: Thu, 17 Aug 2023 11:05:53 +0200
Subject: [PATCH] add_conf_Rsyslog
---
 Config_Rsyslog/01-Splunk_Forwarder.conf | 63 +++++++++++++++++++
 Deploy_Conf_Rsyslog_Linux.yml | 7 +++
 .../tasks/Deploy_Confrsyslog-to-hf-uf.yml | 8 +++
 3 files changed, 78 insertions(+)
 create mode 100644 Config_Rsyslog/01-Splunk_Forwarder.conf
 create mode 100644 Deploy_Conf_Rsyslog_Linux.yml
 create mode 100644 roles/splunk_deploy_uf/tasks/Deploy_Confrsyslog-to-hf-uf.yml
diff --git a/Config_Rsyslog/01-Splunk_Forwarder.conf b/Config_Rsyslog/01-Splunk_Forwarder.conf
new file mode 100644
index 0000000..3c12d4a
--- /dev/null
+++ b/Config_Rsyslog/01-Splunk_Forwarder.conf
@@ -0,0 +1,63 @@
+# Configuration rsyslog pour utiliser avec un Splunk Forwarder a copier dans /etc/rsyslog.d
+
+#--------------------------Modules-----------------------------
+
+$ModLoad imudp
+$ModLoad imtcp
+
+#--------------------------Protocoles--------------------------
+
+$UDPServerRun 514
+$UDPServerRun 5140
+$InputTCPServerRun 514
+
+#--------------------------Folder------------------------------
+
+$DirCreateMode 0755
+$FileCreateMode 0640
+$DirOwner splunk
+$DirGroup splunk
+$FileOwner splunk
+$FileGroup splunk
+
+$RuleSet RSYSLOG_DefaultRuleSet
+
+#--------------------------Templates---------------------------
+
+#Template Cisco
+#$template ciscoasa,"/var/rsyslog/%$myhostname%/ciscoasa/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Fortigate
+$template fortigate,"/var/rsyslog/%$myhostname%/fortigate/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Esxi
+$template esxi,"/var/rsyslog/%$myhostname%/esxi/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Linux
+$template linux,"/var/rsyslog/%$myhostname%/linux/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Switch
+#$template switch,"/var/rsyslog/%$myhostname%/switch/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+# Catch All
+$template catchother,"/var/rsyslog/%$myhostname%/catchother/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#-------------------------Filtres------------------------------
+
+if $msg contains_i ' devid="FG' then -?fortigate
+& stop
+
+if $hostname contains_i 'srvesx' then -?esxi
+& stop
+
+if $hostname contains_i 'svl' then -?linux
+& stop
+
+#if $hostname contains 'SWI' then -?switch
+#& stop
+
+#if $syslogtag contains '%ASA' then -?ciscoasa
+#& stop
+
+if $fromhost != $$myhostname then -?catchother
+& stop
diff --git a/Deploy_Conf_Rsyslog_Linux.yml b/Deploy_Conf_Rsyslog_Linux.yml
new file mode 100644
index 0000000..bd7e0c2
--- /dev/null
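Review bot: Every `$template` line builds the output path from the sender-supplied `%HOSTNAME%` property, so a forged syslog header carrying `/` or `..` could place the dynafile outside the intended per-host directory; rsyslog's property-replacer options exist for exactly this, e.g. `%HOSTNAME:::secpath-replace%` in each template. The listeners `$UDPServerRun 514`, `$UDPServerRun 5140` and `$InputTCPServerRun 514` bind all interfaces by default; if the receiver is only meant for one network, add a `$UDPServerAddress <listen-address>` line before them. The `contains_i 'svl'` and `contains_i 'srvesx'` filters are substring matches anywhere in the hostname, so the naming convention they depend on deserves a comment such as `# hostnames containing 'svl' are routed to the linux template`. The legacy `$...` directive syntax still works but is deprecated upstream in favour of the `module(load=...)`/`input(...)` RainerScript form, which would be the better choice for a newly created file.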
+++ b/Deploy_Conf_Rsyslog_Linux.yml
@@ -0,0 +1,7 @@
+---
+- name: "Deploy Conf Rsyslog for Splunk UF/HF Linux"
+  become: yes
+  hosts: splunk_uf_Linux
+  tasks:
+    - name: Deploy_Uf_LIN
+      include_tasks: roles/splunk_deploy_uf/tasks/Deploy_Confrsyslog-to-hf-uf.yml
\ No newline at end of file
diff --git a/roles/splunk_deploy_uf/tasks/Deploy_Confrsyslog-to-hf-uf.yml b/roles/splunk_deploy_uf/tasks/Deploy_Confrsyslog-to-hf-uf.yml
new file mode 100644
index 0000000..bdb7fbd
--- /dev/null
+++ b/roles/splunk_deploy_uf/tasks/Deploy_Confrsyslog-to-hf-uf.yml
@@ -0,0 +1,8 @@
+- name: Copier la configuration Rsyslog
+  become: yes
+  become_user: "{{ privileged_user }}"
+  copy:
+    src: "{{ playbook_dir }}/Config_Rsyslog/01-Splunk_Forwarder.conf"
+    dest: /etc/rsyslog.d/
+    owner: root
+    group: root
\ No newline at end of file
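Review bot: `include_tasks` with a hard-coded relative path into `roles/splunk_deploy_uf/tasks/` bypasses the role mechanism, so the role's defaults, vars and handlers are not loaded, which matters because the included task file references `privileged_user` and nothing in this play defines it; `- import_role: { name: splunk_deploy_uf, tasks_from: Deploy_Confrsyslog-to-hf-uf }` keeps the role context. The play-level `become: yes` is repeated at task level in the included file, so one of the two can go. The file is also missing its trailing newline.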
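Review bot: The `copy` task drops a new file into `/etc/rsyslog.d/` but nothing reloads rsyslog, so the listeners it declares on 514/udp, 5140/udp and 514/tcp will not come up until the daemon is restarted by some other means; add `notify: Restart rsyslog` to the task and a matching handler in the role (`service`/`systemd` with `state: restarted`). No `mode` is given, so the file's permissions depend on the remote umask — pin them with `mode: '0644'`. The install can also be gated on a syntax check with `validate: 'rsyslogd -N1 -f %s'` so a broken file never reaches the live directory. Since `become_user: "{{ privileged_user }}"` must be able to write `/etc/rsyslog.d/` and chown to root, it is presumably always root here, in which case the line is redundant with `become: yes`; and every host in `splunk_uf_Linux` becomes a network syslog receiver once this runs, which should be intended for the whole group and reflected in its firewall rules.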