From 0cf8baa006310684b03fa43df52277337d2472d4 Mon Sep 17 00:00:00 2001
From: Viktor Berke
Date: Sat, 4 Mar 2023 13:18:05 +0100
Subject: [PATCH] Adjust firewalld logging

Refs #70
Refs #73
---
 roles/install/files/firewalld-denied.conf | 9 ++++++
 roles/install/files/kf2-ddos.conf | 4 ---
 roles/install/handlers/main.yml | 5 ++++
 roles/install/tasks/firewalld.yml | 36 ++++++++++++++++-------
 4 files changed, 39 insertions(+), 15 deletions(-)
 create mode 100644 roles/install/files/firewalld-denied.conf
 delete mode 100644 roles/install/files/kf2-ddos.conf

diff --git a/roles/install/files/firewalld-denied.conf b/roles/install/files/firewalld-denied.conf
new file mode 100644
index 0000000..7dc12c8
--- /dev/null
+++ b/roles/install/files/firewalld-denied.conf
@@ -0,0 +1,9 @@
+:msg, regex, ".*_DROP: .* DPT=7777 .*" /var/log/firewalld-denied-kf2.log
+& stop
+:msg, regex, ".*_REJECT: .* DPT=7777 .*" /var/log/firewalld-denied-kf2.log
+& stop
+
+:msg, contains, "_DROP: " /var/log/firewalld-denied.log
+& stop
+:msg, contains, "_REJECT: " /var/log/firewalld-denied.log
+& stop
diff --git a/roles/install/files/kf2-ddos.conf b/roles/install/files/kf2-ddos.conf
deleted file mode 100644
index da301c8..0000000
--- a/roles/install/files/kf2-ddos.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-:msg, regex, ".*_DROP: .* DPT=7777 .*" /var/log/kf2-ddos.log
-& stop
-:msg, regex, ".*_REJECT: .* DPT=7777 .*" /var/log/kf2-ddos.log
-& stop
diff --git a/roles/install/handlers/main.yml b/roles/install/handlers/main.yml
index 4d1fcd3..03ada07 100644
--- a/roles/install/handlers/main.yml
+++ b/roles/install/handlers/main.yml
@@ -12,3 +12,8 @@
   systemd:
     name: rsyslog.service
     state: restarted
+
+- name: Reload journald configuration
+  systemd:
+    name: systemd-journald.service
+    state: restarted
diff --git a/roles/install/tasks/firewalld.yml b/roles/install/tasks/firewalld.yml
index 3b400a9..6c69862 100644
--- a/roles/install/tasks/firewalld.yml
+++ b/roles/install/tasks/firewalld.yml
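Review bot: The selectors in firewalld-denied.conf filter on message text alone, so any syslog line containing `_DROP: ` or `_REJECT: ` from any facility or program is diverted and, because each rule ends in `& stop`, never reaches the default log; if only the kernel messages produced by firewalld's LogDenied are intended, adding a kern facility condition to the selector would keep unrelated messages where they belong — to be confirmed against the rsyslog version on the targets. The ordering is load-bearing: the two DPT=7777 rules must stay above the generic ones, since the first match stops processing, and a header comment such as `# Order matters: port-7777 rules first; every rule ends with '& stop'` would make that explicit. The regex rules also match any protocol, so TCP and UDP hits on 7777 land in the same kf2 file, which is fine if intended.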
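Review bot: The new handler is named `Reload journald configuration` but runs `state: restarted`; this mirrors the rsyslog handler directly above it, so the mismatch is at least consistent, but the name understates what happens to the service. If the systemd version on the targets lets journald re-read journald.conf on `systemctl reload`, `state: reloaded` would match the name; otherwise renaming the handler to `Restart journald` avoids the surprise. In either case a short comment, `# journald.conf changes only take effect after a restart/reload`, would tell the next reader why the handler exists.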
@@ -10,21 +10,33 @@
     state: started
     enabled: true
 
-- name: Configure KF2 DDoS logging
+- name: Redirect logging of denied packets
   copy:
-    src: kf2-ddos.conf
-    dest: /etc/rsyslog.d/kf2-ddos.conf
+    src: firewalld-denied.conf
+    dest: /etc/rsyslog.d/firewalld-denied.conf
     owner: root
     group: root
     mode: '0644'
   notify: Reload rsyslog configuration
 
-- name: Log packets denied by firewalld
-  lineinfile:
-    path: /etc/firewalld/firewalld.conf
-    regexp: '^LogDenied='
-    line: LogDenied=all
-  notify: Reload firewalld configuration
+- name: Limit journald storage
+  ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: SystemMaxUse
+    value: 100M
+    no_extra_spaces: true
+    create: false
+    backup: true
+  notify: Reload journald configuration
+
+# This will be enabled on-demand via klf
+#- name: Log packets denied by firewalld
+#  lineinfile:
+#    path: /etc/firewalld/firewalld.conf
+#    regexp: '^LogDenied='
+#    line: LogDenied=all
+#  notify: Reload firewalld configuration
 
 - include_role:
     name: bviktor.firewalld
@@ -41,6 +53,8 @@
 - include_role:
     name: bviktor.logrotate
   vars:
-    name: kf2-ddos
-    pattern: /var/log/kf2-ddos.log
+    name: firewalld-denied
+    pattern: |-
+      /var/log/firewalld-denied.log
+      /var/log/firewalld-denied-kf2.log
     retention: 7
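Review bot: Swapping the copy task's `src`/`dest` to the new filename leaves `/etc/rsyslog.d/kf2-ddos.conf` and `/var/log/kf2-ddos.log` in place on hosts provisioned with the previous version, so the old rules stay loaded next to the new ones and the old log silently stops being rotated; a removal task that notifies the existing rsyslog handler would make the play converge on those hosts. The commented-out LogDenied task would be clearer as a real task gated by a role variable in `when:`, since the comment block also means nothing resets `LogDenied=all` on hosts where the old play already set it. For the journald change, writing a drop-in under `/etc/systemd/journald.conf.d/` with `create: true` instead of editing the vendor file would also avoid the hard failure from `create: false` on a host where `/etc/systemd/journald.conf` is missing — assuming the target systemd honours drop-ins for journald.conf.

```yaml
- name: Remove superseded KF2 DDoS rsyslog rules
  file:
    path: /etc/rsyslog.d/kf2-ddos.conf
    state: absent
  notify: Reload rsyslog configuration

# … unchanged: Redirect logging of denied packets task …
```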
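Review bot: The multi-line `pattern: |-` hands the `bviktor.logrotate` role a string containing a newline; whether that renders as two paths in the logrotate stanza depends on how the role's template emits the value, which is not visible here, so the rendered file under `/etc/logrotate.d/` is worth checking once — a single quoted path with an embedded newline would rotate nothing. The rename from `kf2-ddos` also drops `/var/log/kf2-ddos.log` from rotation while the file still exists on previously provisioned hosts; either keep the old path in the pattern for one retention cycle or remove the file explicitly.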