Adjust firewalld logging

bviktor · bviktor · commit 0cf8baa00631 · 2023-03-04T13:18:05.000+01:00
Refs #70 Refs #73
diff --git a/roles/install/files/firewalld-denied.conf b/roles/install/files/firewalld-denied.conf
@@ -0,0 +1,9 @@
+:msg, regex, ".*_DROP: .* DPT=7777 .*" /var/log/firewalld-denied-kf2.log
+& stop
+:msg, regex, ".*_REJECT: .* DPT=7777 .*" /var/log/firewalld-denied-kf2.log
+& stop
+
+:msg, contains, "_DROP: " /var/log/firewalld-denied.log
+& stop
+:msg, contains, "_REJECT: " /var/log/firewalld-denied.log
+& stop
diff --git a/roles/install/files/kf2-ddos.conf b/roles/install/files/kf2-ddos.conf
diff --git a/roles/install/handlers/main.yml b/roles/install/handlers/main.yml
@@ -12,3 +12,8 @@
   systemd:
     name: rsyslog.service
     state: restarted
+
+- name: Reload journald configuration
+  systemd:
+    name: systemd-journald.service
+    state: restarted
diff --git a/roles/install/tasks/firewalld.yml b/roles/install/tasks/firewalld.yml
@@ -10,21 +10,33 @@
     state: started
     enabled: true
 
-- name: Configure KF2 DDoS logging
+- name: Redirect logging of denied packets
   copy:
-    src: kf2-ddos.conf
-    dest: /etc/rsyslog.d/kf2-ddos.conf
+    src: firewalld-denied.conf
+    dest: /etc/rsyslog.d/firewalld-denied.conf
     owner: root
     group: root
     mode: '0644'
   notify: Reload rsyslog configuration
 
-- name: Log packets denied by firewalld
-  lineinfile:
-    path: /etc/firewalld/firewalld.conf
-    regexp: '^LogDenied='
-    line: LogDenied=all
-  notify: Reload firewalld configuration
+- name: Limit journald storage
+  ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: SystemMaxUse
+    value: 100M
+    no_extra_spaces: true
+    create: false
+    backup: true
+  notify: Reload journald configuration
+
+# This will be enabled on-demand via klf
+#- name: Log packets denied by firewalld
+#  lineinfile:
+#    path: /etc/firewalld/firewalld.conf
+#    regexp: '^LogDenied='
+#    line: LogDenied=all
+#  notify: Reload firewalld configuration
 
 - include_role:
     name: bviktor.firewalld
@@ -41,6 +53,8 @@
 - include_role:
     name: bviktor.logrotate
   vars:
-    name: kf2-ddos
-    pattern: /var/log/kf2-ddos.log
+    name: firewalld-denied
+    pattern: |-
+      /var/log/firewalld-denied.log
+      /var/log/firewalld-denied-kf2.log
     retention: 7
