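---
# file: roles/common/task/logging.yml
#
# Logging baseline for the common role: restricts kernel log access, makes the
# systemd journal persistent on older releases, removes rsyslog from hosts that
# are not the syslog server, and installs journald / logrotate configuration.

# kernel.dmesg_restrict=1 stops unprivileged users from reading the kernel ring
# buffer (reading then requires CAP_SYSLOG). Kernel messages can expose
# addresses and driver details that should not be visible to every local user.
- name: restrict dmesg access to only root
  sysctl:
    name: kernel.dmesg_restrict
    value: '1'
    state: present
    # apply to the running kernel as well as persisting it in sysctl_file
    sysctl_set: true
    sysctl_file: "{{ common_sysctl_file }}"
  tags:
    - security
    - sysctl

# The two persistence tasks below are mutually exclusive on
# journal_persistent_with_package and only run when the distribution major
# version is below 11. A version that cannot be parsed as an integer falls back
# to 99, so both tasks are skipped.
# NOTE(review): presumably releases >= 11 already keep the journal on disk by
# default - confirm for every distribution this role targets.
- name: ensure system journal is a system-log-daemon with our package
  apt:
    name: systemd-journal-persistent
    state: present
  when:
    - ansible_distribution_major_version|int(default=99) < 11
    - journal_persistent_with_package
  tags:
    - syslog
    - journal

# NOTE(review): no owner/group/mode is set on /var/log/journal here; the
# notified handler is presumably what applies them - confirm, because the
# directory permissions decide who can read the stored logs.
- name: ensure systemd journal is persistent
  file:
    path: /var/log/journal
    state: directory
  when:
    - ansible_distribution_major_version|int(default=99) < 11
    - not journal_persistent_with_package
  notify:
    - configure journal directory
  tags:
    - syslog
    - journal

# Purges rsyslog on every host except the syslog server itself: the task runs
# when syslogserver is undefined, or when its host part (text before ':')
# differs from this host's FQDN.
# force-depends downgrades dpkg dependency errors to warnings, so the purge
# proceeds even if another installed package still depends on rsyslog.
# NOTE(review): after the purge, logs live only in the local journal unless a
# forwarder is configured elsewhere; confirm that off-host log retention is
# covered, since local-only logs do not survive a compromised or lost host.
- name: ensure rsyslog is absent without broken dependecies
  apt:
    name: rsyslog
    state: absent
    purge: true
    dpkg_options: "force-confdef,force-confold,force-depends"
  when:
    - syslogserver is not defined or syslogserver.split(":")[0] != ansible_fqdn
  tags:
    - syslog

# Ownership is pinned to root, matching the logrotate.conf task below, so the
# drop-in directory cannot stay owned by a non-root account that could then
# change journald retention settings.
- name: create systemd-journald config directory
  file:
    path: /etc/systemd/journald.conf.d
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - config
    - syslog

# Journal size and retention limits come from size.conf.j2 (not visible here);
# journald is restarted through the handler when the rendered file changes.
- name: configure journal size and time limits
  template:
    src: size.conf.j2
    dest: /etc/systemd/journald.conf.d/size.conf
    owner: root
    group: root
    mode: '0644'
  notify:
    - restart systemd-journald
  tags:
    - config
    - syslog
    - service

# Replaces the distribution's /etc/logrotate.conf with the role's template,
# owned by root and not writable by group or others.
- name: ensure our logrotate.conf is present
  template:
    src: logrotate.conf.j2
    dest: /etc/logrotate.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - syslog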