Allow traffic from Fastly to 5141 instead and set up syslog-ng rules
authorTollef Fog Heen <tfheen@err.no>
Mon, 7 Aug 2017 16:30:18 +0000 (18:30 +0200)
committerTollef Fog Heen <tfheen@err.no>
Mon, 7 Aug 2017 16:30:38 +0000 (18:30 +0200)
modules/ferm/manifests/per_host.pp
modules/syslog_ng/templates/syslog-ng.conf.erb

index 7dca252..6b4fcea 100644 (file)
@@ -46,7 +46,7 @@ class ferm::per_host {
                        }
                        @ferm::rule { 'fastly-syslog':
                                description     => 'Allow syslog access',
-                               rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_FASTLY)'
+                               rule            => '&SERVICE_RANGE(tcp, 5141, $HOST_FASTLY)'
                        }
                }
                kaufmann: {
index 6a3688c..89c77ed 100644 (file)
@@ -132,6 +132,16 @@ source s_network {
 };
 <%- end -%>
 
+<%- if (@hostname == "lully") -%>
+source s_network_fastly {
+       tcp6(port(5141) max-connections(100)
+               tls( key_file("/etc/exim4/ssl/thishost.key")
+                    cert_file("/etc/exim4/ssl/thishost.crt")
+                    peer-verify(optional-untrusted))
+       );
+};
+<%- end -%>
+
 
 ######
 # destinations
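Review bot: `peer-verify(optional-untrusted)` on the new `s_network_fastly` source makes TLS accept any client, with or without a valid certificate. The only sender restriction on port 5141 is therefore the ferm `$HOST_FASTLY` address rule changed in per_host.pp. If that address range is shared with other Fastly customers (not visible from this commit), any of them could write into this source. I would add a comment above the source such as `# TLS gives encryption only; senders are not authenticated, access is limited by the ferm fastly-syslog rule`, and, if the sending side can present a client certificate, switch to `peer-verify(required-trusted)` with a `ca-dir()`. The source also reuses the exim4 key at `/etc/exim4/ssl/thishost.key`; whether the syslog-ng process can read that file depends on permissions not shown here.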
@@ -557,3 +567,11 @@ log { source(s_local);
       source(s_network);
       filter(f_syslog); destination(df_ALL_syslog); };
 <%- end -%>
+
+<%- if (@hostname == "lully") -%>
+destination fastly { file("/var/log/fastly.log" };
+
+log { source(s_network_fastly);
+      destination(fastly); };
+
+<%- end -%>
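Review bot: The added `destination fastly` line never closes the `file(` call, so syslog-ng will most likely reject the generated configuration on lully and fail to start or reload. It should read `destination fastly { file("/var/log/fastly.log"); };`. Because this file is fed by a network source that does not authenticate senders, it is also worth confirming that `/var/log/fastly.log` is covered by log rotation, which this commit does not show.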