ansible_security.log_manager
log_manager
An Ansible role for managing logs on various firewall devices.
Currently supported providers:
- Check Point
- Trend Micro
Requirements
This role works on Red Hat Enterprise Linux 7.x, or similar distributions like CentOS 7 and Scientific Linux 7.
To use the Trend Micro provider with log_manager, you need to have the Trend Micro DeepSecurity collection installed.
Functions
forward_logs_to_syslog
- Forwards logs from the firewall device to an outside syslog server.
unforward_logs_to_syslog
- Stops forwarding logs from the firewall device to an outside syslog server.
Example Playbook
- For Check Point:
    - hosts: checkpoint
      connection: httpapi
      tasks:
        - include_role:
            name: log_manager
            tasks_from: forward_logs_to_syslog
          vars:
            # Outside syslog server that receives the forwarded logs
            syslog_server: 192.168.0.1
            checkpoint_server_name: test
            firewall_provider: checkpoint
- For Trend Micro Deep Security:
- First, set up the Syslog configuration as described in the TM Deepsec collection Readme. This configuration needs ansible_user and ansible_httpapi_pass in the inventory file due to the legacy TM REST API.
    - hosts: deepsec
      connection: httpapi
      tasks:
        - include_role:
            name: log_manager
            tasks_from: create_syslog_config
          vars:
            # Outside syslog server the new Syslog configuration points to
            syslog_server: 192.168.0.1
            trendmicro_syslog_config_name: test
            firewall_provider: trendmicro
            state: present
- After creating the Syslog configuration, you need to register the policy in the System Settings under Event Forwarding. Remember, this uses the newer REST API, which requires api_key in the inventory file for the role to update the settings.
    - hosts: deepsec
      connection: httpapi
      tasks:
        - include_role:
            name: log_manager
            tasks_from: forward_logs_to_syslog
          vars:
            firewall_provider: trendmicro
            state: present
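An inventory layout for the two Trend Micro steps above, added here as an example and not taken from the role's own documentation. It supplies ansible_user, ansible_httpapi_pass and api_key from an Ansible Vault file instead of plaintext. The host name, file paths, vault_* variable names and the ansible_network_os value are assumptions.

```yaml
# Constructed example, not from the role's documentation.
# File 1: inventory/deepsec.yml (host name is a placeholder)
all:
  children:
    deepsec:
      hosts:
        dsm.example.com:
      vars:
        # httpapi plugin of the Trend Micro Deep Security collection (assumed value)
        ansible_network_os: trendmicro.deepsec.deepsec
        ansible_httpapi_use_ssl: true
        ansible_httpapi_validate_certs: true

        # Step 1 (create_syslog_config) goes through the legacy REST API
        # and logs in with a user name and password.
        #   Weak:  ansible_httpapi_pass: "S3cret!"   <- plaintext in the repository
        ansible_user: "{{ vault_deepsec_user }}"
        ansible_httpapi_pass: "{{ vault_deepsec_password }}"

        # Step 2 (forward_logs_to_syslog) goes through the newer REST API
        # and authenticates with an API key.
        api_key: "{{ vault_deepsec_api_key }}"
---
# File 2: inventory/group_vars/deepsec/vault.yml
# Keep this file encrypted at rest:
#   ansible-vault encrypt inventory/group_vars/deepsec/vault.yml
vault_deepsec_user: "CHANGE_ME"
vault_deepsec_password: "CHANGE_ME"
vault_deepsec_api_key: "CHANGE_ME"
```

Run the playbooks with --ask-vault-pass (or --vault-id) so the vaulted values are decrypted at run time.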
License
GPLv3
Author Information
Install
ansible-galaxy install ansible_security.log_manager