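---
# Play 1: turn the log-server host into a central rsyslog receiver.
# Each lineinfile regexp below matches BOTH the commented and the
# uncommented form of the directive: if it matched only the "#..." form,
# the second run would find no match and lineinfile would append a
# duplicate directive at EOF (rsyslog refuses double module loads).
- hosts: log-server
  become: true
  tasks:
    - name: enable UDP remote suslog
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?module\(load="imudp"\)'
        line: 'module(load="imudp")'
      notify: restart syslog

    # NOTE(review): this input listens on every interface and accepts
    # syslog from any sender unauthenticated; restrict the source range at
    # the host firewall (or bind with the input's `address=` parameter).
    - name: enable UDP remote suslog port
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?input\(type="imudp" port="514"\)'
        line: 'input(type="imudp" port="514")'
      notify: restart syslog

    - name: enable TCP remote suslog
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?module\(load="imtcp"\)'
        line: 'module(load="imtcp")'
      notify: restart syslog

    - name: enable TCP remote suslog port
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?input\(type="imtcp" port="514"\)'
        line: 'input(type="imtcp" port="514")'
      notify: restart syslog

    # Remote messages are split per sender IP and per program name; audit
    # records forwarded by audisp-remote (identified by 'msg=audit' in the
    # message body) are collected under "audit.log" instead of the program
    # name. The block is appended at EOF by blockinfile, so it runs after
    # whatever rules rsyslog.conf includes before it; confirm the include
    # order on the target if local logs go missing.
    - name: conf remote suslog
      blockinfile:
        path: /etc/rsyslog.conf
        block: |
          if ($fromhost-ip != '127.0.0.1' and $msg contains 'msg=audit') then {
            set $.progname_change = "audit";
          } else {
            set $.progname_change = $programname;
          }
          $template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%$.progname_change%.log"
          *.* ?RemoteLogs
          & ~
      notify: restart syslog
  handlers:
    # "syslog" is the systemd alias unit for rsyslog on Debian/Ubuntu;
    # use "rsyslog" directly if the alias is absent on the target.
    - name: restart syslog
      systemd:
        name: syslog
        state: restarted

# Play 2: point nginx access/error logging and auditd at the log server.
- hosts: nginx
  become: true
  vars:
    # Single place to change the collector address used by all tasks below.
    log_server_ip: 192.168.80.30
  tasks:
    - name: update
      apt:
        update_cache: true

    - name: install nginx
      apt:
        name: nginx
        state: present

    - name: install auditd & audispd-plugins
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present

    # Replaces the local access_log directive, so access logs are no
    # longer written to /var/log/nginx/access.log after this runs.
    # Single quotes keep the \1 backreference literal for lineinfile.
    - name: enable UDP remote suslog
      lineinfile:
        path: /etc/nginx/nginx.conf
        regexp: '^(\s*)access_log /var/log/nginx/access\.log;'
        line: '\1access_log syslog:server={{ log_server_ip }}:514,tag=nginx_access;'
        backrefs: true
      notify: restart nginx

    # Adds a second error_log directive (syslog) after the local one and
    # keeps the local file. Done with insertafter + a regexp that matches
    # the added line itself, so re-runs are no-ops; the previous
    # backrefs/"\1\n\2" form re-matched the local line on every run and
    # inserted one more duplicate each time. nginx ignores the leading
    # whitespace; the tab only mirrors the stock file's indentation.
    - name: enable UDP remote suslog
      lineinfile:
        path: /etc/nginx/nginx.conf
        regexp: '^\s*error_log syslog:server={{ log_server_ip | regex_escape }}:514,tag=nginx_error;'
        line: "\terror_log syslog:server={{ log_server_ip }}:514,tag=nginx_error;"
        insertafter: '^\s*error_log /var/log/nginx/error\.log;'
      notify: restart nginx

    # Watch nginx configuration for writes/attribute changes; the key
    # "nginx_config" is what to search for on the collector.
    - name: Create audit rule for nginx config
      blockinfile:
        path: /etc/audit/rules.d/audit.rules
        block: |
          -w /etc/nginx/nginx.conf -p wa -k nginx_config
          -w /etc/nginx/sites-available/ -p wa -k nginx_config
          -w /etc/nginx/sites-enabled/ -p wa -k nginx_config
      notify: restart auditd

    # audisp-remote settings. The regexps match the key only (not the
    # stock value), so they still match after the first run; matching
    # "port = 60" / "format = managed" / "active = no" would append a
    # duplicate key at EOF on every later run.
    # NOTE(review): older audit packages keep these files under
    # /etc/audisp/ instead of /etc/audit/ — confirm the path on the target.
    - name: change audisp-remote conf ip
      lineinfile:
        path: /etc/audit/audisp-remote.conf
        regexp: '^remote_server ='
        line: 'remote_server = {{ log_server_ip }}'
      notify: restart auditd

    - name: change audisp-remote conf port
      lineinfile:
        path: /etc/audit/audisp-remote.conf
        regexp: '^port ='
        line: 'port = 514'
      notify: restart auditd

    - name: change audisp-remote conf format
      lineinfile:
        path: /etc/audit/audisp-remote.conf
        regexp: '^format ='
        line: 'format = ascii'
      notify: restart auditd

    - name: change au-remote conf
      lineinfile:
        path: /etc/audit/plugins.d/au-remote.conf
        regexp: '^active ='
        line: 'active = yes'
      notify: restart auditd
  handlers:
    - name: restart nginx
      systemd:
        name: nginx
        state: restarted

    # NOTE(review): some distributions mark auditd.service RefuseManualStop;
    # there a restart through systemd fails and `service auditd restart`
    # (or augenrules --load) is needed — confirm on the target OS.
    - name: restart auditd
      systemd:
        name: auditd
        state: restarted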