feat: add comprehensive access logging to Graylog with GeoIP

- Add fluent-bit inputs for Caddy access logs (JSON) and SSH logs - Create GeoIP task to download MaxMind GeoLite2-City database - Mount GeoIP database in Graylog container - Enable Gitea access logging via environment variables - Add parsers.conf for Caddy JSON log parsing - Remove unused nosql/redis container and configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 15:16:21 -05:00
parent 8685676109
commit 6af3c5dc69
10 changed files with 167 additions and 58 deletions
--- a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
+++ b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
@@ -4,27 +4,72 @@
    Log_Level    info
    Parsers_File parsers.conf

-# Read from systemd journal - filter for Podman container logs
+# =============================================================================
+# INPUT: Podman container logs
+# =============================================================================
 # Container logs come from conmon process with CONTAINER_NAME field
 [INPUT]
    Name            systemd
-    Tag             journal.*
+    Tag             podman.*
    Systemd_Filter  _COMM=conmon
    Read_From_Tail  On
    Strip_Underscores On

-# Extract container name for better filtering in Graylog
+# =============================================================================
+# INPUT: SSH logs for security monitoring
+# =============================================================================
+[INPUT]
+    Name            systemd
+    Tag             ssh.*
+    Systemd_Filter  _SYSTEMD_UNIT=sshd.service
+    Read_From_Tail  On
+    Strip_Underscores On
+
+# =============================================================================
+# INPUT: Caddy access logs (JSON format)
+# =============================================================================
+{% for log_name in caddy_log_names %}
+[INPUT]
+    Name            tail
+    Tag             caddy.{{ log_name }}
+    Path            {{ caddy_log_path }}/{{ log_name }}.log
+    Parser          caddy_json
+    Read_From_Head  False
+    Refresh_Interval 5
+    DB              /var/lib/fluent-bit/caddy_{{ log_name }}.db
+
+{% endfor %}
+# =============================================================================
+# FILTERS: Add metadata for Graylog categorization
+# =============================================================================
 [FILTER]
    Name          record_modifier
-    Match         journal.*
+    Match         podman.*
    Record        host {{ ansible_hostname }}
    Record        source podman
+    Record        log_type container

-# Output to Graylog GELF UDP (local, port 12203)
-# Graylog needs a GELF UDP input configured on this port
+[FILTER]
+    Name          record_modifier
+    Match         ssh.*
+    Record        host {{ ansible_hostname }}
+    Record        source sshd
+    Record        log_type security
+
+[FILTER]
+    Name          record_modifier
+    Match         caddy.*
+    Record        host {{ ansible_hostname }}
+    Record        source caddy
+    Record        log_type access
+
+# =============================================================================
+# OUTPUT: All logs to Graylog GELF UDP
+# =============================================================================
+# Graylog needs a GELF UDP input configured on port 12203
 [OUTPUT]
    Name          gelf
-    Match         journal.*
+    Match         *
    Host          127.0.0.1
    Port          12203
    Mode          udp
--- a/ansible/roles/podman/templates/fluent-bit/parsers.conf.j2
+++ b/ansible/roles/podman/templates/fluent-bit/parsers.conf.j2
@@ -0,0 +1,5 @@
+[PARSER]
+    Name        caddy_json
+    Format      json
+    Time_Key    ts
+    Time_Format %s.%L