log forward to splunk

roles/base/files/rsyslog/rsyslog.conf.log01.iad2.fedoraproject.org

@@ -213,3 +213,10 @@ local4.*					?m_http_apps;MergeFormat
 # this is only for the merged logs from auditd
 :msg, !contains, "type=AVC" ~
 local6.*					?m_audit;MergeFormat
+
+# forward to splunk host, over tls
+*.* @splunk-syslog.corp.redhat.com:514
+$DefaultNetstreamDriver gtls # use gtls netstream driver
+$ActionSendStreamDriverMode 1 # require TLS for the connection
+$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
+$DefaultNetstreamDriverCAFile {{private}}/files/splunk-certs/2022-IT-Root-CA.pem

roles/base/tasks/main.yml

@@ -230,6 +230,16 @@
   notify:
   - flush journald tmpfiles to persistent store
 
+- name: ensure packages required for rsyslog are installed
+  package: name={{ item }} state=present
+  with_items:
+  - rsyslog-gnutls
+  tags:
+  - rsyslogd
+  - config
+  - base
+  when: inventory_hostname.startswith('log01')
+
 - name: rsyslog.conf
   copy: src={{ item }} dest=/etc/rsyslog.conf mode=0644
   with_first_found: