Below is the module I wrote for puppet, the script I wrote to generate certificates for the client machine store the certificates into the files area of the module.

class rsyslog-client {

	package { "rsyslog":
		ensure => present,
	}

	package { "rsyslog-gnutls":
		ensure => present,
	}

	service { "rsyslog":
		ensure => running,
	}

	host { "loghost":
		ensure => present,
		name => "loghost",
		ip => "$loghost",
	}

	file { "/etc/rsyslog":
		ensure => directory,
	}	

	file { "/etc/rsyslog/$fqdn.key.pem":
		owner => root,
		group => root,
		source => "puppet:///rsyslog-client/$fqdn.key.pem",
		ensure => file,
		notify => service["rsyslog"],
	}

	file { "/etc/rsyslog/$fqdn.pem":
		owner => root,
		group => root,
		source => "puppet:///rsyslog-client/$fqdn.pem",
		ensure => file,
		notify => service["rsyslog"],
	}

	file { "/etc/rsyslog/ca.pem":
		owner => root,
		group => root,
		source => "puppet:///rsyslog-client/ca.pem",
		ensure => file,
		notify => service["rsyslog"],
	}

	file { "/etc/rsyslog.conf":
		owner 	=> root,
		group	=> root,
		content => template("rsyslog-client/rsyslog.conf.erb"),
		ensure  => file,
		require => package["rsyslog"],
		notify  => service["rsyslog"]
	}

}

I’ll post my rsyslog.conf of the central loghost when I have written a decent one.

For those who don’t know what puppet is, it’s a tool for sys admins. It’s written in ruby so it’s quite platform independent. You can use the tool to describe your it landscape, you can write classes and add them to various nodes in your network in a central place. For example you can write an ssh class where make sure the sshd only accepts public keys and disables keyboard interactive authentication, you can also transfer files with puppet thus distributing all your keys.

The beauty is that puppet will make sure your node complies to the classes assigned to them on specified intervals. When a change is made to your node by a developer or user that conflicts with your central policy puppet will correct it leaving your landscape in a known state.