ansible: add base role g3proxy

ansible/g3proxy.yml

@@ -0,0 +1,5 @@
+---
+
+- hosts: "{{ group | default('g3proxy') }}"
+  roles:
+    - g3proxy

ansible/roles/g3proxy/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+
+enterprise_id: 32473
+
+proxy_log_udp_port: 1514
+
+proxy_log_dir: /var/log/g3proxy
+proxy_log_rotate_count: 7
+proxy_log_rotate_minsize: 1G
+proxy_log_delaycompress: true

ansible/roles/g3proxy/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: systemd daemon reload
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart rsyslog
+  ansible.builtin.systemd:
+    name: rsyslog.service
+    state: restarted

ansible/roles/g3proxy/handlers/reload-escaper.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload escaper {{ escaper_name }}
+  ansible.builtin.command: "/usr/bin/g3proxy-ctl -G {{ daemon_group }} --control-dir /run/g3proxy reload-escaper {{ escaper_name }}"
+  register: reload
+  changed_when: reload.rc == 0
+  when: do_reload is defined and do_reload|bool

ansible/roles/g3proxy/handlers/reload-resolver.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload resolver {{ resolver_name }}
+  ansible.builtin.command: "/usr/bin/g3proxy-ctl -G {{ daemon_group }} --control-dir /run/g3proxy reload-resolver {{ resolver_name }}"
+  register: reload
+  changed_when: reload.rc == 0
+  when: do_reload is defined and do_reload|bool

ansible/roles/g3proxy/handlers/reload-server.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload server {{ server_name }}
+  ansible.builtin.command: "/usr/bin/g3proxy-ctl -G {{ daemon_group }} --control-dir /run/g3proxy reload-server {{ server_name }}"
+  register: reload
+  changed_when: reload.rc == 0
+  when: do_reload is defined and do_reload|bool

ansible/roles/g3proxy/handlers/reload-user-group.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload user group {{ user_group_name }}
+  ansible.builtin.command: "/usr/bin/g3proxy-ctl -G {{ daemon_group }} --control-dir /run/g3proxy reload-user-group {{ user_group_name }}"
+  register: reload
+  changed_when: reload.rc == 0
+  when: do_reload is defined and do_reload|bool

ansible/roles/g3proxy/handlers/restart.yml

@@ -0,0 +1,13 @@
+---
+
+- name: "Test config file for g3proxy instance {{ daemon_group }}"
+  ansible.builtin.command: "g3proxy -t -c /etc/g3proxy/{{ daemon_group }}/main.conf"
+  register: check
+  changed_when: check.rc == 0
+  listen: "Restart daemon"
+
+- name: "Restart g3proxy instance {{ daemon_group }}"
+  ansible.builtin.systemd:
+    name: "g3proxy@{{ daemon_group }}.service"
+    state: restarted
+  listen: "Restart daemon"

ansible/roles/g3proxy/tasks/clean-config.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Remove conf dir for "g3proxy@{{ daemon_group }}"
+  ansible.builtin.file:
+    path: "/etc/g3proxy/{{ daemon_group }}"
+    state: absent

ansible/roles/g3proxy/tasks/config-escaper-cert.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Install CA Root Certificate
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs-client/rootCA.pem"
+    dest: "/etc/g3proxy/{{ daemon_group }}/escaper.d/{{ escaper_name }}-rootCA.pem"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload escaper {{ escaper_name }}
+
+- name: Install client certificate
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs-client/{{ tls_name }}-client.pem"
+    dest: "/etc/g3proxy/{{ daemon_group }}/escaper.d/{{ escaper_name }}-{{ tls_name }}-client.pem"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload escaper {{ escaper_name }}
+
+- name: Install escaper private key
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs-client/{{ tls_name }}-client-key.pem"
+    dest: "/etc/g3proxy/{{ daemon_group }}/escaper.d/{{ escaper_name }}-{{ tls_name }}-client-key.pem"
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload escaper {{ escaper_name }}

ansible/roles/g3proxy/tasks/config-escaper.yml

@@ -0,0 +1,10 @@
+---
+
+- name: "Install escaper conf for {{ escaper_name }}"
+  ansible.builtin.template:
+    src: "escaper.d/{{ template_name | default(escaper_name) }}.conf"
+    dest: "/etc/g3proxy/{{ daemon_group }}/escaper.d/{{ escaper_name }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload escaper {{ escaper_name }}

ansible/roles/g3proxy/tasks/config-log.yml

@@ -0,0 +1,29 @@
+---
+
+- name: "Create rfc5424 rsyslog conf"
+  ansible.builtin.template:
+    src: rsyslog.d/g3proxy-rfc5424.conf
+    dest: /etc/rsyslog.d/g3proxy.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart rsyslog
+  when: proxy_use_cee_log_syntax is not defined or not proxy_use_cee_log_syntax|bool
+
+- name: "Create rfc3164 rsyslog conf"
+  ansible.builtin.template:
+    src: rsyslog.d/g3proxy-rfc3164.conf
+    dest: /etc/rsyslog.d/g3proxy.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart rsyslog
+  when: proxy_use_cee_log_syntax is defined and proxy_use_cee_log_syntax|bool
+
+- name: "Create logrotate conf"
+  ansible.builtin.template:
+    src: logrotate.d/g3proxy
+    dest: /etc/logrotate.d/g3proxy
+    owner: root
+    group: root
+    mode: "0644"

ansible/roles/g3proxy/tasks/config-resolver.yml

@@ -0,0 +1,10 @@
+---
+
+- name: "Install resolver conf for {{ resolver_name }}"
+  ansible.builtin.template:
+    src: "resolver.d/{{ template_name | default(resolver_name) }}.conf"
+    dest: "/etc/g3proxy/{{ daemon_group }}/resolver.d/{{ resolver_name }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload resolver {{ resolver_name }}

ansible/roles/g3proxy/tasks/config-server-cert.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Install CA Root Certificate
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs-server/rootCA.pem"
+    dest: "/etc/g3proxy/{{ daemon_group }}/server.d/{{ server_name }}-rootCA.pem"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload server {{ server_name }}
+
+- name: Install server certificate
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs-server/{{ tls_name }}.pem"
+    dest: "/etc/g3proxy/{{ daemon_group }}/server.d/{{ server_name }}-{{ tls_name }}.pem"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload server {{ server_name }}
+
+- name: Install server private key
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs-server/{{ tls_name }}-key.pem"
+    dest: "/etc/g3proxy/{{ daemon_group }}/server.d/{{ server_name }}-{{ tls_name }}-key.pem"
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload server {{ server_name }}

ansible/roles/g3proxy/tasks/config-server.yml

@@ -0,0 +1,10 @@
+---
+
+- name: "Install server conf for {{ server_name }}"
+  ansible.builtin.template:
+    src: "server.d/{{ template_name | default(server_name) }}.conf"
+    dest: "/etc/g3proxy/{{ daemon_group }}/server.d/{{ server_name }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload server {{ server_name }}

ansible/roles/g3proxy/tasks/config-user-group.yml

@@ -0,0 +1,10 @@
+---
+
+- name: "Install user group conf {{ user_group_name }}"
+  ansible.builtin.template:
+    src: "user-group.d/{{ template_name | default(user_group_name) }}.conf"
+    dest: "/etc/g3proxy/{{ daemon_group }}/user-group.d/{{ user_group_name }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload user group {{ user_group_name }}

ansible/roles/g3proxy/tasks/deploy-apt.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: true
+  ignore_errors: true
+
+- name: Install proxy package
+  ansible.builtin.apt:
+    name: g3proxy
+    state: latest
+  notify: Systemd daemon reload

ansible/roles/g3proxy/tasks/deploy-dnf.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Install proxy package
+  ansible.builtin.dnf:
+    name: g3proxy
+    state: latest
+  notify: Systemd daemon reload

ansible/roles/g3proxy/tasks/deploy-yum.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Install proxy package
+  ansible.builtin.yum:
+    name: g3proxy
+    state: latest
+  notify: Systemd daemon reload

ansible/roles/g3proxy/tasks/deploy.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Deploy via apt
+  ansible.builtin.include_tasks: deploy-apt.yml
+  when: ansible_pkg_mgr == "apt"
+
+- name: Deploy via yum
+  ansible.builtin.include_tasks: deploy-yum.yml
+  when: ansible_pkg_mgr == "yum"
+
+- name: Deploy via dnf
+  ansible.builtin.include_tasks: deploy-dnf.yml
+  when: ansible_pkg_mgr == "dnf"

ansible/roles/g3proxy/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: "Check if the hosts are allowed to run role {{ role_name }}"
+  ansible.builtin.fail:
+    msg: "This host is not allowed to run role {{ role_name }}"
+  when: role_name not in allowed_roles
+  tags:
+    - always
+
+- name: Query installed version
+  ansible.builtin.import_tasks: query-installed-version.yml
+  tags:
+    - query-version
+
+- name: Deploy
+  ansible.builtin.import_tasks: deploy.yml
+  tags:
+    - never
+    - deploy
+
+- name: Config log
+  ansible.builtin.import_tasks: config-log.yml
+  tags:
+    - never
+    - config-log
+
+- name: Uninstall daemon
+  ansible.builtin.import_tasks: uninstall-daemon.yml
+  tags:
+    - never
+    - uninstall-daemon

ansible/roles/g3proxy/tasks/query-installed-version.yml

@@ -0,0 +1,15 @@
+---
+
+- name: "Query installed version of proxy"
+  ansible.builtin.command: "dpkg-query -W -f='${Version}' g3proxy"
+  register: proxy_installed_version
+  changed_when:
+    - proxy_installed_version.rc == 0
+
+- name: "Set fact proxy_installed_version"
+  ansible.builtin.set_fact:
+    proxy_installed_version: "{{ proxy_installed_version.stdout }}"
+
+- name: "Print proxy installed version"
+  ansible.builtin.debug:
+    msg: "proxy installed version: {{ proxy_installed_version }}"

ansible/roles/g3proxy/tasks/query-running-version.yml

@@ -0,0 +1,20 @@
+---
+
+- name: "Query running version for proxy instance {{ daemon_group }}"
+  ansible.builtin.command: "/usr/bin/g3proxy-ctl -G {{ daemon_group }} --control-dir /run/g3proxy version"
+  register: proxy_running_version
+  changed_when:
+    - proxy_running_version.rc == 0
+
+- name: "Set fact proxy_running_version"
+  ansible.builtin.set_fact:
+    proxy_running_version: "{{ proxy_running_version.stdout }}"
+
+- name: "Print proxy running version for instance {{ daemon_group }}"
+  ansible.builtin.debug:
+    msg: "proxy@{{ daemon_group }} running version: {{ proxy_running_version }}"
+
+- name: "Check if running version match expected version"
+  ansible.builtin.fail:
+    msg: "Running version {{ proxy_running_version }} doesn't match expected version {{ proxy_expected_version }}"
+  when: proxy_expected_version is defined and proxy_expected_version != proxy_running_version

ansible/roles/g3proxy/tasks/restart.yml

@@ -0,0 +1,11 @@
+---
+
+- name: "Test config file for g3proxy instance {{ daemon_group }}"
+  ansible.builtin.command: "g3proxy -t -c /etc/g3proxy/{{ daemon_group }}/main.conf"
+  register: check
+  changed_when: check.rc == 0
+
+- name: "Restart g3proxy instance {{ daemon_group }}"
+  ansible.builtin.systemd:
+    name: "g3proxy@{{ daemon_group }}.service"
+    state: restarted

ansible/roles/g3proxy/tasks/start-after-deploy.yml

@@ -0,0 +1,12 @@
+---
+
+- name: "Test config file for g3proxy instance {{ daemon_group }}"
+  ansible.builtin.command: "g3proxy -t -c /etc/g3proxy/{{ daemon_group }}/main.conf"
+  register: check
+  changed_when: check.rc == 0
+
+- name: "Start g3proxy instance {{ daemon_group }}"
+  ansible.builtin.systemd:
+    name: "g3proxy@{{ daemon_group }}.service"
+    state: started
+    enabled: true

ansible/roles/g3proxy/tasks/stop.yml

@@ -0,0 +1,11 @@
+---
+
+- name: "Test config file for g3proxy instance {{ daemon_group }}"
+  ansible.builtin.command: "g3proxy -t -c /etc/g3proxy/{{ daemon_group }}/main.conf"
+  register: check
+  changed_when: check.rc == 0
+
+- name: "Restart g3proxy instance {{ daemon_group }}"
+  ansible.builtin.systemd:
+    name: "g3proxy@{{ daemon_group }}.service"
+    state: stopped

ansible/roles/g3proxy/tasks/uninstall-daemon.yml

@@ -0,0 +1,22 @@
+---
+
+- name: User confirmation
+  ansible.builtin.pause:
+    prompt: "This will uninstall g3proxy@{{ daemon_group }}, continue (yes/no)?"
+  register: uninstall_confirm
+  run_once: true
+  delegate_to: localhost
+
+- name: Cancel?
+  ansible.builtin.fail:
+    msg: "User has cancelled uninstall of g3proxy@{{ daemon_group }}"
+  when: uninstall_confirm.user_input != "yes"
+
+- name: "Stop and disable service g3proxy@{{ daemon_group }}"
+  ansible.builtin.systemd:
+    name: "g3proxy@{{ daemon_group }}"
+    state: stopped
+    enabled: false
+
+- name: Clean config
+  ansible.builtin.include_tasks: clean-config.yml

ansible/roles/g3proxy/tasks/upgrade.yml

@@ -0,0 +1,15 @@
+---
+
+- name: "Query running version for proxy instance {{ daemon_group }}"
+  ansible.builtin.command: "/usr/bin/g3proxy-ctl -G {{ daemon_group }} --control-dir /run/g3proxy version"
+  register: proxy_running_version
+  changed_when:
+    - proxy_running_version.rc == 0
+
+- name: "Set fact proxy_running_version"
+  ansible.builtin.set_fact:
+    proxy_running_version: "{{ proxy_running_version.stdout }}"
+
+- name: "Upgrade from version {{ proxy_running_version }} to {{ proxy_expected_version }}"
+  ansible.builtin.include_tasks: restart.yml
+  when: proxy_expected_version != proxy_running_version

ansible/roles/g3proxy/templates/logrotate.d/g3proxy

@@ -0,0 +1,17 @@
+
+{{ proxy_log_dir }}/*/*.log {
+	rotate {{ proxy_log_rotate_count }}
+	daily
+	missingok
+	notifempty
+	minsize {{ proxy_log_rotate_minsize }}
+	compress
+{% if proxy_log_delaycompress is defined and proxy_log_delaycompress|bool %}
+	delaycompress
+{% endif %}
+	sharedscripts
+	postrotate
+		/usr/lib/rsyslog/rsyslog-rotate
+	endscript
+}
+

ansible/roles/g3proxy/templates/rsyslog.d/g3proxy-rfc3164.conf

@@ -0,0 +1,90 @@
+
+module(load="imudp" Threads="4")
+module(load="mmjsonparse")
+
+input(type="imudp"
+      Address="127.0.0.1"
+      Port="{{ proxy_log_udp_port }}"
+      Ruleset="g3proxy"
+      RcvBufSize="1m")
+
+# output filename templates
+template(name="ProxyTaskLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/task_%$.sd!server_name%_%$.sd!task_type%.log")
+template(name="ProxyTaskLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/task_%$.sd!server_name%_drop.log")
+template(name="ProxyEscapeLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/escape_%$.sd!escaper_name%_%$.sd!escape_type%_err.log")
+template(name="ProxyEscapeLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/escape_%$.sd!escaper_name%_drop.log")
+template(name="ProxyResolveLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/resolve_%$.sd!resolver_name%_err.log")
+template(name="ProxyResolveLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/resolve_%$.sd!resolver_name%_drop.log")
+template(name="ProxyInspectLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/inspect_%$.sd!auditor_name%.log")
+template(name="ProxyInterceptLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/intercept_%$.sd!auditor_name%_%$.sd!intercept_type%.log")
+template(name="ProxyInterceptLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/intercept_%$.sd!auditor_name%_drop.log")
+
+# output format templates
+template(name="LocalJsonDump" type="list") {
+    constant(value="{ ")
+    property(outname="timereported" name="timereported" DateFormat="rfc3339" format="jsonf")
+    constant(value=", \"sd\": ")
+    property(name="$!")
+    constant(value=" }\n")
+}
+template(name="LocalMsgDump" type="string" string="timereported: %timereported:::date-rfc3339%, sd: %$!%, msg: %msg%\n")
+
+template(name="RawMsgDump" type="string" string="%rawmsg%")
+
+ruleset(name="g3proxy"
+        queue.type="FixedArray"
+        queue.size="250000"
+        queue.dequeueBatchSize="4096"
+        queue.workerThreads="4"
+        queue.workerThreadMinimumMessages="60000"
+       ) {
+    action(type="mmjsonparse")
+    set $.sd!daemon_name = $!daemon_name;
+    if ($!log_type == "Task") then {
+        set $.sd!server_name = $!server_name;
+        set $.sd!task_type = $!task_type;
+        if $.sd!task_type != "" then {
+            action(type="omfile" dynafile="ProxyTaskLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyTaskLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    } else if ($!log_type == "Escape") then {
+        set $.sd!escaper_name = $!escaper_name;
+        set $.sd!escape_type = $!escape_type;
+        if $.sd!escape_type != "" then {
+            action(type="omfile" dynafile="ProxyEscapeLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyEscapeLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    } else if ($!log_type == "Resolve") then {
+        set $.sd!resolver_name = $!resolver_name;
+        set $.sd!error_type = $!error_type;
+        if $.sd!error_type != "" then {
+            action(type="omfile" dynafile="ProxyResolveLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyResolveLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    } else if ($!log_type == "Inspect") then {
+        set $.sd!auditor_name = $!auditor_name;
+        action(type="omfile" dynafile="ProxyInspectLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+    } else if ($!log_type == "Intercept") then {
+        set $.sd!auditor_name = $!auditor_name;
+        set $.sd!intercept_type = $!intercept_type;
+        if $.sd!intercept_type != "" then {
+            action(type="omfile" dynafile="ProxyInterceptLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyInterceptLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    }
+    stop
+}
+

ansible/roles/g3proxy/templates/rsyslog.d/g3proxy-rfc5424.conf

@@ -0,0 +1,92 @@
+
+module(load="imudp" Threads="4")
+module(load="mmpstrucdata")
+
+input(type="imudp"
+      Address="127.0.0.1"
+      Port="{{ proxy_log_udp_port }}"
+      Ruleset="g3proxy"
+      RcvBufSize="1m")
+
+# output filename templates
+template(name="ProxyTaskLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/task_%$.sd!server_name%_%$.sd!task_type%.log")
+template(name="ProxyTaskLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/task_%$.sd!server_name%_drop.log")
+template(name="ProxyEscapeLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/escape_%$.sd!escaper_name%_%$.sd!escape_type%_err.log")
+template(name="ProxyEscapeLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/escape_%$.sd!escaper_name%_drop.log")
+template(name="ProxyResolveLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/resolve_%$.sd!resolver_name%_err.log")
+template(name="ProxyResolveLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/resolve_%$.sd!resolver_name%_drop.log")
+template(name="ProxyInspectLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/inspect_%$.sd!auditor_name%.log")
+template(name="ProxyInterceptLogFile" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/intercept_%$.sd!auditor_name%_%$.sd!intercept_type%.log")
+template(name="ProxyInterceptLogDrop" type="string"
+         string="{{ proxy_log_dir }}/%$.sd!daemon_name%/intercept_%$.sd!auditor_name%_drop.log")
+
+# output format templates
+template(name="LocalJsonDump" type="list") {
+    constant(value="{ ")
+    property(outname="timereported" name="timereported" DateFormat="rfc3339" format="jsonf")
+    constant(value=", \"sd\": ")
+    property(name="$!rfc5424-sd!g3proxy@{{ enterprise_id }}")
+    constant(value=", ")
+    property(outname="msg" name="msg" format="jsonf")
+    constant(value=" }\n")
+}
+template(name="LocalMsgDump" type="string" string="timereported: %timereported:::date-rfc3339%, sd: %$!rfc5424-sd%, msg: %msg%\n")
+
+template(name="RawMsgDump" type="string" string="%rawmsg%")
+
+ruleset(name="g3proxy"
+        queue.type="FixedArray"
+        queue.size="250000"
+        queue.dequeueBatchSize="4096"
+        queue.workerThreads="4"
+        queue.workerThreadMinimumMessages="60000"
+       ) {
+    action(type="mmpstrucdata")
+    set $.sd!daemon_name = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!daemon_name;
+    if ($!rfc5424-sd!g3proxy@{{ enterprise_id }}!log_type == "Task") then {
+        set $.sd!server_name = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!server_name;
+        set $.sd!task_type = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!task_type;
+        if $.sd!task_type != "" then {
+            action(type="omfile" dynafile="ProxyTaskLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyTaskLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    } else if ($!rfc5424-sd!g3proxy@{{ enterprise_id }}!log_type == "Escape") then {
+        set $.sd!escaper_name = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!escaper_name;
+        set $.sd!escape_type = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!escape_type;
+        if $.sd!escape_type != "" then {
+            action(type="omfile" dynafile="ProxyEscapeLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyEscapeLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    } else if ($!rfc5424-sd!g3proxy@{{ enterprise_id }}!log_type == "Resolve") then {
+        set $.sd!resolver_name = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!resolver_name;
+        set $.sd!error_type = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!error_type;
+        if $.sd!error_type != "" then {
+            action(type="omfile" dynafile="ProxyResolveLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyResolveLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    } else if ($!rfc5424-sd!g3proxy@{{ enterprise_id }}!log_type == "Inspect") then {
+        set $.sd!auditor_name = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!auditor_name;
+        action(type="omfile" dynafile="ProxyInspectLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+    } else if ($!rfc5424-sd!g3proxy@{{ enterprise_id }}!log_type == "Intercept") then {
+        set $.sd!auditor_name = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!auditor_name;
+        set $.sd!intercept_type = $!rfc5424-sd!g3proxy@{{ enterprise_id }}!intercept_type;
+        if $.sd!intercept_type != "" then {
+            action(type="omfile" dynafile="ProxyInterceptLogFile" dynaFileCacheSize="10" template="LocalJsonDump")
+        } else {
+            action(type="omfile" dynafile="ProxyInterceptLogDrop" dynaFileCacheSize="10" template="LocalMsgDump")
+        }
+    }
+    stop
+}
+