portfolio/infra-run/ansible/roles/cis-aix7-hardening/tasks/logging.yml

---
- name: Collect syslog SRC state
  ansible.builtin.command: lssrc -s syslogd
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_syslog_state

- name: Ensure syslog configuration exists
  ansible.builtin.stat:
    path: "{{ cis_syslog_config_path }}"
  register: cis_aix_syslog_config

- name: Start syslogd when installed but inactive
  ansible.builtin.command: startsrc -s syslogd
  changed_when: true
  when:
    - cis_aix_syslog_state.rc == 0
    - "'active' not in cis_aix_syslog_state.stdout"

- name: Validate syslog configuration has active entries
  ansible.builtin.shell: "awk 'NF && $1 !~ /^#/ {found=1} END {exit found ? 0 : 1}' {{ cis_syslog_config_path }}"
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_syslog_has_rules
  when: cis_aix_syslog_config.stat.exists

- name: Report logging status
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: syslogd SRC subsystem exists.'
           if cis_aix_syslog_state.rc == 0 else 'WARNING: syslogd SRC subsystem was not found.' }}
      - >-
        {{ 'OK: syslog configuration has active rules.'
           if cis_aix_syslog_has_rules.rc | default(1) == 0
           else 'WARNING: syslog configuration has no active rules or could not be validated.' }}