From d83169c5e807d3f23b14b99bcd6fc41234fdd4c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Fri, 10 Sep 2021 15:37:10 +0200 Subject: [PATCH] Review syslog SOP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Konečný --- modules/sysadmin_guide/nav.adoc | 2 +- modules/sysadmin_guide/pages/syslog.adoc | 24 ++++++++---------------- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/modules/sysadmin_guide/nav.adoc b/modules/sysadmin_guide/nav.adoc index f6b5812..9c9ac31 100644 --- a/modules/sysadmin_guide/nav.adoc +++ b/modules/sysadmin_guide/nav.adoc @@ -104,7 +104,7 @@ ** xref:sshknownhosts.adoc[SSH known hosts Infrastructure - SOP] ** xref:staging.adoc[Staging - SOP] ** xref:status-fedora.adoc[Fedora Status Service - SOP] -** xref:syslog.adoc[syslog - SOP in review ] +** xref:syslog.adoc[Log Infrastructure - SOP] ** xref:tag2distrepo.adoc[tag2distrepo - SOP in review ] ** xref:torrentrelease.adoc[torrentrelease - SOP in review ] ** xref:unbound.adoc[unbound - SOP in review ] diff --git a/modules/sysadmin_guide/pages/syslog.adoc b/modules/sysadmin_guide/pages/syslog.adoc index a481644..3dfcadf 100644 --- a/modules/sysadmin_guide/pages/syslog.adoc +++ b/modules/sysadmin_guide/pages/syslog.adoc @@ -13,10 +13,8 @@ Owner::: Fedora Infrastructure Team Contact::: #fedora-admin, sysadmin-main -Location::: - Phoenix Servers::: - log01.phx2.fedoraproject.org + log01.iad2.fedoraproject.org Purpose::: Provides our central logs and reporting 
@@ -38,14 +36,11 @@ These logs are maintained forever, practically, or for as long as we possibly can. They are broken out into a `$hostname/$YEAR/$MON/$DAY` directory structure so we can locate a specific day's log immediately. * Log reports generated by epylog: Log reports generated by epylog are -outputted to /srv/web/epylog/merged -+ -The reports are accessible via a web browser from -https://admin.fedoraproject.org/epylog/merged/ +outputted to `/srv/web/epylog/merged` + This path requires a username and a password to access. To add your username and password you must first join the sysadmin-logs group then -login to `log01.phx2.fedoraproject.org` and run this command: +login to `log01.iad2.fedoraproject.org` and run this command: + .... htpasswd -m /srv/web/epylog/.htpasswd $your_username @@ -55,20 +50,19 @@ when prompted for a password please input a password which is NOT YOUR FEDORA ACCOUNT SYSTEM PASSWORD. [IMPORTANT] -.Important ==== Let's say that again to be sure you got it: -DO _link:[NOT] HAVE THIS BE THE SAME AS YOUR FAS PASSWORD +DO *NOT* HAVE THIS BE THE SAME AS YOUR FAS PASSWORD ==== -== Configs: +== Configs Epylog configs are controlled by ansible - please see the ansible epylog module for more details. Specifically the files in `roles/epylog/files/merged/` -=== Generating a one-off epylog report: +=== Generating a one-off epylog report If you wish to generate a specific log report you will need to run the following command on log01: @@ -81,7 +75,7 @@ You can replace '5h' with other time measurements to control the amount of time you want to view from the merged logs. This will mail a report notification to all the people in the sysadmin-logs group. -=== Audit logs, centrally: +=== Audit logs, centrally We've taken the audit logs and enabled our rsyslogd on the hosts to relay the audit log contents to our central log server. 
@@ -114,7 +108,6 @@ allow syslogd_t auditd_log_t:file { getattr read open }; END selinux policy module ____ -[arabic, start=2] . add config to rsyslog on the clients to repeatedly send all changes to their audit.log file to the central syslog server as local6: + @@ -135,7 +128,6 @@ ____ then modify your emitter to the syslog server to send local6.* there ____ -[arabic, start=3] . on the syslog server - setup log destinations for: * merged audit logs of all hosts explicitly drop any non-AVC audit message here) magic exclude line is: @@ -161,7 +153,7 @@ grep 'hostname' /var/log/merged/audit.log | sed 's/^.*tag_audit_log: //' | audit the sed is to remove the log prefix garbage from syslog transferring the msg -== Future: +== Future * additional log reports for errors from http processes or servers * SEC Simple Event Coordinator to report, immediately, on events from a
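Review bot: in the `nav.adoc` hunk the entry is relabelled from `syslog - SOP in review ` to `Log Infrastructure - SOP`, but the page file stays `syslog.adoc` and none of the `syslog.adoc` hunks below reach the document title at the top of that file, so the nav label and the rendered page heading may now disagree. Either update the page's `= ` title in the same commit or keep the nav label as `syslog - SOP` so the two match.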
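Review bot: in the `@@ -13,10 +13,8 @@` hunk, deleting `Location:::` and `    Phoenix Servers:::` while keeping the indented `    log01.iad2.fedoraproject.org` line leaves the hostname without a label, so it will render as a stray indented line after `Contact::: #fedora-admin, sysadmin-main` instead of as a location entry. Suggest keeping the labelled structure with the new datacenter, e.g. `Location:::` / `    IAD2 Servers:::` / `        log01.iad2.fedoraproject.org` (datacenter wording is a suggestion), or removing the hostname line together with its labels.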
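Review bot: in the `@@ -38,14 +36,11 @@` hunk the `https://admin.fedoraproject.org/epylog/merged/` link is removed, yet the next sentence still begins `This path requires a username and a password to access`, so readers are no longer told how to reach the reports from a browser and "this path" now refers only to the filesystem directory `/srv/web/epylog/merged`. If the URL is obsolete after the move from phx2 to iad2, replace it with the current one (or an obviously marked placeholder) rather than deleting it; if it is still valid, keep it. Separately, the unchanged context line `htpasswd -m /srv/web/epylog/.htpasswd $your_username` selects MD5-based hashing; since the SOP is being reviewed anyway, consider `htpasswd -B` (bcrypt, supported by the httpd 2.4 `htpasswd`) so the `.htpasswd` file stores a stronger hash for the password the text insists must differ from the FAS password.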
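Review bot: in the `@@ -114,7 +108,6 @@` hunk, removing `[arabic, start=2]` (and `[arabic, start=3]` in the `@@ -135,7 +128,6 @@` hunk) relies on AsciiDoc treating `. add config to rsyslog on the clients ...` and `. on the syslog server - setup log destinations for:` as continuations of the earlier numbered list. Each of those items is separated from the previous step by a `____` quote block, and unless that block is attached with `+` the list is broken and every step will render as `1.`; the explicit `start=` attributes were most likely there to compensate for that. Please check the rendered page and restore the attributes (or attach the quote blocks with `+`) if the steps no longer number 1, 2, 3.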