Review syslog SOP
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
This commit is contained in:
Michal Konečný
parent
cca7f7cf6b
commit
d83169c5e8
2 changed files with 9 additions and 17 deletions
|
|
@ -13,10 +13,8 @@ Owner:::
|
|||
Fedora Infrastructure Team
|
||||
Contact:::
|
||||
#fedora-admin, sysadmin-main
|
||||
Location:::
|
||||
Phoenix
|
||||
Servers:::
|
||||
log01.phx2.fedoraproject.org
|
||||
log01.iad2.fedoraproject.org
|
||||
Purpose:::
|
||||
Provides our central logs and reporting
|
||||
|
||||
|
|
@ -38,14 +36,11 @@ These logs are maintained forever, practically, or for as long as we
|
|||
possibly can. They are broken out into a `$hostname/$YEAR/$MON/$DAY`
|
||||
directory structure so we can locate a specific day's log immediately.
|
||||
* Log reports generated by epylog: Log reports generated by epylog are
|
||||
outputted to /srv/web/epylog/merged
|
||||
+
|
||||
The reports are accessible via a web browser from
|
||||
https://admin.fedoraproject.org/epylog/merged/
|
||||
outputted to `/srv/web/epylog/merged`
|
||||
+
|
||||
This path requires a username and a password to access. To add your
|
||||
username and password you must first join the sysadmin-logs group then
|
||||
login to `log01.phx2.fedoraproject.org` and run this command:
|
||||
login to `log01.iad2.fedoraproject.org` and run this command:
|
||||
+
|
||||
....
|
||||
htpasswd -m /srv/web/epylog/.htpasswd $your_username
|
||||
|
|
@ -55,20 +50,19 @@ when prompted for a password please input a password which is NOT YOUR
|
|||
FEDORA ACCOUNT SYSTEM PASSWORD.
|
||||
|
||||
[IMPORTANT]
|
||||
.Important
|
||||
====
|
||||
Let's say that again to be sure you got it:
|
||||
|
||||
DO _link:[NOT] HAVE THIS BE THE SAME AS YOUR FAS PASSWORD
|
||||
DO *NOT* HAVE THIS BE THE SAME AS YOUR FAS PASSWORD
|
||||
====
|
||||
|
||||
== Configs:
|
||||
== Configs
|
||||
|
||||
Epylog configs are controlled by ansible - please see the ansible epylog
|
||||
module for more details. Specifically the files in
|
||||
`roles/epylog/files/merged/`
|
||||
|
||||
=== Generating a one-off epylog report:
|
||||
=== Generating a one-off epylog report
|
||||
|
||||
If you wish to generate a specific log report you will need to run the
|
||||
following command on log01:
|
||||
|
|
@ -81,7 +75,7 @@ You can replace '5h' with other time measurements to control the amount
|
|||
of time you want to view from the merged logs. This will mail a report
|
||||
notification to all the people in the sysadmin-logs group.
|
||||
|
||||
=== Audit logs, centrally:
|
||||
=== Audit logs, centrally
|
||||
|
||||
We've taken the audit logs and enabled our rsyslogd on the hosts to
|
||||
relay the audit log contents to our central log server.
|
||||
|
|
@ -114,7 +108,6 @@ allow syslogd_t auditd_log_t:file { getattr read open };
|
|||
END selinux policy module
|
||||
____
|
||||
|
||||
[arabic, start=2]
|
||||
. add config to rsyslog on the clients to repeatedly send all changes to
|
||||
their audit.log file to the central syslog server as local6:
|
||||
+
|
||||
|
|
@ -135,7 +128,6 @@ ____
|
|||
then modify your emitter to the syslog server to send local6.* there
|
||||
____
|
||||
|
||||
[arabic, start=3]
|
||||
. on the syslog server - setup log destinations for:
|
||||
* merged audit logs of all hosts explicitly drop any non-AVC audit
|
||||
message here) magic exclude line is:
|
||||
|
|
@ -161,7 +153,7 @@ grep 'hostname' /var/log/merged/audit.log | sed 's/^.*tag_audit_log: //' | audit
|
|||
the sed is to remove the log prefix garbage from syslog transferring the
|
||||
msg
|
||||
|
||||
== Future:
|
||||
== Future
|
||||
|
||||
* additional log reports for errors from http processes or servers
|
||||
* SEC Simple Event Coordinator to report, immediately, on events from a
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue