Security Logs
Security logs allow Platform operators to see which security-related actions were triggered, when, and by whom, providing accountability for every step of a process. This can be relevant for security auditing, for example in a KRITIS context. The creation of these logs is disabled by default. The following sections explain how security logs can be enabled for specific components of the a9s Data Service Bundle.
a9s PostgreSQL
The easiest way to access the relevant information is to log in to the PostgreSQL virtual machine (VM) via SSH and inspect the files under /var/vcap/sys/log/postgresql-ha/.
Alternatively, the collocated Logstash process on each node of the PostgreSQL cluster can be used to stream the logs to an external log endpoint. This can be set up with the following Ops file:
---
- type: replace
  path: /instance_groups/name=pg/jobs/name=logstash/properties/logstash/syslog_endpoint
  value: ["<syslog_endpoint>"]
a9s Service Broker
Audit logs can be enabled, and they already contain enough observable information. An Ops file is used to enable the collocated Logstash instance and stream the logs to an external endpoint, e.g. the collection endpoint of a Splunk installation.
Audit logs are disabled by default.
BOSH Director
For viewing and collecting BOSH Director events, please see the following BOSH document.
a9s Backup Manager
Audit logs can also be enabled in the a9s Backup Manager, and they already contain enough observable information. An Ops file is used to enable the collocated Logstash instance and stream the logs to an external syslog endpoint.
Audit logs are disabled by default.
a9s Public API and a9s Service Dashboard
As the a9s SSO Proxy sits in front of the a9s Public API, every access attempt is logged in the upstream.access.log file, which is written by the Nginx that is part of the a9s SSO Proxy.
You can stream these logs to an external log sink by using the a9s Logstash BOSH release to collocate a Logstash process on the service-dashboard VM. The following Ops file can be used to achieve that:
---
# Collocate the a9s Logstash on the same VM as the service-dashboard
# and stream access logs via syslog protocol to the syslog_endpoint endpoint.
- type: replace
  path: /instance_groups/name=service-dashboard/jobs/-
  value:
    name: logstash
    release: logstash6
    properties:
      logstash:
        input:
          plugins:
            file:
              path:
                - /var/vcap/sys/log/nginx-sso-proxy/upstream.access.log
              sincedb_path: /tmp/sincedb
              start_position: beginning
        syslog:
          endpoints: ["<syslog_endpoint>"]
        consul:
          dc: dc1
          domain: ((iaas.consul.domain))
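As an added example (not a9s or BOSH code), the following Python implements the subset of Ops-file semantics used by both Ops files above, "type: replace" with "name=" list selectors and the trailing "/-" append, so you can preview what an Ops file does to a manifest and catch an unreplaced "<syslog_endpoint>" placeholder before deploying. The manifest, the endpoint value and the job names are constructed for the example.

```python
# Added example: minimal interpreter for the ops-file subset used on this page
# ("type: replace", "name=<value>" selectors, trailing "/-" to append to an array).
# MANIFEST is a constructed stand-in, not a real a9s deployment manifest.

def _select(node, token):
    """Resolve one path token: 'name=pg' picks a list element by name, else a dict key."""
    if "=" in token:
        key, value = token.split("=", 1)
        for item in node:
            if item.get(key) == value:
                return item
        raise KeyError(f"no element with {key}={value}")
    return node[token]

def apply_ops(manifest, ops):
    """Apply replace ops to the manifest in place and return it."""
    for op in ops:
        if op["type"] != "replace":
            raise ValueError(f"unsupported op type: {op['type']}")
        tokens = op["path"].strip("/").split("/")
        node = manifest
        for token in tokens[:-1]:
            node = _select(node, token)
        if tokens[-1] == "-":
            node.append(op["value"])        # append to the selected array
        else:
            node[tokens[-1]] = op["value"]  # create or overwrite the key
    return manifest

def unresolved_placeholders(value):
    """Recursively collect '<...>' placeholders (e.g. '<syslog_endpoint>') left in ops values."""
    if isinstance(value, str):
        return [value] if value.startswith("<") and value.endswith(">") else []
    children = value.values() if isinstance(value, dict) else value if isinstance(value, list) else []
    return [p for child in children for p in unresolved_placeholders(child)]

MANIFEST = {"instance_groups": [
    {"name": "pg", "jobs": [{"name": "logstash", "properties": {"logstash": {}}}]},
    {"name": "service-dashboard", "jobs": [{"name": "nginx-sso-proxy"}]},
]}
PG_OPS = [{"type": "replace", "value": ["syslog.example.internal:514"],
           "path": "/instance_groups/name=pg/jobs/name=logstash/properties/logstash/syslog_endpoint"}]
DASHBOARD_OPS = [{"type": "replace", "path": "/instance_groups/name=service-dashboard/jobs/-",
                  "value": {"name": "logstash", "release": "logstash6", "properties": {"logstash": {
                      "input": {"plugins": {"file": {"path": ["/var/vcap/sys/log/nginx-sso-proxy/upstream.access.log"]}}},
                      "syslog": {"endpoints": ["syslog.example.internal:514"]}}}}}]
```

Run unresolved_placeholders on the Ops list first; a non-empty result means the log sink was never filled in and the deployment would stream nothing anywhere.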