Version: Develop

Security Logs

Security logs allow Platform operators to see which security-related actions were triggered, when, and by whom, providing accountability at every step of a process. This may be relevant for security auditing in the context of, e.g., KRITIS. The creation of these logs is disabled by default. The following sections explain how security logs can be enabled for specific components of the a9s Data Service Bundle.

a9s PostgreSQL

The easiest way to access the relevant information is to log in to the PG virtual machine (VM) via SSH and check the files under /var/vcap/sys/log/postgresql-ha/. Alternatively, the collocated Logstash process on each node of the PostgreSQL cluster can be used to stream the logs to an external log endpoint. This can be set up with the following Ops file:

---
- type: replace
  path: /instance_groups/name=pg/jobs/name=logstash/properties/logstash/syslog_endpoint
  value: ["<syslog_endpoint>"]

a9s Service Broker

Audit logs can be enabled, which should already contain enough observable information. An Ops file is used to enable the collocated Logstash instance and then stream the logs to an external endpoint, e.g. the collection endpoint of a Splunk installation.

Audit logs are disabled by default.

BOSH Director

For viewing and collecting BOSH Director events, please see the following BOSH document.

a9s Backup Manager

Audit logs can also be enabled in the a9s Backup Manager, which should already contain enough observable information. An Ops file is used to enable the collocated Logstash instance and then stream the logs to an external syslog endpoint.

Audit logs are disabled by default.

a9s Public API and a9s Service Dashboard

As we are using the a9s SSO Proxy in front of the a9s Public API, every access attempt is logged in the upstream.access.log file, which is created by the Nginx that is part of the a9s SSO Proxy.

You can stream these logs to an external log sink by using the a9s Logstash BOSH release and collocating a Logstash process on the service-dashboard VM. The following Ops file can be used to achieve that:

---
# Collocate the a9s Logstash on the same VM as the service-dashboard
# and stream access logs via syslog protocol to the syslog_endpoint endpoint.
- type: replace
  path: /instance_groups/name=service-dashboard/jobs/-
  value:
    name: logstash
    release: logstash6
    properties:
      logstash:
        input:
          plugins:
            file:
              path:
                - /var/vcap/sys/log/nginx-sso-proxy/upstream.access.log
              sincedb_path: /tmp/sincedb
              start_position: beginning
        syslog:
          endpoints: ["<syslog_endpoint>"]
      consul:
        dc: dc1
        domain: ((iaas.consul.domain))
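
To see what the two Ops files on this page do to a manifest before deploying, the following added example (not part of the a9s documentation or tooling) models the replace operation for the path forms used here and flags <syslog_endpoint> placeholders that were never filled in. The manifest and its job names are constructed, and the second operation is abbreviated to its endpoint setting.

```python
import copy

def _step(node, tok):
    """Descend one path token: 'key' for maps, 'name=value' to pick an array item."""
    if "=" in tok:
        key, want = tok.split("=", 1)
        hits = [item for item in node if item.get(key) == want]
        if len(hits) != 1:
            raise KeyError(f"{tok}: expected one match, found {len(hits)}")
        return hits[0]
    return node[tok]  # raises KeyError if the key is missing

def apply_replace(manifest, op):
    """Apply one 'type: replace' operation and return the patched copy."""
    doc = copy.deepcopy(manifest)
    *parents, last = op["path"].strip("/").split("/")
    node = doc
    for tok in parents:
        node = _step(node, tok)
    if last == "-":        # a trailing '/-' appends to an array
        node.append(copy.deepcopy(op["value"]))
    else:
        _step(node, last)  # without a '?' suffix the key must already exist
        node[last] = copy.deepcopy(op["value"])
    return doc

def patch(manifest, ops):
    """Apply the operations in order, as an Ops file is applied top to bottom."""
    for op in ops:
        manifest = apply_replace(manifest, op)
    return manifest

def unresolved(node):
    """Collect '<...>' template placeholders that were never filled in."""
    if isinstance(node, dict):
        return [p for v in node.values() for p in unresolved(v)]
    if isinstance(node, list):
        return [p for v in node for p in unresolved(v)]
    if isinstance(node, str) and node.startswith("<") and node.endswith(">"):
        return [node]
    return []

# Constructed minimal manifest: only the parts the two Ops file paths touch.
MANIFEST = {"instance_groups": [
    {"name": "pg", "jobs": [
        {"name": "logstash", "properties": {"logstash": {"syslog_endpoint": []}}}]},
    {"name": "service-dashboard", "jobs": [{"name": "service-dashboard"}]}]}
# The two operations from this page (the second reduced to its syslog endpoint).
OPS = [
    {"path": "/instance_groups/name=pg/jobs/name=logstash/properties/logstash/syslog_endpoint",
     "value": ["<syslog_endpoint>"]},
    {"path": "/instance_groups/name=service-dashboard/jobs/-",
     "value": {"name": "logstash", "release": "logstash6",
               "properties": {"logstash": {"syslog": {"endpoints": ["<syslog_endpoint>"]}}}}}]
```

A non-empty result from unresolved(patch(MANIFEST, OPS)) means an Ops file was applied with the template placeholder still in it, so the logs would not reach a real endpoint.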