Recommended log files to relay to ArcSight via rsyslog:
- /var/log/puppetlabs/nginx/access.log
- /var/log/puppetlabs/console-services/console-services.log
- /var/log/puppetlabs/puppetserver/puppetserver.log
Things we're interested in, by PE component:
The log examples below (a successful console login by user admin) require no special logback configuration.
console-services.log
2018-11-01T04:54:11.668Z [qtp1081382290-121840] INFO [p.r.s.authn] Authenticated user admin with realm [org.apache.shiro.realm.jdbc.JdbcRealm_1] in RBAC
console-services-access.log
127.0.0.1 - - [01/Nov/2018:04:54:11 +0000] "POST /auth/login HTTP/1.0" 200 0 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 399 10.16.132.203
nginx access.log
10.16.132.203 - - [01/Nov/2018:04:54:11 +0000] "POST /auth/login HTTP/1.1" 200 5 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"
The log examples below (a failed console login, HTTP 401) require no special logback configuration.
console-services.log
2018-11-01T05:10:01.076Z [qtp1081382290-121804] WARN [p.r.utils] Authentication failed.
2018-11-01T05:10:01.080Z [qtp917791547-106667] INFO [p.p.routes] User bogususername failed to login.
console-services-access.log
127.0.0.1 - - [01/Nov/2018:05:10:01 +0000] "POST /auth/login HTTP/1.0" 401 78 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 21 10.16.132.203
console-services-api-access.log
127.0.0.1 - - [01/Nov/2018:05:11:38 +0000] "POST /rbac-api/v1/auth/token HTTP/1.1" 401 78 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 356 -
nginx access.log
10.16.132.203 - - [01/Nov/2018:05:11:38 +0000] "POST /auth/login HTTP/1.1" 401 78 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"
Note that the username doesn't show up here (it was 'testuser'); the UUID of the user does show up, however. This is with no customisation of logging.
==> /var/log/puppetlabs/console-services/console-services-api-access.log <==
127.0.0.1 - - [01/Nov/2018:05:41:15 +0000] "POST /rbac-api/v1/users HTTP/1.1" 303 0 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 59 -
127.0.0.1 - - [01/Nov/2018:05:41:15 +0000] "GET /rbac-api/v1/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5 HTTP/1.1" 200 209 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 36 -
==> /var/log/puppetlabs/console-services/console-services.log <==
2018-11-01T05:41:15.716Z [qtp917791547-124052] INFO [p.p.r.users] Successful request to create user via POST /api/rbac/users
==> /var/log/puppetlabs/console-services/console-services-access.log <==
127.0.0.1 - - [01/Nov/2018:05:41:15 +0000] "POST /api/rbac/users HTTP/1.0" 200 199 "https://pe-201814-master.puppetdebug.vlan/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 141 10.16.132.203
==> /var/log/puppetlabs/console-services/console-services-api-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "POST /rbac-api/v1/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset HTTP/1.1" 201 847 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 113 -
==> /var/log/puppetlabs/console-services/console-services.log <==
2018-11-01T05:45:22.536Z [qtp917791547-106667] INFO [p.p.r.users] Successful request to reset user password via POST /api/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset
==> /var/log/puppetlabs/console-services/console-services-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "POST /api/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset HTTP/1.0" 200 859 "https://pe-201814-master.puppetdebug.vlan/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 167 10.16.132.203
==> /var/log/puppetlabs/console-services/console-services.log <==
2018-11-01T05:45:22.807Z [qtp917791547-124388] INFO [p.p.a.routes] Request activity for rbac users 7a07a966-6d24-4d46-8b8e-a51ea67bcda5
==> /var/log/puppetlabs/console-services/console-services-api-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "GET /activity-api/v1/events?service_id=rbac&object_type=users&object_id=7a07a966-6d24-4d46-8b8e-a51ea67bcda5&limit=21&offset=0 HTTP/1.1" 200 714 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 45 -
==> /var/log/puppetlabs/console-services/console-services-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "GET /api/act/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/events?limit=21&offset=0 HTTP/1.0" 200 945 "https://pe-201814-master.puppetdebug.vlan/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 108 10.16.132.203
Specifying regular expressions is painful in rsyslog (note the doubled backslashes in the config below). There is a tester here that is also painful but helps: https://www.rsyslog.com/regex/
# PE
# About: https://gist.github.com/jessereynolds/594f3f910987a83e4740d970d22b2553
# Regex tester for rsyslog: https://www.rsyslog.com/regex/
module(load="imfile" mode="inotify") # needs to be done just once
input(type="imfile"
      File="/var/log/puppetlabs/nginx/access.log"
      startmsg.regex="^([[:digit:]]+)\\.([[:digit:]]+)\\.([[:digit:]]+)\\.([[:digit:]]+)"
      freshStartTail="on"
      Tag="pe-nginx-access")
input(type="imfile"
      File="/var/log/puppetlabs/console-services/console-services.log"
      startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}T[[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}"
      freshStartTail="on"
      Tag="pe-console-services")
After rsyslog picks up the nginx access log, each line is written out to the syslog file wrapped with a syslog header (timestamp, host, the imfile Tag) as follows:
Nov 1 23:56:31 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:56:30 +0000] "GET /auth/login?redirect=/ HTTP/1.1" 200 1640 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"
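As an added example (not part of this gist), a small Python checker that consumes rsyslog-wrapped lines in the format shown above, splits off the Tag, counts 401 responses to POST /auth/login per client IP from the pe-nginx-access lines (where the real client IP is visible, unlike the 127.0.0.1 in console-services-access.log), and picks out the RBAC user-creation and password-reset events from the pe-console-services lines. The sample lines are constructed from the formats in this note; the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Syslog header rsyslog prepends (timestamp, host, imfile Tag), then the original message.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")
# nginx access line; only the fields the checks below need.
ACCESS_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# console-services.log RBAC user-management events (create user, password reset).
RBAC_RE = re.compile(r"Successful request to (?P<action>create user|reset user password) via \S+ (?P<path>\S+)")

# Constructed sample, modelled on the formats in this note (not real captured data).
SAMPLE = """\
Nov  1 23:56:31 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:56:30 +0000] "GET /auth/login?redirect=/ HTTP/1.1" 200 1640 "-" "Mozilla/5.0" "-"
Nov  1 23:56:40 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:56:40 +0000] "POST /auth/login HTTP/1.1" 401 78 "-" "Mozilla/5.0" "-"
Nov  1 23:56:44 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:56:44 +0000] "POST /auth/login HTTP/1.1" 401 78 "-" "Mozilla/5.0" "-"
Nov  1 23:56:49 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:56:49 +0000] "POST /auth/login HTTP/1.1" 401 78 "-" "Mozilla/5.0" "-"
Nov  1 23:56:55 pe-201814-master pe-nginx-access 10.0.0.5 - - [01/Nov/2018:23:56:55 +0000] "POST /auth/login HTTP/1.1" 401 78 "-" "curl/7.61.0" "-"
Nov  1 23:57:01 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:57:01 +0000] "POST /auth/login HTTP/1.1" 200 5 "-" "Mozilla/5.0" "-"
Nov  1 23:57:15 pe-201814-master pe-console-services 2018-11-01T23:57:15.716Z [qtp917791547-124052] INFO [p.p.r.users] Successful request to create user via POST /api/rbac/users
Nov  1 23:58:22 pe-201814-master pe-console-services 2018-11-01T23:58:22.536Z [qtp917791547-106667] INFO [p.p.r.users] Successful request to reset user password via POST /api/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset
"""

def parse_syslog(line):
    """Split a wrapped line into (tag, original message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return (m.group("tag"), m.group("msg")) if m else None

def failed_console_logins(text, threshold=3):
    """Return {client_ip: count} for IPs with >= threshold 401s on POST /auth/login."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_syslog(line)
        if not parsed or parsed[0] != "pe-nginx-access":
            continue
        a = ACCESS_RE.match(parsed[1])
        if a and (a.group("method"), a.group("path"), a.group("status")) == ("POST", "/auth/login", "401"):
            counts[a.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def rbac_admin_events(text):
    """Return (action, path) for user-creation and password-reset events."""
    events = []
    for line in text.splitlines():
        parsed = parse_syslog(line)
        if parsed and parsed[0] == "pe-console-services":
            r = RBAC_RE.search(parsed[1])
            if r:
                events.append((r.group("action"), r.group("path")))
    return events
```

Both functions work on the tags set in the rsyslog config, so they keep working if the files are renamed as long as the Tag values stay the same.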