@jessereynolds
Last active November 2, 2018 00:15
puppet enterprise security logging

Puppet Enterprise Security Event Logging

Recommended log files to relay to ArcSight via rsyslog:

  • /var/log/puppetlabs/nginx/access.log
  • /var/log/puppetlabs/console-services/console-services.log
  • /var/log/puppetlabs/puppetserver/puppetserver.log

Things we're interested in, by PE component:

console-services

console login - success

The below log examples require no special logback configuration.

console-services.log

2018-11-01T04:54:11.668Z [qtp1081382290-121840] INFO [p.r.s.authn] Authenticated user admin with realm [org.apache.shiro.realm.jdbc.JdbcRealm_1] in RBAC

console-services-access.log

127.0.0.1 - - [01/Nov/2018:04:54:11 +0000] "POST /auth/login HTTP/1.0" 200 0 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 399 10.16.132.203

nginx access.log

10.16.132.203 - - [01/Nov/2018:04:54:11 +0000] "POST /auth/login HTTP/1.1" 200 5 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"

console login - unknown username or incorrect password

The below log examples require no special logback configuration.

console-services.log

2018-11-01T05:10:01.076Z [qtp1081382290-121804] WARN [p.r.utils] Authentication failed.
2018-11-01T05:10:01.080Z [qtp917791547-106667] INFO [p.p.routes] User bogususername failed to login.

console-services-access.log

127.0.0.1 - - [01/Nov/2018:05:10:01 +0000] "POST /auth/login HTTP/1.0" 401 78 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 21 10.16.132.203

console-services-api-access.log

127.0.0.1 - - [01/Nov/2018:05:11:38 +0000] "POST /rbac-api/v1/auth/token HTTP/1.1" 401 78 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 356 -

nginx access.log

10.16.132.203 - - [01/Nov/2018:05:11:38 +0000] "POST /auth/login HTTP/1.1" 401 78 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"

console-services / rbac

changes to users - creation

Note that the username ('testuser') does not appear in any of these lines; only the user's UUID does. This is with no customisation of logging.

==> /var/log/puppetlabs/console-services/console-services-api-access.log <==
127.0.0.1 - - [01/Nov/2018:05:41:15 +0000] "POST /rbac-api/v1/users HTTP/1.1" 303 0 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 59 -
127.0.0.1 - - [01/Nov/2018:05:41:15 +0000] "GET /rbac-api/v1/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5 HTTP/1.1" 200 209 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 36 -

==> /var/log/puppetlabs/console-services/console-services.log <==
2018-11-01T05:41:15.716Z [qtp917791547-124052] INFO [p.p.r.users] Successful request to create user via POST /api/rbac/users

==> /var/log/puppetlabs/console-services/console-services-access.log <==
127.0.0.1 - - [01/Nov/2018:05:41:15 +0000] "POST /api/rbac/users HTTP/1.0" 200 199 "https://pe-201814-master.puppetdebug.vlan/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 141 10.16.132.203

changes to users - generate password reset link

==> /var/log/puppetlabs/console-services/console-services-api-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "POST /rbac-api/v1/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset HTTP/1.1" 201 847 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 113 -

==> /var/log/puppetlabs/console-services/console-services.log <==
2018-11-01T05:45:22.536Z [qtp917791547-106667] INFO [p.p.r.users] Successful request to reset user password via POST /api/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset

==> /var/log/puppetlabs/console-services/console-services-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "POST /api/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset HTTP/1.0" 200 859 "https://pe-201814-master.puppetdebug.vlan/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 167 10.16.132.203

==> /var/log/puppetlabs/console-services/console-services.log <==
2018-11-01T05:45:22.807Z [qtp917791547-124388] INFO [p.p.a.routes] Request activity for rbac users 7a07a966-6d24-4d46-8b8e-a51ea67bcda5

==> /var/log/puppetlabs/console-services/console-services-api-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "GET /activity-api/v1/events?service_id=rbac&object_type=users&object_id=7a07a966-6d24-4d46-8b8e-a51ea67bcda5&limit=21&offset=0 HTTP/1.1" 200 714 "-" "Apache-HttpAsyncClient/4.1.2 (Java/1.8.0_181)" 45 -

==> /var/log/puppetlabs/console-services/console-services-access.log <==
127.0.0.1 - - [01/Nov/2018:05:45:22 +0000] "GET /api/act/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/events?limit=21&offset=0 HTTP/1.0" 200 945 "https://pe-201814-master.puppetdebug.vlan/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" 108 10.16.132.203
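The login and RBAC lines above are what a detection rule has to key on, so here is an added example, mine rather than the gist's or Puppet Enterprise's, that parses the formats shown in the login and user-change sections and derives events from them: login success/failure with the real client address, a repeated-failure check per source address, and user creation / password reset carrying the user UUID, which as noted above is the only identifier console-services logs for the user. The regexes, event names and threshold are my own; reading the trailing address in console-services-access.log as the forwarded client is an inference from the samples (nginx logs 10.16.132.203 where the jetty log has 127.0.0.1); the input is the gist's own lines plus three constructed 401s. Python 3.7 or later, since strptime only accepts the trailing Z from that version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the gist: parsers for the log formats quoted above and
# the security events a SIEM rule would key on. Regexes and event names are mine.
# Access logs (nginx and both console-services ones) share the combined-log leading
# fields; what follows the user-agent differs per file, so it is captured as "rest".
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*"(?P<rest>.*)$')
LOGBACK_RE = re.compile(  # logback lines in console-services.log
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) \[[^\]]+\] '
    r'(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] (?P<msg>.*)$')
UUID = r'[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
# message text -> event type; group(1), where present, is the username or user UUID
MSG_RULES = [
    (re.compile(r'^Authenticated user (\S+) with realm '), 'login_success'),
    (re.compile(r'^User (\S+) failed to login\.'), 'login_failure'),
    (re.compile(r'^Successful request to create user via '), 'user_create'),
    (re.compile(r'^Successful request to reset user password via POST '
                r'/api/rbac/users/(' + UUID + r')/password/reset'), 'password_reset'),
]

def parse_access(line):
    """One access-log line -> dict, or None if the line is not in that format."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
    d['status'] = int(d['status'])
    tail = d.pop('rest').split()
    # console-services-access.log ends "<ms> <address>"; assumption from the samples
    # (nginx logs 10.16.132.203, jetty logs 127.0.0.1): that address is the real client.
    d['forwarded_client'] = tail[1] if len(tail) == 2 and tail[1] != '-' else None
    return d

def parse_logback(line):
    """One console-services.log line -> dict; 'event' is set when it is one we track."""
    m = LOGBACK_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime(d['ts'], '%Y-%m-%dT%H:%M:%S.%f%z')  # 3.7+ for 'Z'
    d['event'] = d['subject'] = None
    for rx, kind in MSG_RULES:
        mm = rx.match(d['msg'])
        if mm:
            d['event'], d['subject'] = kind, (mm.group(1) if mm.groups() else None)
            break
    return d

def console_events(lines):
    """Security-relevant events from console-services.log lines (noise dropped)."""
    return [d for d in map(parse_logback, lines) if d and d['event']]

def login_events(access_lines):
    """Login outcomes from an access log: POST /auth/login -> 200 ok, anything else failed."""
    out = []
    for d in filter(None, map(parse_access, access_lines)):
        if d['method'] == 'POST' and d['path'].split('?')[0] == '/auth/login':
            out.append({'ts': d['ts'], 'client': d['forwarded_client'] or d['client'],
                        'event': 'login_success' if d['status'] == 200 else 'login_failure'})
    return out

def brute_force_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Clients with >= threshold failed logins inside one window -> {client: total failures}."""
    by_client = defaultdict(list)
    for e in events:
        if e['event'] == 'login_failure':
            by_client[e['client']].append(e['ts'])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[client] = len(times)
                break
    return flagged

# Sample input: the gist's own lines, plus three constructed 401s from the same
# address a few seconds later to trip the brute-force check.
UA = ('"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"')
REF = '"https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/"'
NGINX_SAMPLE = [
    f'10.16.132.203 - - [01/Nov/2018:04:54:11 +0000] "POST /auth/login HTTP/1.1" 200 5 {REF} {UA} "-"',
    f'10.16.132.203 - - [01/Nov/2018:05:11:38 +0000] "POST /auth/login HTTP/1.1" 401 78 {REF} {UA} "-"',
] + [f'10.16.132.203 - - [01/Nov/2018:05:11:{s} +0000] "POST /auth/login HTTP/1.1" 401 78 {REF} {UA} "-"'
     for s in ('40', '41', '43')]  # constructed
CS_ACCESS_LINE = (f'127.0.0.1 - - [01/Nov/2018:04:54:11 +0000] "POST /auth/login HTTP/1.0" 200 0 '
                  f'{REF} {UA} 399 10.16.132.203')
CONSOLE_SAMPLE = [
    '2018-11-01T04:54:11.668Z [qtp1081382290-121840] INFO [p.r.s.authn] Authenticated user admin with realm [org.apache.shiro.realm.jdbc.JdbcRealm_1] in RBAC',
    '2018-11-01T05:10:01.076Z [qtp1081382290-121804] WARN [p.r.utils] Authentication failed.',
    '2018-11-01T05:10:01.080Z [qtp917791547-106667] INFO [p.p.routes] User bogususername failed to login.',
    '2018-11-01T05:41:15.716Z [qtp917791547-124052] INFO [p.p.r.users] Successful request to create user via POST /api/rbac/users',
    '2018-11-01T05:45:22.536Z [qtp917791547-106667] INFO [p.p.r.users] Successful request to reset user password via POST /api/rbac/users/7a07a966-6d24-4d46-8b8e-a51ea67bcda5/password/reset',
]

if __name__ == '__main__':
    print(*[(e['event'], e['subject']) for e in console_events(CONSOLE_SAMPLE)], sep='\n')
    print('brute-force candidates:', brute_force_sources(login_events(NGINX_SAMPLE)))
```

Note that the failed-login line in console-services.log names the user but not the source address, while the nginx line has the address but not the user; if a rule needs both, the two feeds have to be joined on timestamp (they differ by a few milliseconds), which is why both files are on the relay list.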

changes to user role definitions

changes to user role membership

changes to directory groups

console-services / classifier

changes to node groups

puppetserver / ca

certificate signing

certificate revocation

puppetserver / code-manager

puppet code deployments

rsyslog config to slurp up the logs

Specifying regular expressions is painful in rsyslog. There is a tester here that is also painful but helps: https://www.rsyslog.com/regex/

# PE
# About: https://gist.github.com/jessereynolds/594f3f910987a83e4740d970d22b2553
# Regex tester for rsyslog: https://www.rsyslog.com/regex/
module(load="imfile" mode="inotify") # needs to be done just once

input(type="imfile"
      File="/var/log/puppetlabs/nginx/access.log"
      startmsg.regex="^([[:digit:]]+)\\.([[:digit:]]+)\\.([[:digit:]]+)\\.([[:digit:]]+)"
      freshStartTail="on"
      Tag="pe-nginx-access")

input(type="imfile"
      File="/var/log/puppetlabs/console-services/console-services.log"
      startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}T[[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}"
      freshStartTail="on"
      Tag="pe-console-services")

After rsyslog picks up the nginx access log, each line is written to the syslog file wrapped in a syslog header (timestamp, host, tag) as follows:

Nov 1 23:56:31 pe-201814-master pe-nginx-access 10.16.132.203 - - [01/Nov/2018:23:56:30 +0000] "GET /auth/login?redirect=/ HTTP/1.1" 200 1640 "https://pe-201814-master.puppetdebug.vlan/auth/login?redirect=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"
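To check that the two startmsg.regex values delimit messages the way imfile will (logback writes stack traces across many lines, and those must reach ArcSight as one record rather than one event per line), here is an added Python check, mine rather than the gist's or rsyslog's. It applies the same two patterns to sample lines with a simulation of imfile's grouping, and splits the syslog header back off a relayed line like the one above. rsyslog compiles POSIX ERE and Python's re does not know `[[:digit:]]`, so that class is translated to `[0-9]`, which is all these two patterns use. The exception lines are constructed, and the nginx lines are shortened. Two caveats visible from the config itself: the nginx pattern only recognises lines starting with an IPv4 address, so a line from an IPv6 client would be appended to the previous message; and the recommended list has three files while the config only has inputs for two (puppetserver.log has no stanza).

```python
import re

# Added example, not from the gist or rsyslog: the two startmsg.regex values from
# the config above, verbatim (rsyslog's double-quoted string turns "\\." into "\."
# before the regex engine sees it, which is what the raw string holds here).
STARTMSG = {
    'pe-nginx-access':
        r'^([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+)',
    'pe-console-services':
        r'^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}T[[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}',
}
# rsyslog prefixes "<timestamp> <host> <tag>" to each relayed message; this
# pattern (mine) splits that header off again on the receiving side.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$')

def posix_to_python(ere):
    """rsyslog compiles POSIX ERE; Python's re lacks POSIX bracket classes.
    Only [[:digit:]] is translated, which is all these two patterns use
    (assumption: not a general translator for arbitrary rsyslog regexes)."""
    return re.compile(ere.replace('[[:digit:]]', '[0-9]'))

def group_messages(lines, startmsg):
    """Mimic imfile's startmsg.regex: a line matching the pattern starts a new
    message, every other line is appended to the current one. On the wire imfile
    encodes the embedded newline according to its escapeLF setting; here it is kept
    as a literal newline. A leading non-matching line starts the first message,
    which is a simplification."""
    rx = posix_to_python(startmsg)
    messages = []
    for line in lines:
        if rx.search(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += '\n' + line
    return messages

def unwrap_syslog(line):
    """Split a relayed line into the syslog header fields and the original log line."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

# Constructed sample input: the gist's two failed-login lines followed by a made-up
# stack trace of the kind logback writes for an unhandled exception; nginx lines
# shortened to the fields that matter for the pattern.
CONSOLE_LINES = [
    '2018-11-01T05:10:01.076Z [qtp1081382290-121804] WARN [p.r.utils] Authentication failed.',
    '2018-11-01T05:10:01.080Z [qtp917791547-106667] INFO [p.p.routes] User bogususername failed to login.',
    '2018-11-01T05:12:00.000Z [qtp917791547-106667] ERROR [p.p.routes] Unhandled exception',
    'java.lang.IllegalStateException: example',
    '\tat example.Foo.bar(Foo.java:42)',
    '\tat example.Foo.baz(Foo.java:7)',
]
NGINX_LINES = [
    '10.16.132.203 - - [01/Nov/2018:23:56:30 +0000] "GET /auth/login?redirect=/ HTTP/1.1" 200 1640 "-" "-" "-"',
    '10.16.132.203 - - [01/Nov/2018:23:56:31 +0000] "POST /auth/login HTTP/1.1" 401 78 "-" "-" "-"',
]
WRAPPED = 'Nov  1 23:56:31 pe-201814-master pe-nginx-access ' + NGINX_LINES[0]

if __name__ == '__main__':
    for tag, src in (('pe-console-services', CONSOLE_LINES), ('pe-nginx-access', NGINX_LINES)):
        for msg in group_messages(src, STARTMSG[tag]):
            print(tag, repr(msg))
    print(unwrap_syslog(WRAPPED))
```

The relayed line above shows the tag followed directly by a space and the message, because imfile emits the Tag value exactly as configured; if the receiving parser expects the conventional trailing colon, put it in the value (Tag="pe-nginx-access:") rather than expecting rsyslog to add it.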
