diff --git a/dirac.cfg b/dirac.cfg index 87c8229384d..98eb31f461c 100644 --- a/dirac.cfg +++ b/dirac.cfg @@ -766,6 +766,8 @@ Operations { # This will globally enable ES based monitoring for Service and AgentModule. EnableActivityMonitoring = no + # Flag for globally disabling the use of the SecurityLogging service + EnableSecurityLogging = False DataManagement { # see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html#multi-protocol diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst deleted file mode 100644 index 05135bb9bb4..00000000000 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst +++ /dev/null @@ -1,10 +0,0 @@ -Systems / Framework / / Service / SecurityLogging - Sub-subsection -============================================================================= - -SecurityLogging service is used by all server to log all connections. - -+-----------------+------------------------------------------+---------------------------------+ -| **Name** | **Description** | **Example** | -+-----------------+------------------------------------------+---------------------------------+ -| *DataLocation* | Directory where log info is kept | DataLocation = data/securityLog | -+-----------------+------------------------------------------+---------------------------------+ diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst index 11d4214f9aa..1ebf94ad456 100644 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst 
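Review bot: The reference config turns the audit trail off (`EnableSecurityLogging = False`) while Service.py in the same diff falls back to True when the option is absent, so any installation seeded from dirac.cfg silently stops recording which identity connected to which service and whether the authorization succeeded. The comment should say what is expected to replace that record, e.g. `# Disable only if an alternative audit trail (e.g. ES-based centralized logging) is in place; otherwise per-connection authorization events are no longer recorded anywhere`. The neighbouring `EnableActivityMonitoring = no` uses the yes/no form, so `EnableSecurityLogging = no` would keep the file's boolean style consistent, assuming the CS boolean parsing accepts both spellings. The documentation deletion that follows removes the only reference page for the SecurityLogging service without mentioning this new option anywhere.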
+++ b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst @@ -41,6 +41,5 @@ Services associated with Framework system are: Monitoring/index Notification/index Plotting/index - SecurityLogging/index SystemAdministrator/index UserProfileManager/index diff --git a/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst b/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst index 5ecffc3de7e..a2233aa64d6 100644 --- a/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst +++ b/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst 
@@ -60,87 +60,9 @@ From the DIRAC point of view, that's all there is to do. Logstash and ELK configurations =============================== -The logstash configuration (``/etc/logstash/conf.d/configname``) is given here as an example only (`full documentation `_):: - - input { - # This queue is used for dirac components - # you need one entry per broker - # Caution, alias are not resolved into multiple hosts ! - stomp { - type => "stomp" - destination => "/queue/lhcb.dirac.logging" - host => messagebroker - port => 61713 - user => "myUser" - password => "myPassword" - codec => "json" - } - - } - - filter{ - if [type] == "stomp" { - # If there is an exception, print it multiline - # This is the way to test if a variable is defined - if "" in [exc_info]{ - mutate { - gsub => [ - "exc_info", "\\n", "\n" - ] - } - } else { - # otherwise, add the field as empty string so that it does not display - mutate { - add_field => {"exc_info" => ""} - } - } - # If levelname is not defined, we can infer that several other infos - # are missing, like asctime. So define them empty. 
- if !("" in [levelname]){ - mutate { - add_field => {"levelname" => "" - "asctime" => ""} - } - } - date { - match => [ "asctime", "yyyy-MM-dd HH:mm:ss" ] - timezone => "UTC" - } - - # we want to create the index based on the component name - # but the component name has a "/" in it, so replace it - # with a "-", and set it lowercase - # We do it in two separate mutate filter to make sure - # of the order - mutate { - copy => { "componentname" => "componentindex" } - } - mutate { - gsub => [ - "componentindex", "/", "-" - ] - lowercase => [ "componentindex" ] - } - - } - } - - output { - if [type] == "stomp" { - elasticsearch { - # We create one index per component per day - index => "lhcb-dirac-logs-%{componentindex}-%{+YYYY.MM.dd}" - hosts => ["https://my-elasticsearch-host.cern.ch:9203"] - user => "myESUser" - template_name => "lhcb-dirac-logs_default" - manage_template => "false" - password => "myESPassword" - } - } - } - +The suggested logstash configuration (``/etc/logstash/conf.d/configname``) can be found in https://gitlab.cern.ch/ai/it-puppet-module-dirac/-/blob/qa/code/templates/logstash.conf.erb (check the `full documentation `_) -And the ElasticSearch template ``lhcb-dirac-logs_default`` looks like:: +The ElasticSearch template ``lhcb-dirac-logs_default`` looks like:: { "order": 1, diff --git a/src/DIRAC/Core/DISET/private/Service.py b/src/DIRAC/Core/DISET/private/Service.py index ea29298653a..a7cf5cc3b5c 100644 --- a/src/DIRAC/Core/DISET/private/Service.py +++ b/src/DIRAC/Core/DISET/private/Service.py 
@@ -109,6 +109,9 @@ def initialize(self): "validNames": self._validNames, "csPaths": [PathFinder.getServiceSection(svcName) for svcName in self._validNames], } + self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and getServiceOption( + self._serviceInfoDict, "EnableSecurityLogging", True + ) # Initialize Monitoring # This is a flag used to check whether "EnableActivityMonitoring" is enabled or not from the config file. self.activityMonitoring = Operations().getValue("EnableActivityMonitoring", False) or getServiceOption( @@ -410,7 +413,8 @@ def _processInThread(self, clientTransport): if monReport: self.__endReportToMonitoring(*monReport) - def _createIdentityString(self, credDict, clientTransport=None): + @staticmethod + def _createIdentityString(credDict, clientTransport=None): if "username" in credDict: if "group" in credDict: identity = "[%s:%s]" % (credDict["username"], credDict["group"]) @@ -509,16 +513,17 @@ def _authorizeProposal(self, actionTuple, trid, credDict): return S_ERROR("Client disconnected") sourceAddress = tr.getRemoteAddress() identity = self._createIdentityString(credDict) - Service.SVC_SECLOG_CLIENT.addMessage( - result["OK"], - sourceAddress[0], - sourceAddress[1], - identity, - self._cfg.getHostname(), - self._cfg.getPort(), - self._name, - "/".join(actionTuple), - ) + if self.securityLogging: + Service.SVC_SECLOG_CLIENT.addMessage( + result["OK"], + sourceAddress[0], + sourceAddress[1], + identity, + self._cfg.getHostname(), + self._cfg.getPort(), + self._name, + "/".join(actionTuple), + ) return result def _instantiateHandler(self, trid, proposalTuple=None): diff --git a/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg b/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg index d75f956dcef..7b156f610d6 100644 --- a/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg +++ b/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg 
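Review bot: In `_authorizeProposal` the new `if self.securityLogging:` guard drops denied authorizations entirely when the flag is off — a `result["OK"]` of False is no longer recorded anywhere on this path, so an operator who opts out of the SecurityLogging service loses the trace of rejected access attempts, not just of successful connections. A local warning for the failure case keeps that evidence without the central service; the sketch below assumes `gLogger` is in scope in Service.py as in other DIRAC modules — confirm. Since `sourceAddress` and `identity` are only consumed by the `addMessage` call in the visible lines, they can move under the guard too. `self.securityLogging` is assigned in `initialize()`, so a proposal reaching `_authorizeProposal` before initialization completes would raise AttributeError; a class-level default `securityLogging = True` would make the attribute safe. `_authorizeProposal` continues outside the hunk.
```python
        if self.securityLogging:
            sourceAddress = tr.getRemoteAddress()
            identity = self._createIdentityString(credDict)
            # … unchanged: Service.SVC_SECLOG_CLIENT.addMessage(...) …
        elif not result["OK"]:
            # Keep a local trace of denied access even when the central SecurityLogging service is off
            host, port = tr.getRemoteAddress()[:2]
            gLogger.warn(
                "Authorization denied (SecurityLogging disabled)",
                "%s from %s:%s on %s/%s"
                % (self._createIdentityString(credDict), host, port, self._name, "/".join(actionTuple)),
            )
        return result
```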
@@ -71,6 +71,8 @@ Services SecurityLogging { Port = 9153 + # Directory where log info is kept + DataLocation = data/securityLog Authorization { Default = authenticated diff --git a/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py b/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py index 70de7000cac..8c35efc8a29 100644 --- a/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py +++ b/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py @@ -1,4 +1,7 @@ """ Handler for logging in security.log.csv files + + This service is kept for installations that are not using ES-based logs management + (see https://dirac.readthedocs.io/en/latest/AdministratorGuide/ServerInstallations/centralizedLogging.html) """ import os
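Review bot: The template now documents `DataLocation` for the SecurityLogging service, but the per-service `EnableSecurityLogging` option that Service.py reads through `getServiceOption` (default True) is documented nowhere, and the same diff deletes the only reference page for this service. A commented line would make the knob discoverable: `# Per-service override of Operations/EnableSecurityLogging; set to no to stop this service from reporting its connections` — it belongs in the generic service options rather than under SecurityLogging, since every DISET service reads it; I cannot see the template's generic section from here. `DataLocation = data/securityLog` is a relative path; stating which directory it is resolved against (presumably the DIRAC installation root — confirm against the handler) would avoid audit files landing somewhere unexpected or unprotected.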