DIRACGrid · fstagni · Jan 27, 2022 · Jan 27, 2022
@@ -766,6 +766,8 @@ Operations
   {
     # This will globally enable ES based monitoring for Service and AgentModule.
     EnableActivityMonitoring = no
+    # Flag for globally disabling the use of the SecurityLogging service
+    EnableSecurityLogging = False
     DataManagement
     {
       # see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html#multi-protocol

@@ -41,6 +41,5 @@ Services associated with Framework system are:
    Monitoring/index
    Notification/index
    Plotting/index
-   SecurityLogging/index
    SystemAdministrator/index
    UserProfileManager/index
@@ -60,87 +60,9 @@ From the DIRAC point of view, that's all there is to do.
 Logstash and ELK configurations
 ===============================
 
-The logstash configuration (``/etc/logstash/conf.d/configname``) is given here as an example only (`full documentation <https://www.elastic.co/guide/en/logstash/current/configuration.html>`_)::
-
-  input {
-    # This queue is used for dirac components
-    # you need one entry per broker
-    # Caution, alias are not resolved into multiple hosts !
-    stomp {
-      type => "stomp"
-      destination => "/queue/lhcb.dirac.logging"
-      host => messagebroker
-      port => 61713
-      user => "myUser"
-      password => "myPassword"
-      codec => "json"
-    }
-
-  }
-
-  filter{
-    if [type] == "stomp" {
-        # If there is an exception, print it multiline
-        # This is the way to test if a variable is defined
-        if "" in [exc_info]{
-          mutate {
-            gsub => [
-              "exc_info", "\\n", "\n"
-            ]
-          }
-        } else {
-          # otherwise, add the field as empty string so that it does not display
-          mutate {
-            add_field => {"exc_info" => ""}
-          }
-        }
-        # If levelname is not defined, we can infer that several other infos
-        # are missing, like asctime. So define them empty.
-        if !("" in [levelname]){
-          mutate {
-            add_field => {"levelname" => ""
-                          "asctime" => ""}
-          }
-        }
-        date {
-          match => [ "asctime", "yyyy-MM-dd HH:mm:ss" ]
-          timezone => "UTC"
-        }
-
-      # we want to create the index based on the component name
-      # but the component name has a "/" in it, so replace it
-      # with a "-", and set it lowercase
-      # We do it in two separate mutate filter to make sure
-      # of the order
-      mutate {
-        copy => { "componentname" => "componentindex" }
-      }
-      mutate {
-        gsub => [
-          "componentindex", "/", "-"
-        ]
-        lowercase => [ "componentindex" ]
-      }
-
-    }
-  }
-
-  output {
-    if [type] == "stomp"  {
-      elasticsearch {
-          # We create one index per component per day
-          index    => "lhcb-dirac-logs-%{componentindex}-%{+YYYY.MM.dd}"
-          hosts    => ["https://my-elasticsearch-host.cern.ch:9203"]
-          user     => "myESUser"
-          template_name => "lhcb-dirac-logs_default"
-          manage_template => "false"
-          password => "myESPassword"
-      }
-    }
-  }
-
+The suggested logstash configuration (``/etc/logstash/conf.d/configname``) can be found in https://gitlab.cern.ch/ai/it-puppet-module-dirac/-/blob/qa/code/templates/logstash.conf.erb (check the `full documentation <https://opensearch.org/docs/latest/clients/logstash/index/>`_)
 
-And the ElasticSearch template ``lhcb-dirac-logs_default`` looks like::
+The ElasticSearch template ``lhcb-dirac-logs_default`` looks like::
 
   {
     "order": 1,

@@ -109,6 +109,9 @@ def initialize(self):
             "validNames": self._validNames,
             "csPaths": [PathFinder.getServiceSection(svcName) for svcName in self._validNames],
         }
+        self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and getServiceOption(
+            self._serviceInfoDict, "EnableSecurityLogging", True
+        )
         # Initialize Monitoring
         # This is a flag used to check whether "EnableActivityMonitoring" is enabled or not from the config file.
         self.activityMonitoring = Operations().getValue("EnableActivityMonitoring", False) or getServiceOption(
@@ -410,7 +413,8 @@ def _processInThread(self, clientTransport):
             if monReport:
                 self.__endReportToMonitoring(*monReport)
 
-    def _createIdentityString(self, credDict, clientTransport=None):
+    @staticmethod
+    def _createIdentityString(credDict, clientTransport=None):
         if "username" in credDict:
             if "group" in credDict:
                 identity = "[%s:%s]" % (credDict["username"], credDict["group"])
@@ -509,16 +513,17 @@ def _authorizeProposal(self, actionTuple, trid, credDict):
             return S_ERROR("Client disconnected")
         sourceAddress = tr.getRemoteAddress()
         identity = self._createIdentityString(credDict)
-        Service.SVC_SECLOG_CLIENT.addMessage(
-            result["OK"],
-            sourceAddress[0],
-            sourceAddress[1],
-            identity,
-            self._cfg.getHostname(),
-            self._cfg.getPort(),
-            self._name,
-            "/".join(actionTuple),
-        )
+        if self.securityLogging:
+            Service.SVC_SECLOG_CLIENT.addMessage(
+                result["OK"],
+                sourceAddress[0],
+                sourceAddress[1],
+                identity,
+                self._cfg.getHostname(),
+                self._cfg.getPort(),
+                self._name,
+                "/".join(actionTuple),
+            )
         return result
 
     def _instantiateHandler(self, trid, proposalTuple=None):

diff --git a/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg b/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg
@@ -71,6 +71,8 @@ Services
   SecurityLogging
   {
     Port = 9153
+    # Directory where log info is kept
+    DataLocation = data/securityLog
     Authorization
     {
       Default = authenticated

diff --git a/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py b/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py
@@ -1,4 +1,7 @@
 """ Handler for logging in security.log.csv files
+
+    This service is kept for installations that are not using ES-based logs management
+    (see https://dirac.readthedocs.io/en/latest/AdministratorGuide/ServerInstallations/centralizedLogging.html)
 """
 import os