From 37eb1b4bbffcfce401d9f65583f08a626dd2ddd2 Mon Sep 17 00:00:00 2001 From: jaskaransarkaria Date: Fri, 22 Sep 2023 12:17:13 +0100 Subject: [PATCH] =?UTF-8?q?docs:=20=E2=9C=8F=EF=B8=8F=20update=20modsec=20?= =?UTF-8?q?logging=20docs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../get-audit-log-from-modsec.html.md.erb | 6 ++--- .../source/resolve-opensearch-no-logs.md.erb | 24 +++++++++++++++++++ ...esolve-opensearch-shard-issues.html.md.erb | 10 ++++---- 3 files changed, 32 insertions(+), 8 deletions(-) create mode 100644 runbooks/source/resolve-opensearch-no-logs.md.erb diff --git a/runbooks/source/get-audit-log-from-modsec.html.md.erb b/runbooks/source/get-audit-log-from-modsec.html.md.erb index 091365f6..cc64c89c 100644 --- a/runbooks/source/get-audit-log-from-modsec.html.md.erb +++ b/runbooks/source/get-audit-log-from-modsec.html.md.erb 
@@ -1,13 +1,13 @@ --- title: Get an audit log from modsec weight: 8600 -last_reviewed_on: 2023-05-19 -review_in: 3 months +last_reviewed_on: 2023-09-22 +review_in: 6 months --- # Opensearch modsec setup -We have introduced an opensearch dashboard which collects all modsec logs and has document level security enabled. This means users can only access the logs for the github team they are in (see here for more details)[https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html]. With this feature in place users can self serve and access their own modsec logs. In the case of a rare error, we may shut off logs to the dashboard (from fluent-bit) and then you must use the instructions below to access modsec logs on behalf of the user. +We have introduced an opensearch dashboard which collects all modsec logs and has document level security enabled. This means users can only access the logs for the github team they are in [see here for more details](https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html). With this feature in place users can self serve and access their own modsec logs. In the case of a rare error and logs aren't flowing to OpenSearch, then you must use the instructions below to access modsec logs on behalf of the user. ## Get an audit log from modsec (when fluent-bit is not pushing to opensearch) diff --git a/runbooks/source/resolve-opensearch-no-logs.md.erb b/runbooks/source/resolve-opensearch-no-logs.md.erb new file mode 100644 index 00000000..d75b1324 --- /dev/null +++ b/runbooks/source/resolve-opensearch-no-logs.md.erb 
@@ -0,0 +1,24 @@ +--- +title: Resolving no logs in modsec Open Search +weight: 190 +last_reviewed_on: 2023-09-22 +review_in: 6 months +--- + +# Modsec logging architecture + +[Please read up on the architecture first](https://github.com/ministryofjustice/cloud-platform-terraform-ingress-controller/#cloud-platform-terraform-ingress-controller) + +## Deebugging + +The first place to look is in the fluent bit side car logs + +``` +stern modsec --container flb-modsec-audit-logs -n ingress-controllers +``` + +This should give you a clue to the issue. Once you resolve this issue. Logs may not immediately come back, this might be because logs are stuck retrying, if this is the case then restart the deployment + +```bash +kubectl rollout restart deployment/nginx-ingress-modsec-controller -n ingress-controllers +``` diff --git a/runbooks/source/resolve-opensearch-shard-issues.html.md.erb b/runbooks/source/resolve-opensearch-shard-issues.html.md.erb index 47dd02f7..764382de 100644 --- a/runbooks/source/resolve-opensearch-shard-issues.html.md.erb +++ b/runbooks/source/resolve-opensearch-shard-issues.html.md.erb @@ -1,7 +1,7 @@ --- title: Resolving Open Search shard problems weight: 190 -last_reviewed_on: 2023-08-17 +last_reviewed_on: 2023-09-22 review_in: 6 months --- @@ -9,10 +9,10 @@ review_in: 6 months It's important to follow aws best practices around shard sizing for open search or elastic search, these links are helpful: -* https://docs.aws.amazon.com/opensearch-service/latest/developerguide/bp.html -* https://repost.aws/knowledge-center/opensearch-rebalance-uneven-shards -* https://docs.aws.amazon.com/opensearch-service/latest/developerguide/sizing-domains.html#bp-sharding -* https://aws.amazon.com/blogs/opensource/open-distro-elasticsearch-shard-allocation/ +* +* +* +* ## Some general info about shards
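Review bot: in the first hunk (get-audit-log-from-modsec.html.md.erb) the rewritten intro sentence still reads awkwardly: "In the case of a rare error and logs aren't flowing to OpenSearch, then you must use the instructions below". Suggest "If logs stop flowing to OpenSearch, use the instructions below to access modsec logs on behalf of the user." Since the same paragraph explains that document level security limits each user to the logs of their own GitHub team, the on-behalf procedure steps around that control; a one-line reminder to confirm the requester belongs to the team that owns the ingress before handing over the logs would make the runbook safer to follow.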
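Review bot: the new runbook is named resolve-opensearch-no-logs.md.erb, while the sibling pages touched in this patch (get-audit-log-from-modsec.html.md.erb, resolve-opensearch-shard-issues.html.md.erb) use the .html.md.erb suffix, so check that it renders at the expected path. In the body, fix the heading typo "Deebugging" to "Debugging", tag the first fence (the stern command) as ```bash like the second one, and split the run-on "This should give you a clue to the issue. Once you resolve this issue. Logs may not immediately come back, this might be because logs are stuck retrying, if this is the case then restart the deployment" into "This should give you a clue to the issue. Once it is resolved, logs may not come back immediately because fluent-bit may be stuck retrying; if so, restart the deployment:".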
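Review bot: in the second hunk of resolve-opensearch-shard-issues.html.md.erb the four AWS reference links are replaced with empty bullets ("* " four times), so the sentence "these links are helpful" now points at nothing. This looks like the bare URLs were stripped by a formatter or autolink step rather than removed on purpose; restore them as explicit markdown links, e.g. "* [Best practices](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/bp.html)" and "* [Sizing domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/sizing-domains.html#bp-sharding)", so the shard-sizing guidance remains reachable from the runbook.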