From c864ecbe7a43ae9f1616880e43700e9f810fabe4 Mon Sep 17 00:00:00 2001 From: sj-williams Date: Wed, 27 Nov 2024 13:23:10 +0000 Subject: [PATCH 1/2] =?UTF-8?q?docs:=20=E2=9C=8F=EF=B8=8F=20update=20modse?= =?UTF-8?q?c=20log=20fetching?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../get-audit-log-from-modsec.html.md.erb | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/runbooks/source/get-audit-log-from-modsec.html.md.erb b/runbooks/source/get-audit-log-from-modsec.html.md.erb index 9211340a..ca494e17 100644 --- a/runbooks/source/get-audit-log-from-modsec.html.md.erb +++ b/runbooks/source/get-audit-log-from-modsec.html.md.erb @@ -7,36 +7,33 @@ review_in: 6 months # OpenSearch modsec setup -We have introduced an openSearch dashboard which collects all modsec logs and has document level security enabled. This means users can only access the logs for the github team they are in [see here for more details](https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html). With this feature in place users can self serve and access their own modsec logs. In the case of a rare error and logs aren't flowing to OpenSearch, then you must use the instructions below to access modsec logs on behalf of the user. +We have introduced an OpenSearch dashboard which collects all modsec logs and has document level security enabled. This means users can only access the logs for the github team they are in [see here for more details](https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html). With this feature in place users can self serve and access their own modsec logs. In the case of a rare error and logs aren't flowing to OpenSearch, then you must use the instructions below to access modsec logs on behalf of the user. ## Get an audit log from modsec (when fluent-bit is not pushing to OpenSearch) -On occasion users may need you to provide them with audit log information on an modsec event from our ingress-controllers. This information may be sensitive so it can't be placed in our org-wide Elasticsearch cluster. You'll need to fetch this information from the pod that generated the log. +In the event that audit logs have failed to ship to OpenSearch, you'll need to fetch this information from the pod that generated the log. ### How do I check the audit log -As mentioned above, the audit log cannot be placed into Elasticsearch so you'll need the following: - -- A Kibana event from the user. A request will come into the ask-cloud-platform channel asking something like: +- An OpenSearch ingress event from the user. A request will come into the ask-cloud-platform channel asking something like: ``` Good afternoon, could I ask for the detailed logs for this block from ModSecurity, please? -https://kibana.cloud-platform.service.justice.gov.uk/_plugin/kibana/app/kibana#/doc/fb2e6550-0186-11ec-a2cf-6b21[…]lue:0),time:(from:now-3h,to:now)) -(I need to find out which rules triggered the block, it has 2 critical fails) +https://app-logs.cloud-platform.service.justice.gov.uk/_dashboards/app/data-explorer/discover#?[SOME-SEARCH-QUERY.....] +(I need to find out which rules triggered the block) -example: https://mojdt.slack.com/archives/C57UPMZLY/p1630936971082200 ``` -- The Kibana event above should provide you with the following key information +- The OpenSearch event above should provide you with the following key information ``` - modsec pod name (optional): This will allow you to hone in on the correct pod. - unique_id: This is a hash of the event in question, e.g. 16494071776.005464 + kubernetes.pod_name (optional): This will allow you to hone in on the modsec ingress correct pod. + unique_id: This is a hash of the event in question, e.g. 16494071776.005464, and can be located in the log entry. ``` - Kubectl access to the live cluster and access to the `ingress-controllers` namespace. -### Perform a search for the unique-id (obtained from the Kibana entry) +### Perform a search for the unique-id (obtained from the OpenSearch entry) ``` # assuming the event id is 16494071776.005464 From 582c54edf68ec40ef8017488f043d337c8f217b4 Mon Sep 17 00:00:00 2001 From: sj-williams Date: Wed, 27 Nov 2024 13:23:48 +0000 Subject: [PATCH 2/2] =?UTF-8?q?chore:=20=F0=9F=A4=96=20update=20review=20d?= =?UTF-8?q?ate?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- runbooks/source/get-audit-log-from-modsec.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runbooks/source/get-audit-log-from-modsec.html.md.erb b/runbooks/source/get-audit-log-from-modsec.html.md.erb index ca494e17..b0616be7 100644 --- a/runbooks/source/get-audit-log-from-modsec.html.md.erb +++ b/runbooks/source/get-audit-log-from-modsec.html.md.erb @@ -1,7 +1,7 @@ --- title: Get an audit log from modsec weight: 8600 -last_reviewed_on: 2024-05-24 +last_reviewed_on: 2024-11-27 review_in: 6 months ---