diff --git a/addons/upgrade/to-12.0-rename-log-files.pl b/addons/upgrade/to-12.0-rename-log-files.pl
new file mode 100755
index 000000000000..0f8c1c530a40
--- /dev/null
+++ b/addons/upgrade/to-12.0-rename-log-files.pl
@@ -0,0 +1,91 @@
+#!/usr/bin/perl
+
+=head1 NAME
+
+to-12.0-rename-log-files.pl
+
+=head1 DESCRIPTION
+
+Rename log files defined in logs= in syslog.conf
+
+=cut
+
+use strict;
+use warnings;
+use lib qw(/usr/local/pf/lib /usr/local/pf/lib_perl/lib/perl5);
+use pf::util;
+use pf::IniFiles;
+use pf::constants::config;
+use pf::file_paths qw(
+ $conf_dir
+ $syslog_config_file
+);
+use List::MoreUtils qw(any);
+
+run_as_pf();
+
+my %remap = (
+ 'mariadb_error.log' => 'mariadb.log',
+ 'httpd.aaa.access' => 'httpd.apache',
+ 'httpd.aaa.error' => 'httpd.apache',
+ 'httpd.collector.log' => 'httpd.apache',
+ 'httpd.collector.error' => 'httpd.apache',
+ 'httpd.portal.error' => 'httpd.apache',
+ 'httpd.portal.access' => 'httpd.apache',
+ 'httpd.portal.catalyst' => 'httpd.apache',
+ 'httpd.proxy.error' => 'httpd.apache',
+ 'httpd.proxy.access' => 'httpd.apache',
+ 'httpd.webservices.error' => 'httpd.apache',
+ 'httpd.webservices.access' => 'httpd.apache',
+ 'httpd.api-frontend.access' => 'httpd.apache',
+);
+
+my $ini = pf::IniFiles->new( -file => $syslog_config_file, -allowempty => 1);
+my $i = 0;
+
+for my $section ($ini->Sections()) {
+ if (my $logs = $ini->val($section, 'logs')) {
+ $logs = [ split(/,/, $logs) ];
+
+ if(any {exists $remap{$_}} @$logs) {
+ print "Renaming log files in section $section in file $syslog_config_file\n";
+ $logs = [ map { exists($remap{$_}) ? $remap{$_} : $_ } @$logs ];
+ $ini->setval($section, 'logs', join(',', @$logs));
+ $i |= 1;
+ }
+ }
+}
+if ($i) {
+ $ini->RewriteConfig();
+ print "All done\n";
+} else {
+ print "Nothing to be done\n";
+}
+
+=head1 AUTHOR
+
+Inverse inc.
+
+=head1 COPYRIGHT
+
+Copyright (C) 2005-2022 Inverse inc.
+
+=head1 LICENSE
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+USA.
+
+=cut
+
diff --git a/conf/monitoring/statsd.d/packetfence.conf.example b/conf/monitoring/statsd.d/packetfence.conf.example
index 3eb1855da091..5be1a376da79 100644
--- a/conf/monitoring/statsd.d/packetfence.conf.example
+++ b/conf/monitoring/statsd.d/packetfence.conf.example
@@ -163,15 +163,15 @@ type = line dimension = pattern 'source.packetfence.radius_log.*' '' last 1 1 -[logs.mariadb_error_log] - name = packetfence.mariadb_error_log - title = mariadb_error.log file events +[logs.mariadb_log] + name = packetfence.mariadb_log + title = mariadb.log file events family = packetfence context = chart.context units = Events priority = 91000 type = line - dimension = pattern 'source.packetfence.mariadb_error_log.*' '' last 1 1 + dimension = pattern 'source.packetfence.mariadb_log.*' '' last 1 1 [logs.pfcron_log] name = packetfence.pfcron_log
diff --git a/conf/stats.conf.defaults b/conf/stats.conf.defaults
index 15e521e8b8bd..513fefe1d271 100644
--- a/conf/stats.conf.defaults
+++ b/conf/stats.conf.defaults
@@ -239,11 +239,11 @@ match=ERROR statsd_ns=source.packetfence.radius_acct_log.error management=false -[metric 'Events in mariadb_error.log'] +[metric 'Events in mariadb.log'] type=tail_file -file=/usr/local/pf/logs/mariadb_error.log +file=/usr/local/pf/logs/mariadb.log match=DESYNCED -statsd_ns=source.packetfence.mariadb_error_log.desynced +statsd_ns=source.packetfence.mariadb_log.desynced management=false [metric 'Events in pfcron.log']
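Review bot: Twelve of the `%remap` keys collapse onto the same target, so a section whose `logs=` listed for example `httpd.aaa.access,httpd.aaa.error` is rewritten as `httpd.apache,httpd.apache`; dedupe after the map, `my %seen; $logs = [ grep { !$seen{$_}++ } map { exists $remap{$_} ? $remap{$_} : $_ } @$logs ];`. The `RewriteConfig()` return value is ignored and `All done` is printed regardless; if pf::IniFiles follows Config::IniFiles, that call returns false on a write failure, so `$ini->RewriteConfig() or die "Unable to write $syslog_config_file: @Config::IniFiles::errors";` keeps a failed upgrade step from looking successful (the `new(...)` result is likewise unchecked before `Sections()` is called on it). `split(/,/, $logs)` keeps any whitespace around the commas, so a value written as `a, b` would never match the map; `split /\s*,\s*/, $logs` is safer if such values occur. `$i |= 1` is a bit-op standing in for a boolean, `my $changed = 0; ... $changed = 1;` reads more directly, and `$conf_dir` and `pf::constants::config` are imported but never used.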
diff --git a/containers/daemon.json b/containers/daemon.json index 6b12b8a8df1b..83aba4657d88 100644 --- a/containers/daemon.json +++ b/containers/daemon.json @@ -1,4 +1,5 @@ { + "log-driver": "none", "default-address-pools": [ { "base": "100.64.0.0/10", diff --git a/debian/packetfence-redis-cache.postinst b/debian/packetfence-redis-cache.postinst index 9882e29f2665..80cc8031e6c7 100644 --- a/debian/packetfence-redis-cache.postinst +++ b/debian/packetfence-redis-cache.postinst @@ -22,9 +22,7 @@ DIST=$(lsb_release -c -s) case "$1" in configure) export PACKETFENCE=/usr/local/pf - chmod 2775 -R $PACKETFENCE/logs chmod 2775 -R $PACKETFENCE/var - chown pf:pf $PACKETFENCE/logs chown pf:pf $PACKETFENCE/var if [ ${DIST} = "wheezy" ] || [ ${DIST} = "precise" ]; then update-rc.d packetfence-redis-cache defaults 60 || exit 0 diff --git a/debian/packetfence.postinst b/debian/packetfence.postinst index 3144555ec328..abacfb0133f4 100644 --- a/debian/packetfence.postinst +++ b/debian/packetfence.postinst @@ -32,7 +32,6 @@ case "$1" in chmod 2775 -R $PACKETFENCE/var find $PACKETFENCE/var/conf -type f -exec chmod 664 '{}' \; find $PACKETFENCE/var/conf -type d -exec chmod 775 '{}' \; - chmod 2775 -R $PACKETFENCE/logs chmod 0755 $PACKETFENCE/addons/*.pl chmod 0755 $PACKETFENCE/addons/*.sh chmod 0755 $PACKETFENCE/addons/upgrade/*.pl @@ -42,7 +41,8 @@ case "$1" in chmod ug+s $PACKETFENCE/bin/pfcmd chown pf:pf $PACKETFENCE - find $PACKETFENCE '(' -type d -or -type f ')' -not -name pfcmd -print0 | xargs -0 chown pf:pf + find $PACKETFENCE '(' -type d -or -type f ')' -not -name pfcmd -not -path "$PACKETFENCE/logs*" -print0 | xargs -0 chown pf:pf + chgrp pf $PACKETFENCE/logs # link to latest SQL schema if [ -h "$PACKETFENCE/db/pf-schema.sql" ]; then 
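Review bot: `"log-driver": "none"` discards every container's stdout/stderr at the daemon level, so `docker logs` carries nothing for a container that fails before its own log forwarding is working, and nothing in this diff shows where that output is routed instead. If the intent is that each `*-docker-wrapper` ships its output through rsyslog (the new `$programname == "...-docker-wrapper"` conditions in syslog.pm suggest so), that deserves a sentence in the upgrade notes, because an operator investigating a failing container will reach for `docker logs` first and find it empty. `journald` with a retention limit would keep crash output recoverable while still avoiding unbounded json-file logs, if that is the concern being addressed.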
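Review bot: `-not -path "$PACKETFENCE/logs*"` excludes more than the logs directory: the trailing `*` also matches any sibling whose name merely starts with `logs`. Excluding the directory and its contents explicitly is tighter, `-not -path "$PACKETFENCE/logs" -not -path "$PACKETFENCE/logs/*"`, or prune it: `-path "$PACKETFENCE/logs" -prune -o '(' -type d -or -type f ')' -not -name pfcmd -print0`. `chgrp pf $PACKETFENCE/logs` on the next line only changes the group of the directory itself; files left behind by a pre-12.0 install keep the pf:pf ownership and 0664 mode the previous postinst gave them, which looks intentional given the logrotate stanza kept for old files, so a comment saying so would stop the next reader from "fixing" it. The `configure)` branch this hunk belongs to begins and ends outside the hunk.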
@@ -52,15 +52,6 @@ case "$1" in VERSIONSQL=$(ls pf-schema-* |sort --version-sort -r | head -1) ln -f -s $VERSIONSQL ./pf-schema.sql - #Check if log files exist and create them with the correct owner - for fic_log in packetfence.log - do - if [ ! -e /usr/local/pf/logs/$fic_log ]; then - touch /usr/local/pf/logs/$fic_log - chown pf.pf /usr/local/pf/logs/$fic_log - fi - done - #Make ssl certificate cd /usr/local/pf make conf/ssl/server.pem @@ -140,8 +131,12 @@ case "$1" in echo "Setting packetfence.target as the default systemd target." /bin/systemctl set-default packetfence.target fi + + systemctl daemon-reload echo "Restarting journald to enable persistent logging" /bin/systemctl restart systemd-journald + echo "Restarting rsyslog" + systemctl restart rsyslog # get containers image and tag them locally /usr/local/pf/containers/manage-images.sh @@ -152,7 +147,6 @@ case "$1" in systemctl disable packetfence-iptables systemctl enable packetfence-haproxy-admin systemctl enable packetfence-tracking-config.path - systemctl daemon-reload systemctl restart docker systemctl start packetfence-config /usr/local/pf/bin/pfcmd generatemariadbconfig --force @@ -162,9 +156,6 @@ case "$1" in printf '[client-server]\nsocket = /var/lib/mysql/mysql.sock\n' > /etc/mysql/mariadb.conf.d/999-socket-override.cnf sed -i 's#^socket\s*=.*#socket=/var/lib/mysql/mysql.sock#' /etc/mysql/my.cnf - echo "Restarting rsyslog" - systemctl restart rsyslog - perl /usr/local/pf/addons/upgrade/add-default-params-to-auth.pl set +e /usr/local/pf/bin/pfcmd configreload diff --git a/debian/rules b/debian/rules index f4694edaa247..968d08338f8e 100755 --- a/debian/rules +++ b/debian/rules 
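Review bot: The added `systemctl daemon-reload` and `systemctl restart rsyslog` are written without the `/bin/` prefix that the neighbouring `/bin/systemctl set-default` and `/bin/systemctl restart systemd-journald` use; pick one form. The rsyslog restart now runs before `manage-images.sh`, `pfcmd configreload` and the other steps further down the same branch, so if the rsyslog rules for the renamed log files are generated by one of those later steps, rsyslog restarts here with the previous rules; a comment naming the step that writes that file, or moving the restart after it, would settle this. Neither call checks its status, and with `logs` installed 0750 in debian/rules only rsyslog is expected to write there, so a failed restart silently stops all PacketFence logging; `systemctl restart rsyslog || echo "WARNING: rsyslog restart failed"` at minimum. The enclosing `case` branch begins and ends outside the hunk.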
@@ -92,7 +92,7 @@ install: build install -d -m0700 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/conf/ssl install -d -m0700 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/conf/ssl/acme-challenge install -d -m0700 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/raddb/sites-enabled - install -d -m2770 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/logs + install -d -m0750 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/logs install -d -m2770 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/var/conf install -d -m2770 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/var/cache install -d -m2770 $(CURDIR)/debian/packetfence$(PREFIX)/$(NAME)/var/cache/ntlm_cache_users diff --git a/docs/cluster/appendix.asciidoc b/docs/cluster/appendix.asciidoc index c722c473e074..980eb315b93e 100644 --- a/docs/cluster/appendix.asciidoc +++ b/docs/cluster/appendix.asciidoc @@ -323,7 +323,7 @@ mysql -u root -p pf -h localhost ---- If its not, make sure you check the MariaDB log -([filename]`/usr/local/pf/logs/mariadb_error.log`) +([filename]`/usr/local/pf/logs/mariadb.log`) ===== Sync nodes A and B @@ -337,7 +337,7 @@ rm -fr /var/lib/mysql/* systemctl start packetfence-mariadb ---- -Should there be any issues during the sync, make sure you look into the MariaDB log ([filename]`/usr/local/pf/logs/mariadb_error.log`) +Should there be any issues during the sync, make sure you look into the MariaDB log ([filename]`/usr/local/pf/logs/mariadb.log`) Once both nodes have completely synced (try connecting to it using the MariaDB command line), then you can break the cluster election command you have diff --git a/docs/cluster/troubleshooting_a_cluster.asciidoc b/docs/cluster/troubleshooting_a_cluster.asciidoc index 8fb9ab05dded..22851ddccff4 100644 --- a/docs/cluster/troubleshooting_a_cluster.asciidoc +++ b/docs/cluster/troubleshooting_a_cluster.asciidoc 
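Review bot: `-m0750` drops the setgid bit and the group write that `-m2770` gave `logs`, so only the directory owner can create files there; that matches the rpm side's `%attr(0750, root, pf)`, but the debian side never states the owner (the postinst only does `chgrp pf`), so a comment on this line would help: `# logs is written by rsyslog (root); pf only needs read access via group`. checkup.pm in the same commit treats `innobackup.log` as "not managed by rsyslog", so whatever creates that file must run as root or it will fail under this mode; please confirm. The `install:` target continues outside the hunk.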
@@ -33,7 +33,7 @@ Important variables: * `wsrep_last_committed`: Sequence number of the most recently committed transaction. You can identify the most advanced node with this value. * `wsrep_local_state_comment`: Current sync state of the cluster. A healthy state is 'Synced'. Refer to the Galera cluster documentation for the meaning of the other values this can have. -In order for the cluster to be considered healthy, all nodes must be listed under `wsrep_incoming_addresses` and `wsrep_local_state_comment` must be `Synced`. Otherwise look in the MariaDB log ([filename]`/usr/local/pf/logs/mariadb_error.log`) +In order for the cluster to be considered healthy, all nodes must be listed under `wsrep_incoming_addresses` and `wsrep_local_state_comment` must be `Synced`. Otherwise look in the MariaDB log ([filename]`/usr/local/pf/logs/mariadb.log`) === Automatic clustering resolution service: galera-autofix @@ -123,7 +123,7 @@ systemctl start packetfence-mariadb You should then see `/var/lib/mysql` be populated again with the data and once MariaDB becomes available again on the server, it means the sync has completed. In case of issues, look in the MariaDB log file -(`/usr/local/pf/logs/mariadb_error.log`) +(`/usr/local/pf/logs/mariadb.log`) WARNING: After stopping the `packetfence-mariadb` service, be sure there is no more `mysql` process running. diff --git a/docs/cluster/understanding_the_galera_cluster_synchronization.asciidoc b/docs/cluster/understanding_the_galera_cluster_synchronization.asciidoc index 9f470f535da6..814474b45d5e 100644 --- a/docs/cluster/understanding_the_galera_cluster_synchronization.asciidoc +++ b/docs/cluster/understanding_the_galera_cluster_synchronization.asciidoc 
@@ -18,7 +18,7 @@ endif::[] The Galera cluster stack used by PacketFence resembles a lot to how a normal MariaDB Galera cluster behaves but it contains hooks to auto-correct some issues that can occur. -NOTE: A lot of useful information is logged in the MariaDB log which can be found in `/usr/local/pf/logs/mariadb_error.log` +NOTE: A lot of useful information is logged in the MariaDB log which can be found in `/usr/local/pf/logs/mariadb.log` === Quorum behavior diff --git a/docs/installation/appendix.asciidoc b/docs/installation/appendix.asciidoc index 321e0a00067b..53cb41cdbfe4 100644 --- a/docs/installation/appendix.asciidoc +++ b/docs/installation/appendix.asciidoc @@ -93,7 +93,7 @@ For Mariabackup: # chown -R mysql: /var/lib/mysql # service packetfence-mariadb start -Should the service fail to start, make sure you look into the MariaDB error logs. +Should the service fail to start, make sure you look into the MariaDB logs. [appendix] === How to restore a standalone PacketFence server ? diff --git a/docs/installation/best_practices.asciidoc b/docs/installation/best_practices.asciidoc index b46a7bc24305..4685156ac38a 100644 --- a/docs/installation/best_practices.asciidoc +++ b/docs/installation/best_practices.asciidoc 
@@ -24,7 +24,7 @@ IPTables is now entirely managed by PacketFence. However, if you need to perform === Log Rotations -PacketFence can generate a lot of log entries in huge production environments. This is why we recommend to use `logrotate` to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located under the `/usr/local/pf/packetfence.logrotate` file, and it's configured to do a daily log rotation and keeping old logs with compression. It has been added during PacketFence initial installation. +PacketFence can generate a lot of log entries in huge production environments. This is why we recommend to use `logrotate` to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located inside the logrotate directory (`/etc/logrotate.d/`), and it's configured to do a daily log rotation and keeping old logs with compression. It has been added during PacketFence initial installation. === Large Registration Network diff --git a/docs/installation/troubleshooting_packetfence.asciidoc b/docs/installation/troubleshooting_packetfence.asciidoc index 876358369a12..9965edb706d0 100644 --- a/docs/installation/troubleshooting_packetfence.asciidoc +++ b/docs/installation/troubleshooting_packetfence.asciidoc 
@@ -24,20 +24,9 @@ PacketFence provides a RADIUS auditing module which allows you to be aware of al === Log files -Here are the most important PacketFence log files: - -[options="compact"] -* `/usr/local/pf/logs/packetfence.log` — PacketFence Core Log -* `/usr/local/pf/logs/httpd.portal.access` — Apache – Captive Portal Access Log -* `/usr/local/pf/logs/httpd.portal.error` — Apache – Captive Portal Error Log -* `/usr/local/pf/logs/httpd.admin.access` — Apache – Web Admin/Services Access Log -* `/usr/local/pf/logs/httpd.admin.error` — Apache – Web Admin/Services Error Log -* `/usr/local/pf/logs/httpd.webservices.access` — Apache – Webservices Access Log -* `/usr/local/pf/logs/httpd.webservices.error` — Apache – Webservices Error Log -* `/usr/local/pf/logs/httpd.aaa.access` — Apache – AAA Access Log -* `/usr/local/pf/logs/httpd.aaa.error` — Apache – AAA Error Log - -There are other log files in [filename]`/usr/local/pf/logs/` that could be relevant depending on what issue you are experiencing. Make sure you take a look at them. +Log files are located under [filename]`/usr/local/pf/logs`. Except +[filename]`packetfence.log` which contains logs from different services, each +service has its own log file. You can see full list of log files available when using _Audit -> Live logs_ menu in web admin. The main logging configuration file is [filename]`/usr/local/pf/conf/log.conf`. It contains the configuration for the `packetfence.log` file (`Log::Log4Perl`) and you normally don't need to modify it. The logging configuration files for every service are located under [filename]`/usr/local/pf/conf/log.conf.d/`. diff --git a/html/pfappserver/root/src/views/Status/dashboard/_config/logs.js b/html/pfappserver/root/src/views/Status/dashboard/_config/logs.js index 75759db08668..e3cd8bad5908 100644 --- a/html/pfappserver/root/src/views/Status/dashboard/_config/logs.js +++ b/html/pfappserver/root/src/views/Status/dashboard/_config/logs.js 
@@ -53,11 +53,11 @@ export default [ ] }, { - name: 'mariadb_error.log', + name: 'mariadb.log', items: [ { title: 'Number of events', // i18n defer - metric: 'packetfence.logs.mariadb_error_log', + metric: 'packetfence.logs.mariadb_log', mode: modes.COMBINED, library: libraries.DYGRAPH, cols: 12 @@ -90,4 +90,4 @@ export default [ } ] } -] \ No newline at end of file +] diff --git a/lib/pf/action.pm b/lib/pf/action.pm index bf0167679734..4b47667226e1 100644 --- a/lib/pf/action.pm +++ b/lib/pf/action.pm @@ -90,7 +90,6 @@ use pf::class qw(class_view); use pf::security_event qw(security_event_force_close); use pf::Connection::ProfileFactory; use pf::constants::scan qw($POST_SCAN_SECURITY_EVENT_ID $PRE_SCAN_SECURITY_EVENT_ID $SCAN_SECURITY_EVENT_ID); -use pf::file_paths qw($security_event_log); our $logger = get_logger(); diff --git a/lib/pf/cmd/pf/fixpermissions.pm b/lib/pf/cmd/pf/fixpermissions.pm index 46e56cf9ec0e..47a8fc636544 100644 --- a/lib/pf/cmd/pf/fixpermissions.pm +++ b/lib/pf/cmd/pf/fixpermissions.pm 
@@ -60,14 +60,13 @@ Fix the permissions on pf and fingerbank files sub action_all { my $pfcmd = "${bin_dir}/pfcmd"; my @extra_var_dirs = map { catfile($var_dir,$_) } qw(run cache conf sessions redis_cache redis_queue); - _changeFilesToOwner('pf',@log_files, @stored_config_files, $install_dir, $bin_dir, $conf_dir, $var_dir, $lib_dir, $log_dir, $generated_conf_dir, $tt_compile_cache_dir, $pfconfig_cache_dir, @extra_var_dirs, $config_version_file, $iptable_config_file); + _changeFilesToOwner('pf', @stored_config_files, $install_dir, $bin_dir, $conf_dir, $var_dir, $lib_dir, $generated_conf_dir, $tt_compile_cache_dir, $pfconfig_cache_dir, @extra_var_dirs, $config_version_file, $iptable_config_file); _changePathToOwnerRecursive('pf', $html_dir); _changeFilesToOwner('root',$pfcmd); chmod($PFCMD_MODE, $pfcmd); chmod(0664, @stored_config_files, $iptable_config_file, $config_version_file); - chmod($DIR_MODE, $conf_dir, $var_dir, $log_dir, "$var_dir/redis_cache", "$var_dir/redis_queue"); + chmod($DIR_MODE, $conf_dir, $var_dir, "$var_dir/redis_cache", "$var_dir/redis_queue"); _fingerbank(); - find({ wanted => \&wanted,untaint => 1}, $log_dir); print "Fixed permissions.\n"; return $EXIT_SUCCESS; } @@ -164,12 +163,6 @@ sub _fingerbank { fingerbank::Util::fix_permissions(); } -sub wanted { - return if $File::Find::name eq $log_dir; - my $perm = -d $File::Find::name ? 02775 : 0664; - chmod $perm, untaint_chain($File::Find::name); -} - =head1 AUTHOR Inverse inc. diff --git a/lib/pf/constants/syslog.pm b/lib/pf/constants/syslog.pm index 9a93ace699d7..0bde4dc8300b 100644 --- a/lib/pf/constants/syslog.pm +++ b/lib/pf/constants/syslog.pm 
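Review bot: `action_all` no longer touches `$log_dir` or `@log_files`, while `pf::pfcmd::checkup::permissions` in the same commit reports a log file not group-owned by `pf` as `$FATAL` and tells the operator to "Check rsyslog configuration"; `pfcmd fixpermissions` therefore can no longer repair the one log condition `pfcmd checkup` flags. If that is deliberate, record it where the log handling was removed, e.g. `# logs/ is root-owned and written by rsyslog; its ownership is deliberately not managed here (see checkup.pm)`. With the `find` call and the `wanted` sub gone, `File::Find`, `untaint_chain`, `$log_dir` and `@log_files` may now be unused imports in this package; their `use` lines are outside the hunk, so please check.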
@@ -22,72 +22,46 @@ our @SyslogInfo = ( { 'description' => 'Fingerbank log', 'name' => 'fingerbank.log', - 'conditions' => [ '$syslogtag contains "fingerbank"' ] - }, - { - 'description' => 'httpd.aaa Apache error log', - 'name' => 'httpd.aaa.error', - 'conditions' => [ '$programname contains "httpd_aaa_err"' ] - }, - { - 'description' => 'httpd.aaa Apache access log', - 'name' => 'httpd.aaa.access', - 'conditions' => [ '$programname contains "httpd_aaa"' ] - }, - { - 'description' => 'httpd.collector Apache error log', - 'name' => 'httpd.collector.error', - 'conditions' => [ '$syslogtag contains "httpd_collector_err"' ] - }, - { - 'description' => 'httpd.collector general log', - 'name' => 'httpd.collector.log', - 'conditions' => [ '$syslogtag contains "httpd_collector"' ] - }, - { - 'description' => 'httpd.portal Apache error log', - 'name' => 'httpd.portal.error', - 'conditions' => [ '$syslogtag contains "httpd_portal_err"' ] - }, - { - 'description' => 'httpd.portal Apache access log', - 'name' => 'httpd.portal.access', - 'conditions' => [ '$syslogtag contains "httpd_portal"' ] - }, - { - 'description' => 'httpd.portal Catalyst log', - 'name' => 'httpd.portal.catalyst', - 'conditions' => [ '$syslogtag contains "portal_catalyst"' ] - }, - { - 'description' => 'httpd.proxy Apache error log', - 'name' => 'httpd.proxy.error', - 'conditions' => [ '$syslogtag contains "httpd_proxy_err"' ] - }, - { - 'description' => 'httpd.proxy Apache access log', - 'name' => 'httpd.proxy.access', - 'conditions' => [ '$syslogtag contains "httpd_proxy"' ] - }, - { - 'description' => 'httpd.webservices Apache error log', - 'name' => 'httpd.webservices.error', - 'conditions' => [ '$programname contains "httpd_webservices_err"' ] + 'conditions' => [ + '$syslogtag contains "fingerbank"', + '$msg contains "[GIN]"', + ] }, { - 'description' => 'httpd.webservices Apache access log', - 'name' => 'httpd.webservices.access', - 'conditions' => [ '$programname contains "httpd_webservices"' ] + 
'description' => 'PacketFence general log', + 'name' => 'packetfence.log', + 'conditions' => [ + '$programname contains "packetfence"', + '$programname == "pfqueue-docker-wrapper"', + '($syslogtag == "pfhttpd" and not $msg contains "GET /api/v1/logs/tail/")', + '$programname == "pfipset"', + '$programname == "pfpki-docker-wrapper"', + '($programname == "httpd.aaa-docker-wrapper" and $msg contains "httpd.aaa")', + '($programname == "httpd.portal-docker-wrapper" and $msg contains "httpd.portal")', + '($programname == "httpd.webservices-docker-wrapper" and $msg contains "httpd.webservices")', + '($programname == "httpd.dispatcher-docker-wrapper" and $msg contains "httpd.dispatcher")', + '($programname == "httpd.admin_dispatcher-docker-wrapper" and $msg contains "httpd.admin_dispatcher")', + '($programname == "pfperl-api-docker-wrapper" and $msg contains "pfperl-api")', + ] }, { - 'description' => 'api-frontend access log', - 'name' => 'httpd.api-frontend.access', - 'conditions' => [ '$msg contains "api-frontend-access"' ], + 'description' => 'Apache logs', + 'name' => 'httpd.apache', + 'conditions' => [ + '$programname contains "httpd_collector"', + '$programname contains "httpd_proxy"', + '$programname == "httpd.aaa-docker-wrapper"', + '$programname == "httpd.portal-docker-wrapper"', + '$programname == "httpd.webservices-docker-wrapper"', + '$programname == "httpd.dispatcher-docker-wrapper"', + '$programname == "httpd.admin_dispatcher-docker-wrapper"', + '$msg contains "api-frontend-access"', + ] }, { 'description' => 'api-frontend general log', 'name' => 'api-frontend.log', - 'conditions' => [ '$programname == "api-frontend"' ], + 'conditions' => [ '$programname == "api-frontend-docker-wrapper"' ], }, { 'description' => 'pfacct general log', 
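Review bot: The new `packetfence.log` entry tests `$syslogtag == "pfhttpd"` where the removed entry tested `$programname == "pfhttpd"`; in rsyslog `$syslogtag` normally carries the trailing colon and PID (`pfhttpd[1234]:`), so an equality test against the bare name is unlikely to ever match and pfhttpd lines would stop reaching packetfence.log. `'($programname == "pfhttpd" and not $msg contains "GET /api/v1/logs/tail/")'` is presumably what was meant. The `fingerbank.log` condition `'$msg contains "[GIN]"'` is not qualified by program name, so Gin request lines from any other Go service would be routed into fingerbank.log as well; pairing it with a `$programname` test keeps it specific. The `@SyslogInfo` array this hunk edits begins and ends outside the hunk.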
@@ -99,17 +73,6 @@ our @SyslogInfo = ( 'name' => 'pfstats.log', 'conditions' => [ '$programname == "pfstats"' ] }, - { - 'description' => 'PacketFence general log', - 'name' => 'packetfence.log', - 'conditions' => [ - '$syslogtag contains "packetfence"', - '$programname == "pfqueue"', - '($programname == "pfhttpd" and not $msg contains "GET /api/v1/logs/tail/")', - '$programname == "pfipset"', - '$programname == "pfpki"', - ] - }, { 'description' => 'pfdhcp general log', 'name' => 'pfdhcp.log', @@ -118,7 +81,7 @@ our @SyslogInfo = ( { 'description' => 'pfconfig general log', 'name' => 'pfconfig.log', - 'conditions' => [ '$programname == "pfconfig"' ] + 'conditions' => [ '$programname == "pfconfig-docker-wrapper"' ] }, { 'description' => 'pfdetect general log', @@ -128,7 +91,7 @@ our @SyslogInfo = ( { 'description' => 'pfdhcplistener general log', 'name' => 'pfdhcplistener.log', - 'conditions' => [ '$syslogtag contains "pfdhcplistener"' ] + 'conditions' => [ '$programname == "pfdhcplistener"' ] }, { 'description' => 'pfdns general log', 
@@ -143,61 +106,53 @@ our @SyslogInfo = ( { 'description' => 'pfcron general log', 'name' => 'pfcron.log', - 'conditions' => [ '$programname == "pfcron"' ] + 'conditions' => [ '$programname == "pfcron-docker-wrapper"' ] }, { 'description' => 'pfsso general log', 'name' => 'pfsso.log', - 'conditions' => [ '$programname == "pfsso"' ] + 'conditions' => [ '$programname == "pfsso-docker-wrapper"' ] }, { 'description' => 'FreeRADIUS accounting server log', 'name' => 'radius-acct.log', - 'conditions' => [ -'$programname contains "radius" and $syslogfacility-text == "local2"', - '$syslogtag contains "acct" and $syslogfacility-text == "local2"' - ] + 'conditions' => [ '$programname == "radiusd-acct-docker-wrapper"' ] }, { 'description' => 'FreeRADIUS CLI server log', - 'name' => 'radius-cli.log', - 'conditions' => - [ '$syslogtag contains "cli" and $syslogfacility-text == "local3"' ] + 'name' => 'radius-cli.log', + 'conditions' => [ '$programname == "radiusd-cli-docker-wrapper"' ] }, { 'description' => 'FreeRADIUS eduroam server log', - 'name' => 'radius-eduroam.log', - 'conditions' => [ '$syslogtag contains "eduroam" ' ] + 'name' => 'radius-eduroam.log', + 'conditions' => [ '$programname == "radiusd-eduroam-docker-wrapper"' ] }, { 'description' => 'FreeRADIUS load balancing server log (cluster only)', 'name' => 'radius-load_balancer.log', - 'conditions' => [ -'$syslogtag contains "load_balancer" and $syslogfacility-text == "local5"' - ] + 'conditions' => [ '$programname == "radiusd-load-balancer-docker-wrapper"' ] }, { 'description' => 'FreeRADIUS authentication server log', - 'name' => 'radius.log', - 'conditions' => [ - '$syslogtag contains "auth" and $syslogfacility-text == "local1"', -'$programname contains "radius" and $syslogfacility-text == "local1"' - ] + 'name' => 'radius.log', + 'conditions' => [ '$programname == "radiusd-auth-docker-wrapper"' ] + }, { 'description' => 'Redis global cache logs', 'name' => 'redis_cache.log', - 'conditions' => [ '$syslogtag 
contains "redis-cache"' ] + 'conditions' => [ '$programname == "redis-cache"' ] }, { 'description' => 'Redis NTLM cache logs', 'name' => 'redis_ntlm_cache.log', - 'conditions' => [ '$syslogtag contains "redis-ntlm-cache"' ] + 'conditions' => [ '$programname == "redis-ntlm-cache"' ] }, { 'description' => 'Redis queue logs', 'name' => 'redis_queue.log', - 'conditions' => [ '$syslogtag contains "redis-queue"' ] + 'conditions' => [ '$programname == "redis-queue"' ] }, { 'description' => 'Redis server logs', 
@@ -206,23 +161,68 @@ our @SyslogInfo = ( }, { 'description' => 'MariaDB log', - 'name' => 'mariadb_error.log', - 'conditions' => [ '$syslogtag contains "mysqld"' ], + 'name' => 'mariadb.log', + 'conditions' => [ + '$programname contains "mysqld"', + '$programname == "pf-mariadb"', + ] + }, + { + 'description' => 'MySQL probe log', + 'name' => 'mysql-probe.log', + 'conditions' => [ '$programname == "mysql-probe"' ] + }, + { + 'description' => 'galera-autofix log', + 'name' => 'galera-autofix.log', + 'conditions' => [ '$syslogtag contains "galera-autofix"' ] + }, + { + 'description' => 'ProxySQL log', + 'name' => 'proxysql.log', + 'conditions' => [ '$programname == "proxysql"' ] }, { 'description' => 'haproxy portal log', 'name' => 'haproxy_portal.log', - 'conditions' => [ '$programname == "haproxy" and ($msg contains "portal-http" or $msg contains "backend has no server available")' ], + 'conditions' => [ '$programname == "haproxy-portal-docker-wrapper"' ] }, { 'description' => 'haproxy DB log', 'name' => 'haproxy_db.log', - 'conditions' => [ '$programname == "haproxy" and ($msg contains "mysql" or $msg contains "backend has no server available")' ], + 'conditions' => [ '$programname == "haproxy" and ($msg contains "mysql" or $msg contains "backend has no server available")' ] }, { 'description' => 'haproxy admin log', 'name' => 'haproxy_admin.log', - 'conditions' => [ '$programname == "haproxy" and ($msg contains "admin-https" or $msg contains "backend has no server available")' ], + 'conditions' => [ '$programname == "haproxy" and ($msg contains "admin-https" or $msg contains "backend has no server available")' ] + }, + { + 'description' => 'haproxy general log', + 'name' => 'haproxy.log', + 'conditions' => [ '$programname == "haproxy"' ] + }, + { + 'description' => 'Firewall log', + 'name' => 'firewall.log', + 'conditions' => [ + '$programname == "docker_iptables.sh"', + ] + }, + { + 'description' => 'pfconnector client log', + 'name' => 
'pfconnector-client.log', + 'conditions' => [ '$programname == "pfconnector-client-docker-wrapper"' ] + }, + { + 'description' => 'pfconnector server log', + 'name' => 'pfconnector-server.log', + 'conditions' => [ '$programname == "pfconnector-server-docker-wrapper"' ] + }, + { + 'description' => 'keepalived log', + 'name' => 'keepalived.log', + 'conditions' => [ '$programname contains "Keepalived"' ] }, ); diff --git a/lib/pf/file_paths.pm b/lib/pf/file_paths.pm index d4337ccbf55a..c79f1b555979 100644 --- a/lib/pf/file_paths.pm +++ b/lib/pf/file_paths.pm @@ -91,8 +91,6 @@ our ( $roles_config_file, $roles_default_config_file, $dns_filters_config_file, $dns_filters_default_config_file, - $admin_audit_log, - $security_event_log, $portal_modules_config_file, $portal_modules_default_config_file, $captiveportal_templates_path, $captiveportal_profile_templates_path, @@ -190,8 +188,6 @@ BEGIN { $roles_config_file $roles_default_config_file $dns_filters_config_file $dns_filters_default_config_file - $admin_audit_log - $security_event_log $portal_modules_config_file $portal_modules_default_config_file $captiveportal_templates_path $captiveportal_profile_templates_path @@ -330,8 +326,6 @@ $roles_config_file = catfile($conf_dir,"roles.conf"); $roles_default_config_file = catfile($conf_dir,"roles.conf.defaults"); $dns_filters_config_file = catfile($conf_dir,"dns_filters.conf"); $dns_filters_default_config_file = catfile($conf_dir,"dns_filters.conf.defaults"); -$admin_audit_log = catfile($log_dir, "httpd.admin.audit.log"); -$security_event_log = catfile($log_dir, "security_event.log"); $portal_modules_config_file = catfile($conf_dir,"portal_modules.conf"); $portal_modules_default_config_file = catfile($conf_dir,"portal_modules.conf.defaults"); $cron_config_file = catfile($conf_dir,"pfcron.conf"); 
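Review bot: The new `haproxy.log` entry matches every `$programname == "haproxy"` line, a superset of the conditions kept for `haproxy_db.log` and `haproxy_admin.log` two entries above; whether a line lands in one file or in all three depends on how the generated rsyslog rules order these entries and whether they stop after a match, which nothing here shows, so a comment on `haproxy.log` stating that it is the catch-all (or that duplication is intended) would settle it. `haproxy_portal.log` was switched to `haproxy-portal-docker-wrapper` while the db and admin entries still key on the bare `haproxy` name; please confirm those two instances still log under that name. `galera-autofix.log` uses `$syslogtag contains` where every neighbouring new entry uses `$programname ==`; aligning it is a small style point. `@SyslogInfo` begins outside the hunk.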
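Review bot: Removing `$admin_audit_log` and `$security_event_log` from the `our (...)` list and from `@EXPORT_OK` (the @@ -91 and @@ -190 hunks, with the assignments going in @@ -330) turns any remaining `use pf::file_paths qw($security_event_log)` elsewhere into a compile-time import failure; `lib/pf/action.pm` is fixed in this commit, but the writer of `httpd.admin.audit.log` is not visible in the diff, so a repository-wide search for both names before merge would be prudent.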
@@ -365,13 +359,17 @@ $connectors_config_file = catdir($conf_dir,"connectors.conf"); @log_files = map {catfile($log_dir, $_)} qw( - httpd.admin.access httpd.admin.catalyst httpd.admin.error httpd.admin.log - httpd.portal.access httpd.admin.error httpd.portal.catalyst httpd.portal.log - httpd.proxy.access httpd.proxy.error httpd.proxy.log - httpd.proxy.reverse.access httpd.proxy.reverse.error - httpd.webservices.access httpd.webservices.error - packetfence.log pfdetect.log pfqueue.log - pfdhcplistener.log pfdns.log pfcron.log pfconfig.log httpd.admin.audit.log + fingerbank.log httpd.apache api-frontend.log + pfacct.log pfstats.log packetfence.log pfdhcp.log + pfdns.log pfconfig.log pfdetect.log pffilter.log + pfdhcplistener.log pfcron.log pfsso.log + radius-acct.log radius-eduroam.log radius-load_balancer.log + radius.log redis-cache.log redis_ntlm_cache.log + redis_queue.log redis_server.log mariadb.log + mysql-probe.log galera-autofix.log haproxy_portal.log + haproxy.log haproxy_db.log haproxy_admin.log proxysql.log + firewall.log pfconnector-client.log pfconnector-server.log keepalived.log + innobackup.log ); @stored_config_files = ( diff --git a/lib/pf/pfcmd/checkup.pm b/lib/pf/pfcmd/checkup.pm index d0c5a9519a01..592ba137c0de 100644 --- a/lib/pf/pfcmd/checkup.pm +++ b/lib/pf/pfcmd/checkup.pm @@ -64,7 +64,6 @@ use pf::file_paths qw( $network_config_file $bin_dir $sbin_dir - $log_dir @log_files $generated_conf_dir $pfdetect_config_file 
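Review bot: `@log_files` lists `redis-cache.log` (hyphen) while the `pf::constants::syslog` entry in this same commit names the file `redis_cache.log` (underscore, like its siblings `redis_ntlm_cache.log` and `redis_queue.log`); because `checkup.pm` now skips any entry that does not exist on disk, the mismatch silently exempts the real file from the ownership check instead of failing loudly, so `redis_cache.log` is almost certainly intended. `radius-cli.log`, which syslog.pm still defines, is also absent from this list. Maintaining this list and `@SyslogInfo` by hand is what let both slip; if the import order allows it, deriving the list as `map { $_->{name} } @pf::constants::syslog::SyslogInfo` plus the non-rsyslog `innobackup.log` would remove the duplication.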
@@ -713,13 +712,14 @@ sub permissions { add_problem( $FATAL, "pfcmd needs setuid and setgid bit set to run properly. Fix with chmod ug+s $bin_dir/pfcmd" ); } - # log owner must be pf otherwise apache or pf daemons won't start foreach my $log_file (@log_files) { # if log doesn't exist it is created correctly so no need to complain - next if (!-f $log_dir . '/' . $log_file); + next if (!-f $log_file); + # file not managed by rsyslog, permissions are different + next if ($log_file eq "/usr/local/pf/logs/innobackup.log"); - add_problem( $FATAL, "$log_file must be owned by user pf. Fix with chown pf -R $log_dir/" ) - unless (getpwuid((stat($log_dir . '/' . $log_file))[4]) eq 'pf'); + add_problem( $FATAL, "$log_file must be owned by group pf. Check rsyslog configuration" ) + unless (getgrgid((stat($log_file))[5]) eq 'pf'); } } diff --git a/packetfence.logrotate b/packetfence.logrotate index 69ee2641c22c..015ccd8ae4d5 100644 --- a/packetfence.logrotate +++ b/packetfence.logrotate @@ -17,6 +17,25 @@ su root pf } +/usr/local/pf/logs/httpd.apache { + daily + rotate 7 + missingok + compress + copytruncate + + # Output logrotate return code for monitoring + sharedscripts + postrotate + echo $? >> /usr/local/pf/var/logrotate.status + endscript + + # This following line is required for RHEL / CentOS 7 but will be ignored on RHEL / CentOS 6 + su root pf +} + +# only keep to handle rotation of old log files after +# an upgrade to v12.0.0 /usr/local/pf/logs/httpd.*.access /usr/local/pf/logs/httpd.*.error /usr/local/pf/logs/httpd.*.catalyst { daily rotate 7 diff --git a/rpm/packetfence.spec b/rpm/packetfence.spec index 77ef9f63d20b..65601104ac2d 100644 --- a/rpm/packetfence.spec +++ b/rpm/packetfence.spec 
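Review bot: `next if ($log_file eq "/usr/local/pf/logs/innobackup.log");` hard-codes the path while every other entry comes from `@log_files`, which `pf::file_paths` builds from `$log_dir`; comparing the basename (`next if basename($log_file) eq 'innobackup.log';`, if File::Basename is already in scope) or re-importing `$log_dir` and using `catfile` keeps the exemption valid on a relocated install. `getgrgid((stat($log_file))[5])` yields undef when `stat` fails between the `-f` test and this call, or when the gid has no group entry, and `undef eq 'pf'` then emits an uninitialized-value warning rather than a problem report; `my $group = getgrgid((stat $log_file)[5]) // '';` followed by `unless ($group eq 'pf')` handles both. The enclosing `permissions` sub begins and ends outside the hunk.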
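Review bot: The new `/usr/local/pf/logs/httpd.apache` stanza appears to repeat, option for option, the stanza whose tail (`su root pf` and `}`) is visible just above it; logrotate accepts several paths in one stanza header, so adding `/usr/local/pf/logs/httpd.apache` to that header avoids a second `postrotate` block to keep in sync. The comment `# only keep to handle rotation of old log files after an upgrade to v12.0.0` is helpful; naming the release after which the old `httpd.*.access` stanza can be dropped would make it actionable.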
@@ -440,7 +440,7 @@ done %{__install} -d %{buildroot}/usr/local/pf/conf/radiusd %{__install} -d %{buildroot}/usr/local/pf/conf/ssl %{__install} -d %{buildroot}/usr/local/pf/conf/ssl/acme-challenge -%{__install} -d -m2775 %{buildroot}%logdir +%{__install} -d -m0750 %{buildroot}%logdir %{__install} -d %{buildroot}/usr/local/pf/raddb/sites-enabled %{__install} -d -m2775 %{buildroot}/usr/local/pf/var %{__install} -d -m2775 %{buildroot}/usr/local/pf/var/cache @@ -514,10 +514,6 @@ cp -r NEWS.old %{buildroot}/usr/local/pf/ cp -r README.md %{buildroot}/usr/local/pf/ cp -r README.network-devices %{buildroot}/usr/local/pf/ cp -r UPGRADE.old %{buildroot}/usr/local/pf/ -# logfiles -for LOG in %logfiles; do - touch %{buildroot}%logdir/$LOG -done #start create symlinks curdir=`pwd` @@ -659,15 +655,6 @@ gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-PACKETFENCE-MONITORING # Remove the monit service from the multi-user target if its there rm -f /etc/systemd/system/multi-user.target.wants/monit.service -#Check if log files exist and create them with the correct owner -for fic_log in packetfence.log redis_cache.log security_event.log httpd.admin.audit.log -do -if [ ! -e /usr/local/pf/logs/$fic_log ]; then - touch /usr/local/pf/logs/$fic_log - chown pf.pf /usr/local/pf/logs/$fic_log - chmod g+w /usr/local/pf/logs/$fic_log -fi -done #Make ssl certificate cd /usr/local/pf @@ -1230,14 +1217,7 @@ fi /usr/local/pf/containers %attr(0755, pf, pf) /usr/local/pf/containers/*.sh -%dir %attr(02755, pf, pf) /usr/local/pf/logs -# logfiles -%ghost %logdir/packetfence.log -%ghost %logdir/snmptrapd.log -%ghost %logdir/security_event.log -%ghost %logdir/httpd.admin.audit.log -%ghost %logdir/pfdetect -%ghost %logdir/pfcron +%dir %attr(0750, root, pf) /usr/local/pf/logs %doc /usr/local/pf/NEWS.asciidoc %doc /usr/local/pf/NEWS.old %doc /usr/local/pf/README.md diff --git a/sbin/api-frontend-docker-wrapper b/sbin/api-frontend-docker-wrapper index 37cfc95c1844..2dff5fd84d96 100755 
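Review bot: With the `for LOG in %logfiles` loop removed in the @@ -514 hunk, nothing left in the diff references the `%logfiles` macro; if its definition near the top of the spec remains, it is now dead and should go with the loop. `%dir %attr(0750, root, pf) /usr/local/pf/logs` together with dropping every `%ghost %logdir/...` entry means the package no longer owns any log file, so the files rsyslog creates must get group `pf` and a group-readable mode on their own for `pf`-owned processes (the web admin's Live logs tail) to read them; that is decided by rsyslog's omfile `fileGroup`/`fileCreateMode`, not here, so a one-line comment at the `%dir` line saying where file ownership is enforced would help the next packager. The removed `%post` touch loop also created `redis_cache.log` as pf:pf, so a pre-existing copy of that file keeps its old ownership across the upgrade; harmless for root appending, but worth knowing when reading checkup output.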
--- a/sbin/api-frontend-docker-wrapper +++ b/sbin/api-frontend-docker-wrapper @@ -7,6 +7,7 @@ name=api-frontend args=`base_args $name` args="$args -v /usr/local/pf/var/conf:/usr/local/pf/var/conf -v /usr/local/pf/conf:/usr/local/pf/conf" args="$args -v /usr/local/pf/logs:/usr/local/pf/logs" +args="$args -v /var/log:/var/log:ro" args="$args -p 9999:9999" run $name "$args"
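Review bot: `-v /var/log:/var/log:ro` exposes the whole host `/var/log` tree to the api-frontend container, not only the PacketFence logs it presumably serves; that includes authentication logs, the journal and whatever other host services write there, readable by the API process and therefore by anything that compromises it. If the API only needs to read specific files, mounting those paths individually or a dedicated subdirectory keeps the exposure proportional, and a comment above the line stating which files the mount is for would document the intent either way. `:ro` prevents writes but not reads, so it does not substitute for narrowing the mount.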