Centralized Event Logging Support

Ubersmith can log system events to a syslog daemon, which can then be forwarded along to a centralized logging service. This is an important capability for PCI-DSS compliance as well as for security purposes.

By default, Ubersmith is not configured to log system events out to the main host's syslog daemon, so some configuration updates are required. This documentation assumes that your installation is in the default location of /usr/local/ubersmith.

Implementation

In Ubersmith's /usr/local/ubersmith/docker-compose.yml file, there is an rsyslog service defined, which is normally unused. When started, this service creates a socket in:

/usr/local/ubersmith/logs/rsyslog/

The php service, which executes Ubersmith's code, then mounts this socket as a volume and Ubersmith's code is able to send log messages to the syslog daemon.

Configuration

It is possible that upon the initial configuration of this feature, there will be unwanted contents in /usr/local/ubersmith/logs/rsyslog, which should be deleted. After deleting the contents of that directory, execute the following commands in your Ubersmith root:

The following commands will cause a brief interruption of service as the php container will not be online to process requests.

This will create the socket in /usr/local/ubersmith/logs/rsyslog/ and allow the php container to mount it. 

These logs will then appear on the main system, using journald. The logs will use the syslog tag ubersmith/ubersmith. The command

journalctl -f -t ubersmith/ubersmith

can be used to view these logs.

The main system's journald configuration can be updated to forward Ubersmith's logs on to a centralized logging system.

for documentation on the necessary configuration to forward journald logs on to a centralized logging system.

It may be necessary to edit the Ubersmith startup script ubersmith_start.sh to include the rsyslog service in the "docker-compose up" command. This will ensure the service is started when this script is executed.