From 2b3bd160053129500314d9a0f15c0fb617e24b79 Mon Sep 17 00:00:00 2001 From: Federico Stagni Date: Wed, 5 Jan 2022 17:11:39 +0100 Subject: [PATCH 1/5] feat: added a flag for disabling the use of SecurityLogging service --- .../Services/SecurityLogging/index.rst | 3 ++- .../Systems/Framework/Services/index.rst | 3 +++ src/DIRAC/Core/DISET/private/Service.py | 24 +++++++++++-------- .../Service/SecurityLoggingHandler.py | 3 +++ 4 files changed, 22 insertions(+), 11 deletions(-) diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst index 05135bb9bb4..0e635e3be21 100644 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst +++ b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst @@ -1,7 +1,8 @@ Systems / Framework / / Service / SecurityLogging - Sub-subsection ============================================================================= -SecurityLogging service is used by all server to log all connections. +SecurityLogging service can be used by all services to log all connections, for security-related purpose. +It can be disabled globally via flag ``/Operations///EnableSecurityLogging``, or per-service. +-----------------+------------------------------------------+---------------------------------+ | **Name** | **Description** | **Example** | diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst index 11d4214f9aa..63b73a2b2e8 100644 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst 
+++ b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst @@ -28,6 +28,9 @@ presented in the following table: +---------------------------------------------------------------------------+--------------------------------+ | *Authorization/Default* | Define to who is required the authorization | Default = all | +---------------------------------------------------------------------------+--------------------------------+ +| *EnableSecurityLogging* | This flag is used to disable the use of | EnableSecurityLogging = False | +| | the SecurityLogging service | | ++---------------------------------------------------------------------------+--------------------------------+ | *EnableActivityMonitoring* | This flag is used to enable ES | EnableActivityMonitoring = yes | | | based monitoring for agents and services | | +----------------------------+----------------------------------------------+--------------------------------+ diff --git a/src/DIRAC/Core/DISET/private/Service.py b/src/DIRAC/Core/DISET/private/Service.py index 5a946454d9b..181faaf3764 100644 --- a/src/DIRAC/Core/DISET/private/Service.py +++ b/src/DIRAC/Core/DISET/private/Service.py @@ -110,6 +110,9 @@ def initialize(self): "validNames": self._validNames, "csPaths": [PathFinder.getServiceSection(svcName) for svcName in self._validNames], } + self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and getServiceOption( + self._serviceInfoDict, "EnableSecurityLogging", True + ) # Initialize Monitoring # This is a flag used to check whether "EnableActivityMonitoring" is enabled or not from the config file. self.activityMonitoring = Operations().getValue("EnableActivityMonitoring", False) or getServiceOption( 
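Review bot: Nothing records that security logging has been switched off: in `initialize`, `self.securityLogging` is derived from the two `EnableSecurityLogging` flags, and a service where either one is False starts without leaving any trace of it. Since the flag removes the per-connection authorization record, I would emit one line at start-up when it is off, e.g. `if not self.securityLogging: gLogger.warn("SecurityLogging disabled for service", self._name)` (assuming `gLogger` is already imported in this module, which the hunk does not show). A comment above the assignment such as `# Both the Operations flag and the service option must be true; either one disables security logging` would also make the `and` explicit next to the `or` used for `EnableActivityMonitoring` just below. The body of `initialize` starts and ends outside the hunk.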
@@ -512,16 +515,17 @@ def _authorizeProposal(self, actionTuple, trid, credDict): return S_ERROR("Client disconnected") sourceAddress = tr.getRemoteAddress() identity = self._createIdentityString(credDict) - Service.SVC_SECLOG_CLIENT.addMessage( - result["OK"], - sourceAddress[0], - sourceAddress[1], - identity, - self._cfg.getHostname(), - self._cfg.getPort(), - self._name, - "/".join(actionTuple), - ) + if self.securityLogging: + Service.SVC_SECLOG_CLIENT.addMessage( + result["OK"], + sourceAddress[0], + sourceAddress[1], + identity, + self._cfg.getHostname(), + self._cfg.getPort(), + self._name, + "/".join(actionTuple), + ) return result def _instantiateHandler(self, trid, proposalTuple=None): diff --git a/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py b/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py index 6b10f4f4aad..77a4690bde4 100644 --- a/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py +++ b/src/DIRAC/FrameworkSystem/Service/SecurityLoggingHandler.py @@ -1,4 +1,7 @@ """ Handler for logging in security.log.csv files + + This service is kept for installations that are not using ES-based logs management + (see https://dirac.readthedocs.io/en/latest/AdministratorGuide/ServerInstallations/centralizedLogging.html) """ from __future__ import absolute_import from __future__ import division From fb2baf5b4f11ca2676a14f7ff6789baae4b45d6b Mon Sep 17 00:00:00 2001 From: fstagni Date: Thu, 6 Jan 2022 15:35:36 +0100 Subject: [PATCH 2/5] feat: added securityLog to TornadoService --- src/DIRAC/Core/DISET/private/Service.py | 3 ++- .../Core/Tornado/Server/TornadoService.py | 24 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/src/DIRAC/Core/DISET/private/Service.py b/src/DIRAC/Core/DISET/private/Service.py index 181faaf3764..b4b275bf4d9 100644 --- a/src/DIRAC/Core/DISET/private/Service.py +++ b/src/DIRAC/Core/DISET/private/Service.py 
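Review bot: `sourceAddress = tr.getRemoteAddress()` and `identity = self._createIdentityString(credDict)` are still evaluated when `self.securityLogging` is False, although within this hunk they are only consumed by the `addMessage` call. Moving both assignments under `if self.securityLogging:` keeps the disabled path free of work done purely for the log record. With the flag off, the outcome in `result["OK"]` is no longer recorded here, so it is worth confirming that refused proposals are still written by the regular service logger. The start of `_authorizeProposal` is outside the hunk, so that cannot be checked from here.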
@@ -416,7 +416,8 @@ def _processInThread(self, clientTransport): if monReport: self.__endReportToMonitoring(*monReport) - def _createIdentityString(self, credDict, clientTransport=None): + @staticmethod + def _createIdentityString(credDict, clientTransport=None): if "username" in credDict: if "group" in credDict: identity = "[%s:%s]" % (credDict["username"], credDict["group"]) diff --git a/src/DIRAC/Core/Tornado/Server/TornadoService.py b/src/DIRAC/Core/Tornado/Server/TornadoService.py index 1365d0b4ebd..e46226d12fa 100644 --- a/src/DIRAC/Core/Tornado/Server/TornadoService.py +++ b/src/DIRAC/Core/Tornado/Server/TornadoService.py @@ -25,10 +25,12 @@ from DIRAC import gConfig, gLogger, S_OK from DIRAC.ConfigurationSystem.Client import PathFinder +from DIRAC.ConfigurationSystem.Client.Helpers.Operations import Operations from DIRAC.Core.DISET.AuthManager import AuthManager from DIRAC.Core.Security.X509Chain import X509Chain # pylint: disable=import-error from DIRAC.Core.Utilities.JEncode import decode, encode from DIRAC.FrameworkSystem.Client.MonitoringClient import MonitoringClient +from DIRAC.FrameworkSystem.Client.SecurityLogClient import SecurityLogClient sLog = gLogger.getSubLogger(__name__) @@ -121,6 +123,8 @@ def export_streamToClient(self, myDataToSend, token): # We also need to add specific attributes for each service _monitor = None + SVC_SECLOG_CLIENT = SecurityLogClient() + @classmethod def _initMonitoring(cls, serviceName, fullUrl): """ @@ -255,6 +259,10 @@ def initialize(self): # pylint: disable=arguments-differ sLog.error("Error in initialization", repr(e)) raise + self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and self.srv_getCSOption( + "EnableSecurityLogging", True + ) + def prepare(self): """ Prepare the request. It reads certificates and check authorizations. 
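Review bot: `SVC_SECLOG_CLIENT = SecurityLogClient()` sits in the class body, so the client is constructed when the module is imported, including on installations that set `EnableSecurityLogging` to False. What the constructor does is not visible here, but creating it lazily on first use, only when `self.securityLogging` is true, would avoid building a client that is never used. A one-line comment stating that the attribute is shared by all handler instances would help as well.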
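Review bot: The two configuration lookups behind `self.securityLogging` are placed at the end of `initialize`, and if this handler follows the usual Tornado pattern where `initialize` runs for every request (not shown in the hunk), a new `Operations()` object is built and both options are read on each call. Resolving the flag once per service and caching it at class level, next to `_monitor`, would avoid that. The assignment also deserves a short comment saying that either flag set to False disables the security log for this service. `initialize` begins outside the hunk.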
@@ -292,6 +300,22 @@ def prepare(self): # Check whether we are authorized to perform the query # Note that performing the authQuery modifies the credDict... authorized = self._authManager.authQuery(self.method, self.credDict, hardcodedAuth) + + if self.securityLogging: + from DIRAC.Core.DISET.private.Service import Service + + sourceAddress = self.getRemoteAddress() + TornadoService.SVC_SECLOG_CLIENT.addMessage( + authorized, + sourceAddress[0], + sourceAddress[1], + Service._createIdentityString(self.credDict), + "currentHost", + "8443", + "Tornado/%s" % self.serviceName, + self.method, + ) + if not authorized: sLog.error( "Unauthorized access", From 19f0ad30b578afd4e130da84083feee5a9ecaea7 Mon Sep 17 00:00:00 2001 From: fstagni Date: Tue, 25 Jan 2022 18:52:31 +0100 Subject: [PATCH 3/5] docs: added logstash example for securitylog index --- .../centralizedLogging.rst | 106 +++++++++++------- src/DIRAC/Core/DISET/private/Service.py | 28 ++--- .../Core/Tornado/Server/TornadoService.py | 24 ---- 3 files changed, 78 insertions(+), 80 deletions(-) diff --git a/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst b/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst index f9fec6abb3e..4943f1e1b3e 100644 --- a/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst +++ b/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst 
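Review bot: The record written in `prepare` carries the literals `"currentHost"` and `"8443"` as destination host and port, so every entry from a Tornado service is identical in those two fields and is wrong on any server that does not listen on 8443. The DISET counterpart passes `self._cfg.getHostname()` and `self._cfg.getPort()` in the same positions; the Tornado call should pass the real values of the running server, since a security log with placeholder fields cannot be used to reconstruct which endpoint was contacted. The function-level import of `Service` only to reach the private `_createIdentityString` also ties the Tornado stack to DISET internals, and a small shared helper would be cleaner. `prepare` continues past the end of the hunk.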
@@ -60,53 +60,67 @@ From the DIRAC point of view, that's all there is to do. Logstash and ELK configurations =============================== -The logstash configuration (``/etc/logstash/conf.d/configname``) is given here as an example only (`full documentation `_):: +The logstash configuration (``/etc/logstash/conf.d/configname``) is given here as an example only (`full documentation `_):: input { # This queue is used for dirac components - # you need one entry per broker - # Caution, alias are not resolved into multiple hosts ! + <% @logstash_config_args['mb_brokers'].each do |mbhost| %> stomp { - type => "stomp" - destination => "/queue/lhcb.dirac.logging" - host => messagebroker - port => 61713 - user => "myUser" - password => "myPassword" - codec => "json" + type => "stomp" + destination => "<%= @logstash_config_args['mb_destination'] %>" + host => "<%= mbhost %>" + port => 61713 + user => "<%= @logstash_config_args['mb_user'] %>" + password => "%TEIGI__DIRAC-Certification_mbPassword__%" + codec => "json" } - + <% end %> } filter{ if [type] == "stomp" { - # If there is an exception, print it multiline - # This is the way to test if a variable is defined - if "" in [exc_info]{ - mutate { - gsub => [ - "exc_info", "\\n", "\n" - ] - } - } else { - # otherwise, add the field as empty string so that it does not display - mutate { - add_field => {"exc_info" => ""} - } + # If there is an exception, print it multiline + # This is the way to test if a variable is defined + if "" in [exc_info]{ + mutate { + gsub => [ + "exc_info", "\\n", "\n" + ] } - # If levelname is not defined, we can infer that several other infos - # are missing, like asctime. So define them empty. 
- if !("" in [levelname]){ - mutate { - add_field => {"levelname" => "" - "asctime" => ""} - } + } + else { + # otherwise, add the field as empty string so that it does not display + mutate { + add_field => {"exc_info" => ""} } - date { - match => [ "asctime", "yyyy-MM-dd HH:mm:ss" ] - timezone => "UTC" + } + + # If levelname is not defined, we can infer that several other infos + # are missing, like asctime. So define them empty. + if !("" in [levelname]){ + mutate { + add_field => {"levelname" => "" + "asctime" => ""} } + } + date { + # DIRAC logs have microsec precision + match => [ "asctime", "yyyy-MM-dd HH:mm:ss,SSSSSS" ] + timezone => "UTC" + } + # Adding a label "sec_log" for those messages that we want to add + # also to the securitylog indices + if "Returning response" in [message] { + mutate { + replace => { sec_log => "true" } + } + } + if "Unauthorized query" in [message] { + mutate { + replace => { sec_log => "true" } + } + } # we want to create the index based on the component name # but the component name has a "/" in it, so replace it # with a "-", and set it lowercase 
@@ -121,20 +135,28 @@ The logstash configuration (``/etc/logstash/conf.d/configname``) is given here a ] lowercase => [ "componentindex" ] } - } } + output { - if [type] == "stomp" { - elasticsearch { - # We create one index per component per day - index => "lhcb-dirac-logs-%{componentindex}-%{+YYYY.MM.dd}" - hosts => ["https://my-elasticsearch-host.cern.ch:9203"] - user => "myESUser" + if [type] == "stomp" { + opensearch { + index => "dirac-logs-%{componentindex}-%{+xxxx.ww}" + hosts => <%= @logstash_config_args['es_hosts'] %> + user => "<%= @logstash_config_args['es_user'] %>" + template_name => "lhcb-dirac-logs_default" + manage_template => "false" + password => "%TEIGI__DIRAC-Certification_esPassword__%" + } + if [sec_log] == "true" { + opensearch { + index => "dirac-securitylog-%{+YYYY.MM}" + hosts => <%= @logstash_config_args['es_hosts'] %> + user => "<%= @logstash_config_args['es_user'] %>" template_name => "lhcb-dirac-logs_default" manage_template => "false" - password => "myESPassword" + password => "%TEIGI__DIRAC-Certification_esPassword__%" } } } diff --git a/src/DIRAC/Core/DISET/private/Service.py b/src/DIRAC/Core/DISET/private/Service.py index b4b275bf4d9..42609ecbc36 100644 --- a/src/DIRAC/Core/DISET/private/Service.py +++ b/src/DIRAC/Core/DISET/private/Service.py 
@@ -110,9 +110,9 @@ def initialize(self): "validNames": self._validNames, "csPaths": [PathFinder.getServiceSection(svcName) for svcName in self._validNames], } - self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and getServiceOption( - self._serviceInfoDict, "EnableSecurityLogging", True - ) + self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and getServiceOption( + self._serviceInfoDict, "EnableSecurityLogging", True + ) # Initialize Monitoring # This is a flag used to check whether "EnableActivityMonitoring" is enabled or not from the config file. self.activityMonitoring = Operations().getValue("EnableActivityMonitoring", False) or getServiceOption( @@ -516,17 +516,17 @@ def _authorizeProposal(self, actionTuple, trid, credDict): return S_ERROR("Client disconnected") sourceAddress = tr.getRemoteAddress() identity = self._createIdentityString(credDict) - if self.securityLogging: - Service.SVC_SECLOG_CLIENT.addMessage( - result["OK"], - sourceAddress[0], - sourceAddress[1], - identity, - self._cfg.getHostname(), - self._cfg.getPort(), - self._name, - "/".join(actionTuple), - ) + if self.securityLogging: + Service.SVC_SECLOG_CLIENT.addMessage( + result["OK"], + sourceAddress[0], + sourceAddress[1], + identity, + self._cfg.getHostname(), + self._cfg.getPort(), + self._name, + "/".join(actionTuple), + ) return result def _instantiateHandler(self, trid, proposalTuple=None): diff --git a/src/DIRAC/Core/Tornado/Server/TornadoService.py b/src/DIRAC/Core/Tornado/Server/TornadoService.py index e46226d12fa..1365d0b4ebd 100644 --- a/src/DIRAC/Core/Tornado/Server/TornadoService.py +++ b/src/DIRAC/Core/Tornado/Server/TornadoService.py 
@@ -25,12 +25,10 @@ from DIRAC import gConfig, gLogger, S_OK from DIRAC.ConfigurationSystem.Client import PathFinder -from DIRAC.ConfigurationSystem.Client.Helpers.Operations import Operations from DIRAC.Core.DISET.AuthManager import AuthManager from DIRAC.Core.Security.X509Chain import X509Chain # pylint: disable=import-error from DIRAC.Core.Utilities.JEncode import decode, encode from DIRAC.FrameworkSystem.Client.MonitoringClient import MonitoringClient -from DIRAC.FrameworkSystem.Client.SecurityLogClient import SecurityLogClient sLog = gLogger.getSubLogger(__name__) @@ -123,8 +121,6 @@ def export_streamToClient(self, myDataToSend, token): # We also need to add specific attributes for each service _monitor = None - SVC_SECLOG_CLIENT = SecurityLogClient() - @classmethod def _initMonitoring(cls, serviceName, fullUrl): """ @@ -259,10 +255,6 @@ def initialize(self): # pylint: disable=arguments-differ sLog.error("Error in initialization", repr(e)) raise - self.securityLogging = Operations().getValue("EnableSecurityLogging", True) and self.srv_getCSOption( - "EnableSecurityLogging", True - ) - def prepare(self): """ Prepare the request. It reads certificates and check authorizations. @@ -300,22 +292,6 @@ def prepare(self): # Check whether we are authorized to perform the query # Note that performing the authQuery modifies the credDict... authorized = self._authManager.authQuery(self.method, self.credDict, hardcodedAuth) - - if self.securityLogging: - from DIRAC.Core.DISET.private.Service import Service - - sourceAddress = self.getRemoteAddress() - TornadoService.SVC_SECLOG_CLIENT.addMessage( - authorized, - sourceAddress[0], - sourceAddress[1], - Service._createIdentityString(self.credDict), - "currentHost", - "8443", - "Tornado/%s" % self.serviceName, - self.method, - ) - if not authorized: sLog.error( "Unauthorized access", From d40252df5e19e428fc0011f82e848b8daf68e25f Mon Sep 17 00:00:00 2001 
From: fstagni Date: Wed, 26 Jan 2022 18:27:20 +0100 Subject: [PATCH 4/5] docs: added link to logstash configuration, removed example --- .../Systems/Framework/Services/index.rst | 3 - .../centralizedLogging.rst | 104 +----------------- 2 files changed, 2 insertions(+), 105 deletions(-) diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst index 63b73a2b2e8..11d4214f9aa 100644 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst +++ b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst @@ -28,9 +28,6 @@ presented in the following table: +---------------------------------------------------------------------------+--------------------------------+ | *Authorization/Default* | Define to who is required the authorization | Default = all | +---------------------------------------------------------------------------+--------------------------------+ -| *EnableSecurityLogging* | This flag is used to disable the use of | EnableSecurityLogging = False | -| | the SecurityLogging service | | -+---------------------------------------------------------------------------+--------------------------------+ | *EnableActivityMonitoring* | This flag is used to enable ES | EnableActivityMonitoring = yes | | | based monitoring for agents and services | | +----------------------------+----------------------------------------------+--------------------------------+ diff --git a/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst b/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst index 4943f1e1b3e..be034db4f1e 100644 --- a/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst +++ b/docs/source/AdministratorGuide/ServerInstallations/centralizedLogging.rst 
@@ -60,109 +60,9 @@ From the DIRAC point of view, that's all there is to do. Logstash and ELK configurations =============================== -The logstash configuration (``/etc/logstash/conf.d/configname``) is given here as an example only (`full documentation `_):: +The suggested logstash configuration (``/etc/logstash/conf.d/configname``) can be found in https://gitlab.cern.ch/ai/it-puppet-module-dirac/-/blob/qa/code/templates/logstash.conf.erb (check the `full documentation `_) - input { - # This queue is used for dirac components - <% @logstash_config_args['mb_brokers'].each do |mbhost| %> - stomp { - type => "stomp" - destination => "<%= @logstash_config_args['mb_destination'] %>" - host => "<%= mbhost %>" - port => 61713 - user => "<%= @logstash_config_args['mb_user'] %>" - password => "%TEIGI__DIRAC-Certification_mbPassword__%" - codec => "json" - } - <% end %> - } - - filter{ - if [type] == "stomp" { - # If there is an exception, print it multiline - # This is the way to test if a variable is defined - if "" in [exc_info]{ - mutate { - gsub => [ - "exc_info", "\\n", "\n" - ] - } - } - else { - # otherwise, add the field as empty string so that it does not display - mutate { - add_field => {"exc_info" => ""} - } - } - - # If levelname is not defined, we can infer that several other infos - # are missing, like asctime. So define them empty. 
- if !("" in [levelname]){ - mutate { - add_field => {"levelname" => "" - "asctime" => ""} - } - } - date { - # DIRAC logs have microsec precision - match => [ "asctime", "yyyy-MM-dd HH:mm:ss,SSSSSS" ] - timezone => "UTC" - } - - # Adding a label "sec_log" for those messages that we want to add - # also to the securitylog indices - if "Returning response" in [message] { - mutate { - replace => { sec_log => "true" } - } - } - if "Unauthorized query" in [message] { - mutate { - replace => { sec_log => "true" } - } - } - # we want to create the index based on the component name - # but the component name has a "/" in it, so replace it - # with a "-", and set it lowercase - # We do it in two separate mutate filter to make sure - # of the order - mutate { - copy => { "componentname" => "componentindex" } - } - mutate { - gsub => [ - "componentindex", "/", "-" - ] - lowercase => [ "componentindex" ] - } - } - } - - - output { - if [type] == "stomp" { - opensearch { - index => "dirac-logs-%{componentindex}-%{+xxxx.ww}" - hosts => <%= @logstash_config_args['es_hosts'] %> - user => "<%= @logstash_config_args['es_user'] %>" - template_name => "lhcb-dirac-logs_default" - manage_template => "false" - password => "%TEIGI__DIRAC-Certification_esPassword__%" - } - if [sec_log] == "true" { - opensearch { - index => "dirac-securitylog-%{+YYYY.MM}" - hosts => <%= @logstash_config_args['es_hosts'] %> - user => "<%= @logstash_config_args['es_user'] %>" - template_name => "lhcb-dirac-logs_default" - manage_template => "false" - password => "%TEIGI__DIRAC-Certification_esPassword__%" - } - } - } - - -And the ElasticSearch template ``lhcb-dirac-logs_default`` looks like:: +The ElasticSearch template ``lhcb-dirac-logs_default`` looks like:: { "order": 1, From 7fc02cefaedf7d2e77876dcf122fea96d99ce3ec Mon Sep 17 00:00:00 2001 
From: fstagni Date: Thu, 27 Jan 2022 09:16:53 +0100 Subject: [PATCH 5/5] docs: moved SecurityLogging flags to dirac.cfg and ConfigTemplate.cfg --- dirac.cfg | 2 ++ .../Framework/Services/SecurityLogging/index.rst | 11 ----------- .../Systems/Framework/Services/index.rst | 1 - src/DIRAC/FrameworkSystem/ConfigTemplate.cfg | 2 ++ 4 files changed, 4 insertions(+), 12 deletions(-) delete mode 100644 docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst diff --git a/dirac.cfg b/dirac.cfg index ef53df92d4c..094549be395 100644 --- a/dirac.cfg +++ b/dirac.cfg @@ -602,6 +602,8 @@ Operations { # This will globally enable ES based monitoring for Service and AgentModule. EnableActivityMonitoring = yes + # Flag for globally disabling the use of the SecurityLogging service + EnableSecurityLogging = False DataManagement { # see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html#multi-protocol diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst deleted file mode 100644 index 0e635e3be21..00000000000 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/SecurityLogging/index.rst +++ /dev/null 
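Review bot: The reference entry in `dirac.cfg` shows `EnableSecurityLogging = False` without saying that the code default is True, so an administrator copying this block switches off the connection audit record without being told so. I would extend the comment to something like `# Flag for globally disabling the use of the SecurityLogging service (default: True). Set to False only when logs are collected centrally.` As far as the visible hunks show, the per-service `EnableSecurityLogging` option read in `Service.initialize` is no longer documented anywhere once the table row and the SecurityLogging page are removed, so a sentence on it belongs here or in `ConfigTemplate.cfg`. The `Operations` section continues outside the hunk.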
@@ -1,11 +0,0 @@ -Systems / Framework / / Service / SecurityLogging - Sub-subsection -============================================================================= - -SecurityLogging service can be used by all services to log all connections, for security-related purpose. -It can be disabled globally via flag ``/Operations///EnableSecurityLogging``, or per-service. - -+-----------------+------------------------------------------+---------------------------------+ -| **Name** | **Description** | **Example** | -+-----------------+------------------------------------------+---------------------------------+ -| *DataLocation* | Directory where log info is kept | DataLocation = data/securityLog | -+-----------------+------------------------------------------+---------------------------------+ diff --git a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst index 11d4214f9aa..1ebf94ad456 100644 --- a/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst +++ b/docs/source/AdministratorGuide/Configuration/ConfReference/Systems/Framework/Services/index.rst @@ -41,6 +41,5 @@ Services associated with Framework system are: Monitoring/index Notification/index Plotting/index - SecurityLogging/index SystemAdministrator/index UserProfileManager/index diff --git a/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg b/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg index 77dc1e07924..356d39ee7d2 100644 --- a/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg +++ b/src/DIRAC/FrameworkSystem/ConfigTemplate.cfg @@ -48,6 +48,8 @@ Services SecurityLogging { Port = 9153 + # Directory where log info is kept + DataLocation = data/securityLog Authorization { Default = authenticated