IBM Verify


PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

  • 1.  PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Mon February 07, 2022 08:45 PM
    The default PAM config doesn't work with the lightweight WRP image on v10.0.3.0.

    The default config is as follows:

    [PAM]
    pam-log-cfg = file path=pam.log,flush_interval=20,rollover_size=2000000

    When the lightweight container tries to start:
    {"instant":{"epochSecond":1644284063},"threadId":"0x7f0387c10780","level":"ERROR","loggerName":"webseald","component":"wad.waf","message_id":"0x389834B2","source":{"file":"WSPamLogger.cpp","line":74}, "content":"DPWAD1202E An invalid configuration value was provided: file path=\/var\/application.logs.local\/wrp\/test.acme.org\/log\/pam.log,flush_interval=20,rollover_size=2000000"}

    The bootstrap.sh script doesn't create that log directory when the container starts.  Should we be modifying the pam-log-cfg to something else manually or is a fix needed here where I should engage L2?

    Thanks.

    ------------------------------
    Matt
    ------------------------------


  • 2.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Mon February 07, 2022 08:47 PM

    Matt,

    This is a known problem, and a fix will be included in the upcoming 10.0.3.1 release (due out in the next couple of weeks).  If you need a fix for this in the meantime you should be able to contact the support team about it.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Tue February 08, 2022 05:00 PM
    Thanks Scott.  L2 mentioned this was under IJ36897 but they don't currently have a fixpack for it.

    How are you all handling request logs in the lightweight containers?  Are you just piping them out to stdout and not storing them as a file anymore?  I haven't been able to get the proxies running yet in my lab because of the WCP issue and I've been too buried in other things today to just disable it and see for myself how the other logs are being dealt with.


    ------------------------------
    Matt Jenkins
    ------------------------------



  • 4.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Tue February 08, 2022 05:09 PM

    Matt,

    By default, the request logs are sent to stdout, but you do have the option to configure the request logs to be sent to a file, or a remote syslog server (using the native WebSEAL logging mechanisms, and not the rsyslog forwarder).

    Thanks

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 5.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 10:36 AM
    Interesting, so if the request logs are only going to stdout now, I figured I could set pam-log-cfg to stdout and that worked on my containers.  However, the format is in that XML format.  Is there any way to make PAM log JSON like everything else?

    For some reason I just realized out of the box the request logs for the WRP are also not going to stdout.  Not sure what is causing that.  Do you know off the top of your head if request logging has to be enabled specifically on these lightweight containers?  The only logging option I set in the past was request-log-format under the logging stanza and it would by default dump the request.log file.  On the lightweight v10.0.3.0 containers, nothing is going to stdout.

    Thanks.

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 6.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 03:44 PM

    Matt,

    Unfortunately, I misspoke in my last response – I was getting confused between IBM Application Gateway and WebSEAL.  By default, WebSEAL will continue to log to a file, and will not log in JSON format.

    In answer to your other question, at the moment there is no way to enable JSON formatting of PAM messages.

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 7.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 04:09 PM
    Scott, are you all planning on addressing the WAF logs to get them to JSON?  If not should I open an RFE?  Or is this not a big concern since WAF/WCP disappears end of this year?

    Do you by chance know the default location for the request log?  The find command was removed from the lightweight containers and I do not see them under /var/application.logs/wrp.

    Thanks!

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 8.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 04:32 PM

    Matt,

    At the moment there are no plans to add JSON support to the WAF logging.  Feel free to open an RFE, but I don't know how much traction it will get due to the fact that the capability is disappearing.

    I believe that the request log is sent to '/var/pdweb/<instance name>/logs'.  I think that some improvement in the control of the request log is required – did you want to open an RFE for this?

    Thanks.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com

    1 Corporate Court
    Bundall, QLD 4217
    Australia


  • 9.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 04:45 PM
    Scott, I did find the request log at /var/pdweb/instance-name/log/request.log.  Does this get rotated or will this fill up the overlay filesystem over time?  For some reason it is not sending it to stdout.  I've got to look into if anything special needs done to make that happen.  I guess I assumed by default the lightweight containers would just send it to stdout by default.  Maybe all I need to do is configure the request log to go to stdout in the webseal conf and enable JSON output.

    What do you mean improvement in the control of the request log?  Can you give an example?  I thought there was an option now to turn that on to JSON output, and if we configure it to stdout, that is technically all we would need right (given if our orchestration and logging folks get the console logging in place for us)?

    As far as the WAF log not in JSON, I'm personally not going to worry over that here, since you all have said the functionality is definitely going away end of year.  I'll just tell our logging folks we need to deal with some lines not containing JSON.  IMO this is important anyway because in the event something did come out the console that wasn't JSON, we don't want things going berserk.

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 10.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 04:55 PM
    If I would read the fine manual I would see the options for the request log.  For anyone else interested:
    https://www.ibm.com/docs/en/sva/10.0.3?topic=support-docker-image-verify-access-web-reverse-proxy

    [aznapi-configuration]
    audit-json = yes
    logcfg = audit.azn:stdout

    [logging]
    requests-file = stdout
    request-log-format = {"host":"%h", "user":"%u", "time":"%t"}

    The only gripe I would have is I wish you could just specify the fields for the request-log-format and it would just throw them in some JSON with an IBM provided default key value and format, e.g.:
    request-log-json-fields:  host, user, time, attr:email, header:user-agent, statuscode, bytes

    But this will do.  I'll work on getting things reconfigured, it's not bad since it is all just editing YAML and running playbooks :)

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 11.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 05:26 PM

    Matt,

    By improvement of the request log output, I really mean adopting the IAG approach of sending the request log to the console, in JSON format, by default.  At the moment the request log file does not perform automatic auto-rollover, and changing it to JSON format will be a little bit clunky.  There is no nice way of configuring JSON output, you need to modify the request-log-format configuration to be JSON.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 12.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 05:55 PM
    Scott, understood.  Yes I agree being like IAG would be better.  After I started specifying the request-log-format, I realized I can keep these key names the same as what we currently use in our Splunk queries, so as long as the Splunk team ingests the JSON as-is with the key values I give, things should be golden.

    Btw, there is a doc error in the knowledge center.

    System Error
    Error: DPWAP0014E The 'requests-file' configuration entry, in the [logging] stanza, is an unsupported configuration entry.

    I used this instead:

    [aznapi-configuration]
    logcfg = http.clf:stdout

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 13.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 06:09 PM
    @Scott Exton, things are working now.  One more question, I apologize.  Is there a way to add a custom JSON key value in the message, system, and/or anything that goes out of a container via stdout?

    Here is why I ask:  When things flow from our logs upstream, currently we use the remote syslog forwarder syslog tag value to tag them with an ID, which is specified in the remote syslog forwarder for each webseal instance.  When we switch to this JSON logging, we obviously cannot do that anymore, so it would be good to know exactly which instance an event came from.

    In the request-log-format I can easily add a static value per instance for the request logs.  However, is there any way to do this for the message logs, and/or other log types such as the DSC and runtime logs?  Even if I can specify an environment variable on the container's app config that would get put into that JSON.

    If not, I'll probably open an idea for this.

    Thanks again for your help.

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 14.  RE: PAM logging broke in lightweight containers - What are we supposed to use for pam-log-cfg?

    Posted Wed February 09, 2022 06:42 PM

    Matt,

    There is not currently a way to add a tag to the messages which are sent to the console.  Your Kubernetes logging infrastructure should actually take care of the tagging for you (i.e. it should know which particular pod a log entry originated from).

    Thoughts?

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
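Posts 9, 10, 13 and 14 above raise three practical points for whoever ingests the console stream of these containers: the request log can be sent to stdout as JSON via request-log-format, some lines on stdout will not be JSON (PAM and WAF output), and the instance a line came from has to be tagged at ingestion rather than inside WebSEAL. The following Python script is an added example, not code from IBM or from either poster, showing how a small ingestion step can handle all three: it parses a mixed console stream, keeps non-JSON and truncated lines as raw events instead of failing, normalises the CLF-style %t timestamp to epoch seconds so request events line up with the message log's epochSecond, and stamps every event with an instance tag. The sample console lines are constructed for this example; the WEBSEAL_INSTANCE environment variable is hypothetical (not an ISVA setting), and HOSTNAME is used as a fallback because under Kubernetes it normally carries the pod name, which is the tag Scott refers to.

```python
"""Parse a mixed WebSEAL container console stream into tagged JSON events.

Added example, not IBM code. Handles: JSON request-log lines, JSON message-log
lines, non-JSON lines (PAM/WAF style), blank lines and truncated JSON lines.
"""
import json
import os
from datetime import datetime
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample of what a WebSEAL container might write to stdout once the
# request log goes to the console. Line 1 follows the request-log-format quoted
# in the thread; line 2 reuses the message-log shape from the thread's error
# line; line 3 is a non-JSON line standing in for PAM/WAF output; line 4 is
# blank; line 5 is a truncated JSON line (e.g. a partial write at restart).
# None of these lines are captured from a real system.
SAMPLE_CONSOLE = """\
{"host":"10.0.0.5", "user":"alice", "time":"[09/Feb/2022:16:55:12 +0000]"}
{"instant":{"epochSecond":1644284063},"level":"ERROR","loggerName":"webseald","component":"wad.waf","message_id":"0x389834B2","content":"DPWAD1202E An invalid configuration value was provided"}
<pam_log_entry>not JSON: stands in for PAM/WAF output</pam_log_entry>

{"host":"10.0.0.6", "user":"bob", "time":
"""

# Apache/CLF style timestamp as produced by %t, without the surrounding brackets.
CLF_TIME = "%d/%b/%Y:%H:%M:%S %z"


def instance_tag() -> str:
    """Return the tag to stamp on every event.

    WEBSEAL_INSTANCE is a hypothetical variable you would set on the container
    yourself; HOSTNAME is typically the pod name under Kubernetes.
    """
    return os.environ.get("WEBSEAL_INSTANCE") or os.environ.get("HOSTNAME") or "unknown"


def classify(obj: Dict) -> str:
    """Tell a message-log entry from a request-log entry by its keys."""
    if "message_id" in obj or "loggerName" in obj:
        return "message"
    if "host" in obj and "time" in obj:
        return "request"
    return "unknown"


def clf_to_epoch(value: str) -> Optional[int]:
    """Convert a %t value like [09/Feb/2022:16:55:12 +0000] to epoch seconds."""
    try:
        return int(datetime.strptime(value.strip("[]"), CLF_TIME).timestamp())
    except ValueError:
        return None


def parse_console(lines: Iterable[str], instance: str) -> Iterator[Dict]:
    """Yield one tagged event per non-blank console line, never raising on bad input."""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if not isinstance(obj, dict):
            # Non-JSON, truncated, or non-object JSON: keep the line verbatim
            # rather than dropping it or letting it break the pipeline.
            yield {"instance": instance, "kind": "raw", "raw": line}
            continue
        event = {"instance": instance, "kind": classify(obj), **obj}
        if event["kind"] == "request":
            event["epoch"] = clf_to_epoch(str(obj["time"]))
        elif event["kind"] == "message":
            event["epoch"] = obj.get("instant", {}).get("epochSecond")
        yield event


def summarize(events: Iterable[Dict]) -> Dict[str, int]:
    """Count events per kind; a rising 'raw' count is worth alerting on."""
    counts: Dict[str, int] = {}
    for event in events:
        counts[event["kind"]] = counts.get(event["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = list(parse_console(SAMPLE_CONSOLE.splitlines(), instance_tag()))
    for event in parsed:
        print(json.dumps(event))
    print(summarize(parsed))
```

In a real deployment the function would read the container's stdout (or the file the log collector tails) instead of SAMPLE_CONSOLE; the point is that the "raw" bucket absorbs the PAM/WAF lines Matt expects rather than "going berserk", while keeping them so that a DPWAD-style error is still visible.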