
Collecting secure logs - Scrubbing of identifying information

Subject:

We have added the ability to remove user information and site-identifying environment information from the support logs when they are collected for upload to the OSNEXUS support team.

The logs will be collected on the local system and scrubbed of any identifying site information before being uploaded to the OSNEXUS support site.

 

Details:

The log collection script can now scrub logs of identifying information. This feature requires some accompanying files in order to work.

Those files are listed below:

/var/opt/osnexus/quantastor/qs_logsdonotcollect.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.domaingroup.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.domainname.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.domainuser.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.localgroup.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.localname.list

The above files act as simple databases (flat files) that contain information you do not want to appear in support logs.

 

Breaking down these files one by one, they serve the following purposes:

/var/opt/osnexus/quantastor/qs_logsdonotcollect.list

This file is a blacklist of file names that should not be collected. Each line contains one file name pattern; matching files are removed from the collected logs.

For instance, to be sure that 'syslog' does not appear in support logs, add a line by itself reading 'syslog*'. The '*' also covers other syslog entries such as 'syslog.2' and 'syslog.3.gz'.

A good way to think about a pattern is as the argument you would give the 'rm' command in Linux to remove the file(s) while working in the local directory where they exist.

The next files are auto-populated by a script on the system:

/var/opt/osnexus/quantastor/qs_logsfilekeywords.domaingroup.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.domainname.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.domainuser.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.localgroup.list
/var/opt/osnexus/quantastor/qs_logsfilekeywords.localname.list

The word right before '.list' in each filename is the type of identifying information each file contains.

For instance, 'domaingroup' contains a list of groups populated from your domain. Every time a domain group name appears anywhere in the logs, it is replaced with '[ domaingroup ]'.
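A local preview of the two list types described above, as an added example that is not OSNEXUS code and does not show how qs-sendlogs is implemented. The function names `is_excluded` and `scrub_preview` are hypothetical, and one entry per line plus literal (non-regex) keyword matching are assumptions.

```shell
#!/bin/sh
# Added illustration, not OSNEXUS code. Assumes one entry per line in each list.

# is_excluded LIST_FILE NAME: succeeds if NAME matches a glob pattern in LIST_FILE.
is_excluded() {
    list=$1
    name=$2
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -z "$pat" ] && continue
        # Unquoted $pat is matched as a shell glob, like an argument to rm.
        case $name in
            $pat) return 0 ;;
        esac
    done < "$list"
    return 1
}

# scrub_preview LIST_DIR: filters stdin, replacing every keyword found in
# LIST_DIR/qs_logsfilekeywords.<type>.list with the tag "[ <type> ]".
scrub_preview() {
    awk -v dir="$1" '
    BEGIN {
        n = split("domaingroup domainname domainuser localgroup localname", types, " ")
        for (i = 1; i <= n; i++) {
            f = dir "/qs_logsfilekeywords." types[i] ".list"
            # A missing list makes getline return -1 and is simply skipped.
            while ((getline kw < f) > 0)
                if (kw != "") { key[++cnt] = kw; tag[cnt] = "[ " types[i] " ]" }
            close(f)
        }
    }
    {
        line = $0
        for (j = 1; j <= cnt; j++) {
            # index() matches literally, so "." in a domain name is not a wildcard.
            out = ""
            while ((p = index(line, key[j])) > 0) {
                out = out substr(line, 1, p - 1) tag[j]
                line = substr(line, p + length(key[j]))
            }
            line = out line
        }
        print line
    }'
}
```

In this sketch keywords are applied in list order, so a short keyword that is a substring of a longer one splits the longer match; review the generated lists for such overlaps.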

One more file, a shell script, is required in order to populate the above files using a cron job. This must be configured by the user and placed in "/opt/osnexus/quantastor/bin".

You can find the shell script that adds identifying information here: 

https://s3.amazonaws.com/qs-support-uploads/add_entries.sh

 

NOTE:

In order to run log collection with scrubbing enabled you will need to run the "qs-sendlogs" script with the "--scrub=1" option.

Example:

qs-sendlogs --scrub=1

 

By default, scrubbing of logs does not occur when you run the "qs-sendlogs" script.

 

 
