Configure SAP services to log outside of journald


Why should we do this – The story behind

Journald is an integral part of systemd. It is the centralized location for all messages logged by the different components of a modern Linux system. On a SUSE system all messages are additionally forwarded to rsyslog, so every log ends up both in systemd-journal and in a traditional log file. But what if we don’t want certain logs in journald, perhaps for security reasons? In our, maybe not too far-fetched, scenario we have an admin who is allowed to read the normal journald logs but not any files under /var/log/. SAP HANA is installed and configured to write its audit log entries to the system log (https://me.sap.com/notes/2624117), so confidential information lands in the journal of the OS. The question is now: how can we keep that confidential information out of the journal?

LogNamespace is our friend

Starting with systemd version 245 the LogNamespace feature was introduced. It gives us the possibility to define our own, independent log stream managed by its own instance of systemd-journald. So all we need to do is define a LogNamespace and tell the new systemd-journald instance not to store the messages itself but to forward them to rsyslog (where, in our scenario, the admins don’t have any rights).

The implementation

The implementation is quite easy. All we have to do is create three small files: a drop-in override for the HANA systemd service, a configuration file for the new journald instance, and an include file for rsyslog.

Create a drop-in file

Let’s assume our SAP HANA service file is SAPTS0_01.service. We can use the edit option of systemctl to create an override file for our changes:

 # systemctl edit SAPTS0_01.service
 [Service]
 LogNamespace=HANALog

The created override file is then:

 /etc/systemd/system/SAPTS0_01.service.d/override.conf


Configure the LogNamespace

A LogNamespace instance can be configured through /etc/systemd/journald@NAMESPACE.conf, so we can configure our own instance individually.
In our example we want to forward all the logs to rsyslog only, so in addition to ForwardToSyslog we set Storage to none, which keeps the new journald instance from storing anything at all.

 # vi /etc/systemd/journald@HANALog.conf
 [Journal]
 ForwardToSyslog=yes
 Storage=none


Adapt rsyslog to listen to that namespace

By default rsyslog listens on /run/systemd/journal/syslog. To get the HANALog stream into rsyslog we create an extra include file that adds the namespace’s own socket /run/systemd/journal.HANALog/syslog as a second source:

 # vi /etc/rsyslog.d/HANALog.conf
 # imuxsock is normally loaded by /etc/rsyslog.conf already; rsyslog refuses to
 # load the same input module twice, so keep this line only if it is not.
 module(load="imuxsock")
 # second unix socket input: the socket of the HANALog journald instance
 input(type="imuxsock" Socket="/run/systemd/journal.HANALog/syslog")

As an optional configuration, we can re-route all the audit logs (whose program name starts with HDB) to an extra file. Because rsyslog processes rules in order, this include must be read before the default rules in /etc/rsyslog.conf that write to /var/log/messages, otherwise the stop comes too late and the audit lines end up there as well; check where /etc/rsyslog.conf includes /etc/rsyslog.d/ relative to those rules.

 if ($programname startswith 'HDB') then {
        # write the audit lines to their own file ...
        action(type="omfile" file="/var/log/auditredirect.log")
        # ... and do not let any later rule (e.g. /var/log/messages) see them
        stop
 }


Reload and restart all the services

As a last step the systemd daemon should be reloaded and rsyslog restarted so that all changes take effect. Note that the LogNamespace drop-in only applies when the SAP service is started next, so the HANA service itself has to be restarted as well (in a maintenance window) before its messages leave the default journal.

 # systemctl daemon-reload
 # systemctl restart rsyslog.service

Please keep in mind that, especially at a high log message rate, the restart of rsyslog can cause the loss of some messages.
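The whole procedure as one script, added here as an example and not part of the original post or of any SUSE or SAP tooling: it generates the drop-in, the per-namespace journald configuration and the rsyslog include for a service and namespace name passed as parameters, checks the rsyslog syntax with rsyslogd -N1 before restarting anything, and afterwards sends one test message through the namespace with systemd-run to confirm it lands in the redirect file and not in the default journal. The ROOT staging prefix, the function names and the HDBcheck identifier are assumptions of this example; the file contents are exactly those shown above.

```shell
#!/bin/sh
# Added example (not SUSE's or SAP's own tooling): generate the three files
# from this post for one SAP service and namespace, syntax-check the rsyslog
# part, apply it, and send one test message through the namespace.
# Assumption: ROOT is a staging prefix (default "/") so the files can be
# previewed without root; service, namespace, prefix and file are parameters.
set -eu

ROOT="${ROOT:-}"   # e.g. ROOT=/tmp/stage previews the files without root

# systemd drop-in: run the service in its own journal namespace
write_dropin() {
    svc="$1"; ns="$2"
    d="$ROOT/etc/systemd/system/$svc.service.d"
    mkdir -p "$d"
    printf '[Service]\nLogNamespace=%s\n' "$ns" > "$d/override.conf"
}

# per-namespace journald config: store nothing locally, forward to syslog
write_journald_conf() {
    ns="$1"
    mkdir -p "$ROOT/etc/systemd"
    printf '[Journal]\nForwardToSyslog=yes\nStorage=none\n' \
        > "$ROOT/etc/systemd/journald@$ns.conf"
}

# rsyslog include: second imuxsock input on the namespace socket, plus the
# optional rule that routes messages from programs named "$prefix*" into
# $outfile and stops further processing (so they never reach /var/log/messages)
write_rsyslog_conf() {
    ns="$1"; prefix="$2"; outfile="$3"
    mkdir -p "$ROOT/etc/rsyslog.d"
    cat > "$ROOT/etc/rsyslog.d/$ns.conf" <<EOF
# module(load="imuxsock")   # only if /etc/rsyslog.conf does not load it already
input(type="imuxsock" Socket="/run/systemd/journal.$ns/syslog")

if (\$programname startswith '$prefix') then {
    action(type="omfile" file="$outfile")
    stop
}
EOF
}

# the namespace systemd will apply at the service's next start ("" if none)
effective_namespace() {
    systemctl show -p LogNamespace --value "$1.service"
}

apply() {
    svc="$1"; ns="$2"
    write_dropin "$svc" "$ns"
    write_journald_conf "$ns"
    write_rsyslog_conf "$ns" HDB /var/log/auditredirect.log
    rsyslogd -N1                      # check syntax before restarting the daemon
    systemctl daemon-reload
    systemctl restart rsyslog.service
    echo "LogNamespace for $svc at next start: $(effective_namespace "$svc")"
    echo "remember: $svc.service must be restarted to move into the namespace"
}

# end-to-end check: a transient unit inside the namespace writes one line with
# the syslog identifier HDBcheck (matches the HDB prefix); it must show up in
# the redirect file and must not appear in the default journal
verify() {
    ns="$1"; outfile="$2"
    systemd-run --quiet --wait -p "LogNamespace=$ns" -p SyslogIdentifier=HDBcheck \
        sh -c 'echo "namespace check"'
    sleep 1
    if journalctl -q -t HDBcheck --since=-5min | grep -q "namespace check"; then
        echo "FAIL: test message reached the default journal" >&2
        return 1
    fi
    grep -q "namespace check" "$outfile"
}

case "${1:-}" in
    apply)  apply SAPTS0_01 HANALog ;;
    verify) verify HANALog /var/log/auditredirect.log ;;
esac
```

Run it once with ROOT=/tmp/stage to review the generated files, then as root with `apply`, restart the SAP service, and finish with `verify`; the rsyslogd -N1 step aborts before any restart if the include has a syntax error, so a typo cannot take the running syslog down.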

Summary

Even though the solution above still passes the messages through a journald instance, it is possible to keep special logs in a separate file only, without leaving anything in the default journal.
The example above should only give some inspiration of what can be done with journald and rsyslog in general.
