Monitoring IBM Software Hub user activity

User activity monitoring helps you detect and stop potentially harmful or malicious activities. If you have an RSYSLOG server, you can configure IBM Software Hub to forward user activity information to the server.

Who needs to complete this task?

To complete this task, you must be either:

  • A cluster administrator
  • An instance administrator

When do you need to complete this task?

Complete this task if you want to implement user activity monitoring for IBM Software Hub.

Before you begin

Your RSYSLOG server can be inside or outside of the cluster.

Ensure that the following statements are true:
  • The RSYSLOG server is reachable from IBM Software Hub.
  • The UDP port on the server is open.
To complete this task you must have the following information:
  • The IP address, service address, or the fully qualified domain name of the server
  • The UDP port number

About this task

By default, IBM Software Hub sends JSON logs with the following information to your RSYSLOG server:
Parameter              Description
req_userid             The user's user ID.
http_referrer          The page that the user accessed.
request                The HTTP request type, such as GET, POST, PUT, and so on.
http_sec-fetch-dest    The type of resource that the user accessed, such as an image, document, audio file, script, and so on.
http_x_forwarded_for   The original IP address of a client before proxy.
time                   The time of the request in ISO 8601 format.
remote_addr            The client address after the last proxy.
upstream_addr          The IP address and port of the destination server.

You can optionally update the format of the logs to include the user's username (req_username).

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task.
    ${OC_LOGIN}
    Remember: OC_LOGIN is an alias for the oc login command.
  2. Set the following environment variables:
    1. Set the RSYSLOG_SERVER environment variable to the IP address, service address, or the fully qualified domain name of the RSYSLOG server:
      export RSYSLOG_SERVER=<rsyslog-address>
    2. Set the RSYSLOG_UDP_PORT environment variable to the UDP port on the RSYSLOG server:
      export RSYSLOG_UDP_PORT=<udp_port>
  3. Create a YAML file that you will use to patch the zen-nginx-config-cm ConfigMap.

    The command that you run depends on whether you want the JSON payload to include only user IDs or both user IDs and user names:


    The payload includes only user IDs
    cat <<EOF > zen-nginx-config-patch.yaml
    data:
      http.conf: |-
        log_format json_combined escape=json '{"req_userid":"\$req_userid","http_referrer":"\$http_referer","request":"\$request","http_sec-fetch-dest":"\$http_sec_fetch_dest","http_x_forwarded_for":"\$http_x_forwarded_for","time": "\$time_iso8601","remote_addr":"\$remote_addr","upstream_addr": "\$upstream_addr"}';
        #access_log off;
        access_log syslog:server=${RSYSLOG_SERVER}:${RSYSLOG_UDP_PORT},facility=local7,tag=cpd_nginx json_combined;
    EOF

    The payload includes user IDs and user names
    cat <<EOF > zen-nginx-config-patch.yaml
    data:
      http.conf: |-
        log_format json_combined escape=json '{"req_userid":"\$req_userid","req_username":"\$req_username","http_referrer":"\$http_referer","request":"\$request","http_sec-fetch-dest":"\$http_sec_fetch_dest","http_x_forwarded_for":"\$http_x_forwarded_for","time": "\$time_iso8601","remote_addr":"\$remote_addr","upstream_addr": "\$upstream_addr"}';
        #access_log off;
        access_log syslog:server=${RSYSLOG_SERVER}:${RSYSLOG_UDP_PORT},facility=local7,tag=cpd_nginx json_combined;
    EOF

    Tip: You can optionally update the contents of the log_format parameter with other predefined nginx variables if you want to include additional information in the logs.
  4. Use the zen-nginx-config-patch.yaml file to patch the zen-nginx-config-cm ConfigMap:
    oc patch cm zen-nginx-config-cm \
    -n=${PROJECT_CPD_INST_OPERANDS} \
    --patch-file=zen-nginx-config-patch.yaml
  5. Confirm that the changes were applied to the zen-nginx-config-cm ConfigMap:
    oc get cm zen-nginx-config-cm \
    -n=${PROJECT_CPD_INST_OPERANDS} \
    -o=yaml

    Confirm that the data portion of the ConfigMap matches the contents of the zen-nginx-config-patch.yaml file.
  6. Restart the ibm-nginx pods for the changes to take effect:
    oc delete pod \
    -n=${PROJECT_CPD_INST_OPERANDS} \
    -l component=ibm-nginx

Results

The logs are transmitted to the RSYSLOG server.

You can confirm that the logs are transmitted to the RSYSLOG server by looking for logs tagged with cpd_nginx.
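The following script is an added example and is not part of the IBM documentation or the product. It shows what a defender can do with the forwarded records described in "About this task": it reads lines in rsyslog's default file format, keeps only those carrying the cpd_nginx tag, parses the JSON payload that the log_format above produces, and summarizes activity per user ID (request count, mutating HTTP methods, distinct client addresses). The hostnames, user IDs, addresses and log lines are constructed for the example; the parser also tolerates lines with other tags or malformed bodies, which real log files contain.

```python
import json
import re
from collections import defaultdict

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample of what rsyslog writes to its log file for messages that
# ibm-nginx sends with tag=cpd_nginx. Hosts, users, paths and addresses are made up.
SAMPLE_RSYSLOG_LINES = """\
Mar  5 10:15:02 worker-1 cpd_nginx: {"req_userid":"1000331001","http_referrer":"https://cpd.example.com/home","request":"GET /zen/api/v1/projects HTTP/1.1","http_sec-fetch-dest":"empty","http_x_forwarded_for":"198.51.100.10","time": "2024-03-05T10:15:02+00:00","remote_addr":"10.128.2.14","upstream_addr": "10.128.3.22:3000"}
Mar  5 10:15:03 worker-1 cpd_nginx: {"req_userid":"1000331001","http_referrer":"https://cpd.example.com/home","request":"DELETE /zen/api/v1/projects/42 HTTP/1.1","http_sec-fetch-dest":"empty","http_x_forwarded_for":"198.51.100.10","time": "2024-03-05T10:15:03+00:00","remote_addr":"10.128.2.14","upstream_addr": "10.128.3.22:3000"}
Mar  5 10:15:09 worker-2 cpd_nginx: {"req_userid":"1000331001","http_referrer":"","request":"POST /zen/api/v1/export HTTP/1.1","http_sec-fetch-dest":"empty","http_x_forwarded_for":"203.0.113.77","time": "2024-03-05T10:15:09+00:00","remote_addr":"10.128.2.15","upstream_addr": "10.128.3.23:3000"}
Mar  5 10:15:10 worker-2 cpd_nginx: {"req_userid":"1000331002","http_referrer":"https://cpd.example.com/home","request":"GET /zen/static/logo.png HTTP/1.1","http_sec-fetch-dest":"image","http_x_forwarded_for":"192.0.2.5","time": "2024-03-05T10:15:10+00:00","remote_addr":"10.128.2.14","upstream_addr": "10.128.3.22:3000"}
Mar  5 10:15:11 worker-2 sshd[1234]: Accepted publickey for core from 192.0.2.9 port 50000
Mar  5 10:15:12 worker-2 cpd_nginx: not-json-garbage
"""

# rsyslog's default file format: "Mon dd HH:MM:SS host tag[pid]: message"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<tag>[\w.-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)


def parse_rsyslog_line(line, tag="cpd_nginx"):
    """Return the JSON payload of one rsyslog line carrying `tag`, or None.

    Lines with another tag or a non-JSON body are skipped rather than raising,
    so one bad line cannot stop a batch. Derived fields (method, path, client_ip)
    are added to the returned dict."""
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("tag") != tag:
        return None
    try:
        rec = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "request" not in rec:
        return None
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    # X-Forwarded-For can be a comma-separated chain of proxies; the first hop is
    # the original client. Fall back to remote_addr when the header is absent.
    xff = rec.get("http_x_forwarded_for", "")
    rec["client_ip"] = xff.split(",")[0].strip() or rec.get("remote_addr", "")
    rec["relay_host"] = m.group("host")
    return rec


def summarize_by_user(lines):
    """Aggregate parsed records per req_userid."""
    summary = defaultdict(
        lambda: {"requests": 0, "mutating": 0, "sources": set(), "paths": set()}
    )
    for line in lines:
        rec = parse_rsyslog_line(line)
        if rec is None:
            continue
        user = rec.get("req_userid") or "<anonymous>"  # empty ID: unauthenticated request
        s = summary[user]
        s["requests"] += 1
        s["sources"].add(rec["client_ip"])
        s["paths"].add(rec["path"])
        if rec["method"] in MUTATING_METHODS:
            s["mutating"] += 1
    return dict(summary)


def users_with_multiple_sources(summary):
    """User IDs seen from more than one client address in the batch: a simple
    review trigger (shared credentials, session reuse, or a legitimate mobile user)."""
    return sorted(u for u, s in summary.items() if len(s["sources"]) > 1)


if __name__ == "__main__":
    result = summarize_by_user(SAMPLE_RSYSLOG_LINES.splitlines())
    for user, s in sorted(result.items()):
        print(f"{user}: {s['requests']} requests, {s['mutating']} mutating, "
              f"sources={sorted(s['sources'])}")
    print("users seen from more than one client address:",
          users_with_multiple_sources(result))
```

Pointing the script at the file rsyslog writes for facility local7 (or at `journalctl`-style exported text in the same format) gives a first pass at the "look for logs tagged with cpd_nginx" check above; the per-user summary is where an analyst would add thresholds, for example on mutating requests per minute or on paths that should only be reached by administrators.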