-
Notifications
You must be signed in to change notification settings - Fork 687
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change default apache logrotate config #304
Comments
What is the current logrotate interval? We only store Apache logs for the Document Interface anyway, so this is not relevant to minimizing metadata about source behavior. If anything, given our current turnaround on support tickets, 1 day of retention is insufficient and would hamstring us in our efforts to do remote troubleshooting using the logs. I propose we move this off the 0.4 milestone and revisit at a later date, or close this entirely. |
@garrettr The apache logs are currently set to 52 weekly rotations, meaning compressed logs will remain on disk for approximately one year. Since we don't log the Source Interface, that logging only applies to the Journalist Interface—however, the Journalist Interface logging is currently broken (#1606), so right now zero useful information exists on-disk about Journalist behavior. |
I think persisting logs for 2 weeks would be a reasonable first step. Ideally, we'd be able to reduce this further, but that will require some combination of better support turnaround, and implementation of the opt-in log reporting we've discussed. |
@redshiftzero Hackathon candidate. |
A day is certainly too short, but a month or two is reasonable. |
Agreed with @redshiftzero: let's set the new default logrotate value to 1-2 months. Once the change is made in the Ansible config logic, a playbook run (via As stated above, the logrotate functionality is only relevant for the Journalist Interface (previously called the "Document Interface"; see #1384), as the Source Interface does not log visitor interactions in production. |
Keeping, the existing PR would need to be updated to cover existing instances without a playbook run, but the change is still valid. |
I believe the status quo has changed since this was last seriously discussed, as Debian switched the default from 52 weeks (which SecureDrop inherited back in 2017) to 2 weeks, which is what psivesely suggested. So the current proposal to set it to 30 days is actually increasing log retention, not decreasing it. My initial impression is that I don't think there's a problem for us to solve anymore. I don't believe anyone has ever argued for 1 month in the context of needing that much retention at minimum, just that 52 weeks was too long, and 1 month was a reasonable place to shorten it to (which I'd be on board with). But now that we're at 2 weeks, I'm okay with leaving it like that, keeping in mind that I can't think of a time in the past 3 years having the extra retention would've been useful, and to increase the retention, it'll require extra maintenance work for us to get the PR merged and keep the logrotate file up to date with Debian. I'll put this on the agenda for the first team meeting next year for further discussion. |
Change default apache logrotate to rotate every day and only retain 1 day. This should give enough time for any personnel to get on site for organizations that may opt not to enable ssh.
Since sensitive information could be in error messages the logs should be securely deleted.
The text was updated successfully, but these errors were encountered: