On Thu, 27 Jun 2013 13:12:49 -0600
Stephen John Smoogen <smooge(a)gmail.com> wrote:
On 25 June 2013 13:16, seth vidal <skvidal(a)fedoraproject.org>
wrote:
> Last week when we were talking about spawning rdiff-backup to backup
> our systems, we diverged into discussing app/apache logs and the
> somewhat complicated system we currently have for grabbing those
> logs.
>
> Right now we have a list of hosts on log02 that it should grab logs
> from. Those hosts need to have rsyncd running on them to allow
> access from log02 to fetch the /var/log/httpd/ path from them.
>
> That requires 2 things to be coupled and it is a bit awkward if you
> set up a host that is tricky to access from log02 or isn't on the
> vpn.
>
> In general I also am not in love with having to have rsyncd
> listening on systems - even if it is ip-restricted.
>
> So the thought was we could do something like this on log02:
>
> 1. setup an ssh key on log02 that can run rsync to /var/log/httpd on
> all hosts
> 2. make any host that needs to have its logs retrieved be marked in
> the ansible inventory host/group vars
> 3. git clone public-ansible-repo onto log02
> 4. use group_by to construct a group of the hosts which can then be
> retrieved using rsync.
>
> The sole reason for using ansible here is so we can keep the log
> sync info in our inventory and to parallelize the retrieval of logs.
>
> This is more or less identical to what we talked about for backups
> using rdiff-backup.
>
>
My question is will a person who is on log02 be able to ssh into every
rsyncable host as root like they can do so from lockbox, or will we be
using a sub-user who can be ssh'd from log02 to get the log files? I
am just wanting to keep the number of systems we need to really worry
about to a minimum so we aren't ending up with whack-a-mole later.

1. we could do a separate user - we just have to make
sure /var/log/httpd stays 'open' to that user - which is actually quite
tricky in the face of apache updated rpms
2. we could also just keep using rsync - but over ssh and restrict that
particular ssh key to only running rsync and only from one path.

-sv
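One way option 2 above could be enforced on each web host, as an added example that is not code from the thread or from Fedora infrastructure: a forced-command wrapper for the log02 key that only lets an rsync pull of /var/log/httpd/ through. The wrapper path /usr/local/bin/log-rsync-only and the key comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Referenced from authorized_keys on each
# web host, with the other restrictions sshd offers (hypothetical key line):
#   command="/usr/local/bin/log-rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... log02-logsync
# sshd stores the command the client asked for in SSH_ORIGINAL_COMMAND; only an
# rsync server-mode "sender" invocation rooted at ALLOWED_PATH is executed.

ALLOWED_PATH="/var/log/httpd/"

# allow_rsync_command CMD: returns 0 if CMD is an rsync pull of the log
# directory, 1 for anything else (pushes, other paths, shells, chained commands).
allow_rsync_command() {
    cmd=$1
    # Reject shell metacharacters and globs outright; rsync never needs them here.
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'$'*|*'`'*|*'>'*|*'<'*|*'*'*|*'?'*|*'['*) return 1 ;;
    esac
    set -- $cmd
    [ "$1" = "rsync" ] || return 1
    [ "$2" = "--server" ] || return 1
    # --sender means the host sends data to log02; without it log02 could write.
    [ "$3" = "--sender" ] || return 1
    # The last argument is the source path rsync will read from.
    eval "src=\${$#}"
    case "$src" in
        "$ALLOWED_PATH"|"$ALLOWED_PATH"*) ;;
        *) return 1 ;;
    esac
    case "$src" in *'..'*) return 1 ;; esac
    shift 3
    # Everything between --sender and the path must be rsync options or the
    # "." placeholder rsync passes in server mode.
    while [ $# -gt 1 ]; do
        case "$1" in -*|.) ;; *) return 1 ;; esac
        shift
    done
    return 0
}

# Only act when invoked by sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # Word splitting is intended: the command has already been validated.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -p auth.warning "log-rsync-only: rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Rejected commands are logged with the auth facility, so attempts to use the key for anything other than the log pull show up on the host side as well as on log02.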