Copying Plesk Action Log Records to an External Server
Logs are the most fundamental way to determine user, system, and application activity on a network.
If an attacker has gained access to the Plesk root or Administrator account, they can delete evidence of hacking by tampering with logs.
In compliance with the NIS2 directive, organizations must guarantee that logs are complete, accurate, and safeguarded against any unauthorised modifications or disruptions. To protect logs and make your Plesk server NIS2 compliant, you need to configure Plesk to send a copy of Plesk Action Log records to an external log server.
Caution: Logs copied from Plesk to an external log server can contain GDPR-related data (for example, IP addresses, logins, and so on). Make sure to configure the external log server correctly to process the logs according to the GDPR requirements.
Configure your Plesk server to send a copy of Plesk Action Log records to an external log server:
1. Enable the logging of Plesk events to the system logging service (syslog in Plesk for Linux and Event Log in Plesk for Windows) by adding the following lines to the panel.ini file:

       [actionLog]
       syslog = true

   Note: In Plesk for Linux, you can also change the log facility by adding lines of the following pattern to the panel.ini file:

       [actionLog]
       syslogFacility = local0 ; the default facility

2. Configure the system logging service to send a copy of logs to an external log server via a third-party tool (for example, rsyslog for Linux and Windows Event Collector for Windows).
The exact procedure for step 2 of the instruction above depends on the OS your Plesk is running on. For more information, see the documentation of your OS vendor.
Below you can see how to configure the system logging service (syslog) in Plesk for Linux via rsyslog.
(Plesk for Linux) Configure syslog to send a copy of logs to an external log server via rsyslog:
1. Log in to the external log server via SSH.

2. Add the following lines to the /etc/rsyslog file, and then save it:

       module(load="imtcp")
       input(type="imtcp" port="514")
       local0.* /var/log/pleskactions

   Note: The external log server will store a copy of Plesk Action Log records in the /var/log/pleskactions file.

3. Restart rsyslog by running the following command:

       systemctl restart rsyslog

4. Log in to your Plesk server.

5. Add lines of the following pattern to the /etc/rsyslog file, and then save it:

       local0.* action(type="omfwd" target="<IP address of the external log server>" port="514" protocol="tcp")

   For example:

       local0.* action(type="omfwd" target="192.0.2.1" port="514" protocol="tcp")

6. Restart rsyslog by running the following command:

       systemctl restart rsyslog
Plesk will now send a copy of Action Log records to the external log server.
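The forwarding rule above selects on local0, so if syslogFacility in panel.ini is changed and the rsyslog selector is not, Action Log records stop leaving the server without any error. The following check is an added example, not part of the Plesk documentation: it reads the text of both files and reports that mismatch, a disabled syslog setting, or a target left as the placeholder. The function names and the local3 sample value are assumptions made for illustration.

```python
import configparser
import re

# selector + action(...) on one line, as in the forwarding rule on this page
RULE = re.compile(r'^[ \t]*(?P<sel>[^\s#]\S*)[ \t]+action\((?P<params>[^)\n]*)\)', re.M)
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def plesk_facility(panel_ini):
    """Facility Plesk logs to, or None when syslog logging is off."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None, strict=False)
    cp.read_string(panel_ini)
    if not cp.getboolean("actionLog", "syslog", fallback=False):
        return None
    return cp.get("actionLog", "syslogFacility", fallback="local0").strip()

def forwarding_targets(rsyslog_conf, facility):
    """(target, port, protocol) per matching omfwd rule; omfwd defaults are 514/udp."""
    out = []
    for m in RULE.finditer(rsyslog_conf):
        p = {k.lower(): v for k, v in PARAM.findall(m.group("params"))}
        sel_fac = m.group("sel").split(".", 1)[0].lower()
        if p.get("type") == "omfwd" and sel_fac in (facility.lower(), "*"):
            out.append((p.get("target", ""), p.get("port", "514"), p.get("protocol", "udp")))
    return out

def audit(panel_ini, rsyslog_conf):
    """Return a list of findings; an empty list means a forwarding rule matches."""
    facility = plesk_facility(panel_ini)
    if facility is None:
        return ["panel.ini: [actionLog] syslog is not enabled"]
    targets = forwarding_targets(rsyslog_conf, facility)
    if not targets:
        return [f"rsyslog: no omfwd rule for facility {facility}"]
    findings = []
    for target, port, proto in targets:
        if not target or target.startswith("<"):
            findings.append("rsyslog: omfwd target is missing or still a placeholder")
        if proto.lower() != "tcp":
            findings.append(f"rsyslog: {target} uses {proto}, not tcp as in the rule above")
    return findings

# Constructed inputs: the page's settings, then a facility changed on one side only.
PANEL_DEFAULT = "[actionLog]\nsyslog = true\n"
PANEL_LOCAL3 = "[actionLog]\nsyslog = true\nsyslogFacility = local3 ; constructed value\n"
RSYSLOG_FWD = 'local0.* action(type="omfwd" target="192.0.2.1" port="514" protocol="tcp")\n'

if __name__ == "__main__":
    for name, ini in (("default", PANEL_DEFAULT), ("local3", PANEL_LOCAL3)):
        print(name, audit(ini, RSYSLOG_FWD) or "ok")
```

The check handles only single-facility selectors written on one line with action(), which is the form this page uses.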