From dca562b7b4308d75d811d91ce79c9d6e6da597f9 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Fri, 14 Nov 2025 10:37:09 +0000 Subject: [PATCH] docs: reference log forwarding runbook in sensor proxy guides --- docs/TEMPERATURE_MONITORING.md | 3 +++ docs/TEMPERATURE_MONITORING_SECURITY.md | 4 ++++ docs/security/pulse-sensor-proxy-hardening.md | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/TEMPERATURE_MONITORING.md b/docs/TEMPERATURE_MONITORING.md index 3fc614a..f2956c8 100644 --- a/docs/TEMPERATURE_MONITORING.md +++ b/docs/TEMPERATURE_MONITORING.md @@ -966,6 +966,9 @@ ls -l /run/pulse-sensor-proxy/pulse-sensor-proxy.sock journalctl -u pulse-sensor-proxy -f ``` +Forward these logs off-host for retention by following +[operations/sensor-proxy-log-forwarding.md](operations/sensor-proxy-log-forwarding.md). + In the Pulse container, check the logs at startup: ```bash # Should see: "Temperature proxy detected - using secure host-side bridge" diff --git a/docs/TEMPERATURE_MONITORING_SECURITY.md b/docs/TEMPERATURE_MONITORING_SECURITY.md index dec1502..6bf5684 100644 --- a/docs/TEMPERATURE_MONITORING_SECURITY.md +++ b/docs/TEMPERATURE_MONITORING_SECURITY.md @@ -243,6 +243,10 @@ journalctl -u pulse-sensor-proxy -f journalctl -u pulse-backend -f ``` +Want off-host retention? Forward `audit.log` and `proxy.log` using +[`scripts/setup-log-forwarding.sh`](operations/sensor-proxy-log-forwarding.md) +so events land in your SIEM with RELP + TLS. + **Audit rotation**: Use the steps in [operations/audit-log-rotation.md](operations/audit-log-rotation.md) to rotate `/var/log/pulse/sensor-proxy/audit.log`. After each rotation, restart the proxy and confirm temperature pollers are healthy in `/api/monitoring/scheduler/health` (closed breakers, no DLQ entries). ### Security Events to Monitor diff --git a/docs/security/pulse-sensor-proxy-hardening.md b/docs/security/pulse-sensor-proxy-hardening.md index 43c7931..8d1ed97 100644 --- a/docs/security/pulse-sensor-proxy-hardening.md +++ b/docs/security/pulse-sensor-proxy-hardening.md @@ -49,4 +49,4 @@ podman run --seccomp-profile /opt/pulse/security/seccomp/pulse-sensor-proxy.json ## Operational Notes - Use `journalctl -t auditbeat -g pulse-sensor-proxy` or `aa-status` to confirm profile status. -- Pair with network ACLs (see `docs/security/pulse-sensor-proxy-network.md`) and log shipping (`scripts/setup-log-forwarding.sh`). +- Pair with network ACLs (see `docs/security/pulse-sensor-proxy-network.md`) and log shipping via [`scripts/setup-log-forwarding.sh` + the RELP runbook](../operations/sensor-proxy-log-forwarding.md).