Copying Plesk Action Log Records to an External Server

Logs are the most fundamental way to determine user, system, and application activity on a network. If an attacker has gained access to the Plesk root or Administrator account, they can delete evidence of hacking by tampering with logs.

In compliance with the NIS2 directive, organizations must guarantee that logs are complete, accurate, and safeguarded against any unauthorised modifications or disruptions. To protect logs and make your Plesk server NIS2 compliant, you need to configure Plesk to send a copy of Plesk Action Log records to an external log server.

Prudence

Logs copied from Plesk to an external log server can contain GDPR-related data (for example, IP addresses, logins, an so on). Make sure to configure the external log server correctly to process the logs according to the GDPR requirements.

Configure your Plesk server to send a copy of Plesk Action Log records to an external log server:

  1. Enable the logging of Plesk events to the system logging service (syslog in Plesk for Linux and Event Log in Plesk for Windows) by adding the following lines to the panel.ini file:

    [actionLog]
    syslog = true
    

    Note

    In Plesk for Linux, you can also change the log facility by adding lines of the following pattern to the panel.ini file

    [actionLog]
    syslogFacility = local0 ; the default facility
    
  2. Configure the system logging service to send a copy of logs to an external log server via a third-party tool (for example, rsyslog for Linux and Windows Event Collector for Windows).

The exact procedure for step 2 of the instruction above depends on the OS your Plesk is running on. For more information, see the documentation of your OS vendor.

Below you can see how to configure the system logging service (syslog) in Plesk for Linux via rsyslog.

(Plesk for Linux) Configure syslog to send a copy of logs to an external log server via rsyslog:

  1. Log in to the external log server via SSH.

  2. Ajoutez les lignes suivantes au fichier /etc/rsyslog et enregistrez-le :

    module(load="imtcp")
    input(type="imtcp" port="514")
    
    local0.*  /var/log/pleskactions
    

    Note

    The external log server will store a copy of Plesk Action Log records in the /var/log/pleskactions file.

  3. Restart rsyslog by running the following command:

    systemctl restart rsyslog
    
  4. Log in to your Plesk server.

  5. Add lines of the following pattern to the /etc/rsyslog file, and then save it:

    local0.* action(type="omfwd" target="<IP address of the external log server>" port="514" protocol="tcp")
    

    Par exemple :

    local0.* action(type="omfwd" target="192.0.2.1" port="514" protocol="tcp")
    
  6. Restart rsyslog by running the following command:

    systemctl restart rsyslog
    

Plesk will now send a copy of Action Log records to the external log server.