Copying Plesk Action Log Records to an External Server
Logs are the most fundamental way to determine user, system, and application activity on a network.
If an attacker has gained access to the Plesk root or Administrator account, they can delete evidence of hacking by tampering with logs.
In compliance with the NIS2 directive, organizations must guarantee that logs are complete, accurate, and safeguarded against any unauthorised modifications or disruptions. To protect logs and make your Plesk server NIS2 compliant, you need to configure Plesk to send a copy of Plesk Action Log records to an external log server.
Caution
Logs copied from Plesk to an external log server can contain GDPR-related data (for example, IP addresses, logins, and so on). Make sure to configure the external log server correctly to process the logs according to the GDPR requirements.
Configure your Plesk server to send a copy of Plesk Action Log records to an external log server:
1. Enable the logging of Plesk events to the system logging service (syslog in Plesk for Linux and Event Log in Plesk for Windows) by adding the following lines to the panel.ini file:
    [actionLog]
    syslog = true
   Note
   In Plesk for Linux, you can also change the log facility by adding lines of the following pattern to the panel.ini file:
    [actionLog]
    syslogFacility = local0 ; the default facility
2. Configure the system logging service to send a copy of logs to an external log server via a third-party tool (for example, rsyslog for Linux and Windows Event Collector for Windows).
The exact procedure for step 2 of the instruction above depends on the OS your Plesk is running on. For more information, see the documentation of your OS vendor.
Below you can see how to configure the system logging service (syslog) in Plesk for Linux via rsyslog.
(Plesk for Linux) Configure syslog to send a copy of logs to an external log server via rsyslog:
1. Log in to the external log server via SSH.
2. Add the following lines to the /etc/rsyslog file, and then save it:
    module(load="imtcp")
    input(type="imtcp" port="514")
    local0.* /var/log/pleskactions
   Note
   The external log server will store a copy of Plesk Action Log records in the /var/log/pleskactions file.
3. Restart rsyslog by running the following command:
    systemctl restart rsyslog
4. Log in to your Plesk server.
5. Add lines of the following pattern to the /etc/rsyslog file, and then save it:
    local0.* action(type="omfwd" target="<IP address of the external log server>" port="514" protocol="tcp")
   For example:
    local0.* action(type="omfwd" target="192.0.2.1" port="514" protocol="tcp")
6. Restart rsyslog by running the following command:
    systemctl restart rsyslog
Plesk will now send a copy of Action Log records to the external log server.
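
A consistency check for the three files edited above, as an added example that is not part of the Plesk documentation: it confirms that the facility set in panel.ini is the one selected by the omfwd rule on the Plesk server and by the file rule on the log server, and that the forwarding port matches the imtcp listener. The function names and the sample file contents are constructed for illustration, and the parser assumes the simple rule syntax shown on this page.

```python
import configparser
import re

# Constructed sample: panel.ini moved to local3, rsyslog rules left as shown on the page.
PANEL_INI = "[actionLog]\nsyslog = true\nsyslogFacility = local3 ; changed from local0\n"
SENDER_CONF = 'local0.* action(type="omfwd" target="192.0.2.1" port="514" protocol="tcp")\n'
RECEIVER_CONF = ('module(load="imtcp")\ninput(type="imtcp" port="514")\n'
                 "local0.* /var/log/pleskactions\n")

def plesk_facility(panel_ini):
    """Facility Plesk logs to, or None when syslog logging is not enabled."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(panel_ini)
    if not cp.getboolean("actionLog", "syslog", fallback=False):
        return None
    return cp.get("actionLog", "syslogFacility", fallback="local0")

def rules(conf):
    """Yield (facility, action) for simple 'facility.priority action' lines."""
    for line in conf.splitlines():
        m = re.match(r"\s*(\w+|\*)\.\S+\s+(.+)", line.split("#", 1)[0])
        if m:
            yield m.group(1), m.group(2).strip()

def port_of(text, pattern):
    """First port number captured by pattern, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def check(panel_ini, sender_conf, receiver_conf):
    """Return the problems that would keep Action Log records off the log server."""
    facility = plesk_facility(panel_ini)
    if facility is None:
        return ["panel.ini: [actionLog] syslog is not enabled"]
    problems = []
    fwd = [a for f, a in rules(sender_conf)
           if f in (facility, "*") and 'type="omfwd"' in a]
    if not fwd:
        problems.append(f"Plesk server: no omfwd rule selects facility {facility}")
    if not any(f in (facility, "*") and a.startswith("/")
               for f, a in rules(receiver_conf)):
        problems.append(f"log server: no file rule selects facility {facility}")
    listen = port_of(receiver_conf, r'input\(type="imtcp"[^)]*port="(\d+)"')
    for a in fwd:
        if port_of(a, r'port="(\d+)"') != listen:
            problems.append(f"omfwd port does not match imtcp listener port {listen}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(PANEL_INI, SENDER_CONF, RECEIVER_CONF)) or "OK")
```

With the constructed sample, both rsyslog rules still select local0 while Plesk writes to local3, so the check reports that no records would be forwarded or stored.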