| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | LSobanski | T111653 Encrypt all the things |
| Resolved | | Jgreen | T142994 configure TLS for fundraising syslog collection |
| Resolved | | Jgreen | T145116 replace indium (eqiad fundraising logger) with new hardware running jessie |
| Unknown Object (Task) | | | |
| Unknown Object (Task) | | | |
| Unknown Object (Task) | | | |
| Resolved | | faidon | T159336 deploy firewall policies for (barium,lutetium,db1025,indium) replacements (civi1001,frdev1001,frdb1002,frlog1001) |
| Resolved | | Jgreen | T163127 rack and cable frlog1001 |
| Resolved | | Cmjohnson | T164748 configure RAID on frlog1001 |
Event Timeline
note that firewall access is added with this commit:
commit 75a8183fa45b36339660cbde6deaa67f7de3112f
Author: The Root <root@boron.frack.eqiad.wmnet>
Date: Tue Jan 24 19:58:15 2017 +0000
iptables/pfw policies for SIEM testing (T156146) and for syslog-over-tls 6514/tcp
I was going to do this by switching the existing 10514/tcp listener from imtcp to imptcp, and enabling imtcp on 6514/tcp with gtls. But indium is still Precise and the ancient rsyslog release doesn't support imptcp. So I think it's simplest to defer this task until we deploy indium's replacement.
also this requires a new internal use CA and certs, and we'll need to monitor for cert expiration
pfw/iptables policies to remove 10514/tcp (fundraising private puppet):
commit 8e403abe1e552b078d217479c9f48ed23d892380
Author: Jeff Green <jgreen@wikimedia.org>
Date: Mon Mar 6 15:32:57 2017 +0000
iptables and pfw policies for replacement hosts, remove deprecated 10514/tcp Bug: T142994,T145107,T145110,T145116
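The listener layout proposed in the timeline above (plaintext 10514/tcp moved to imptcp, imtcp on 6514/tcp with gtls), sketched as an rsyslog configuration. This is an added example, not the fundraising configuration: the file paths and the permitted peer name are placeholders, and it assumes an rsyslog release with RainerScript syntax and the imptcp module.

```conf
# Added example; paths and peer names are placeholders, not values from this task.

# TLS driver and key material, with certificates issued by the internal-use CA.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog/tls/ca.pem"         # placeholder path
    DefaultNetstreamDriverCertFile="/etc/rsyslog/tls/server.pem"   # placeholder path
    DefaultNetstreamDriverKeyFile="/etc/rsyslog/tls/server.key"    # placeholder path
)

# Stream-driver settings given on module() apply to every imtcp listener,
# so imtcp is dedicated to the TLS port.
module(
    load="imtcp"
    StreamDriver.Mode="1"                  # 1 = TLS only
    StreamDriver.AuthMode="x509/name"      # client cert must chain to the CA and match a permitted name
    PermittedPeer=["*.example.internal"]   # placeholder: names of the hosts allowed to send
)
input(type="imtcp" port="6514")

# Transitional plaintext listener. imptcp has no TLS support, which is why the
# legacy port moves here instead of staying on imtcp.
# Delete these two lines once every sender uses 6514/tcp, matching the later
# firewall change that removes 10514/tcp.
module(load="imptcp")
input(type="imptcp" port="10514")
```

With `x509/name`, a client whose certificate has expired or does not chain to the CA is rejected at the handshake, so expiry monitoring on both the server and sender certificates is what keeps log collection from silently stopping.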