From 0105ccdd6846cf39b04e40dc27a80fa4ffe34927 Mon Sep 17 00:00:00 2001 From: jaskaransarkaria Date: Mon, 19 Jun 2023 15:28:33 +0100 Subject: [PATCH] =?UTF-8?q?docs:=20=E2=9C=8F=EF=B8=8F=20update=20instructi?= =?UTF-8?q?ons=20to=20get=20modsec=20logs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../source/get-audit-log-from-modsec.html.md.erb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/runbooks/source/get-audit-log-from-modsec.html.md.erb b/runbooks/source/get-audit-log-from-modsec.html.md.erb index 1eec9c45..091365f6 100644 --- a/runbooks/source/get-audit-log-from-modsec.html.md.erb +++ b/runbooks/source/get-audit-log-from-modsec.html.md.erb 
@@ -1,15 +1,19 @@ --- title: Get an audit log from modsec weight: 8600 -last_reviewed_on: 2023-03-16 +last_reviewed_on: 2023-05-19 review_in: 3 months --- -# Get an audit log from modsec +# Opensearch modsec setup + +We have introduced an opensearch dashboard which collects all modsec logs and has document level security enabled. This means users can only access the logs for the github team they are in (see here for more details)[https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html]. With this feature in place users can self serve and access their own modsec logs. In the case of a rare error, we may shut off logs to the dashboard (from fluent-bit) and then you must use the instructions below to access modsec logs on behalf of the user. + +## Get an audit log from modsec (when fluent-bit is not pushing to opensearch) On occasion users may need you to provide them with audit log information on an modsec event from our ingress-controllers. This information may be sensitive so it can't be placed in our org-wide Elasticsearch cluster. You'll need to fetch this information from the pod that generated the log. -## How do I check the audit log +### How do I check the audit log As mentioned above, the audit log cannot be placed into Elasticsearch so you'll need the following: @@ -32,7 +36,7 @@ example: https://mojdt.slack.com/archives/C57UPMZLY/p1630936971082200 - Kubectl access to the live cluster and access to the `ingress-controllers` namespace. -## Perform a search for the unique-id (obtained from the Kibana entry) +### Perform a search for the unique-id (obtained from the Kibana entry) ``` # assuming the event id is 16494071776.005464
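Review bot: the link in the new introductory paragraph has its markdown delimiters swapped. `(see here for more details)[https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html]` renders as literal parenthesised text followed by a bracketed URL rather than a hyperlink; it should be `[see here for more details](https://user-guide.cloud-platform.service.justice.gov.uk/documentation/networking/modsecurity.html)`. Two smaller points in the same hunk: the frontmatter `title: Get an audit log from modsec` is left as is while the H1 becomes `# Opensearch modsec setup`, so the navigation title and the page heading will disagree once the page is rebuilt, and `last_reviewed_on` is bumped to 2023-05-19 although the patch itself is dated 19 Jun 2023, so the review clock already starts a month behind.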
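Review bot: the heading demotion in the second hunk (`## Perform a search for the unique-id ...` to `###`) matches the new hierarchy introduced by the first hunk, so the section nesting stays consistent; no change needed there. One nit while this block is being touched: the code fence that follows the heading is an untagged ``` block containing shell commands (the `# assuming the event id is 16494071776.005464` comment), and tagging it as `bash` would give the rendered runbook syntax highlighting and make clear that the block is meant to be typed into a terminal.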