docs(admin/policy): document ReadWritePaths for logging to files (#1469)

The default Anubis systemd configuration is very restrictive in order to prevent any possible compromise of Anubis to be useful by threat actors. As such, it assumes all logs will be pushed to the system journal. Some administrators do not want Anubis' logs to be pushed to the system journal and want Anubis to log to a file instead. This change documents how to set up ReadWritePaths in the Anubis systemd configuration such that Anubis can lot to a file as administrators expect. Closes: #1468 Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-09 18:18:49 +00:00 · 2026-02-19 07:24:34 -05:00
parent 35b5e78a0d
commit f38210fd84
1 changed files with 26 additions and 0 deletions
--- a/docs/docs/admin/policies.mdx
+++ b/docs/docs/admin/policies.mdx
@@ -393,6 +393,32 @@ logging:

 When files are rotated out, the old files will be named after the rotation timestamp in [RFC 3339 format](https://www.rfc-editor.org/rfc/rfc3339).

+:::note
+
+If you are running Anubis in systemd via a native package, the default systemd unit settings are very restrictive and will forbid writing to folders in `/var/log`. In order to fix this, please make a [drop-in unit](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/) like the following:
+
+```text
+# /etc/systemd/anubis@instance-name.service.d/50-var-log-readwrite.conf
+[Service]
+ReadWritePaths=/run /var/log/anubis
+```
+
+Once you write this to the correct place, reload the systemd configuration:
+
+```text
+sudo systemctl daemon-reload
+```
+
+And then restart Anubis:
+
+```text
+sudo systemctl restart anubis@instance-name
+```
+
+You may be required to make drop-ins for each Anubis instance depending on the facts and circumstances of your deployment.
+
+:::
+
 ### `stdio` sink

 By default, Anubis logs everything to the standard error stream of its process. This requires no configuration: