Setting up Adminbot and Auditbot

Overview

Adminbot allows for an Element Administrator to become admin in any existing room or space on a managed homeserver. This enables you to delete rooms for which the room administrator has left your company and other useful administration actions.

Auditbot allows you to have the ability to export any communications in any room that the auditbot is a member of, even if encryption is in use. This is important in enabling you to handle compliance requirements that require chat histories be obtainable.

On using Admin Bot and Audit Bot

Currently, we deploy a special version of Element Web to allow you to log in as the adminbot and auditbot. Given this, please do not make changes to widgets in rooms while logged in as the adminbot or the auditbot. The special Element Web does not have any custom settings that you have applied to the main Element Web that your users use and as such, you can cause problems for yourself by working with widgets as the adminbot and auditbot. In the future, we are working to provide custom interfaces for these bots.

Configuring Admin Bot

From the Installer's Integrations page, click "Install" under "Admin Bot"

~~For~~You will then see the ~~adminbot.yml~~following:

~~presented~~ by

Your first choice is to configure adminbot or enable this server as part of a federated adminbot cluster. For most cases, you'll want to select "Configure Adminbot".

Below this, we have a checkbox to either allow the ~~installer, edit the file and ensure the following values are set:~~

bot_backup_phrase: adminsecret
bot_data_path: /mnt/data/adminbot
bot_data_size: 10M

enable_dm_admin: false

join_local_rooms_only: true
access_elementweb_fqdn: adminbot.airgap.local

~~Let's discuss them:~~

~~bot_backup_phrase~~~~: This is the security phrase that will guard access~~ to ~~your~~participate ~~encryption~~in ~~keys.~~DM Dorooms ~~NOT~~(rooms ~~share~~with 1-2 people) or not.

We also have a checkbox to join local rooms only. You probably want to leave this ~~phrase with anyone. This is required.~~

~~bot_data_path~~~~: This is the directory where the bot's data will be stored.~~on. If you ~~need~~turn it off, the adminbot will try to join any federated rooms that your server is joined to.

Moving on, we also have the ability to change the ~~path,~~logging ~~please~~level ~~do,~~and ~~but~~set ~~for~~the ~~most~~username ~~cases,~~of ~~you~~the ~~can~~bot.
~~leave~~
After ~~this~~this, ~~alone.~~we Ifhave ~~you~~the ~~are deploying~~ability to ~~Kubernetes,~~set ~~you~~the ~~need~~"Backup Passphrase" which is used to ~~comment~~gain ~~this out!~~

~~bot_data_size~~~~: In most cases, you can leave this at 10M, but it does put a limit on the amount of data that can be written by the bot~~access to the ~~path.~~

key

backup ~~enable_dm_admin~~:store.
~~This~~
Two ~~defaults to~~ false ~~and~~settings that ~~behavior means that adminbot~~ ~~will not~~ ~~join DMs. If you want full control of DMs, simply set this to~~ true.

~~join_local_rooms_only~~~~: This defaults to~~ true ~~and that behavior means that adminbot will only join rooms on your local homeserver.~~

~~access_elementweb_fqdn~~: You should set this to a hostname that is resolvable in your environment which will host a special instance of Element Web for logging in. This hostname will need a crt/key PEM encoded key pair and these files will need to be ~~stored in~~ ~/.element-enterprise-server/config/legacy/certs ~~prior to running the installer. In the above example, we have the hostname of~~ adminbot.airgap.local~~. This means that the installer expects to find~~ adminbot.airgap.local.crt ~~and~~ adminbot.airgap.local.keyset in the ~~~/.element-enterprise-server/config/legacy/certs`~~"Advanced" ~~directory. If you~~section are ~~using~~the ~~Let's~~fqdn ~~Encrypt,~~for ~~you~~the doadminbot ~~not~~element ~~need~~web toaccess ~~add~~point ~~these~~and ~~files.~~

its

certifactes. ~~verify_tls~~These :settings ~~Optional.~~can Ifbe ~~doing~~found aby ~~POC~~clicking ~~with~~"Advanced" ~~self-signed~~and ~~certificates,~~scrolling ~~set~~to:
~~this~~ to
0. ~~Defaults~~
and tothen:
1.

Configuring Audit Bot

From the Installer's Integrations page, click "Install" under "Audit Bot".

~~For~~You will then see the ~~auditbot.yml~~following:

~~presented~~ by

Your first choice is to configure auditbot or enable this server as part of a federated auditbot cluster. For most cases, you'll want to select "Configure Auditbot".

Below this, we have a checkbox to either allow the ~~installer, edit the file and ensure the following values are set:~~

bot_backup_phrase: auditsecret bot_data_path: /mnt/data/auditbot bot_data_size: 10M join_local_rooms_only: true enable_dm_audit: false access_elementweb_fqdn: auditbot.airgap.local ### optional :the S3 bucket whereadminbot to storeparticipate thein auditDM logsrooms #s3_bucket:(rooms #s3_access_key_id:with #s3_secret_access_key:1-2 #s3_key_prefix:people) #s3_region:or #s3_endpoint:not. ###

We optionalalso :have thea checkbox to join local logfilerooms settings.only. UsedYou ifprobably s3 bucket is not enabled. logfile_size: 1M logfile_keep: 3

~~Let's discuss them:~~

~~bot_backup_phrase~~~~: This is the security phrase that will guard access~~want to ~~your encryption keys. Do NOT share~~leave this ~~phrase with anyone. This is required.~~

~~bot_data_path~~~~: This is the directory where the bot's data will be stored.~~on. If you ~~need~~turn it off, the adminbot will try to join any federated rooms that your server is joined to.

Moving on, we also have the ability to change the ~~path,~~logging ~~please~~level ~~do,~~and ~~but~~set ~~for~~the ~~most~~username ~~cases,~~of the bot.

After this, we have the ability to set the "Backup Passphrase" which is used to gain access to the key backup store.

You can also configure an S3 bucket to log to and you can ~~leave~~configure ~~this~~how ~~alone.~~many Iflogfiles ~~you~~should ~~are~~be ~~deploying~~kept and how large a log file should be allowed to ~~Kubernetes,~~grow ~~you~~to. ~~need~~By default, the auditbot will log to ~~comment this out!~~

~~bot_data_size~~~~: In most cases, you can leave this at 10M, but it does put a limit on~~ the ~~amount of data~~storage that ~~can~~has bebeen ~~written~~attached by the ~~bot~~cluster to(check the ~~path.~~

storage

settings ~~join_local_rooms_only~~:under ~~This~~the ~~defaults~~"Advanced" totab).
true
Two ~~and~~settings that ~~behavior means that adminbot will only join rooms on your local homeserver.~~

~~enable_dm_admin~~~~: This defaults to~~ false ~~and that behavior means that adminbot~~ ~~will not~~ ~~join DMs. If you want full control of DMs, simply set this to~~ true.

~~access_elementweb_fqdn~~: You should set this to a hostname that is resolvable in your environment which will host a special instance of Element Web for logging in. This hostname will need a crt/key PEM encoded key pair and these files will need to be ~~stored in~~ ~/.element-enterprise-server/config/legacy/certs ~~prior to running the installer. In the above example, we have the hostname of~~ auditbot.airgap.local~~. This means that the installer expects to find~~ auditbot.airgap.local.crt ~~and~~ auditbot.airgap.local.keyset in the ~~~/.element-enterprise-server/config/legacy/certs`~~"Advanced" ~~directory. If you~~section are ~~using~~the ~~Let's~~fqdn ~~Encrypt,~~for ~~you~~the doauditbot ~~not~~element ~~need~~web toaccess ~~add~~point ~~these~~and ~~files.~~

its

certifactes. ~~verify_tls~~These :settings ~~Optional.~~can Ifbe ~~doing~~found aby ~~POC~~clicking ~~with~~"Advanced" ~~self-signed~~and ~~certificates,~~scrolling ~~set~~to:
~~this~~ to
0.
~~Defaults to 1.~~

Adminbot Federation

On the central admin bot server

~~Complete~~You will pick "Configure Admin Bot" and will fill in everything from the ~~values~~above Adminbot configuration instructions, but you will also add Remote Federated Homeservers in this interface:

You will need to fill out this form for ~~the~~each ~~provided~~remote ~~central.yml~~server inthat will join the ~~installer~~federation. ~~interface.~~You ~~Here~~will isneed anto ~~explanation of~~set the ~~parameters:~~domain name and the matrix server for each to get started.

adminbot_fqdn ~~: The FQDN which~~
You will bealso ~~targeted~~need byto ~~remote federated servers as~~grab the ~~central~~Admin ~~audit~~user authentication token for each server
and remote_federated_homeservers:specify Athat ~~list~~here. ~~containing~~You ~~every~~may ~~remote~~get ~~audited~~this ~~server. It contains~~with the following ~~variables~~command :run
- a matrix_server:specific ~~URL of the synapse server~~
- domain_name~~: Domain name from parameters.yaml (the server name part of the users mxid)~~
- ~~If the server is managed by the installer :~~
  - generic_shared_secret~~: The generic shared secret to get from secrets.yaml~~
  - adminuser_token~~: The token from the admin user, to get via~~server: kubectl get synapseusers/adminuser-donotdelete -n element-onprem -o yaml. ~~It's~~You are looking for the value of the field status.accessToken.
  Then
- Ifin the ~~server~~app isservice, ~~not~~you ~~managed~~can byleave Automatically compute the ~~installer~~appservice :
- set. as_tokenYou :will ~~The~~need to also get the generic shared secret from that server and specify it here as ~~token~~well. ~~configured~~You oncan get this value from running: kubectl get -n element-onprem secrets first-element-deployment-synapse-secrets -o yaml | grep registration and looking at the ~~remote~~value ~~appservice file on~~for the ~~remote server.~~
- hs_token ~~: The as token configured on the remote appservice file on the remote server.~~
- adminuser_token ~~: An access token to an user which is server admin.~~

registrationSharedSecret.

On the remote admin bot server

~~Complete~~Instead of selecting "Configure Adminbot", you will pick "Enable Central Adminbot Access" and will then be presented with this UI:

You will then specify the ~~access.yml file in the installer interface by providing the fqdn~~FQDN of the central ~~admin bot~~adminbot server.

central_adminbot_fqdn ~~: The value of~~ adminbot_fqdn ~~on the central audit bot server~~

Auditbot Federation

On the central auditbot server

~~Complete~~You will pick "Configure Audit Bot" and will fill in everything from the ~~values~~above Auditbot configuration instructions, but you will also add Remote Federated Homeservers in this interface:

auditbot_fqdn ~~: The FQDN which~~
You will bealso ~~targeted~~need byto ~~remote federated servers as~~grab the ~~central~~Admin ~~audit~~user authentication token for each server
and remote_federated_homeservers:specify Athat ~~list~~here. ~~containing~~You ~~every~~may ~~remote~~get ~~audited~~this ~~server. It contains~~with the following ~~variables~~command :run
- a matrix_server:specific ~~URL of the synapse server~~
- domain_name~~: Domain name from parameters.yaml (the server name part of the users mxid)~~
- ~~If the server is managed by the installer :~~
  - generic_shared_secret~~: The generic shared secret to get from secrets.yaml~~
  - adminuser_token~~: The token from the admin user, to get via~~server: kubectl get synapseusers/adminuser-donotdelete -n element-onprem -o yaml. ~~It's~~You are looking for the value of the field status.accessToken.
  Then
- Ifin the ~~server~~app isservice, ~~not~~you ~~managed~~can byleave Automatically compute the ~~installer~~appservice :
- set. as_tokenYou :will ~~The~~need to also get the generic shared secret from that server and specify it here as ~~token~~well. ~~configured~~You oncan get this value from running: kubectl get -n element-onprem secrets first-element-deployment-synapse-secrets -o yaml | grep registration and looking at the ~~remote~~value ~~appservice file on~~for the ~~remote server.~~
- hs_token ~~: The as token configured on the remote appservice file on the remote server.~~
- adminuser_token ~~: An access token to an user which is server admin.~~

registrationSharedSecret.

On the remote audit bot server

~~Complete~~Instead of selecting "Configure Auditbot", you will pick "Enable Central Auditbot Access" and will then be presented with this UI:

You will then specify the ~~access.yml file in the installer interface by providing the fqdn~~FQDN of the central ~~audit bot~~auditbot server.

central_auditbot_fqdn ~~: The value of~~ auditbot_fqdn ~~on the central audit bot server~~