Auditing

Kinetica can be configured to print audit information to a log for security or debugging purposes. The audit configuration settings can be found in the Auditing section of the gpudb.conf file (located in the /opt/gpudb/core/etc directory). The enable_audit setting must be enabled for the other settings to work. Any of these settings can be altered at runtime using /alter/system/properties to assist with debugging unless lock_audit is set to true. Below is a list of the settings and what they do:

Setting Name: Description

enable_audit: If set to true, the following information is audited with every request:

  • Job ID
  • URI
  • User
  • Client address (including any HTTP "x-forwarded-for" header if present)

audit_headers: If set to true, all HTTP headers received with the request will also be audited except for authorization information, which is redacted to prevent exposure of passwords

audit_body: If set to true, each request body will be audited in JSON format except for records that are inserted via /insert/records or /update/records or any passwords that are used in administrative requests

audit_data: If set to true, records that are inserted via /insert/records or /update/records requests will be audited in JSON format along with the request body. The audit_body setting must also be set to true for the audit_data setting to work

  Note: Enabling this setting during bulk ingestion of data will rapidly produce very large audit logs, which may cause disk space exhaustion

lock_audit: If set to true, audit settings cannot be altered at runtime
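
The dependencies between these settings can be checked mechanically before a configuration is rolled out. The following Python check is an added example, not Kinetica code: it assumes gpudb.conf uses key = value lines with # comments and treats unset keys as false, and the function names and sample fragment are hypothetical.

```python
AUDIT_KEYS = ("enable_audit", "audit_headers", "audit_body", "audit_data", "lock_audit")

def read_audit_settings(conf_text):
    """Collect audit booleans from `key = value` lines; unset keys count as false (assumption)."""
    settings = dict.fromkeys(AUDIT_KEYS, False)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip() in settings:
            settings[key.strip()] = value.strip().lower() == "true"
    return settings

def effective_audit(settings):
    """Apply the dependencies stated in the table; return (what is logged, findings)."""
    on = settings["enable_audit"]
    logged = {
        "request_line": on,  # Job ID, URI, User, Client address
        "headers": on and settings["audit_headers"],
        "body": on and settings["audit_body"],
        "records": on and settings["audit_body"] and settings["audit_data"],
    }
    findings = []
    for key in ("audit_headers", "audit_body", "audit_data"):
        if settings[key] and not on:
            findings.append(f"{key} is true but has no effect: enable_audit is false")
    if on and settings["audit_data"] and not settings["audit_body"]:
        findings.append("audit_data is true but has no effect: audit_body is false")
    if logged["records"]:
        findings.append("audit_data is active: bulk ingestion can exhaust disk space")
    if not settings["lock_audit"]:
        findings.append("lock_audit is false: audit settings can be changed at runtime "
                        "via /alter/system/properties")
    return logged, findings

# Constructed gpudb.conf fragment (not taken from the page).
SAMPLE_CONF = """\
enable_audit = true
audit_headers = false
audit_body = false
# audit_data below is ineffective because audit_body is false
audit_data = true
lock_audit = false
"""

LOGGED, FINDINGS = effective_audit(read_audit_settings(SAMPLE_CONF))
print(LOGGED, *FINDINGS, sep="\n")
```
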

Changing the Location of Audit Logs

The location of audit logs is controlled by the gpudb_logger.conf file (located in the /opt/gpudb/core/etc directory). By default, audit information is logged inline with the main Kinetica logs (gpudb.log in the /opt/gpudb/core/logs directory).

To change the location of the audit logs:

  1. Navigate to the gpudb_logger.conf file in the /opt/gpudb/core/etc directory

  2. In the Auditing section at the bottom of the file, comment out the default console appender settings

    #log4cplus.appender.AuditAppender=log4cplus::ConsoleAppender
    #log4cplus.appender.AuditAppender.layout=log4cplus::PatternLayout
    #log4cplus.appender.AuditAppender.layout.ConversionPattern=%D{%Y-%m-%d %H:%M:%S.%q} %-5p (%i,%T,%-18t) %h - %m
    
  3. Uncomment the default file or rolling file appender settings depending on your needs

    • File appender settings:

      log4cplus.appender.AuditAppender=log4cplus::FileAppender
      log4cplus.appender.AuditAppender.File=/opt/gpudb/core/logs/gpudb-audit.log
      log4cplus.appender.AuditAppender.layout=log4cplus::PatternLayout
      log4cplus.appender.AuditAppender.layout.ConversionPattern=%D{%Y-%m-%d %H:%M:%S.%q} %-5p (%i,%T,%-18t) %h - %m
      
    • Rolling file appender settings:

      log4cplus.appender.AuditAppender=log4cplus::RollingFileAppender
      log4cplus.appender.AuditAppender.File=/opt/gpudb/core/logs/gpudb-audit.log
      log4cplus.appender.AuditAppender.MaxFileSize=20 MB
      log4cplus.appender.AuditAppender.MaxBackupIndex=4
      log4cplus.appender.AuditAppender.Append=false
      log4cplus.appender.AuditAppender.layout=log4cplus::PatternLayout
      log4cplus.appender.AuditAppender.layout.ConversionPattern=%D{%Y-%m-%d %H:%M:%S.%q} %-5p (%i,%T,%-18t) %h - %m
      
  4. Update the appender settings as necessary

    Important

    If you update the file location setting, we recommend using an absolute filepath.

Configuration Examples

No Auditing

  • enable_audit = false
  • audit_headers = false
  • audit_body = false
  • audit_data = false

Basic Auditing

Settings:

  • enable_audit = true
  • audit_headers = false
  • audit_body = false
  • audit_data = false

2018-01-22 10:30:46.182 INFO  (30520,31495,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 18  URI: /filter  User: admin  Client: 172.30.21.122:58452

...

2018-01-22 10:48:32.217 INFO  (14801,16039,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 26  URI: /insert/records  User: admin  Client: 172.30.21.123:57973

Request Body Auditing

Settings:

  • enable_audit = true
  • audit_headers = false
  • audit_body = true
  • audit_data = false

2018-01-24 08:38:13.821 INFO  (21303,22318,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 17  URI: /filter  User: admin  Client: 172.30.21.131:60279
  {"table_name":"rand_num_table","view_name":"tf2","expression":"x = 1","options":{}}

...

2018-01-24 08:40:54.157 INFO  (21303,22318,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 113  URI: /insert/records  User: admin  Client: 172.30.21.131:60266
  {"table_name":"mrg_src1","list":[],"list_str":[],"list_encoding":"json","options":{}} (5 records in list_str)

Request Body and Data Auditing

Settings:

  • enable_audit = true
  • audit_headers = false
  • audit_body = true
  • audit_data = true

2018-01-22 10:25:57.003 INFO  (28047,29104,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 29  URI: /filter  User: admin  Client: 172.30.21.122:58350
    {"table_name":"test_table","view_name":"test_view","expression":"x = 7","options":{}}

...

2018-01-22 10:36:03.338 INFO  (17302,18378,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 36  URI: /insert/records  User: admin  Client: 172.30.21.123:58038
  {"table_name":"mrg_src1","list":[],"list_str":[],"list_encoding":"json","options":{}}
      {"x":4, "y":40}
      {"x":5, "y":50}
      {"x":6, "y":60}
      {"x":7, "y":70}
      {"x":8, "y":80}

Request Body, Data, and Header Auditing

Settings:

  • enable_audit = true
  • audit_headers = true
  • audit_body = true
  • audit_data = true

2018-01-22 10:20:25.696 INFO  (25633,26607,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 54  URI: /filter  User: admin  Client: 172.30.21.122:58271
    Accept: */*
    Authorization: [redacted]
    Connection: keep-alive
    Content-Type: application/json
    Host: 172.30.53.1:9191
    Postman-Token: cc79932a-090c-4271-8df2-7e7788264ab1
    User-Agent: PostmanRuntime/7.1.1
    accept-encoding: gzip, deflate
    cache-control: no-cache
    content-length: 100

    {"table_name":"test_table","view_name":"test_view","expression":"x = 7","options":{}}

...

2018-01-22 10:27:21.651 INFO  (19780,20806,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 61  URI: /insert/records  User: admin  Client: 172.30.21.123:58139
  Accept: */*
  Authorization: [redacted]
  Connection: keep-alive
  Content-Type: application/json
  Host: 172.30.53.1:9191
  Postman-Token: 14480159-3794-4396-a9b7-b27fbfeae3a9
  User-Agent: PostmanRuntime/7.1.1
  accept-encoding: gzip, deflate
  cache-control: no-cache
  content-length: 217

  {"table_name":"mrg_src1","list":[],"list_str":[],"list_encoding":"json","options":{}}
      {"x":4, "y":40}
      {"x":5, "y":50}
      {"x":6, "y":60}
      {"x":7, "y":70}
      {"x":8, "y":80}
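
Entries in the formats shown above can be turned into structured events for review or forwarding to a log pipeline. This Python parser is an added example, not part of Kinetica: it assumes the default ConversionPattern from gpudb_logger.conf, skips non-audit lines (audit output is inline with gpudb.log by default), and lists any audited Authorization header that is not the redaction marker. The function names are hypothetical and one sample line is constructed.

```python
import json
import re

# Header line: the default ConversionPattern followed by the audit message fields.
HEADER = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) +(?P<level>\w+) +"
    r"\((?P<pid>\d+),(?P<tid>\d+),(?P<thread>[^)]*)\) +(?P<host>\S+) - "
    r"Job ID: (?P<job_id>\d+) +URI: (?P<uri>\S+) +User: (?P<user>\S+) +"
    r"Client: (?P<client>.+)$")

def parse_audit_log(text):
    """Group each audit line with its indented headers, request body and records."""
    events, current = [], None
    for line in text.splitlines():
        match, item = HEADER.match(line), line.strip()
        if match:
            current = dict(match.groupdict(), headers={}, body=None, note="", records=[])
            events.append(current)
        elif item and not line[0].isspace():
            current = None  # unindented non-audit message: the entry has ended
        elif current is not None and item.startswith("{"):
            try:
                obj, end = json.JSONDecoder().raw_decode(item)
            except ValueError:
                continue  # truncated or non-JSON continuation line
            if current["body"] is None:  # first JSON line is the request body
                current["body"], current["note"] = obj, item[end:].strip()
            else:  # later JSON lines are records logged by audit_data
                current["records"].append(obj)
        elif current is not None and (hdr := re.match(r"([\w-]+): (.*)$", item)):
            current["headers"][hdr.group(1).lower()] = hdr.group(2)
    return events

def unredacted_authorization(events):
    """Job IDs whose audited Authorization header is not the redaction marker."""
    return [e["job_id"] for e in events
            if e["headers"].get("authorization", "[redacted]") != "[redacted]"]

# Entries copied from the page's examples (trimmed); the "Constructed" line is made up.
SAMPLE = """\
2018-01-24 08:40:54.157 INFO  (21303,22318,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 113  URI: /insert/records  User: admin  Client: 172.30.21.131:60266
  {"table_name":"mrg_src1","list":[],"list_str":[],"list_encoding":"json","options":{}} (5 records in list_str)
2018-01-24 08:40:55.000 INFO  (21303,22318,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Constructed non-audit message
2018-01-22 10:27:21.651 INFO  (19780,20806,r0/gpudb_cluster_i) vm03-01.nova.gpudb.local - Job ID: 61  URI: /insert/records  User: admin  Client: 172.30.21.123:58139
  Authorization: [redacted]
  {"table_name":"mrg_src1","list":[],"list_str":[],"list_encoding":"json","options":{}}
      {"x":4, "y":40}
"""
print([(e["job_id"], e["uri"], len(e["records"]), e["note"]) for e in parse_audit_log(SAMPLE)])
```
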