github.com/Ilhicas/nomad@v1.0.4-0.20210304152020-e86851182bc3/website/content/docs/configuration/audit.mdx

---
layout: docs
page_title: audit Stanza - Agent Configuration
sidebar_title: audit
description: >-
  The "audit" stanza configures the Nomad agent's audit logging behavior. This
  is an Enterprise-only feature.
---

# `audit` Stanza

<Placement groups={['audit']} />

The `audit` stanza configures the Nomad agent's audit logging behavior. Audit
logging is an Enterprise-only feature.

```hcl
audit {
  enabled = true
}
```

When enabled, each HTTP request made to a Nomad agent (client or server)
generates two audit log entries, one per stage: `OperationReceived` and
`OperationComplete`. The `OperationReceived` event is written before the
request is processed. The `OperationComplete` event is written after the
request has been processed, but before the response body is returned to the
end user.

By default, with a minimally configured audit stanza (`audit { enabled = true }`),
the following default sink is added with no filters:

```hcl
audit {
  enabled = true
  sink "audit" {
    type               = "file"
    delivery_guarantee = "enforced"
    format             = "json"
    path               = "/[data_dir]/audit/audit.log"
  }
}
```

The sink creates an `audit.log` file in an `audit` directory inside the
configured `data_dir`. `delivery_guarantee` is set to `"enforced"`, meaning
that every event must be written to the sink successfully for the HTTP
request to complete successfully.

## `audit` Parameters

- `enabled` `(bool: false)` - Specifies if audit logging should be enabled.
  When enabled, audit logging will occur for every request, unless it is
  filtered by a `filter`.

- `sink` <code>([sink](#sink-stanza): default)</code> - Configures a sink
  for audit logs to be sent to.

- `filter` <code>(array<[filter](#filter-stanza)>: [])</code> - Configures a filter
  to exclude matching events from being sent to audit logging sinks.

### `sink` Stanza

The `sink` stanza is used to create audit logging sinks for events to be
sent to. Currently only a single sink is supported.

The key of the stanza corresponds to the name of the sink, which is used
for logging purposes.

```hcl
audit {
  enabled = true

  sink "audit" {
    type               = "file"
    delivery_guarantee = "enforced"
    format             = "json"
    path               = "/var/lib/nomad/audit/audit.log"
    rotate_bytes       = 100
    rotate_duration    = "24h"
    rotate_max_files   = 10
  }
}
```

#### `sink` Parameters

- `type` `(string: "file", required)` - Specifies the type of sink to create.
  Currently only the `"file"` type is supported.

- `delivery_guarantee` `(string: "enforced", required)` - Specifies the
  delivery guarantee made for each audit log entry. Available options are
  `"enforced"` and `"best-effort"`. `"enforced"` halts request execution if
  the audit log event fails to be written to its sink. `"best-effort"` does
  not halt request execution, meaning a request could potentially go
  un-audited.

- `format` `(string: "json", required)` - Specifies the output format to be
  sent to a sink. Currently only the `"json"` format is supported.

- `path` `(string: "[data_dir]/audit/audit.log")` - Specifies the path and file
  name to use for the audit log. By default Nomad uses its configured
  [`data_dir`](/docs/configuration#data_dir) for a combined path of
  `/data_dir/audit/audit.log`. If `rotate_bytes` or `rotate_duration` is set,
  file rotation will occur.
  In this case the file name is suffixed with a timestamp:
  `"filename-{timestamp}.log"`.

- `rotate_bytes` `(int: 0)` - Specifies the number of bytes that should be
  written to an audit log before it needs to be rotated. Unless specified,
  there is no limit to the number of bytes that can be written to a log file.

- `rotate_duration` `(duration: "24h")` - Specifies the maximum duration an
  audit log should be written to before it needs to be rotated. Must be a
  duration value such as `30s`.

- `rotate_max_files` `(int: 0)` - Specifies the maximum number of older audit
  log file archives to keep. If 0, no files are ever deleted.

### `filter` Stanza

The `filter` stanza is used to create filters that filter **out** matching
events so they are not written to the audit log. By default, all events are
sent to the audit log for all stages (`OperationReceived` and
`OperationComplete`). Filters are useful for operators who want to limit the
performance impact of audit logging as well as to reduce the number of events
generated.

`endpoints`, `stages`, and `operations` support [globbed pattern][glob] matching.

Query parameters are ignored when evaluating filters.
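The matching rules above, worked through in Go as an added example that is not part of Nomad's own code: a filter excludes an event only when its endpoint (with the query string dropped), its stage and its operation each match one of the filter's patterns, with `*` standing for any run of characters. The `Filter`, `HTTPEvent` and `ShouldAudit` names, the regexp-based glob and the rule that an empty pattern list matches nothing are this example's assumptions; `PageFilters` reproduces the three filters from the HCL example that follows in this section.

```go
package main

import (
	"regexp"
	"strings"
)

// Filter mirrors the three pattern lists of an HTTPEvent filter stanza.
type Filter struct {
	Endpoints, Stages, Operations []string
}

// HTTPEvent is the part of an audit event that a filter is evaluated against.
type HTTPEvent struct {
	Endpoint, Stage, Operation string // e.g. "/v1/jobs?prefix=web", "OperationComplete", "GET"
}

// anyMatch reports whether value matches a pattern, "*" standing for any run of
// characters, "/" included (assumed go-glob semantics); an empty list matches nothing.
func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		re := "^" + strings.ReplaceAll(regexp.QuoteMeta(p), `\*`, ".*") + "$"
		if regexp.MustCompile(re).MatchString(value) {
			return true
		}
	}
	return false
}

// Matches reports whether f excludes ev; the query string is dropped first, since query parameters are ignored.
func (f Filter) Matches(ev HTTPEvent) bool {
	path := strings.SplitN(ev.Endpoint, "?", 2)[0]
	return anyMatch(f.Endpoints, path) && anyMatch(f.Stages, ev.Stage) && anyMatch(f.Operations, ev.Operation)
}

// ShouldAudit is true when no filter excludes ev, i.e. the agent writes it to the sink.
func ShouldAudit(filters []Filter, ev HTTPEvent) bool {
	for _, f := range filters {
		if f.Matches(ev) {
			return false
		}
	}
	return true
}

// PageFilters reproduces the three filters from this section's HCL example.
var PageFilters = []Filter{
	{[]string{"/v1/metrics"}, []string{"*"}, []string{"*"}},
	{[]string{"/v1/evaluation/*/allocations"}, []string{"*"}, []string{"*"}},
	{[]string{"*"}, []string{"OperationReceived"}, []string{"GET"}},
}
```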

```hcl
audit {
  enabled = true

  # Filter out all requests and all stages for /v1/metrics
  filter "default" {
    type       = "HTTPEvent"
    endpoints  = ["/v1/metrics"]
    stages     = ["*"]
    operations = ["*"]
  }

  # Filter out requests where endpoint matches globbed pattern
  filter "globbed example" {
    type       = "HTTPEvent"
    endpoints  = ["/v1/evaluation/*/allocations"]
    stages     = ["*"]
    operations = ["*"]
  }

  # Filter out OperationReceived GET requests for all endpoints
  filter "OperationReceived GETs" {
    type       = "HTTPEvent"
    endpoints  = ["*"]
    stages     = ["OperationReceived"]
    operations = ["GET"]
  }
}
```

#### `filter` Parameters

- `type` `(string: "HTTPEvent", required)` - Specifies the type of filter to
  create. Currently only `HTTPEvent` is supported.

- `endpoints` `(array<string>: [])` - Specifies the list of endpoints to apply
  the filter to.

- `stages` `(array<string>: [])` - Specifies the list of stages
  (`"OperationReceived"`, `"OperationComplete"`, `"*"`) to apply the filter to
  for a matching endpoint.

- `operations` `(array<string>: [])` - Specifies the list of operations to
  apply the filter to for a matching endpoint. For `HTTPEvent` types this
  corresponds to an HTTP verb (GET, PUT, POST, DELETE...).

## Audit Log Format

Below are two audit log entries for a request made to `/v1/job/web/summary`. The
first entry is for the `OperationReceived` stage. The second entry is for the
`OperationComplete` stage and includes the contents of the `OperationReceived`
stage plus a `response` key.

```json
{
  "created_at": "2020-03-24T13:09:35.703869927-04:00",
  "event_type": "audit",
  "payload": {
    "id": "8b826146-b264-af15-6526-29cb905145aa",
    "stage": "OperationReceived",
    "type": "audit",
    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
      "name": "Bootstrap Token",
      "global": true,
      "create_time": "2020-03-24T17:08:35.086591881Z"
    },
    "request": {
      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
      "operation": "GET",
      "endpoint": "/v1/job/web/summary",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33648",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    }
  }
}
{
  "created_at": "2020-03-24T13:09:35.704224536-04:00",
  "event_type": "audit",
  "payload": {
    "id": "8b826146-b264-af15-6526-29cb905145aa",
    "stage": "OperationComplete",
    "type": "audit",
    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
      "name": "Bootstrap Token",
      "global": true,
      "create_time": "2020-03-24T17:08:35.086591881Z"
    },
    "request": {
      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
      "operation": "GET",
      "endpoint": "/v1/job/web/summary",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33648",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    },
    "response": {
      "status_code": 200
    }
  }
}
```

If the request returns an error, the audit log entry records the error message.

```json
{
  "created_at": "2020-03-24T13:18:36.121978648-04:00",
  "event_type": "audit",
  "payload": {
    "id": "21c6f97a-fbfb-1090-1e34-34d1ece57cc2",
    "stage": "OperationComplete",
    "type": "audit",
    "timestamp": "2020-03-24T13:18:36.121428628-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "anonymous",
      "name": "Anonymous Token",
      "policies": ["anonymous"],
      "create_time": "0001-01-01T00:00:00Z"
    },
    "request": {
      "id": "c696cc9e-962e-18b3-4097-e0a09070f89e",
      "operation": "GET",
      "endpoint": "/v1/jobs?prefix=web",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33874",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    },
    "response": {
      "status_code": 403,
      "error": "Permission denied"
    }
  }
}
```

[glob]: https://github.com/ryanuber/go-glob/blob/master/README.md#example
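As an added example (not Nomad's own code), a small Go reader for the log format shown above: the sink writes consecutive JSON objects rather than one object per line, so a streaming `json.Decoder` is used, and `OperationReceived` entries carry no `response`, so that field is a pointer that stays nil for them. `AuditEvent`, `DeniedRequests` and the condensed `SampleLog` entries are constructed for this example.

```go
package main

import (
	"encoding/json"
	"io"
)

// AuditEvent holds the subset of audit entry fields this example inspects.
type AuditEvent struct {
	Payload struct {
		ID    string `json:"id"`
		Stage string `json:"stage"` // OperationReceived or OperationComplete
		Auth  struct {
			AccessorID string `json:"accessor_id"`
		} `json:"auth"`
		Request struct {
			Operation string `json:"operation"`
			Endpoint  string `json:"endpoint"`
		} `json:"request"`
		Response *struct { // absent (nil) on OperationReceived entries
			StatusCode int    `json:"status_code"`
			Error      string `json:"error"`
		} `json:"response"`
	} `json:"payload"`
}

// DeniedRequests decodes a sink's output, which is a stream of concatenated
// JSON objects rather than one object per line, and returns the
// OperationComplete entries whose response carried an error.
func DeniedRequests(r io.Reader) ([]AuditEvent, error) {
	dec := json.NewDecoder(r)
	var hits []AuditEvent
	for {
		var ev AuditEvent
		if err := dec.Decode(&ev); err == io.EOF {
			return hits, nil
		} else if err != nil {
			return hits, err
		}
		p := ev.Payload
		if p.Stage == "OperationComplete" && p.Response != nil && p.Response.Error != "" {
			hits = append(hits, ev)
		}
	}
}

// SampleLog is a constructed, condensed stand-in for the entries shown on this page.
const SampleLog = `{"payload":{"id":"a1","stage":"OperationReceived","auth":{"accessor_id":"anonymous"},"request":{"operation":"GET","endpoint":"/v1/jobs?prefix=web"}}}
{"payload":{"id":"a1","stage":"OperationComplete","auth":{"accessor_id":"anonymous"},"request":{"operation":"GET","endpoint":"/v1/jobs?prefix=web"},"response":{"status_code":403,"error":"Permission denied"}}}
{"payload":{"id":"b2","stage":"OperationComplete","auth":{"accessor_id":"a162f017"},"request":{"operation":"GET","endpoint":"/v1/job/web/summary"},"response":{"status_code":200}}}`
```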