---
layout: docs
page_title: audit Stanza - Agent Configuration
description: >-
  The "audit" stanza configures the Nomad agent's audit logging behavior. This
  is an Enterprise-only feature.
---

# `audit` Stanza

<Placement groups={['audit']} />

The `audit` stanza configures the Nomad agent's audit logging behavior.
Audit logging is an Enterprise-only feature.

```hcl
audit {
  enabled = true
}
```

When enabled, each HTTP request made to a Nomad agent (client or server)
generates two audit log entries, one for each stage: `OperationReceived` and
`OperationComplete`. The `OperationReceived` event is generated before the
request is processed. The `OperationComplete` event is sent after the request
has been processed, but before the response body is returned to the end user.

By default, with a minimally configured audit stanza (`audit { enabled = true }`),
the following default sink is added, with no filters:

```hcl
audit {
  enabled = true
  sink "audit" {
    type               = "file"
    delivery_guarantee = "enforced"
    format             = "json"
    path               = "/[data_dir]/audit/audit.log"
  }
}
```

The sink creates an `audit.log` file in an `audit` directory inside the
configured `data_dir`. `delivery_guarantee` is set to `"enforced"`, meaning
that every request must be written to the sink successfully for the HTTP
request to complete successfully.

## `audit` Parameters

- `enabled` `(bool: false)` - Specifies if audit logging should be enabled.
  When enabled, audit logging will occur for every request, unless it is
  filtered by a `filter`.

- `sink` <code>([sink](#sink-stanza): default)</code> - Configures a sink
  for audit logs to be sent to.

- `filter` <code>(array<[filter](#filter-stanza)>: [])</code> - Configures a filter
  to exclude matching events from being sent to audit logging sinks.

### `sink` Stanza

The `sink` stanza is used to create audit logging sinks for events to be
sent to. Currently only a single sink is supported.

The key of the stanza corresponds to the name of the sink, which is used
for logging purposes.

```hcl
audit {
  enabled = true

  sink "audit" {
    type               = "file"
    delivery_guarantee = "enforced"
    format             = "json"
    path               = "/var/lib/nomad/audit/audit.log"
    rotate_bytes       = 100
    rotate_duration    = "24h"
    rotate_max_files   = 10
    mode               = "0600"
  }
}
```

#### `sink` Parameters

- `type` `(string: "file", required)` - Specifies the type of sink to create.
  Currently only the `"file"` type is supported.

- `delivery_guarantee` `(string: "enforced", required)` - Specifies the
  delivery guarantee that will be made for each audit log entry. Available
  options are `"enforced"` and `"best-effort"`. `"enforced"` halts request
  execution if the audit log event fails to be written to its sink.
  `"best-effort"` does not halt request execution, meaning a request could
  potentially go un-audited.

- `format` `(string: "json", required)` - Specifies the output format to be
  sent to a sink. Currently only the `"json"` format is supported.

- `mode` `(string: "0600")` - Specifies the permissions mode for the audit log
  files, in octal notation.

- `path` `(string: "[data_dir]/audit/audit.log")` - Specifies the path and file
  name to use for the audit log. By default Nomad will use its configured
  [`data_dir`](/docs/configuration#data_dir) for a combined path of
  `/data_dir/audit/audit.log`. If `rotate_bytes` or `rotate_duration` are set,
  file rotation will occur.
  In this case the filename is suffixed with a timestamp:
  `"filename-{timestamp}.log"`.

- `rotate_bytes` `(int: 0)` - Specifies the number of bytes that should be
  written to an audit log before it needs to be rotated. Unless specified,
  there is no limit to the number of bytes that can be written to a log file.

- `rotate_duration` `(duration: "24h")` - Specifies the maximum duration an
  audit log should be written to before it needs to be rotated. Must be a
  duration value such as `30s`.

- `rotate_max_files` `(int: 0)` - Specifies the maximum number of older audit
  log file archives to keep. If 0, no files are ever deleted.

### `filter` Stanza

The `filter` stanza is used to create filters that exclude matching events
from being written to the audit log. By default, all events are sent to an
audit log for all stages (`OperationReceived` and `OperationComplete`). Filters
are useful for operators who want to limit the performance impact of audit
logging as well as to reduce the number of events generated.

`endpoints`, `stages`, and `operations` support [globbed pattern][glob] matching.

Query parameters are ignored when evaluating filters.
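
As an added illustration that is not Nomad's own code, the following Go program applies the filter rules above to an event: all of a filter's `endpoints`, `stages` and `operations` lists must match (with `*` globbing, implemented by hand here rather than with the go-glob library), the query string is stripped before the endpoint is compared, and `PageFilters` holds the three filters from the configuration example on this page. It assumes that an empty list matches nothing, which the page does not state.

```go
package main

import "strings"

// HTTPEvent is what a filter matches on; Filter mirrors one filter "name" { type = "HTTPEvent" ... } block.
type HTTPEvent struct{ Endpoint, Stage, Operation string }
type Filter struct {
	Name                          string
	Endpoints, Stages, Operations []string
}
// glob matches s against p, "*" standing for any run of characters (own implementation of go-glob semantics).
func glob(p, s string) bool {
	i := strings.IndexByte(p, '*')
	if i < 0 {
		return p == s // no wildcard left: exact match
	}
	if !strings.HasPrefix(s, p[:i]) {
		return false
	}
	for j := i; j <= len(s); j++ { // let "*" absorb s[i:j], then match the rest
		if glob(p[i+1:], s[j:]) {
			return true
		}
	}
	return false
}
func anyGlob(patterns []string, s string) bool {
	for _, p := range patterns {
		if glob(p, s) {
			return true
		}
	}
	return false // assumption: an empty list matches nothing
}
// DroppedBy returns the name of the first filter whose three lists all match ev, or ""
// when the event is written to the sink. Query parameters are ignored, as the page states.
func DroppedBy(filters []Filter, ev HTTPEvent) string {
	endpoint, _, _ := strings.Cut(ev.Endpoint, "?")
	for _, f := range filters {
		if anyGlob(f.Endpoints, endpoint) && anyGlob(f.Stages, ev.Stage) && anyGlob(f.Operations, ev.Operation) {
			return f.Name
		}
	}
	return ""
}
// PageFilters are the three filters from the configuration example on this page.
var PageFilters = []Filter{
	{"default", []string{"/v1/metrics"}, []string{"*"}, []string{"*"}},
	{"globbed example", []string{"/v1/evaluation/*/allocations"}, []string{"*"}, []string{"*"}},
	{"OperationReceived GETs", []string{"*"}, []string{"OperationReceived"}, []string{"GET"}},
}
```
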

```hcl
audit {
  enabled = true

  # Filter out all requests and all stages for /v1/metrics
  filter "default" {
    type       = "HTTPEvent"
    endpoints  = ["/v1/metrics"]
    stages     = ["*"]
    operations = ["*"]
  }

  # Filter out requests where endpoint matches globbed pattern
  filter "globbed example" {
    type       = "HTTPEvent"
    endpoints  = ["/v1/evaluation/*/allocations"]
    stages     = ["*"]
    operations = ["*"]
  }

  # Filter out OperationReceived GET requests for all endpoints
  filter "OperationReceived GETs" {
    type       = "HTTPEvent"
    endpoints  = ["*"]
    stages     = ["OperationReceived"]
    operations = ["GET"]
  }
}
```

#### `filter` Parameters

- `type` `(string: "HTTPEvent", required)` - Specifies the type of filter to
  create. Currently only `HTTPEvent` is supported.

- `endpoints` `(array<string>: [])` - Specifies the list of endpoints to apply
  the filter to.

- `stages` `(array<string>: [])` - Specifies the list of stages
  (`"OperationReceived"`, `"OperationComplete"`, `"*"`) to apply the filter to
  for a matching endpoint.

- `operations` `(array<string>: [])` - Specifies the list of operations to
  apply the filter to for a matching endpoint. For `HTTPEvent` types this
  corresponds to an HTTP verb (GET, PUT, POST, DELETE, ...).

## Audit Log Format

Below are two audit log entries for a request made to `/v1/job/web/summary`. The
first entry is for the `OperationReceived` stage. The second entry is for the
`OperationComplete` stage and includes the contents of the `OperationReceived`
stage plus a `response` key.

```json
{
  "created_at": "2020-03-24T13:09:35.703869927-04:00",
  "event_type": "audit",
  "payload": {
    "id": "8b826146-b264-af15-6526-29cb905145aa",
    "stage": "OperationReceived",
    "type": "audit",
    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
      "name": "Bootstrap Token",
      "global": true,
      "create_time": "2020-03-24T17:08:35.086591881Z"
    },
    "request": {
      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
      "operation": "GET",
      "endpoint": "/v1/job/web/summary",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33648",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    }
  }
}
{
  "created_at": "2020-03-24T13:09:35.704224536-04:00",
  "event_type": "audit",
  "payload": {
    "id": "8b826146-b264-af15-6526-29cb905145aa",
    "stage": "OperationComplete",
    "type": "audit",
    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
      "name": "Bootstrap Token",
      "global": true,
      "create_time": "2020-03-24T17:08:35.086591881Z"
    },
    "request": {
      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
      "operation": "GET",
      "endpoint": "/v1/job/web/summary",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33648",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    },
    "response": {
      "status_code": 200
    }
  }
}
```

If the request returns an error, the audit log will reflect the error message.

```json
{
  "created_at": "2020-03-24T13:18:36.121978648-04:00",
  "event_type": "audit",
  "payload": {
    "id": "21c6f97a-fbfb-1090-1e34-34d1ece57cc2",
    "stage": "OperationComplete",
    "type": "audit",
    "timestamp": "2020-03-24T13:18:36.121428628-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "anonymous",
      "name": "Anonymous Token",
      "policies": ["anonymous"],
      "create_time": "0001-01-01T00:00:00Z"
    },
    "request": {
      "id": "c696cc9e-962e-18b3-4097-e0a09070f89e",
      "operation": "GET",
      "endpoint": "/v1/jobs?prefix=web",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33874",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    },
    "response": {
      "status_code": 403,
      "error": "Permission denied"
    }
  }
}
```

[glob]: https://github.com/ryanuber/go-glob/blob/master/README.md#example
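
The two stages can be correlated from the log itself. The following Go program, added here and not part of Nomad, decodes entries in the format above, pairs `OperationReceived` with `OperationComplete` by `payload.id`, and reports requests that failed (`status_code` of 400 or above, such as the `Permission denied` entry) and requests for which no `OperationComplete` entry was ever written. `SampleLog` is constructed from the page's entries condensed to one object per line, plus one invented dangling `OperationReceived` entry.

```go
package main

import (
	"encoding/json"
	"strings"
)

// AuditEntry is the subset of the entry schema shown above; encoding/json
// matches untagged fields case-insensitively, so only snake_case keys need tags.
type AuditEntry struct {
	Payload struct {
		ID, Stage string
		Auth      struct{ Name string }
		Request   struct{ Operation, Endpoint string }
		Response  *struct{ StatusCode int `json:"status_code"`; Error string }
	}
}
type Finding struct{ ID, Kind, Detail string }
// Review pairs OperationReceived/OperationComplete entries by payload.id and reports
// requests that failed (status_code >= 400) or never produced an OperationComplete entry.
func Review(log string) ([]Finding, error) {
	dec := json.NewDecoder(strings.NewReader(log)) // reads a stream of objects, one per line or pretty-printed
	pending, out := map[string]AuditEntry{}, []Finding{}
	for dec.More() {
		var e AuditEntry
		if err := dec.Decode(&e); err != nil {
			return nil, err
		}
		p := e.Payload
		if p.Stage == "OperationReceived" {
			pending[p.ID] = e
			continue
		}
		delete(pending, p.ID) // an OperationComplete entry closes the pair
		if p.Response != nil && p.Response.StatusCode >= 400 {
			out = append(out, Finding{p.ID, "error-response", p.Request.Operation + " " + p.Request.Endpoint + " by " + p.Auth.Name + ": " + p.Response.Error})
		}
	}
	for id, e := range pending {
		r := e.Payload.Request
		out = append(out, Finding{id, "incomplete", r.Operation + " " + r.Endpoint + " never reached OperationComplete"})
	}
	return out, nil
}
// SampleLog is constructed: the page's entries condensed to one object per line, plus an invented dangling OperationReceived (id 0000...0001).
const SampleLog = `{"created_at":"2020-03-24T13:09:35.703869927-04:00","event_type":"audit","payload":{"id":"8b826146-b264-af15-6526-29cb905145aa","stage":"OperationReceived","auth":{"accessor_id":"a162f017-bcf7-900c-e22a-a2a8cbbcef53","name":"Bootstrap Token"},"request":{"operation":"GET","endpoint":"/v1/job/web/summary"}}}
{"created_at":"2020-03-24T13:09:35.704224536-04:00","event_type":"audit","payload":{"id":"8b826146-b264-af15-6526-29cb905145aa","stage":"OperationComplete","auth":{"accessor_id":"a162f017-bcf7-900c-e22a-a2a8cbbcef53","name":"Bootstrap Token"},"request":{"operation":"GET","endpoint":"/v1/job/web/summary"},"response":{"status_code":200}}}
{"created_at":"2020-03-24T13:18:36.121978648-04:00","event_type":"audit","payload":{"id":"21c6f97a-fbfb-1090-1e34-34d1ece57cc2","stage":"OperationComplete","auth":{"accessor_id":"anonymous","name":"Anonymous Token","policies":["anonymous"]},"request":{"operation":"GET","endpoint":"/v1/jobs?prefix=web"},"response":{"status_code":403,"error":"Permission denied"}}}
{"created_at":"2020-03-24T13:20:00.000000000-04:00","event_type":"audit","payload":{"id":"00000000-0000-0000-0000-000000000001","stage":"OperationReceived","auth":{"accessor_id":"anonymous","name":"Anonymous Token"},"request":{"operation":"PUT","endpoint":"/v1/jobs"}}}`
```

Because the decoder consumes a stream of JSON objects, the same function works on a pretty-printed excerpt like the ones above and on a one-entry-per-line `audit.log`.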