github.com/iqoqo/nomad@v0.11.3-0.20200911112621-d7021c74d101/website/pages/docs/configuration/audit.mdx

---
layout: docs
page_title: audit Stanza - Agent Configuration
sidebar_title: audit
description: >-
  The "audit" stanza configures the Nomad agent's audit logging behavior.
  This is an Enterprise-only feature.
---

# `audit` Stanza

<Placement groups={['audit']} />

The `audit` stanza configures the Nomad agent's audit logging behavior.
Audit logging is an Enterprise-only feature.

```hcl
audit {
  enabled = true
}
```

When enabled, each HTTP request made to a Nomad agent (client or server)
generates two audit log entries, one per stage: `OperationReceived` and
`OperationComplete`. The `OperationReceived` event is written before the
request is processed. The `OperationComplete` event is written after the
request has been processed, but before the response body is returned to the
caller.

By default, with a minimally configured audit stanza (`audit { enabled = true }`),
the following default sink is added with no filters:

```hcl
audit {
  enabled = true
  sink "audit" {
    type               = "file"
    delivery_guarantee = "enforced"
    format             = "json"
    path               = "[data_dir]/audit/audit.log"
  }
}
```

The sink creates an `audit.log` file in an `audit` directory inside the
configured `data_dir`. `delivery_guarantee` is set to `"enforced"`, meaning
every event must be written to the sink successfully for the HTTP request to
complete; an unwritable sink (for example a full disk) therefore surfaces as
failed API requests rather than as un-audited ones.

## `audit` Parameters

- `enabled` `(bool: false)` - Specifies if audit logging should be enabled.
  When enabled, audit logging will occur for every request, unless it is
  filtered by a `filter`.

- `sink` <code>([sink](#sink-stanza): default)</code> - Configures a sink
  for audit logs to be sent to.

- `filter` <code>(array<[filter](#filter-stanza)>: [])</code> - Configures a filter
  to exclude matching events from being sent to audit logging sinks.

### `sink` Stanza

The `sink` stanza is used to create audit logging sinks for events to be
sent to. Currently only a single sink is supported.

The key of the stanza is the name of the sink, which is used for logging
purposes.

```hcl
audit {
  enabled = true

  sink "audit" {
    type               = "file"
    delivery_guarantee = "enforced"
    format             = "json"
    path               = "/var/lib/nomad/audit/audit.log"
    rotate_bytes       = 100
    rotate_duration    = "24h"
    rotate_max_files   = 10
  }
}
```

#### `sink` Parameters

- `type` `(string: "file", required)` - Specifies the type of sink to create.
  Currently only the `"file"` type is supported.

- `delivery_guarantee` `(string: "enforced", required)` - Specifies the
  delivery guarantee that will be made for each audit log entry. Available
  options are `"enforced"` and `"best-effort"`. `"enforced"` halts request
  execution if the audit log event fails to be written to its sink.
  `"best-effort"` does not halt request execution, meaning a request could
  potentially go un-audited.

- `format` `(string: "json", required)` - Specifies the output format to be
  sent to a sink. Currently only the `"json"` format is supported.

- `path` `(string: "[data_dir]/audit/audit.log")` - Specifies the path and file
  name to use for the audit log. By default Nomad uses its configured
  [`data_dir`](/docs/configuration#data_dir) for a combined path of
  `[data_dir]/audit/audit.log`. If `rotate_bytes` or `rotate_duration` are set,
  file rotation will occur.
  In this case the filename is suffixed with a timestamp:
  `"filename-{timestamp}.log"`.

- `rotate_bytes` `(int: 0)` - Specifies the number of bytes that should be
  written to an audit log before it needs to be rotated. Unless specified,
  there is no limit to the number of bytes that can be written to a log file.

- `rotate_duration` `(duration: "24h")` - Specifies the maximum duration an
  audit log should be written to before it needs to be rotated. Must be a
  duration value such as `30s`.

- `rotate_max_files` `(int: 0)` - Specifies the maximum number of older audit log
  file archives to keep. If 0, no files are ever deleted.

### `filter` Stanza

The `filter` stanza is used to create filters that exclude matching events from
being written to the audit log. By default, all events are sent to the audit
log for all stages (`OperationReceived` and `OperationComplete`). Filters are
useful for operators who want to limit the performance impact of audit logging
and reduce the number of events generated. Because a matching event is dropped
from the sink entirely, keep patterns narrow: a filter with `endpoints = ["*"]`,
`stages = ["*"]` and `operations = ["*"]` would suppress the whole audit trail.

`endpoints`, `stages`, and `operations` support [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example) matching.

Query parameters are ignored when evaluating filters.
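The matching rules above, modeled in Go as an added example (this is not Nomad's own filter code). It reimplements the go-glob rule the page links to, strips the query string before matching, and evaluates the three filters shown in this section's HCL example against a few constructed events. The `HTTPEvent` and `Filter` types are the example's own, and the choice that an empty list matches nothing is an assumption the page does not settle.

```go
package main

import (
	"fmt"
	"strings"
)

// HTTPEvent is the part of an audit event a filter inspects. Field names
// follow the page's filter parameters (stages, operations, endpoints).
type HTTPEvent struct {
	Stage     string // "OperationReceived" or "OperationComplete"
	Operation string // HTTP verb
	Endpoint  string // request path, possibly with a query string
}

// Filter mirrors one `filter "<name>" { type = "HTTPEvent" ... }` stanza.
type Filter struct {
	Name       string
	Endpoints  []string
	Stages     []string
	Operations []string
}

// globMatch reimplements the go-glob rule the page links to: '*' matches any
// run of characters, including '/', and everything else is literal. The
// pattern is anchored at both ends.
func globMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s // no wildcard: exact match only
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(s, last) {
		return false
	}
	s = s[:len(s)-len(last)]
	for _, mid := range parts[1 : len(parts)-1] { // inner pieces, in order
		i := strings.Index(s, mid)
		if i < 0 {
			return false
		}
		s = s[i+len(mid):]
	}
	return true
}

// anyMatch reports whether any pattern matches s. An empty list matches
// nothing here; the page does not say how Nomad treats an empty list, so
// this is an assumption of the example.
func anyMatch(patterns []string, s string) bool {
	for _, p := range patterns {
		if globMatch(p, s) {
			return true
		}
	}
	return false
}

// Matches reports whether f excludes ev. All three lists must match, and the
// query string is stripped first because the page states that query
// parameters are ignored when evaluating filters.
func (f Filter) Matches(ev HTTPEvent) bool {
	path := ev.Endpoint
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	return anyMatch(f.Endpoints, path) &&
		anyMatch(f.Stages, ev.Stage) &&
		anyMatch(f.Operations, ev.Operation)
}

// Excluded returns the name of the first filter that drops ev, or "" when the
// event would reach the sink.
func Excluded(filters []Filter, ev HTTPEvent) string {
	for _, f := range filters {
		if f.Matches(ev) {
			return f.Name
		}
	}
	return ""
}

// PageFilters are the three filters from this section's HCL example.
var PageFilters = []Filter{
	{Name: "default", Endpoints: []string{"/v1/metrics"}, Stages: []string{"*"}, Operations: []string{"*"}},
	{Name: "globbed example", Endpoints: []string{"/v1/evaluation/*/allocations"}, Stages: []string{"*"}, Operations: []string{"*"}},
	{Name: "OperationReceived GETs", Endpoints: []string{"*"}, Stages: []string{"OperationReceived"}, Operations: []string{"GET"}},
}

func main() {
	// Constructed sample events, not taken from a real agent.
	events := []HTTPEvent{
		{"OperationReceived", "GET", "/v1/metrics?format=prometheus"},
		{"OperationComplete", "POST", "/v1/evaluation/7b1a/allocations"},
		{"OperationReceived", "GET", "/v1/job/web/summary"},
		{"OperationComplete", "GET", "/v1/job/web/summary"},
		{"OperationReceived", "PUT", "/v1/jobs"},
	}
	for _, ev := range events {
		if name := Excluded(PageFilters, ev); name != "" {
			fmt.Printf("DROP  %-17s %-4s %s (filter %q)\n", ev.Stage, ev.Operation, ev.Endpoint, name)
		} else {
			fmt.Printf("WRITE %-17s %-4s %s\n", ev.Stage, ev.Operation, ev.Endpoint)
		}
	}
}
```

Two points worth noticing when writing real filters: under go-glob rules `*` also spans `/`, so `/v1/job/*` would match paths several segments deeper than intended, and dropping only the `OperationReceived` stage for GETs keeps the `OperationComplete` entry, which carries the same request fields plus the status code, so the trail loses only the record that a request started and never finished.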

```hcl
audit {
  enabled = true

  # Filter out all requests and all stages for /v1/metrics
  filter "default" {
    type       = "HTTPEvent"
    endpoints  = ["/v1/metrics"]
    stages     = ["*"]
    operations = ["*"]
  }

  # Filter out requests where the endpoint matches a globbed pattern
  filter "globbed example" {
    type       = "HTTPEvent"
    endpoints  = ["/v1/evaluation/*/allocations"]
    stages     = ["*"]
    operations = ["*"]
  }

  # Filter out OperationReceived GET requests for all endpoints
  filter "OperationReceived GETs" {
    type       = "HTTPEvent"
    endpoints  = ["*"]
    stages     = ["OperationReceived"]
    operations = ["GET"]
  }
}
```

#### `filter` Parameters

- `type` `(string: "HTTPEvent", required)` - Specifies the type of filter to
  create. Currently only `"HTTPEvent"` is supported.

- `endpoints` `(array<string>: [])` - Specifies the list of endpoints to apply
  the filter to.

- `stages` `(array<string>: [])` - Specifies the list of stages
  (`"OperationReceived"`, `"OperationComplete"`, `"*"`) to apply the filter to
  for a matching endpoint.

- `operations` `(array<string>: [])` - Specifies the list of operations to
  apply the filter to for a matching endpoint. For `HTTPEvent` types this
  corresponds to an HTTP verb (GET, PUT, POST, DELETE...).

## Audit Log Format

Below are two audit log entries for a request made to `/v1/job/web/summary`.
The first entry is for the `OperationReceived` stage. The second entry is for
the `OperationComplete` stage and includes the contents of the `OperationReceived`
stage plus a `response` key.

```json
{
  "created_at": "2020-03-24T13:09:35.703869927-04:00",
  "event_type": "audit",
  "payload": {
    "id": "8b826146-b264-af15-6526-29cb905145aa",
    "stage": "OperationReceived",
    "type": "audit",
    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
      "name": "Bootstrap Token",
      "global": true,
      "create_time": "2020-03-24T17:08:35.086591881Z"
    },
    "request": {
      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
      "operation": "GET",
      "endpoint": "/v1/job/web/summary",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33648",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    }
  }
}
{
  "created_at": "2020-03-24T13:09:35.704224536-04:00",
  "event_type": "audit",
  "payload": {
    "id": "8b826146-b264-af15-6526-29cb905145aa",
    "stage": "OperationComplete",
    "type": "audit",
    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
      "name": "Bootstrap Token",
      "global": true,
      "create_time": "2020-03-24T17:08:35.086591881Z"
    },
    "request": {
      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
      "operation": "GET",
      "endpoint": "/v1/job/web/summary",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33648",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    },
    "response": {
      "status_code": 200
    }
  }
}
```

If the request returns an error, the audit log will reflect the error message.

```json
{
  "created_at": "2020-03-24T13:18:36.121978648-04:00",
  "event_type": "audit",
  "payload": {
    "id": "21c6f97a-fbfb-1090-1e34-34d1ece57cc2",
    "stage": "OperationComplete",
    "type": "audit",
    "timestamp": "2020-03-24T13:18:36.121428628-04:00",
    "version": 1,
    "auth": {
      "accessor_id": "anonymous",
      "name": "Anonymous Token",
      "policies": [
        "anonymous"
      ],
      "create_time": "0001-01-01T00:00:00Z"
    },
    "request": {
      "id": "c696cc9e-962e-18b3-4097-e0a09070f89e",
      "operation": "GET",
      "endpoint": "/v1/jobs?prefix=web",
      "namespace": {
        "id": "default"
      },
      "request_meta": {
        "remote_address": "127.0.0.1:33874",
        "user_agent": "Go-http-client/1.1"
      },
      "node_meta": {
        "ip": "127.0.0.1:4646"
      }
    },
    "response": {
      "status_code": 403,
      "error": "Permission denied"
    }
  }
}
```
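A small reviewer for the format above, added here as an example and not part of the page or of Nomad. It pairs the two stages of each request by `payload.id`, and reports three things an operator checks first: requests whose `OperationComplete` never arrived (possible with a `"best-effort"` sink or an agent that died mid-request), requests that failed or were denied, and requests made with the anonymous token. The `Event` struct only declares the fields the page's entries show; the decoder accepts either pretty-printed or one-object-per-line input, so the exact on-disk layout is not assumed. The sample log is constructed for the example: the page's three entries trimmed to those fields, plus one invented `OperationReceived` that never completes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Event holds the audit entry fields this review reads; the JSON keys follow
// the sample entries on this page. Response is a pointer because only
// OperationComplete entries carry it.
type Event struct {
	Payload struct {
		ID    string `json:"id"`
		Stage string `json:"stage"`
		Auth  struct {
			AccessorID string `json:"accessor_id"`
			Name       string `json:"name"`
		} `json:"auth"`
		Request struct {
			Operation   string `json:"operation"`
			Endpoint    string `json:"endpoint"`
			RequestMeta struct {
				RemoteAddress string `json:"remote_address"`
			} `json:"request_meta"`
		} `json:"request"`
		Response *struct {
			StatusCode int    `json:"status_code"`
			Error      string `json:"error"`
		} `json:"response"`
	} `json:"payload"`
}

// Finding is one line of review output; EventID is payload.id, which both
// stages of a request share.
type Finding struct{ Kind, EventID, Detail string }

// Review decodes concatenated JSON audit entries (pretty-printed or one per
// line), pairs stages by payload.id and reports incomplete requests, failed
// or denied requests, and requests made with the anonymous token.
func Review(r io.Reader) ([]Finding, error) {
	dec := json.NewDecoder(r)
	open := map[string]Event{} // OperationReceived entries awaiting completion
	seenAnon := map[string]bool{}
	var findings []Finding
	for {
		var ev Event
		if err := dec.Decode(&ev); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		p := ev.Payload
		where := fmt.Sprintf("%s %s from %s as %q", p.Request.Operation,
			p.Request.Endpoint, p.Request.RequestMeta.RemoteAddress, p.Auth.Name)
		switch p.Stage {
		case "OperationReceived":
			open[p.ID] = ev
		case "OperationComplete":
			delete(open, p.ID) // pair closed
			if p.Response != nil && p.Response.StatusCode >= 400 {
				findings = append(findings, Finding{"failed", p.ID,
					fmt.Sprintf("%d %s: %s", p.Response.StatusCode, p.Response.Error, where)})
			}
		}
		if p.Auth.AccessorID == "anonymous" && !seenAnon[p.ID] {
			seenAnon[p.ID] = true
			findings = append(findings, Finding{"anonymous", p.ID, where})
		}
	}
	// Anything still open never completed: the request is still in flight,
	// the sink is best-effort, or the agent died before OperationComplete.
	for id, ev := range open {
		p := ev.Payload
		findings = append(findings, Finding{"incomplete", id, fmt.Sprintf("%s %s from %s",
			p.Request.Operation, p.Request.Endpoint, p.Request.RequestMeta.RemoteAddress)})
	}
	return findings, nil
}

// sampleLog is constructed for this example: the page's three entries, compacted
// and trimmed to the fields read above, plus one invented OperationReceived
// (an anonymous PUT to /v1/jobs from 10.0.0.5) that never completes.
const sampleLog = `
{"created_at":"2020-03-24T13:09:35.703869927-04:00","event_type":"audit","payload":{"id":"8b826146-b264-af15-6526-29cb905145aa","stage":"OperationReceived","auth":{"accessor_id":"a162f017-bcf7-900c-e22a-a2a8cbbcef53","name":"Bootstrap Token"},"request":{"operation":"GET","endpoint":"/v1/job/web/summary","request_meta":{"remote_address":"127.0.0.1:33648"}}}}
{"created_at":"2020-03-24T13:09:35.704224536-04:00","event_type":"audit","payload":{"id":"8b826146-b264-af15-6526-29cb905145aa","stage":"OperationComplete","auth":{"accessor_id":"a162f017-bcf7-900c-e22a-a2a8cbbcef53","name":"Bootstrap Token"},"request":{"operation":"GET","endpoint":"/v1/job/web/summary","request_meta":{"remote_address":"127.0.0.1:33648"}},"response":{"status_code":200}}}
{"created_at":"2020-03-24T13:18:36.121978648-04:00","event_type":"audit","payload":{"id":"21c6f97a-fbfb-1090-1e34-34d1ece57cc2","stage":"OperationComplete","auth":{"accessor_id":"anonymous","name":"Anonymous Token"},"request":{"operation":"GET","endpoint":"/v1/jobs?prefix=web","request_meta":{"remote_address":"127.0.0.1:33874"}},"response":{"status_code":403,"error":"Permission denied"}}}
{"created_at":"2020-03-24T13:20:01.000000000-04:00","event_type":"audit","payload":{"id":"0f3c9d2e-0000-4000-8000-000000000001","stage":"OperationReceived","auth":{"accessor_id":"anonymous","name":"Anonymous Token"},"request":{"operation":"PUT","endpoint":"/v1/jobs","request_meta":{"remote_address":"10.0.0.5:51234"}}}}
`

func main() {
	findings, err := Review(strings.NewReader(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-10s %s  %s\n", f.Kind, f.EventID, f.Detail)
	}
}
```

To run it against a real sink, pass an `os.Open` of the configured `path` (by default `[data_dir]/audit/audit.log`) to `Review` instead of the sample. Note that an `OperationComplete` with no matching `OperationReceived` is not reported: that is the normal shape of the log when a filter such as the page's `OperationReceived GETs` example is in place.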