Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-28271

Audit records are not created for several memcached events

    XMLWordPrintable

Details

    Description

      Build 5.5.0-1944.

      Setup:

      • 1-node cluster
      • 1 bucket
      • Audit is enabled for all events

      After performing the following operations:

      • Enabling audit
      • Connecting using invalid user name
      • Connecting using valid user name
      • Inserting, reading, updating documents
      • Enabling bucket flush feature
      • Flushing the bucket

      I see only 4 audit events:

      # jq '.' audit.log 
      {
      		 
        "timestamp": "2018-02-20T14:29:40.177296-08:00",
      		 
        "real_userid": {
      		 
          "source": "internal",
      		 
          "user": "couchbase"
      		 
        },
      		 
        "auditd_enabled": true,
      		 
        "descriptors_path": "/opt/couchbase/etc/security",
      		 
        "hostname": "172-23-133-13",
      		 
        "log_path": "/opt/couchbase/var/lib/couchbase/logs",
      		 
        "rotate_interval": 86400,
      		 
        "version": 2,
      		 
        "uuid": "19611918",
      		 
        "id": 4096,
      		 
        "name": "configured audit daemon",
      		 
        "description": "loaded configuration file for audit daemon"
      		 
      }
      		 
      {
      		 
        "timestamp": "2018-02-20T14:30:35.288667-08:00",
      		 
        "peername": "172.23.133.10:59122",
      		 
        "sockname": "172.23.133.13:11210",
      		 
        "real_userid": {
      		 
          "source": "memcached",
      		 
          "user": "bucket-1"
      		 
        },
      		 
        "reason": "Unknown user",
      		 
        "id": 20481,
      		 
        "name": "authentication failed",
      		 
        "description": "Authentication to the cluster failed"
      		 
      }
      		 
      {
      		 
        "props": {
      		 
          "compression_mode": "off",
      		 
          "max_ttl": 0,
      		 
          "storage_mode": "couchstore",
      		 
          "eviction_policy": "value_only",
      		 
          "num_threads": 3,
      		 
          "flush_enabled": true,
      		 
          "purge_interval": "undefined",
      		 
          "ram_quota": 40359690240,
      		 
          "num_replicas": 1
      		 
        },
      		 
        "type": "membase",
      		 
        "bucket_name": "bucket",
      		 
        "real_userid": {
      		 
          "source": "ns_server",
      		 
          "user": "Administrator"
      		 
        },
      		 
        "sessionid": "288ab628027e1513ed111dc6a786a12e",
      		 
        "remote": {
      		 
          "ip": "10.17.5.113",
      		 
          "port": 58340
      		 
        },
      		 
        "timestamp": "2018-02-20T14:39:15.393-08:00",
      		 
        "id": 8202,
      		 
        "name": "modify bucket",
      		 
        "description": "Bucket was modified"
      		 
      }
      		 
      {
      		 
        "bucket_name": "bucket",
      		 
        "real_userid": {
      		 
          "source": "ns_server",
      		 
          "user": "Administrator"
      		 
        },
      		 
        "sessionid": "fecec6605eec2a727e2f0f263d6354f2",
      		 
        "remote": {
      		 
          "ip": "10.17.5.113",
      		 
          "port": 58348
      		 
        },
      		 
        "timestamp": "2018-02-20T14:39:23.196-08:00",
      		 
        "id": 8204,
      		 
        "name": "flush bucket",
      		 
        "description": "Bucket was flushed"
      		 
      }


      > curl -s http://Administrator:password@172.23.133.13:8091/settings/audit | jq '.'
      		 
      {
      		 
        "disabled": [],
      		 
        "uid": "19611918",
      		 
        "auditdEnabled": true,
      		 
        "disabledUsers": [],
      		 
        "logPath": "/opt/couchbase/var/lib/couchbase/logs",
      		 
        "rotateInterval": 86400,
      		 
        "rotateSize": 20971520
      		 
      }

      Attachments

        Issue Links

          blocks

          Task - A task that needs to be done. MB-28276 Auditing requires up to one CPU core per 20K events/sec

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MB-28439 N1QL events are not stored even when enabled

          • Major - Major loss of function.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              pavelpaulau Pavel Paulau (Inactive)
              pavelpaulau Pavel Paulau (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty