Auditing
Couchbase Server provides event-auditing, sending corresponding output to target files.
Introduction to Auditing
The Couchbase Server auditing facility recognizes specific events, which can be configured to produce logged output: the output is written to a specific target file, which is periodically rotated.
List of Audit Events
Events audited by Couchbase Server include successful and failed logins, events associated with cluster and bucket configuration, and the use of tools that require administrative privileges. Corresponding information is captured in output targets, which are files in JSON format.
Couchbase Server generates audit events whenever the following actions occur:
- Login succeeded or failed
- Audit configuration changed
- Auditing enabled or disabled
- Node added to cluster
- Node removed from cluster
- Node failed over
- Cluster rebalanced
- System started or shut down
- Bucket created
- Bucket deleted
- Bucket flushed
- Bucket-settings modified
- Disk or index path changed
- Remote cluster-reference established
- Remote cluster-reference updated
- Remote cluster-reference deleted
- User added
- User removed
- XDCR reference created
- XDCR reference updated
- XDCR reference deleted
- XDCR replication paused or resumed
- XDCR replication-settings updated
- XDCR replication created
- XDCR replication canceled
- Auto failover enabled
- Auto failover disabled
- Auto failover-count reset
- Cluster alerts enabled
- Cluster alerts disabled
- Index-node added or removed
- Server-group created
- Node added to server-group
- Node removed from server-group
- Server-group deleted
- Password changed or reset
- FTS index created or updated
- FTS index deleted
- FTS index control-command issued
- FTS configuration refreshed
- FTS configuration replanned
- GC run triggered
- CPU profiling started
- Memory profiling started
- Self-signed SSL certificate regenerated
- LDAP authentication-settings modified
- Encryption key-rotation requested
- Compaction settings modified
- Bucket compression mode modified
- Bucket TTL modified
Audit Fields
The table below contains some frequently used audit fields with corresponding descriptions. Note that different event-types generate different field-subsets.
| Field | Type | Description |
|---|---|---|
| | string | The audit-type. For example, Login, Startup, Shutdown, Password, AuditStart, AuditStop, AuditTruncate. |
| | document | Contains the date and UTC time of the event in ISO 8601 format. For example, http://www.w3.org/TR/NOTE-datetime. |
| | integer | A unique identifier for the event-type. |
| | document | A JSON document that contains the local IP-address and the port-number of the running instance. |
| | document | A JSON document that contains the remote IP-address, the port-number, and additional information on the service used on the incoming connection associated with the event. Possible services include |
| | string | A string that identifies the user. |
| | document | Information dependent on the event-type. For example, for a bucket-operation, the bucket name is captured. |
| | integer or string | An error-code or other message, related to the attempted operation. |
Audit Log Targets
When auditing is enabled, logged events are written to a default file, named `audit.log`.
After an administrator-specified period — which must be a minimum of 15 minutes and a maximum of 7 days — this file is closed, and is saved under a modified name that features a timestamp corresponding to the time of saving.
A new, empty `audit.log` file is created and saved when a new audit event is generated.
Note that this rotation may happen earlier if the file reaches its maximum size of 20MB.
For instructions on configuring the file’s rotation time, see Auditing.
Login
An audit-record for a successful login might appear as follows:
```json
{
  "timestamp":"2015-02-20T08:48:49.408-08:00",
  "id":8192,
  "name":"login success",
  "description":"Successful login to couchbase cluster",
  "role":"admin",
  "real_userid": {
    "source":"ns_server",
    "user":"bjones"
  },
  "sessionid":"0fd0b5305d1561ca2b10f9d795819b2e",
  "remote":{
    "ip":"172.23.107.165", "port":59383
  }
}
```
In this example, a user named `bjones` has successfully logged into a Couchbase cluster from the remote IP address 172.23.107.165.
Login Failure
The following audit-record indicates that a login attempt failed:
```json
{
  "real_userid": {
    "source": "rejected",
    "user": "auditBucketUser"
  },
  "remote": {
    "ip": "127.0.0.1",
    "port": 64416
  },
  "timestamp": "2017-03-16T15:45:27.420Z",
  "id": 8193,
  "name": "login failure",
  "description": "Unsuccessful attempt to login to couchbase cluster"
}
```
This record indicates that a user named `auditBucketUser` incurred an `Unsuccessful attempt to login to couchbase cluster` on `2017-03-16` at `15:45:27`.
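Login records like the two above can be correlated by remote address to spot repeated failures and a success that follows them. The following is an added example, not Couchbase code: it assumes one JSON record per line in time order, and the threshold, window and sample lines (documentation-range addresses) are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_SUCCESS, LOGIN_FAILURE = 8192, 8193    # event ids from the records above

def parse_ts(value):   # handles both styles shown above: 'Z' and '-08:00'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (kind, ip, user, timestamp) alerts for time-ordered audit lines."""
    recent, alerts = defaultdict(deque), []  # recent: remote ip -> failure times
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                         # blank or partially written line
        if rec.get("id") not in (LOGIN_SUCCESS, LOGIN_FAILURE):
            continue
        ip = rec.get("remote", {}).get("ip", "unknown")
        user = rec.get("real_userid", {}).get("user", "unknown")
        ts = parse_ts(rec["timestamp"])
        fails = recent[ip]
        while fails and ts - fails[0] > window:
            fails.popleft()                  # forget failures outside the window
        if rec["id"] == LOGIN_FAILURE:
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append(("failure_burst", ip, user, rec["timestamp"]))
        elif len(fails) >= threshold:
            alerts.append(("success_after_burst", ip, user, rec["timestamp"]))
    return alerts

# Constructed sample lines (not real log data), holding only the fields used above.
def sample_line(event_id, user, ip, ts):
    return json.dumps({"id": event_id, "real_userid": {"user": user},
                       "remote": {"ip": ip, "port": 64416}, "timestamp": ts})

SAMPLE = [
    sample_line(8193, "auditBucketUser", "192.0.2.10", "2017-03-16T15:45:27.420Z"),
    sample_line(8193, "auditBucketUser", "192.0.2.10", "2017-03-16T15:45:40.000Z"),
    sample_line(8192, "bjones", "198.51.100.7", "2017-03-16T15:45:50.000Z"),
    sample_line(8193, "auditBucketUser", "192.0.2.10", "2017-03-16T15:46:02.000Z"),
    sample_line(8192, "auditBucketUser", "192.0.2.10", "2017-03-16T07:46:30.000-08:00"),
    sample_line(8193, "auditBucketUser", "192.0.2.10", "2017-03-16T16:10:00.000Z"),
]

if __name__ == "__main__":
    print(*detect_login_bursts(SAMPLE), sep="\n")
```

The fifth sample line carries a `-08:00` offset and still falls inside the window, because the timestamps are compared as timezone-aware values rather than as strings.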
Bucket Creation
The audit-record below corresponds to the creation of a bucket.
```json
{
  "props":{
    "compression_mode":"off",
    "max_ttl":12000,
    "storage_mode":"couchstore",
    "conflict_resolution_type":"seqno",
    "eviction_policy":"value_only",
    "num_threads":3,
    "flush_enabled":false,
    "purge_interval":"undefined",
    "ram_quota":163577856,
    "replica_index":false,
    "num_replicas":1
  },
  "type":"membase",
  "bucket_name":"ProductionBucket",
  "real_userid":{
    "source":"ns_server",
    "user":"Administrator"
  },
  "sessionid":"5dd53fe63703c7fdc45ff75596e39a35",
  "remote":{
    "ip":"127.0.0.1",
    "port":61908
  },
  "timestamp":"2018-02-07T15:22:54.960Z",
  "id":8201,
  "name":"create bucket",
  "description":"Bucket was created"
}
```
This record indicates that a `Bucket was created` on `2018-02-07` at `15:22:54`; that the bucket was named `ProductionBucket`; and that its eviction-policy was defined as `value_only`.
The bucket was created by the system’s full `Administrator`.
Bucket TTL Modification
The audit-record below corresponds to the modification of Bucket TTL, for the bucket created immediately above.
```json
{
  "props":{
    "max_ttl":15000,
    "storage_mode":"couchstore",
    "eviction_policy":"value_only",
    "num_threads":3,
    "flush_enabled":false,
    "purge_interval":"undefined",
    "ram_quota":163577856,
    "num_replicas":1
  },
  "type":"membase",
  "bucket_name":"ProductionBucket",
  "real_userid":{
    "source":"ns_server",
    "user":"Administrator"
  },
  "sessionid":"12774a2e146c650eeed8c6d9486857ad",
  "remote":{
    "ip":"127.0.0.1","port":61966
  },
  "timestamp":"2018-02-07T15:23:51.350Z",
  "id":8202,
  "name":"modify bucket",
  "description":"Bucket was modified"
}
```
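The modification record above lists the bucket's settings but not which of them changed; comparing it with the previous record for the same bucket shows that. The following is an added example, not Couchbase code: the function name and output layout are assumptions, and the input is the two `ProductionBucket` records from this page reduced to the fields used.

```python
import json

BUCKET_CREATED, BUCKET_MODIFIED = 8201, 8202   # event ids from the records above

def bucket_prop_changes(records):
    """For each 'modify bucket' record, report which props differ from the
    last values seen for that bucket, and which props the record omits."""
    baseline = {}                                # bucket_name -> last known props
    findings = []
    for rec in records:
        if rec.get("id") not in (BUCKET_CREATED, BUCKET_MODIFIED):
            continue
        name, props = rec["bucket_name"], rec.get("props", {})
        before = baseline.get(name)
        if rec["id"] == BUCKET_MODIFIED and before is not None:
            findings.append({
                "bucket": name,
                "user": rec.get("real_userid", {}).get("user"),
                "timestamp": rec.get("timestamp"),
                "changed": {k: (before[k], v) for k, v in props.items()
                            if k in before and before[k] != v},
                "added": sorted(set(props) - set(before)),
                "not_reported": sorted(set(before) - set(props)),
            })
        # Keep omitted props in the baseline so a later record can still be compared.
        baseline[name] = {**(before or {}), **props}
    return findings

# The two ProductionBucket records from this page, reduced to the fields used here.
RECORDS = [json.loads(doc) for doc in (
    '{"id":8201,"bucket_name":"ProductionBucket","timestamp":"2018-02-07T15:22:54.960Z",'
    '"real_userid":{"source":"ns_server","user":"Administrator"},'
    '"props":{"compression_mode":"off","max_ttl":12000,"storage_mode":"couchstore",'
    '"conflict_resolution_type":"seqno","eviction_policy":"value_only","num_threads":3,'
    '"flush_enabled":false,"purge_interval":"undefined","ram_quota":163577856,'
    '"replica_index":false,"num_replicas":1}}',
    '{"id":8202,"bucket_name":"ProductionBucket","timestamp":"2018-02-07T15:23:51.350Z",'
    '"real_userid":{"source":"ns_server","user":"Administrator"},'
    '"props":{"max_ttl":15000,"storage_mode":"couchstore","eviction_policy":"value_only",'
    '"num_threads":3,"flush_enabled":false,"purge_interval":"undefined",'
    '"ram_quota":163577856,"num_replicas":1}}',
)]

if __name__ == "__main__":
    for finding in bucket_prop_changes(RECORDS):
        print(finding)
```

For these two records the only changed value is `max_ttl`, from 12000 to 15000; the keys under `not_reported` are absent from the modification record, so their current values cannot be confirmed from it alone.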
User Creation
The audit-record below corresponds to the creation of a user.
```json
{
  "roles": [
    "ro_admin"
  ],
  "identity": {
    "source": "builtin",
    "user": "auditBucketUser2"
  },
  "real_userid": {
    "source": "ns_server",
    "user": "Administrator"
  },
  "sessionid": "dca284b5efe1937a1a4085ef88c2fbcb",
  "remote": {
    "ip": "127.0.0.1",
    "port": 64416
  },
  "timestamp": "2017-03-16T15:44:32.254Z",
  "id": 8232,
  "name": "set user",
  "description": "User was added or updated"
}
```
This record indicates that a user named `auditBucketUser2` was created by the full `Administrator` on `2017-03-16` at `15:44:32`; and that the user was given the role of `ro_admin`.
Index Creation
The following audit-record indicates that an index was created or updated:
```json
{
  "timestamp": "2017-03-16T16:12:36.198Z",
  "real_userid": {
    "source": "ns_server",
    "user": "Administrator"
  },
  "index_name": "def-airportname",
  "id": 24577,
  "name": "Create/Update index",
  "description": "FTS index was created/Updated"
}
```
This record indicates that an `FTS` index named `def-airportname` was created or updated on `2017-03-16` at `16:12:36`.