Audit logging in Cassandra logs every incoming CQL command request, as well as authentication (successful and unsuccessful logins) to a C* node. Two implementations are currently provided; a custom logger can also be implemented and injected by giving its class name as a parameter in cassandra.yaml.
BinAuditLogger: An efficient way to log events to file in a binary format.
FileAuditLogger: Logs events to audit/audit.log file using slf4j logger.
Recommendation: BinAuditLogger is a community recommended logger considering the performance.
Audit logging captures the following events
Executing prepared statements will log the query as provided by the client in the prepare call, along with the execution time stamp and all other attributes (see below). Actual values bound for prepared statement execution will not show up in the audit log.
Each audit log implementation has access to the following attributes, and for the default text based logger these fields are concatenated with |s to yield the final message.
user: User name (if available)
host: Host IP, where the command is being executed
source ip address: Source IP address from where the request initiated
source port: Source port number from where the request initiated
timestamp: unix time stamp
type: Type of the request (SELECT, INSERT, etc.)
category: Category of the request (DDL, DML, etc.)
keyspace: Keyspace (if applicable) on which request is targeted to be executed
scope: Table/Aggregate name/function name/trigger name etc., as applicable
operation: CQL command being executed
Auditlog can be configured using cassandra.yaml. If you want to try Auditlog on one node, it can also be enabled and configured using nodetool.
enabled: This option enables/disables audit log
logger: Class name of the logger/custom logger.
audit_logs_dir: Auditlogs directory location, if not set, default to cassandra.logdir.audit or cassandra.logdir + /audit/
included_keyspaces: Comma separated list of keyspaces to be included in audit log, default - includes all keyspaces
excluded_keyspaces: Comma separated list of keyspaces to be excluded from audit log, default - excludes no keyspace except system, system_schema and system_virtual_schema
included_categories: Comma separated list of Audit Log Categories to be included in audit log, default - includes all categories
excluded_categories: Comma separated list of Audit Log Categories to be excluded from audit log, default - excludes no category
included_users: Comma separated list of users to be included in audit log, default - includes all users
excluded_users: Comma separated list of users to be excluded from audit log, default - excludes no user
The available categories are: QUERY, DML, DDL, DCL, OTHER, AUTH, ERROR, PREPARE
enableauditlog: Enables AuditLog with yaml defaults. The yaml configuration can be overridden using options to the nodetool command.
nodetool enableauditlog
--excluded-categories
--excluded-keyspaces
--excluded-users
--included-categories
--included-keyspaces
--included-users
--logger
enableauditlog: The nodetool enableauditlog command can be used to reload auditlog filters when called with the default or previous logger name and updated filters.
E.g.,
nodetool enableauditlog --logger <Default/ existing loggerName> --included-keyspaces <New Filter values>
auditlogviewer is the new tool introduced to help view the contents of binlog file in human readable text format.
auditlogviewer <path1> [<path2>...<pathN>] [options]
-f,--follow
-r,--roll_cycle
-h,--help
For example, to dump the contents of audit log files on the console
auditlogviewer /logs/cassandra/audit
LogMessage: user:anonymous|host:localhost/X.X.X.X|source:/X.X.X.X|port:60878|timestamp:1521158923615|type:USE_KS|category:DDL|ks:dev1|operation:USE "dev1"
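The text format above can be parsed for review or alerting. The following is an added example, not part of the Cassandra documentation or code base: the function names and the second sample line are constructed, and it assumes each record is a single line prefixed with LogMessage: as in the output above. It shows why the operation field has to be cut off before splitting on |, since the CQL text may itself contain | or :.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the format shown above (not real log data).
SAMPLE = [
    'LogMessage: user:anonymous|host:localhost/X.X.X.X|source:/X.X.X.X|port:60878'
    '|timestamp:1521158923615|type:USE_KS|category:DDL|ks:dev1|operation:USE "dev1"',
    'LogMessage: user:app|host:localhost/X.X.X.X|source:/X.X.X.X|port:60879'
    '|timestamp:1521158924000|type:SELECT|category:QUERY|ks:dev1|scope:t1'
    "|operation:SELECT * FROM t1 WHERE note = 'a|b:c'",
    'not an audit record',
]
PREFIX = "LogMessage: "  # assumption: one record per line, prefixed as above


def parse_audit_line(line):
    """Return a dict of audit fields, or None if the line is not a record."""
    if not line.startswith(PREFIX):
        return None
    # operation is the last field and holds raw CQL, which may itself contain
    # '|' or ':'; cut it off first instead of splitting the whole line on '|'.
    head, sep, operation = line[len(PREFIX):].partition("|operation:")
    if not sep:
        return None
    record = {"operation": operation}
    for field in head.split("|"):
        key, colon, value = field.partition(":")  # split on the first ':' only
        if not colon:
            return None
        record[key] = value
    ts = record.get("timestamp", "")
    if ts.isdecimal():  # the sample value is milliseconds since the epoch
        record["time"] = (datetime.fromtimestamp(int(ts) // 1000, timezone.utc)
                          + timedelta(milliseconds=int(ts) % 1000))
    return record


def records_in_categories(lines, categories=("DDL", "DCL", "AUTH")):
    """Return parsed records whose category is in `categories`."""
    parsed = (parse_audit_line(line) for line in lines)
    return [r for r in parsed if r and r.get("category") in categories]


if __name__ == "__main__":
    for rec in records_in_categories(SAMPLE):
        print(rec.get("time"), rec["user"], rec["type"], rec["operation"])
```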
To use BinAuditLogger as a logger in AuditLogging, set the logger to BinAuditLogger in cassandra.yaml under the audit_logging_options section. BinAuditLogger can be further configured using its advanced options in cassandra.yaml.
block: true, so that AuditLog records won't be lost
max_queue_weight: 256 * 1024 * 1024
max_log_size: 16L * 1024L * 1024L * 1024L
roll_cycle: "HOURLY"
To use FileAuditLogger as a logger in AuditLogging, apart from setting the class name in cassandra.yaml, the following configuration is needed for the audit log events to flow through a separate log file instead of system.log:
<!-- Audit Logging (FileAuditLogger) rolling file appender to audit.log -->
<appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <file>${cassandra.logdir}/audit/audit.log</file>
  <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
    <!-- rollover daily -->
    <fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern>
    <!-- each file should be at most 50MB, keep 30 days worth of history, but at most 5GB -->
    <maxFileSize>50MB</maxFileSize>
    <maxHistory>30</maxHistory>
    <totalSizeCap>5GB</totalSizeCap>
  </rollingPolicy>
  <encoder>
    <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
  </encoder>
</appender>
<!-- Audit Logging additivity to redirect audit logging events to audit/audit.log -->
<logger name="org.apache.cassandra.audit" additivity="false" level="INFO">
  <appender-ref ref="AUDIT"/>
</logger>