Configuring audit logging to a logback log file
Configuring audit logging in DataStax Enterprise.
If you've enabled audit logging and set the logger to output to the SLF4JAuditWriter
as described in Configuring and using data auditing, you can configure the logger
by setting options in logback.xml. DataStax Enterprise places
the audit log in the directory defined in the
logback.xml configuration file. After the log file
reaches the configured size threshold, it rolls over, and the log file name is
changed. The file names include a numerical suffix that is determined by the
maxBackupIndex
property.
Installer-Services and Package installations | /etc/dse/cassandra/logback.xml |
Installer-No Services and Tarball installations | install_location/resources/cassandra/logback.xml |
Sensitive data in log files
Because auditing is configured through a text file in the file system, the file is vulnerable to OS-level security breaches. You can address this issue by changing DataStax Enterprise's umask setting to change the permissions to 600 on the audit files by default. Be aware that if other tools look at the data, changing this setting can cause read problems. Alternately, you can store the audit file on an OS-level encrypted file system such as Vormetric.
- A password is inserted in a table in a column named password.
- And the audit logging options in dse.yaml are set to
included_categories: DML, ...
to include DML (insert, update, delete and other data manipulation language events) in the audit log. - You can redact the values for that column so that passwords do not show in
the log. Use the following to replace that string in the <encoder>
section of the logback.xml
file:
<encoder> <pattern>%-5level [%thread] %date{ISO8601} %X{service} %F:%L - %replace(%msg){"password='.*'", "password='xxxxx'"}%n</pattern> ... </encoder>
Configuring data auditing
You can configure which categories of audit events to log, and whether to omit operations against specific keyspaces from audit logging.