Enabling data auditing in DataStax Enterprise

The audit logger logs information only on nodes set up for logging. For example, node 0 has audit turned on, node 1 does not. This configuration means that issuing updates and other commands on node 1 does not affect the node 0 audit log. For maximum information from data auditing, turn on data auditing on every node.

Audit logs can be written to either file system log files or to a database table:

System log files Database tables

When you turn on audit logging, the default is to write to logback file system log files. Logging functionality uses Simple Logging Facade for Java (SLF4J) with a logback backend.

As audit logs increase in size, logging audit data to a table is more useful.

File-based logs are stored per node and are secured with standard Linux file system permissions.

Audit events stored in database tables can be secured like any other table using RBAC, see Managing roles. For example, store database table-based logs in encrypted SSTables. Control access to the tables with object permissions.

The log files can be read from a terminal for troubleshooting queries or managing security.

Larger clusters use tables because logback audit logs become cumbersome. The data can be queried like any other table, making analysis easier and custom audit reports possible.

Audit logging of queries and prepared statements submitted to the DataStax drivers, which use the CQL binary protocol, is supported.

When using audit logging with Kerberos authentication, the login events take place on Kerberos and are not logged in DataStax Enterprise. Authentication history is available only on Kerberos. When DataStax Enterprise is unable to authenticate a client with Kerberos, a LOGIN_ERROR event is logged.

Procedure

  1. Open the dse.yaml file in a text editor.

  2. In the audit_logging_options section, set enabled to true.

    # Audit logging options
    audit_logging_options:
        enabled: true
  3. Set the logger option to either:

    • CassandraAuditWriter

      Logs to a table.

    • SLF4JAuditWriter

      Logs to the SLF4J logger.

  4. To include or exclude event categories from being logged, add the event types included_categories or excluded_categories and specify the categories in a comma separated list. You can set either event type, but not both.

    Setting Logging

    AUTH

    Logs login events.

    DML

    Logs insert, update, delete and other data manipulation language (DML) events.

    DDL

    Logs object and role create, alter, drop, and other data definition language (DDL) events.

    DCL

    Logs grant, revoke, create role, drop role, and list roles events.

    QUERY

    Logs all queries.

    The authenticator determines whether DataStax Enterprise audit logs include login events:

    • When using audit logging with DataStax Unified Authentication, the login events with the native protocol authentication are logged in DataStax Enterprise.

    • When using audit logging with internal authentication, the login events take place as part of connection negotiation and are not logged in DataStax Enterprise.

  5. To include or exclude database keyspaces from being logged, add a comma separated list of keyspaces to the included_keyspaces or excluded_keyspaces options. You can set either one, but not both.

    When whitelisting keyspaces, included_keyspaces, AUTH messages are not captured.

  6. If you are logging to a database table, set the retention time for logged events by setting the retention_time option to the number of hours the events should be retained. The default value is 0, which retains all event data indefinitely.

  7. Configure the audit logging writer.

Example

The following example sets the audit logger to log to a database table.

# Audit logging options
audit_logging_options:
    enabled: true
    logger: CassandraAuditWriter

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com