Configuring security logging

About this task

Configure comprehensive security logging in logback.xml that records user activity within OpsCenter, such as:

  • Creating or deleting users and roles

  • Adding or deleting users from roles

  • Changing permissions for a role, including the specific details about all permission changes

  • Resetting user passwords

  • Login attempts, both successful and unsuccessful

For LDAP authentication, all login attempts that are anonymous or admin binds are also logged. The OpsCenter authentication log entries should match the LDAP logs exactly.

For more information, see OpsCenter logback.xml configuration.

Procedure

  1. Locate the logback.xml file. The location of this file depends on the type of installation:

    • Package installations: /etc/opscenter/logback.xml

    • Tarball installations: install_location/conf/logback.xml

  2. Open logback.xml for editing.

  3. Ensure the Security Audit logger is included in logback.xml:

    <!-- Security Audit logger -->
    <logger name="opscenterd.security-audit" additivity="false">
        <appender-ref ref="security" />
    </logger>

  4. Add the following section:

    <!-- Referenced by the opscenterd.security-audit logger (step 3) through its appender-ref -->
    <appender name="security" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>./log/security.log</file>
        <encoder>
            <pattern>%date{ISO8601, UTC} [%X{cluster_id}] %msg (%thread)%n%exception{20}</pattern>
        </encoder>
        <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
            <fileNamePattern>./log/security.%i.log</fileNamePattern>
            <minIndex>1</minIndex>
            <maxIndex>10</maxIndex>
        </rollingPolicy>
        <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
            <maxFileSize>10MB</maxFileSize>
        </triggeringPolicy>
        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
            <level>INFO</level>
        </filter>
    </appender>

  5. To get JSON-encoded details of the audit event, include ==%X{structured}== in the <pattern>:

    <pattern>%date{ISO8601, UTC} [%X{cluster_id}] %msg ==%X{structured}== (%thread)%n%exception{20}</pattern>

    == is a delimiter that separates the plain text from the JSON string.

  6. Restart OpsCenter.

Example

Log output:

2016-04-07 21:42:16,664 [] Login failure user: foo (MainThread)

Structured log output:

2016-04-07 21:42:16,664 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)
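
The structured output is what a detection pipeline would consume. As an added example (not part of the OpsCenter documentation or product), the following Python code parses security.log lines written with the step 5 pattern and flags user/IP pairs with repeated login-failure events; the function names, threshold, time window, and sample lines are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the step 5 pattern: date [cluster_id] msg ==JSON== (thread)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<cluster>[^\]]*)\] "
    r"(?P<msg>.*?) ==(?P<structured>\{.*\})== \((?P<thread>[^)]*)\)$"
)

def parse_line(line):
    """Return the audit event as a dict with a UTC 'ts', or None without a JSON part."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # plain-text line, stack trace, or empty %X{structured}
    try:
        event = json.loads(m.group("structured"))
    except json.JSONDecodeError:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    event["ts"] = ts.replace(tzinfo=timezone.utc)  # the pattern logs in UTC
    return event

def repeated_login_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return sorted (user, ip) pairs with >= threshold failures inside window."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps still inside the window
    flagged = set()
    for line in lines:
        event = parse_line(line)
        if not event or event.get("event") != "login-failure":
            continue
        key = (str(event.get("user")), str(event.get("ip")))
        times = recent[key]
        times.append(event["ts"])
        while event["ts"] - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            flagged.add(key)
    return sorted(flagged)

# Constructed sample lines in the format shown above (not real log data).
SAMPLE = [
    '2016-04-07 21:42:16,664 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)',
    '2016-04-07 21:42:50,101 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)',
    '2016-04-07 21:43:31,007 [] Login failure user: foo =={"event": "login-failure", "user": "foo", "opsc-initiated": false, "ip": "0:0:0:0:0:0:0:1"}== (MainThread)',
    '2016-04-07 21:44:02,250 [] Login failure user: bar =={"event": "login-failure", "user": "bar", "opsc-initiated": false, "ip": "10.0.0.5"}== (MainThread)',
    '2016-04-07 21:45:10,000 [] Login failure user: foo (MainThread)',
]
```

Lines written without the ==%X{structured}== part, such as the last sample line, are skipped by the parser rather than guessed at.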
