Backtrace provides audit log capabilities for customers. The audit log includes all login requests and configuration changes (including user management). Each entry carries additional metadata, including the originating IP address.
Enabling the audit log for on-premise
The following stanza is required in your coronerd.conf file (usually in /etc/coronerd):

    "audit" : {
        "path" : "/var/log/coronerd/audit.db"
    }
The default retention policy is 6 months, but it is possible to tune this. The age_seconds integer is the number of seconds an audit log entry should be stored for before being removed. For example, the stanza below specifies that audit log entries older than 1 hour (3600 seconds) qualify for removal by the Backtrace system.

    "audit" : {
        "path" : "/var/log/coronerd/audit.db",
        "age_seconds": 3600
    }
Viewing the audit log
Once the audit log is enabled, it is possible to extract the contents of the log by using the morgue tool or by making a copy of the audit log file directly. With morgue, the morgue audit extract command extracts the log and renders it in a text format.

The --table option renders this data in a tabular format for your terminal, as seen below.

It is also possible to render the audit log as a JSON object, using the --json option.
Filtering the audit log
Traditional utilities such as grep or jq are used for more advanced filtering of the audit log. For example, below we filter all audit log entries for the configuration subsystem.
Multitenant Configuration and Access Control
Regular users and administrators have access to audit logs belonging to their tenant (universe), and only to their tenant. A superuser has access to audit logs for all tenants. It is possible for a superuser to filter on a particular tenant by specifying the --universe option to morgue audit extract. For example, morgue audit extract --universe=A would provide audit log entries for tenant A.
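The three operations described on this page (expiring entries older than age_seconds, filtering the JSON output by subsystem, and restricting what a tenant user may see versus a superuser) are shown together below as an added example. This is not Backtrace's or morgue's own code: the audit entries are constructed inline, and the field names timestamp, universe, subsystem, action, user and ip are assumptions for the example, not the documented output schema of morgue audit extract --json.

```python
import json

# Constructed sample of what `morgue audit extract --json` might emit.
# Field names are an ASSUMPTION for this example, not the real schema.
SAMPLE_AUDIT_JSON = json.dumps([
    {"timestamp": 1700000000, "universe": "A", "subsystem": "login",
     "action": "login", "user": "alice", "ip": "203.0.113.10"},
    {"timestamp": 1700003000, "universe": "A", "subsystem": "configuration",
     "action": "update", "user": "alice", "ip": "203.0.113.10"},
    {"timestamp": 1700003500, "universe": "B", "subsystem": "user",
     "action": "create", "user": "bob", "ip": "198.51.100.7"},
    {"timestamp": 1700003600, "universe": "B", "subsystem": "configuration",
     "action": "update", "user": "bob", "ip": "198.51.100.7"},
])


def load_entries(raw):
    """Parse the JSON rendering of the audit log into a list of dicts."""
    return json.loads(raw)


def filter_entries(entries, subsystem=None, universe=None):
    """Keep entries matching the given subsystem and/or universe.

    This is the in-process equivalent of piping the JSON through
    `jq 'select(...)'`; a None argument means 'no constraint'.
    """
    out = []
    for e in entries:
        if subsystem is not None and e.get("subsystem") != subsystem:
            continue
        if universe is not None and e.get("universe") != universe:
            continue
        out.append(e)
    return out


def visible_to(entries, user_universe, superuser=False):
    """Apply the tenant scoping rule from the page.

    A regular user or administrator sees only entries for their own
    universe; a superuser sees every tenant (and may narrow with
    filter_entries, as --universe does on the command line).
    """
    if superuser:
        return list(entries)
    return filter_entries(entries, universe=user_universe)


def expired(entries, age_seconds, now):
    """Return entries that qualify for removal under age_seconds.

    An entry older than age_seconds at time `now` qualifies; `now` is
    passed in explicitly so the result is deterministic and testable.
    """
    cutoff = now - age_seconds
    return [e for e in entries if e["timestamp"] < cutoff]


def render_table(entries):
    """Render entries as fixed-width rows, in the spirit of --table."""
    cols = ("timestamp", "universe", "subsystem", "action", "user", "ip")
    rows = [cols] + [tuple(str(e.get(c, "")) for c in cols) for e in entries]
    widths = [max(len(r[i]) for r in rows) for i in range(len(cols))]
    return "\n".join(
        "  ".join(cell.ljust(widths[i]) for i, cell in enumerate(row))
        for row in rows
    )


if __name__ == "__main__":
    entries = load_entries(SAMPLE_AUDIT_JSON)
    print(render_table(filter_entries(entries, subsystem="configuration")))
    print()
    print(render_table(visible_to(entries, "A")))
    print()
    # With age_seconds=3600 and a clock one hour past the newest entry,
    # everything but the newest entry qualifies for removal.
    print(render_table(expired(entries, 3600, now=1700007200)))
```

The expiry check is done on the client side here purely to make the age_seconds rule concrete; on a real deployment it is coronerd that removes aged entries from audit.db, and the tenant-scoping function models the access rule rather than enforcing it.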