A newer version of this documentation is available.

View Latest

Auditing

Actions performed on Couchbase Server can be audited. This allows administrators to ensure that system-management tasks are being appropriately performed.

Audit Records and Their Content

The records created by the Couchbase Auditing facililty capture information on who has performed what action, when, and how successfully. The records are created by Couchbase Server-processes, which run asynchronously. Each record is stored as a JSON document, which can be retrieved and inspected.

Audit Configuration

Auditing can be configured by the Full Admin and Security Admin roles, and read by the Read-Only Admin role, using Couchbase Web Console. Proceed as follows.

Access Couchbase Web Console, and left-click on the Security tab, in the vertical navigation-bar, at the left-hand side of the Dashboard:

securityTabWithHandCursor

This brings up the Security screen, which appears as follows:

securityViewInitialNoUsers

The initial, default view is for Users. To select auditing, left-click on the Audit tab, on the horizontal control-bar, near the top:

auditTab

This brings up the Audit view:

auditView

To enable auditing, check the Audit events & write them to a log checkbox:

enableAuditing

This makes the default pathname within the Audit Log Directory text-field editable. For Linux, the pathname is /opt/couchbase/var/lib/couchbase/logs; for Windows, C:\Program Files\Couchbase\Server\var\lib\couchbase\logs; for MacOS, /Users/couchbase/Library/Application Support/Couchbase/var/lib/couchbase/logs.

If you wish to modify the pathname, enter the appropriate content. Records will be saved to the directory you specify. Note the advisory message now visible beneath the checkbox: as this indicates, electing to audit a wide range of events may significantly impact performance and consume disk-space.

The Log Rotation time interval & size trigger determines at what times stored log files — referred to as targets — are rotated: this means that the current default file, to which records are being written, named audit.log, is saved under a new name, which features an appended timestamp. For example: usermachinename`.local-2017-03-16T15-42-18-audit.log`.

The number of time-units is specified by changing the number 1, which appears in the interactive field by default. The time-unit type is specified by means of the pull-down menu, at the right-hand side of the field:

setRotationTimeInterval

Note that the value you establish must be from 15 minutes to 7 days.

Log rotation can also be specified by means of a size trigger: this can be edited, in the interactive field to the right of the Log Rotation pane. The default value is 20, and the units are megabytes.

Filterable Events

Events can be filtered for the Data Service, the Query and Index Service, and the Eventing Service. Filtering means selective logging.

To view filterable events for the Data Service, first, ensure that logging is generally enabled, by checking the Audit events & write them to a log checkbox. Then, left-click on the right-pointing arrowhead adjacent to Data Service. The Data Service events panel opens, as follows:

eventFilteringUIdataServiceInitial

This shows that currently, no Data Service events are to be logged. To elect to log all such events, move the enable all toggle to the right:

eventFilteringToggle

The panel now appears as follows:

eventFilteringUIdataServiceEnabled

Every checkbox appears selected, indicating that each corresponding event will be logged. To de-select individual events, simply uncheck the appropriate checkboxes.

In some cases, it may not be desirable to log events incurred by particular users: for example, authentication performed by the Full Administrator. These users can be specified in the Ignore Filterable Events From These Users field. As the placeholder indicates, specification should take the form username`/external` or username`/couchbase`, according to the domain in which the user is registered. (See Authentication, for information on authentication domains.) Left-click on the Save button, to save the list of users.

Configuring with CLI

For information on configuring audit with the Couchbase command-line interface, see setting-audit.

Understanding Audit Events

Audit events are defined by Couchbase, and are automatically generated when auditing is enabled, in correspondence with defined actions. Corresponding data is written to target-files. For a complete list of events, see the section Audit Events.