Auditing
Couchbase Server provides event-auditing, sending corresponding output to target files.
Introduction to Auditing
The Couchbase Server auditing facility recognizes specific events, which can be selectively logged. The output is written to target files, each of which is periodically rotated.
This section lists the events that can be logged, and gives examples of the record-structures used within target files. For information on managing auditing, see Manage Auditing.
Audit Event-Types
Couchbase events allow administrators to track the following:
-
Administrative and configuration changes to the cluster. These are logged as admin events.
-
Attempts to access and change data. These are logged as data events.
The tables in the following sections list events according to the technology or service.
Note that events related to Data Service, Query and Index Service, Eventing Service, and Analytics are filterable. For information, see Manage Auditing.
Administrative Events
The events in the following tables support the auditing of administrative and configuration changes made to the cluster.
Analytics
Service configuration change (was successfully made) |
Node configuration change (was successfully made) |
Bucket
Bucket created |
Bucket deleted |
Bucket flushed |
Bucket-settings modified |
Compaction settings modified |
Bucket compression mode modified |
Bucket TTL modified |
Data Service
opened DCP connection |
external memcached bucket flush (was performed) |
invalid packet (was rejected) |
Eventing Service
Create Function (a function-definition was created/updated) |
Delete Function (a function-definition was deleted) |
Fetch Functions (function-definitions were read) |
List Deployed (the list of deployed functions was read) |
Fetch Drafts (draft definitions were read) |
Delete Drafts (draft definitions were deleted) |
Save Draft (save a draft definition) |
Start Debug |
Stop Debug |
Start Tracing |
Stop Tracing |
Set Settings (save application settings) |
Fetch Config (get eventing configuration) |
Save Config (save eventing configuration) |
Cleanup Eventing (clears up app definitions and settings from metakv) |
Get Settings (get application settings) |
Import Functions (import a list of functions) |
Export Functions (export a list of functions) |
List Running (the list of running functions was read) |
Query and Index Service
/admin/stats API request (was made) |
/admin/vitals API request (was made) |
/admin/prepareds API request (was made) |
/admin/active_requests API request (was made) |
/admin/index/completed_requests API request (was made) |
/admin/ping API request (was made) |
/admin/config API request (was made) |
/admin/ssl_cert API request (was made) |
/admin/settings API request (was made) |
/admin/clusters API request (was made) |
/admin/completed_requests API request (was made) |
Search Service
FTS index created or updated |
FTS index deleted |
FTS index control-command issued |
FTS configuation refreshed |
FTS configuration replanned |
Security
Login succeeded or failed |
Password changed or reset |
Self-signed SSL certificate regenerated |
LDAP authentication-settings modified |
Encryption key-rotation requested |
Data Events
The following events support the auditing of attempts to access and change data.
Data Service
authentication succeeded |
document delete (ie was deleted) |
document read (ie was read) |
document locked (ie was locked) |
document modify (ie was modified) |
Query and Index Service
Index node added or removed |
SELECT statement (was executed) |
EXPLAIN statement (was executed) |
PREPARE statement (was executed) |
INFER statement (was executed) |
INSERT statement (was executed) |
UPSERT statement (was executed) |
DELETE statement (was executed) |
UPDATE statement (was executed) |
MERGE statement (was executed) |
CREATE INDEX statement (was executed) |
DROP INDEX statement (was executed) |
ALTER INDEX statement (was executed) |
BUILD INDEX statement (was executed) |
GRANT ROLE statement (was executed) |
REVOKE ROLE statement (was executed) |
UNRECOGNIZED statement (was received) |
CREATE PRIMARY INDEX statement (was executed) |
Audit Fields
The table below contains some frequently used audit fields with corresponding descriptions. Note that different event-types generate different field-subsets.
| Field | Type | Description |
|---|---|---|
|
string |
The audit-type. For example, Login, Startup, Shutdown, Password, AuditStart, AuditStop, AuditTruncate. |
|
document |
Contains the date and UTC time of the event in ISO 8601 format. For example, http://www.w3.org/TR/NOTE-datetime. |
|
integer |
A unique identifier for the event-type. |
|
document |
A JSON document that contains the local IP-address and the port-number of the running instance. |
|
document |
A JSON document that contains the remote IP-address, the port-number, and additional information on the service used on the incoming connection associated with the event. Possible services include |
|
string |
A string that identifies the user. |
|
document |
Information dependent on the event-type. For example, for a bucket-operation, the bucket name is captured. |
|
integer or string |
An error-code or other message, related to the attempted operation. |
Audit Target-Files
When auditing is enabled, logged events are written to a default file, named audit.log.
After an administrator-specified period — which must be a minimum of 15 minutes and a maximum of 7 days — this file is closed, and is saved under a modified name that features a timestamp corresponding to the time of saving.
A new, empty audit.log file is created and saved when a new audit event is generated.
Note that this rotation may happen earlier if the file reaches its maximum size of 20MB.
For instructions on configuring the file’s rotation time, see Manage Auditing.
Login
An audit-record for a successful login might appear as follows:
{
"timestamp":"2015-02-20T08:48:49.408-08:00",
"id":8192,
"name":"login success",
"description":"Successful login to couchbase cluster",
"role":"admin",
"real_userid": {
"source":"ns_server",
"user":"bjones"
},
"sessionid":"0fd0b5305d1561ca2b10f9d795819b2e",
"remote":{
"ip":"172.23.107.165", "port":59383
}
}In this example, a user named bjones has successfully logged into a Couchbase cluster using the domain IP address 172.23.107.165.
Login Failure
The following audit-record indicates that a login attempt failed:
{
"real_userid": {
"source": "rejected",
"user": "auditBucketUser"
},
"remote": {
"ip": "127.0.0.1",
"port": 64416
},
"timestamp": "2017-03-16T15:45:27.420Z",
"id": 8193,
"name": "login failure",
"description": "Unsuccessful attempt to login to couchbase cluster"
}This record indicates that a user named auditBucketUser incurred an Unsuccessful attempt to login to couchbase cluster on 2017-03-16 at 15:45:27.
Bucket Creation
The audit-record below corresponds to the creation of a bucket.
{
"props":{
"compression_mode":"off",
"max_ttl":12000,
"storage_mode":"couchstore",
"conflict_resolution_type":"seqno",
"eviction_policy":"value_only",
"num_threads":3,
"flush_enabled":false,
"purge_interval":"undefined",
"ram_quota":163577856,
"replica_index":false,
"num_replicas":1
},
"type":"membase",
"bucket_name":"ProductionBucket",
"real_userid":{
"source":"ns_server",
"user":"Administrator"
},
"sessionid":"5dd53fe63703c7fdc45ff75596e39a35",
"remote":{
"ip":"127.0.0.1",
"port":61908
},
"timestamp":"2018-02-07T15:22:54.960Z",
"id":8201,
"name":"create bucket",
"description":"Bucket was created"
}This record indicates that a Bucket was created on 2018-02-07 at 15:22:54; that the bucket was named ProductionBucket; and that its eviction-policy was defined as value_only.
The bucket was created by the system’s Full Administrator.
Bucket TTL Modification
The audit-record below corresponds to the modification of Bucket TTL, for the bucket created immediately above.
{
"props":{
"max_ttl":15000,
"storage_mode":"couchstore",
"eviction_policy":"value_only",
"num_threads":3,
"flush_enabled":false,
"purge_interval":"undefined",
"ram_quota":163577856,
"num_replicas":1
},
"type":"membase",
"bucket_name":"ProductionBucket",
"real_userid":{
"source":"ns_server",
"user":"Administrator"
},
"sessionid":"12774a2e146c650eeed8c6d9486857ad",
"remote":{
"ip":"127.0.0.1","port":61966
},
"timestamp":"2018-02-07T15:23:51.350Z",
"id":8202,
"name":"modify bucket",
"description":"Bucket was modified"
}User Creation
The audit-record below corresponds to the creation of a user.
{
"roles": [
"ro_admin"
],
"identity": {
"source": "builtin",
"user": "auditBucketUser2"
},
"real_userid": {
"source": "ns_server",
"user": "Administrator"
},
"sessionid": "dca284b5efe1937a1a4085ef88c2fbcb",
"remote": {
"ip": "127.0.0.1",
"port": 64416
},
"timestamp": "2017-03-16T15:44:32.254Z",
"id": 8232,
"name": "set user",
"description": "User was added or updated"
}This record indicates that a user named auditBucketUser2 was created by the Full Administator on 2017-03-16 at 15:44:32; and that the user was given the role of ro_admin.
Index Creation
The following audit-record indicates that an index was created or updated:
{
"timestamp": "2017-03-16T16:12:36.198Z",
"real_userid": {
"source": "ns_server",
"user": "Administrator"
},
"index_name": "def-airportname",
"id": 24577,
"name": "Create/Update index",
"description": "FTS index was created/Updated"
}This record indicates that an FTS index named def-airportname was created or updated on 201703-16 at 16:12:36.