Audit Targets
The target of a Couchbase Server audit is a JSON file; which is rotated after a configured time interval, and whose location path is configurable. This section provides some examples of content-appearance.
Audit Log Targets
When auditing is enabled, logged events are written to a default file, named audit.log
.
After an administrator-specified period — which must be a minimum of 15 minutes and a maximum of 7 days — this file is closed, and is saved under a modified name that features a timestamp corresponding to the time of saving.
A new, empty audit.log
file is created and saved when a new audit event is generated.
Note that this rotation may happen earlier if the file reaches its maximum size of 20MB.
For instructions on configuring the file’s rotation time, see Auditing.
Login
An audit-record for a successful login might appear as follows:
{
"roles": [
"admin"
],
"real_userid": {
"domain": "builtin",
"user": "Administrator"
},
"sessionid": "e141f4d5bf83f5210640edbb68eeafc4",
"remote": {
"ip": "10.143.180.1",
"port": 51778
},
"timestamp": "2020-01-28T08:23:35.110-08:00",
"id": 8192,
"name": "login success",
"description": "Successful login to couchbase cluster"
}
In this example, a user named Administrator
has successfully logged into a Couchbase cluster using the domain IP address 10.143.180.1.
Login Failure
The following audit-record indicates that a login attempt failed:
{
"real_userid": {
"domain": "rejected",
"user": "testUser"
},
"remote": {
"ip": "10.143.180.1",
"port": 51950
},
"timestamp": "2020-01-28T08:35:28.974-08:00",
"id": 8193,
"name": "login failure",
"description": "Unsuccessful attempt to login to couchbase cluster"
}
This record indicates that a user named testUser
incurred an Unsuccessful attempt to login to couchbase cluster
on 2020-01-28
at 08:35:28
.
Bucket Creation
The audit-record below corresponds to the creation of a bucket.
{
"props":{
"compression_mode":"off",
"max_ttl":12000,
"storage_mode":"couchstore",
"conflict_resolution_type":"seqno",
"eviction_policy":"value_only",
"num_threads":3,
"flush_enabled":false,
"purge_interval":"undefined",
"ram_quota":163577856,
"replica_index":false,
"num_replicas":1
},
"type":"membase",
"bucket_name":"ProductionBucket",
"real_userid":{
"source":"ns_server",
"user":"Administrator"
},
"sessionid":"5dd53fe63703c7fdc45ff75596e39a35",
"remote":{
"ip":"127.0.0.1",
"port":61908
},
"timestamp":"2018-02-07T15:22:54.960Z",
"id":8201,
"name":"create bucket",
"description":"Bucket was created"
}
This record indicates that a Bucket was created
on 2018-02-07
at 15:22:54
; that the bucket was named ProductionBucket
; and that its eviction-policy was defined as value_only
.
The bucket was created by the system’s full Administrator
.
Bucket TTL Modification
The audit-record below corresponds to the modification of Bucket TTL, for the bucket created immediately above.
{
"props": {
"compression_mode": "passive",
"max_ttl": 1000000,
"storage_mode": "couchstore",
"eviction_policy": "value_only",
"num_threads": 3,
"flush_enabled": false,
"purge_interval": "undefined",
"ram_quota": 163577856,
"num_replicas": 1
},
"type": "membase",
"bucket_name": "testBucket",
"real_userid": {
"domain": "builtin",
"user": "Administrator"
},
"sessionid": "f3a2b2dca80bfdaba707b8d2267b0181",
"remote": {
"ip": "10.143.180.1",
"port": 52189
},
"timestamp": "2020-01-28T08:54:59.426-08:00",
"id": 8202,
"name": "modify bucket",
"description": "Bucket was modified"
}
User Creation
The audit-record below corresponds to the creation of a user.
{
"full_name": "Test Bucket User",
"roles": [
"bucket_admin[testBucket]"
],
"identity": {
"domain": "local",
"user": "testBucketUser"
},
"real_userid": {
"domain": "builtin",
"user": "Administrator"
},
"sessionid": "cd7877e3c22e057803c3ba5f9a88bbf3",
"remote": {
"ip": "10.143.180.1",
"port": 52248
},
"timestamp": "2020-01-28T08:59:38.787-08:00",
"id": 8232,
"name": "set user",
"description": "User was added or updated"
}
This record indicates that a user named testBucketUser
was created by the full Administrator
on 2020-01-28
at 08:59:38
; and that the user was given the role of bucket_admin
for the bucket testBucket
.
Index Creation
The following audit-record indicates that a Search Service index was created or updated:
{
"timestamp": "2020-01-28T09:10:50.682-08:00",
"real_userid": {
"domain": "builtin",
"user": "Administrator"
},
"index_name": "travelSampleIndex",
"id": 24577,
"name": "Create/Update index",
"description": "FTS index was created/Updated"
}
This record indicates that an FTS
index named travelSampleIndex
was created or updated on 2020-01-28
at 09:10:50
.