Auditing

Couchbase Server provides event-auditing, sending corresponding output to target files.

Introduction to Auditing

The Couchbase Server auditing facility recognizes specific events, which can be logged. Output is written to an audit log-file, which is periodically rotated.

Couchbase events allow administrators to track the following:

  • Administrative and configuration changes to the cluster. These are logged as Admin events. An Admin event does not expose any data.

  • Attempts to access and change data. These are logged as Data events.

This page lists all auditable events, and describes how they can be enabled and disabled. It also gives examples of the record-structures used.

Note that event-auditing occurs on a per node basis: each node captures its own events only. If a cluster-wide record is needed, the individual per node records must be manually consolidated by the administrator.

For information on managing auditing, see Manage Auditing.

Filterable and Non-Filterable Events

Eventing for each cluster-node is disabled by default; and can be explicitly enabled. When enablement has occurred, a subset of Couchbase Server-events is audited, with records concatenated to the end of the audit.log file. Events relate to the following Couchbase-Server modules: the REST API, the Data Service, the Query and Index Services, the Eventing Service, the Analytics Service, Views, and the Audit facility.

The events in the default subset are non-filterable. This means that while auditing is enabled for the node, the events are always recorded, and cannot be selectively disabled.

An additional event-subset, of filterable events, is provided. These events relate to the same modules as the non-filterable events. Each filterable event has an id by which it can be referenced, and can be individually disabled and enabled. Optionally, all filterable events can be ignored, for specified users.

Audit Fields

The table below contains some frequently used audit fields with corresponding descriptions. Note that different event-types generate different field-subsets.

Field Type Description

type

string

The audit-type. For example, Login, Startup, Shutdown, Password, AuditStart, AuditStop, AuditTruncate.

timestamp

document

Contains the date and UTC time of the event in ISO 8601 format. For example, http://www.w3.org/TR/NOTE-datetime.

id

integer

A unique identifier for the event-type.

local

document

{ip: <String>,
port: <int>},

A JSON document that contains the local IP-address and the port-number of the running instance.

remote

document

{ip: <String>,
port: <int>},

A JSON document that contains the remote IP-address, the port-number, and additional information on the service used on the incoming connection associated with the event.

Possible services include cbmcd, cbhttp, cbmgmt, cbxdcr, cbn1ql, and cbsyncgw.

user

string

A string that identifies the user.

params

document

Information dependent on the event-type. For example, for a bucket-operation, the bucket name is captured.

result

integer or string

An error-code or other message, related to the attempted operation.

The audit.log File

When auditing is enabled, logged events are written to a file named audit.log. After an administrator-specified period — which must be a minimum of 15 minutes and a maximum of 7 days — this file is closed, and is saved under a modified name that features a timestamp corresponding to the time of saving. A new, empty audit.log file is created and saved when a new audit event is generated. Note that this rotation may happen earlier if the file reaches its maximum size of 20MB. For instructions on configuring the file’s rotation time, see Manage Auditing.

Login

An audit-record for a successful login might appear as follows:

{
  "timestamp":"2015-02-20T08:48:49.408-08:00",
  "id":8192,
  "name":"login success",
  "description":"Successful login to couchbase cluster",
  "role":"admin",
  "real_userid": {
    "source":"ns_server",
    "user":"bjones"
  },
 "sessionid":"0fd0b5305d1561ca2b10f9d795819b2e",
 "remote":{
  "ip":"172.23.107.165", "port":59383
  }
}

In this example, a user named bjones has successfully logged into a Couchbase cluster using the domain IP address 172.23.107.165.

Login Failure

The following audit-record indicates that a login attempt failed:

{
  "real_userid": {
    "source": "rejected",
    "user": "auditBucketUser"
  },
  "remote": {
    "ip": "127.0.0.1",
    "port": 64416
  },
  "timestamp": "2017-03-16T15:45:27.420Z",
    "id": 8193,
    "name": "login failure",
    "description": "Unsuccessful attempt to login to couchbase cluster"
}

This record indicates that a user named auditBucketUser incurred an Unsuccessful attempt to login to couchbase cluster on 2017-03-16 at 15:45:27.

Bucket Creation

The audit-record below corresponds to the creation of a bucket.

{
  "props":{
    "compression_mode":"off",
    "max_ttl":12000,
    "storage_mode":"couchstore",
    "conflict_resolution_type":"seqno",
    "eviction_policy":"value_only",
    "num_threads":3,
    "flush_enabled":false,
    "purge_interval":"undefined",
    "ram_quota":163577856,
    "replica_index":false,
    "num_replicas":1
  },
  "type":"membase",
  "bucket_name":"ProductionBucket",
  "real_userid":{
    "source":"ns_server",
    "user":"Administrator"
  },
  "sessionid":"5dd53fe63703c7fdc45ff75596e39a35",
  "remote":{
    "ip":"127.0.0.1",
    "port":61908
  },
  "timestamp":"2018-02-07T15:22:54.960Z",
  "id":8201,
  "name":"create bucket",
  "description":"Bucket was created"
}

This record indicates that a Bucket was created on 2018-02-07 at 15:22:54; that the bucket was named ProductionBucket; and that its eviction-policy was defined as value_only. The bucket was created by the system’s Full Administrator.

Bucket TTL Modification

The audit-record below corresponds to the modification of Bucket TTL, for the bucket created immediately above.

{
  "props":{
    "max_ttl":15000,
    "storage_mode":"couchstore",
    "eviction_policy":"value_only",
    "num_threads":3,
    "flush_enabled":false,
    "purge_interval":"undefined",
    "ram_quota":163577856,
    "num_replicas":1
  },
  "type":"membase",
  "bucket_name":"ProductionBucket",
  "real_userid":{
    "source":"ns_server",
    "user":"Administrator"
  },
  "sessionid":"12774a2e146c650eeed8c6d9486857ad",
  "remote":{
      "ip":"127.0.0.1","port":61966
  },
  "timestamp":"2018-02-07T15:23:51.350Z",
  "id":8202,
  "name":"modify bucket",
  "description":"Bucket was modified"
}

User Creation

The audit-record below corresponds to the creation of a user.

{
  "roles": [
    "ro_admin"
  ],
  "identity": {
    "source": "builtin",
    "user": "auditBucketUser2"
  },
  "real_userid": {
    "source": "ns_server",
    "user": "Administrator"
  },
  "sessionid": "dca284b5efe1937a1a4085ef88c2fbcb",
  "remote": {
    "ip": "127.0.0.1",
    "port": 64416
  },
  "timestamp": "2017-03-16T15:44:32.254Z",
  "id": 8232,
  "name": "set user",
  "description": "User was added or updated"
}

This record indicates that a user named auditBucketUser2 was created by the Full Administator on 2017-03-16 at 15:44:32; and that the user was given the role of ro_admin.

Index Creation

The following audit-record indicates that an index was created or updated:

{
  "timestamp": "2017-03-16T16:12:36.198Z",
  "real_userid": {
    "source": "ns_server",
    "user": "Administrator"
  },
  "index_name": "def-airportname",
  "id": 24577,
  "name": "Create/Update index",
  "description": "FTS index was created/Updated"
}

This record indicates that an FTS index named def-airportname was created or updated on 201703-16 at 16:12:36.

Event Tables

The events listed in the following tables support the auditing of administrative and data changes, made on the cluster. Each table corresponds to a module.

In each table, the first column (at the left) features the event-group heading (thereby repeating the table’s title, so as to ensure readability throughout the longer tables). The second column provides the event name. The third column provides a filter id for the event, if the event is filterable: if the event is non-filterable, a filter id is indicated to be non-applicable. The fourth column provides a description of the event; and the fifth indicates whether the event is classified as Data or Admin.

The tables — which are for the REST API, the Data Service, the Query Service, the Eventing Service, he Analytics Service, Views, and Audit — are as follows.

REST API Events

Event Group

Event Name

Filter ID

Description

Event Type

REST API

mutate document

8243

Document was mutated via the REST API

Data

REST API

read document

8255

Document was read via the REST API

Data

REST API

alert email sent

8257

An alert email was successfully sent

Admin

REST API

login success

NA

Successful login to cluster

Admin

REST API

login failure

NA

Unsuccessful attempt to login to cluster

Admin

REST API

delete user

NA

User was deleted

Admin

REST API

user credentials change

NA

User credentials were changed

Admin

REST API

add node

NA

Node was added to the cluster

Admin

REST API

remove node

NA

Node was removed from the cluster

Admin

REST API

enter node recovery

NA

Entered node recovery

Admin

REST API

rebalance initiated

NA

Rebalance was initiated

Admin

REST API

create bucket

NA

Bucket was created

Admin

REST API

modify bucket

NA

Bucket was modified

Admin

REST API

delete bucket

NA

Bucket was deleted

Admin

REST API

flush bucket

NA

Bucket was flushed

Admin

REST API

start loading sample

NA

Started loading sample

Admin

REST API

disk storage conf

NA

Disk storage configuration was set

Admin

REST API

rename node

NA

The node was renamed

Admin

REST API

setup node services

NA

The services were set for the node

Admin

REST API

change cluster settings

NA

Cluster settings were changed

Admin

REST API

add group

NA

Server group was added

Admin

REST API

delete group

NA

Server group was deleted

Admin

REST API

update group

NA

Server group was updated

Admin

REST API

xdcr create cluster ref

NA

Remote cluster reference was created

Admin

REST API

xdcr update cluster ref

NA

Remote cluster reference was updated

Admin

REST API

xdcr delete cluster ref

NA

Remote cluster reference was deleted

Admin

REST API

xdcr create replication

NA

XDCR replication was created

Admin

REST API

xdcr update replication

NA

XDCR replication was updated

Admin

REST API

xdcr cancel replication

NA

XDCR replication was canceled

Admin

REST API

xdcr update global settings

NA

Global XDCR settings were updated

Admin

REST API

enable auto failover

NA

Auto Failover was enabled

Admin

REST API

disable auto failover

NA

Auto Failover was disabled

Admin

REST API

reset auto failover count

NA

Count for Auto Failover was reset

Admin

REST API

enable cluster alerts

NA

Cluster alerts were enabled

Admin

REST API

disable cluster alerts

NA

Cluster alerts were disabled

Admin

REST API

modify compaction settings

NA

Compaction settings were modified

Admin

REST API

regenerate certificate

NA

Self-signed SSL certificate was regenerated

Admin

REST API

setup saslauthd

NA

Saslauthd settings were modified

Admin

REST API

internal settings

NA

Internal Settings

Admin

REST API

upload cluster ca

NA

Upload cluster CA

Admin

REST API

reload node certificate

NA

Reload node certificate chain and pkey from inbox

Admin

REST API

modify index storage mode

NA

Modify Index Storage Mode

Admin

REST API

set user

NA

User was added or updated

Admin

REST API

master password change

NA

Master password change was requested

Admin

REST API

encryption key rotation

NA

Encryption key rotation was requested

Admin

REST API

password policy

NA

Password policy was changed

Admin

REST API

client cert auth

NA

Client certificate authentication settings changed

Admin

REST API

security settings

NA

Security Settings

Admin

REST API

start log collection

NA

Log collection run was started

Admin

REST API

modify log redaction settings

NA

Log redaction settings were modified

Admin

REST API

configured audit daemon

NA

loaded configuration file for audit daemon

Admin

REST API

modify index settings

NA

Index service settings were modified

Admin

REST API

modify query settings

NA

Query service settings were modified

Admin

REST API

set user group

NA

User group was added or updated

Admin

REST API

delete user group

NA

User group was deleted

Admin

REST API

modify ldap settings

NA

Ldap settings were modified

Admin

REST API

developer preview settings

NA

Developer preview settings

Admin

REST API

license settings

NA

License Settings

Admin

REST API

set user profile

NA

UI profile was added or updated

Admin

REST API

delete user profile

NA

UI profile was deleted

Admin

REST API

modify retry rebalance

NA

Retry rebalance settings were modified

Admin

REST API

enable auto reprovision

NA

Auto reprovision was enabled

Admin

REST API

disable auto reprovision

NA

Auto reprovision was disabled

Admin

REST API

failover settings

NA

Failover settings

Admin

REST API

logout success

NA

Successful logout of couchbase cluster

Admin

Data Service Events

Event Group

Event Name

Filter ID

Description

Event Type

Data Service

opened DCP connection

20480

opened DCP connection

Admin

Data Service

external memcached bucket flush

20482

External user flushed the content of a memcached bucket

Admin

Data Service

invalid packet

20483

Rejected an invalid packet

Admin

Data Service

authentication succeeded

20485

Authentication to the cluster succeeded

Admin

Data Service

document read

20488

Document was read

Data

Data Service

document locked

20489

Document was locked

Data

Data Service

document modify

20490

Document was modified

Data

Data Service

document delete

20491

Document was deleted

Data

Data Service

select bucket

20492

The specified bucket was selected

Admin

Data Service

authentication failed

NA

Authentication to the cluster failed

Admin

Data Service

command access failure

NA

Access to command is not allowed

Admin

Data Service

privilege debug configured

NA

The state of the privilege debug mode changed

Admin

Data Service

privilege debug

NA

Access to a resource was granted due to privilege debug

Admin

Query Service Events

Event Group

Event Name

Filter ID

Description

Event Type

Query Service

SELECT statement

28672

A N1QL SELECT statement was executed

Data

Query Service

EXPLAIN statement

28673

A N1QL EXPLAIN statement was executed

Data

Query Service

PREPARE statement

28674

A N1QL PREPARE statement was executed

Data

Query Service

INFER statement

28675

A N1QL INFER statement was executed

Data

Query Service

INSERT statement

28676

A N1QL INSERT statement was executed

Data

Query Service

UPSERT statement

28677

A N1QL UPSERT statement was executed

Data

Query Service

DELETE statement

28678

A N1QL DELETE statement was executed

Data

Query Service

UPDATE statement

28679

A N1QL UPDATE statement was executed

Data

Query Service

MERGE statement

28680

A N1QL MERGE statement was executed

Data

Query Service

CREATE INDEX statement

28681

A N1QL CREATE INDEX statement was executed

Data

Query Service

DROP INDEX statement

28682

A N1QL DROP INDEX statement was executed

Data

Query Service

ALTER INDEX statement

28683

A N1QL ALTER INDEX statement was executed

Data

Query Service

BUILD INDEX statement

28684

A N1QL BUILD INDEX statement was executed

Data

Query Service

GRANT ROLE statement

28685

A N1QL GRANT ROLE statement was executed

Admin

Query Service

REVOKE ROLE statement

28686

A N1QL REVOKE ROLE statement was executed

Admin

Query Service

UNRECOGNIZED statement

28687

An unrecognized statement was received by the N1QL query engine

Admin

Query Service

CREATE PRIMARY INDEX statement

28688

A N1QL CREATE PRIMARY INDEX statement was executed

Data

Query Service

/admin/stats API request

28689

An HTTP request was made to the API at /admin/stats

Admin

Query Service

/admin/vitals API request

28690

An HTTP request was made to the API at /admin/vitals

Admin

Query Service

/admin/prepareds API request

28691

An HTTP request was made to the API at /admin/prepareds

Admin

Query Service

/admin/active_requests API request

28692

An HTTP request was made to the API at /admin/active_requests

Admin

Query Service

/admin/indexes/prepareds API request

28693

An HTTP request was made to the API at /admin/indexes/prepareds

Admin

Query Service

/admin/indexes/active_requests API request

28694

An HTTP request was made to the API at /admin/indexes/active_requests

Admin

Query Service

/admin/indexes/completed_requests API request

28695

An HTTP request was made to the API at /admin/indexes/completed_requests

Admin

Query Service

/admin/ping API request

28697

An HTTP request was made to the API at /admin/ping

Admin

Query Service

/admin/config API request

28698

An HTTP request was made to the API at /admin/config

Admin

Query Service

/admin/ssl_cert API request

28699

An HTTP request was made to the API at /admin/ssl_cert

Admin

Query Service

/admin/settings API request

28700

An HTTP request was made to the API at /admin/settings

Admin

Query Service

/admin/clusters API request

28701

An HTTP request was made to the API at /admin/clusters

Admin

Query Service

/admin/completed_requests API request

28702

An HTTP request was made to the API at /admin/completed_requests

Admin

Query Service

/admin/functions API request

28704

An HTTP request was made to the API at /admin/functions

Admin

Query Service

/admin/indexes/functions API request

28705

An HTTP request was made to the API at /admin/indexes/functions

Admin

Query Service

N1QL configuration

NA

States that N1QL is using audit configuration with specified uuid

Admin

Eventing Service Events

Event Group

Event Name

Filter ID

Description

Event Type

Eventing Service

Create Function

32768

Eventing function definition was created or updated

Admin

Eventing Service

Delete Function

32769

Eventing function definition was deleted

Admin

Eventing Service

Fetch Functions

32770

Eventing function definition was read

Admin

Eventing Service

List Deployed

32771

Eventing deployed functions list was read

Admin

Eventing Service

Fetch Drafts

32772

Eventing function draft definitions were read

Admin

Eventing Service

Delete Drafts

32773

Eventing function draft definitions were deleted

Admin

Eventing Service

Save Draft

32774

Save a draft definition to the store

Admin

Eventing Service

Start Debug

32775

Start eventing function debugger

Admin

Eventing Service

Stop Debug

32776

Stop eventing function debugger

Admin

Eventing Service

Start Tracing

32777

Start tracing eventing function execution

Admin

Eventing Service

Stop Tracing

32778

Stop tracing eventing function execution

Admin

Eventing Service

Set Settings

32779

Save settings for a given app

Admin

Eventing Service

Fetch Config

32780

Get config for eventing

Admin

Eventing Service

Save Config

32781

Save config for eventing

Admin

Eventing Service

Cleanup Eventing

32782

Clears up app definitions and settings from metakv

Admin

Eventing Service

Get Settings

32783

Get settings for a given app

Admin

Eventing Service

Import Functions

32784

Import a list of functions

Admin

Eventing Service

Export Functions

32785

Export the list of functions

Admin

Eventing Service

List Running

32786

Eventing running function list was read

Admin

Analytics Service Events

Event Group

Event Name

Filter ID

Description

Event Type

Analytics Service

Service configuration change

36865

A successful service configuration change was made

Admin

Analytics Service

Node configuration change

36866

A successful node configuration change was made

Admin

Views Events

Event Group

Event Name

Filter ID

Description

Event Type

Views

Create Design Doc

40960

Design Doc is Created

Data

Views

Delete Design Doc

40961

Design Doc is Deleted

Data

Views

Query DDoc Meta Data

40962

Design Doc Meta Data Query Request

Data

Views

View Query

40963

View Query Request

Data

Views

Update Design Doc

40964

Design Doc is Updated

Data

Views

Audit Configuration Change

NA

Change in Audit Configuration

Admin

Audit Events

Event Group

Event Name

Filter ID

Description

Event Type

Audit

configured audit daemon

NA

Loaded configuration file for audit daemon

Admin

Audit

shutting down audit daemon

NA

The audit daemon is being shut down

Admin