Context
It may be desirable to log security information within a separate file for auditing purposes by systems or security teams. This is a simple task that can be achieved easily with Aerospike.
Method
Step 1:
Add the security audit lines into the security stanza.
security {
    enable-security true
    log {
        report-authentication true
        report-user-admin true
        report-sys-admin true
        report-violation true
    }
}
This turns on security reporting. The notes section has details on which parameter controls what action.
Step 2:
Add an extra log into the logging stanza as follows:
logging {
    file /var/log/aerospike.log {
        context any info
    }
    file /var/log/aero_security.log {
        context any critical
        context security info
    }
}
The default for any log sink is context any info, so if this is not switched to critical, excessive information will be reported into the new log. The file name used for the new log here is aero_security.log, but any file name can be used; a descriptive file name is recommended.
Step 3:
Restart the Aerospike server to force a config file re-read.
root@40286da04365:/var/log# service aerospike restart
 * Restarting aerospike aerospike
 * Stopping aerospike aerospike                        [ OK ]
 * Starting aerospike aerospike                        [ OK ]
root@40286da04365:/var/log#
Step 4:
Attempt to access the cluster and observe the extra reporting:
root@40286da04365:/var/log# aql
Seed:         127.0.0.1
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf
2020-03-23 18:01:28 WARN Failed to connect to seed 127.0.0.1 3000. AEROSPIKE_NOT_AUTHENTICATED not authenticated, 127.0.0.1:3000
Error 80: Failed to connect
root@40286da04365:/var/log# aql
Seed:         127.0.0.1
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf
2020-03-23 18:01:29 WARN Failed to connect to seed 127.0.0.1 3000. AEROSPIKE_NOT_AUTHENTICATED not authenticated, 127.0.0.1:3000
Error 80: Failed to connect
root@40286da04365:/var/log# aql
Seed:         127.0.0.1
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf
2020-03-23 18:01:30 WARN Failed to connect
...
root@40286da04365:/var/log# tail -f aero_security.log
Mar 23 2020 18:05:48 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44726 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:49 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44728 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:50 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44730 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:51 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44732 | authenticated user: <none> | action: info request | detail: <none>
^C
root@40286da04365:/var/log#
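As an added example (not part of the original article), the following Python parses lines in the aero_security.log format shown above and counts "not authenticated" events per client host, which is a simple way to surface repeated unauthenticated attempts from the dedicated audit sink. The sample lines are constructed; the regular expression and the threshold are assumptions, not an Aerospike-provided parser.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the aero_security.log output above.
SAMPLE_LOG = """\
Mar 23 2020 18:05:48 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44726 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:49 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44728 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:50 GMT: INFO (security): (security.c:5973) not authenticated | client: 10.0.0.7:50110 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:51 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44732 | authenticated user: <none> | action: info request | detail: <none>
"""

# Matches "<timestamp>: <LEVEL> (<context>): (<file:line>) <message> | key: value | ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2} \w+): "
    r"(?P<level>\w+) \((?P<context>[^)]+)\): \([^)]+\) "
    r"(?P<message>[^|]+?)(?: \| (?P<fields>.*))?$"
)

def parse_line(line):
    """Return a dict for one security log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "level", "context", "message")}
    # The pipe-separated tail is "key: value" pairs; keys may contain spaces.
    for pair in (m.group("fields") or "").split(" | "):
        if ": " in pair:
            key, value = pair.split(": ", 1)
            rec[key] = value
    return rec

def client_host(rec):
    """Strip the ephemeral port from the 'client' field (host:port)."""
    return rec["client"].rsplit(":", 1)[0] if "client" in rec else None

def violations_by_host(log_text, threshold=2):
    """Count 'not authenticated' security events per client host and return
    the hosts at or above the threshold (a hypothetical alerting cutoff)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["context"] == "security" and rec["message"] == "not authenticated":
            host = client_host(rec)
            if host:
                counts[host] += 1
    return {h: n for h, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(violations_by_host(SAMPLE_LOG))
```

Pointing the same logic at a real sink with `tail -f` (or a log shipper) gives the security team a per-host view of failed access without the noise of the main aerospike.log.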
Notes:
- The following parameters control security audit reporting:
  report-authentication true: reports successful authentication.
  report-user-admin true: reports user administration tasks that have succeeded.
  report-sys-admin true: reports successful systems administration tasks.
  report-violation true: reports failed logins to the system.
- This configuration can be done dynamically using the log-set command; however, the linked sink must exist in the aerospike.conf beforehand or the server will return the following message:
root@40286da04365:/var/log# asinfo -v 'log-set:id=4;security=info'
error-bad-id
- There is a parameter that can be used to report on data transactions for a set or namespace. It is report-data-op. Due to the volume of log information generated using this setting, it is recommended only for use with a separate sink.