Audit Targets

The target of a Couchbase Server audit is a JSON file, which is rotated after a configured time interval and whose location is configurable. This section provides examples of how audit records appear.

Audit Log Targets

Auditable events are captured in JSON files. A default file named audit.log is always available, and logged events are written to it. After an administrator-specified period, which must be a minimum of 15 minutes and a maximum of 7 days, the default file is saved under a modified name that features a timestamp corresponding to the time of saving. A new, empty audit.log file is then created, and logged events continue to be written to this new file. (Note that rollover may happen earlier if the file reaches its maximum size of 20MB.) For instructions on configuring the file's rotation time, see Auditing.

Login

An audit-record for a successful login might appear as follows:

{
    "timestamp": "2015-02-20T08:48:49.408-08:00",
    "id": 8192,
    "name": "login success",
    "description": "Successful login to couchbase cluster",
    "role": "admin",
    "real_userid": {
        "source": "ns_server",
        "user": "bjones"
    },
    "sessionid": "0fd0b5305d1561ca2b10f9d795819b2e",
    "remote": {"ip": "172.23.107.165", "port": 59383}
}

In this example, a user named bjones has successfully logged into a Couchbase cluster using the domain IP address 172.23.107.165.

Login Failure

The following audit-record indicates that a login attempt failed:

{
    "real_userid": {
        "source": "rejected",
        "user": "auditBucketUser"
    },
    "remote": {
        "ip": "127.0.0.1",
        "port": 64416
    },
    "timestamp": "2017-03-16T15:45:27.420Z",
    "id": 8193,
    "name": "login failure",
    "description": "Unsuccessful attempt to login to couchbase cluster"
}

This record indicates that a user named auditBucketUser made an unsuccessful attempt to log in to the Couchbase cluster on 2017-03-16 at 15:45:27.

Bucket Creation

The audit-record below corresponds to the creation of a bucket.

{
    "props": {
        "storage_mode": "couchstore",
        "conflict_resolution_type": "seqno",
        "eviction_policy": "value_only",
        "num_threads": 3,
        "flush_enabled": false,
        "purge_interval": "undefined",
        "auth_type": "sasl",
        "ram_quota": 1156579328,
        "replica_index": false,
        "num_replicas": 1
    },
    "type": "membase",
    "bucket_name": "auditBucket",
    "real_userid": {
        "source": "ns_server",
        "user": "Administrator"
    },
    "sessionid": "dca284b5efe1937a1a4085ef88c2fbcb",
    "remote": {
        "ip": "127.0.0.1",
        "port": 64477
    },
    "timestamp": "2017-03-16T15:43:35.187Z",
    "id": 8201,
    "name": "create bucket",
    "description": "Bucket was created"
}

This record indicates that a Bucket was created on 2017-03-16 at 15:43:35; that the bucket was named auditBucket; that it was created with sasl authentication-access required, and that its eviction-policy was defined as value_only. The bucket was created by the system's full Administrator.

User Creation

The audit-record below corresponds to the creation of a user.

{
    "roles": [
        "ro_admin"
    ],
    "identity": {
        "source": "builtin",
        "user": "auditBucketUser2"
    },
    "real_userid": {
        "source": "ns_server",
        "user": "Administrator"
    },
    "sessionid": "dca284b5efe1937a1a4085ef88c2fbcb",
    "remote": {
        "ip": "127.0.0.1",
        "port": 64416
    },
    "timestamp": "2017-03-16T15:44:32.254Z",
    "id": 8232,
    "name": "set user",
    "description": "User was added or updated"
}

This record indicates that a user named auditBucketUser2 was created by the full Administrator on 2017-03-16 at 15:44:32, and that the user was given the role of ro_admin.

Index Creation

The following audit-record indicates that an index was created or updated:

{
    "timestamp": "2017-03-16T16:12:36.198Z",
    "real_userid": {
        "source": "ns_server",
        "user": "Administrator"
    },
    "index_name": "def-airportname",
    "id": 24577,
    "name": "Create/Update index",
    "description": "FTS index was created/Updated"
}

This record indicates that an FTS index named def-airportname was created or updated on 2017-03-16 at 16:12:36.
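
The following Python example is added here and is not part of the Couchbase documentation or Couchbase's own code. It reads records shaped like those above, flags a user and remote address with repeated login failures inside a time window, lists role grants from "set user" records, and counts unusable lines. It assumes one JSON record per line; the sample lines, the threshold, the window and the function names are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_FAILURE, SET_USER = 8193, 8232  # event ids from the records on this page
# Constructed sample input. Assumption: audit.log holds one JSON record per line.
FAIL = ('{"id":8193,"name":"login failure","timestamp":"%s","real_userid":'
        '{"source":"rejected","user":"%s"},"remote":{"ip":"%s","port":64416}}')
SAMPLE_LOG = "\n".join([
    FAIL % ("2017-03-16T15:45:27.420Z", "auditBucketUser", "127.0.0.1"),
    FAIL % ("2017-03-16T15:45:40.000Z", "auditBucketUser", "127.0.0.1"),
    FAIL % ("2017-03-16T07:46:02.000-08:00", "auditBucketUser", "127.0.0.1"),
    FAIL % ("2017-03-16T15:50:00.000Z", "bjones", "172.23.107.165"),
    '{"id":8232,"name":"set user","timestamp":"2017-03-16T15:44:32.254Z",'
    '"roles":["ro_admin"],"identity":{"source":"builtin","user":"auditBucketUser2"},'
    '"real_userid":{"source":"ns_server","user":"Administrator"}}',
    '{"id":8201,"name":"create bucket","bucket_na',  # constructed truncated line
])

def parse_ts(value):
    # Records on this page use both "Z" and numeric offsets such as "-08:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_records(text):
    """Return (records, skipped); skipped counts lines that are not usable records."""
    records, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            rec = json.loads(line)
            rec["when"] = parse_ts(rec["timestamp"])
            records.append(rec)
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # e.g. a record cut short mid-write
    return records, skipped

def review(text, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs with `threshold` failures inside `window`; list role grants."""
    records, skipped = parse_records(text)
    failures, role_changes = defaultdict(list), []
    for rec in sorted(records, key=lambda r: r["when"]):
        actor = rec.get("real_userid", {}).get("user")
        if rec.get("id") == LOGIN_FAILURE:
            failures[(actor, rec.get("remote", {}).get("ip"))].append(rec["when"])
        elif rec.get("id") == SET_USER:
            role_changes.append((actor, rec.get("identity", {}).get("user"), rec.get("roles", [])))
    bursts = [key for key, ts in failures.items()
              if any(ts[i + threshold - 1] - ts[i] <= window
                     for i in range(len(ts) - threshold + 1))]
    return {"bursts": bursts, "role_changes": role_changes, "skipped": skipped}
```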