YugabyteDB audit log support #1331

Closed
@sanjimoh

Description

Support audit logging (CONNECT, DCL events for example) with YugabyteDB.

| Status | Feature | Comments |
| --- | --- | --- |
| | Design doc for audit logging | Audit Logging Official Doc |
| | YCQL audit logging #5887 | Configure (include or exclude) what to audit along three dimensions: (statement or event) categories, users, and keyspaces. |
| | YSQL audit logging #6199 | Enable pgAudit extension on each node for audit logging. |
| | Pre-package pgAudit by default | Each node of the YugabyteDB cluster would need the extension installed; simplify this by pre-packaging the extension with the code by default. |

Goals

The primary aim of this feature is to monitor and audit database activity in order to identify and report on fraudulent, illegal or other undesirable behavior.

Note that the audit log and database activity data will be stored outside the database (in log files), in order to ensure that the log is immutable.

Scope of what will be monitored

Below are the guidelines for what needs to be monitored:

  • Monitoring privileged users: database users that have elevated privileges to access sensitive information within the database.
  • Monitoring sensitive objects: Access to database objects (tables, views, etc.) including who accessed these objects, at what time, from what IP address, and the specific SQL statement that was used.
  • Misc: Monitor all accesses into the DB including grant/revoke of Access, SQL errors, and failed logins.

To achieve the above, the monitored activities include SQL events such as Select, Insert, Update, Delete, Drop, Create, and Alter. The following data should be logged:

  • Date/Timestamp
  • User ID (OS User and DB User Name)
  • Client and Server IP Address
  • Server Type
  • Source Program
  • Activity/Error (e.g., SQL Statement)

Monitoring across the different APIs

YSQL

It should be possible to achieve most of the above by using something like pgAudit.

YCQL

For YCQL, we should follow the format specified at: Audit Logging Cassandra. We could start with connection events (LOGIN, ALTER ROLE, CREATE ROLE, GRANT, REVOKE ROLE, DROP ROLE, GRANT PERMISSION, REVOKE PERMISSION).

Additional features/integrations

In order to consume these, we would need a number of integrations.

⬜️ Splunk forwarder for audit logs #4422
⬜️ Integration with third-party tools for policy violation reporting
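
An added example, not part of the original issue or of YugabyteDB's code: a small Python triage script that parses pgAudit-style entries from a PostgreSQL-format log, keeps the role/privilege, DDL and failed-login events, and checks that each record carries the timestamp, DB user, client IP and statement the description asks for. The sample lines are constructed, the `log_line_prefix` of `'%m [%p] %u@%d %h '` is an assumption, `CONNECT` is a local label rather than a pgAudit class, and all function names are hypothetical.

```python
import csv
import re

# Constructed sample lines (not real output). Assumed log_line_prefix: '%m [%p] %u@%d %h '
SAMPLE_LOG = '''\
2020-10-22 10:15:01.123 UTC [4121] app_rw@orders 10.0.4.17 LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.accounts,"SELECT id, balance FROM accounts",<not logged>
2020-10-22 10:15:09.481 UTC [4188] yugabyte@orders 10.0.4.99 LOG:  AUDIT: SESSION,1,1,ROLE,GRANT,,,"GRANT ALL ON accounts TO app_rw",<not logged>
2020-10-22 10:16:30.002 UTC [4188] yugabyte@orders 10.0.4.99 LOG:  AUDIT: SESSION,2,1,DDL,DROP TABLE,TABLE,public.audit_trail,"DROP TABLE audit_trail",<not logged>
2020-10-22 10:17:02.750 UTC [4203] admin@orders 10.0.4.23 FATAL:  password authentication failed for user "admin"
'''

PREFIX = re.compile(
    r'^(?P<timestamp>\S+ \S+ \S+) \[\d+\] (?P<db_user>[^@\s]+)@(?P<database>\S+) '
    r'(?P<client_ip>\S+) (?P<level>[A-Z]+):  (?P<msg>.*)$')

# Field order of a pgAudit log entry, per the pgAudit documentation.
PGAUDIT_FIELDS = ("audit_type", "statement_id", "substatement_id", "class",
                  "command", "object_type", "object_name", "statement", "parameter")

# pgAudit's ROLE class covers GRANT/REVOKE and CREATE/ALTER/DROP ROLE.
# CONNECT is a label assigned here to failed logins, not a pgAudit class.
PRIORITY = {"ROLE", "DDL", "CONNECT"}
REQUIRED = ("timestamp", "db_user", "client_ip", "statement")


def parse_line(line):
    """Return a dict for an audit entry or failed login, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    if msg.startswith("AUDIT: "):
        # The statement is CSV-quoted and may itself contain commas.
        rec.update(zip(PGAUDIT_FIELDS, next(csv.reader([msg[len("AUDIT: "):]]))))
    elif rec["level"] == "FATAL" and "authentication failed" in msg:
        rec.update({"class": "CONNECT", "command": "FAILED LOGIN", "statement": msg})
    else:
        return None
    return rec


def missing_fields(rec):
    """List the required audit fields that are absent or empty in a record."""
    return [f for f in REQUIRED if not rec.get(f)]


def priority_events(log_text):
    """Keep only role/privilege, DDL and failed-login records."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["class"] in PRIORITY]
```

The assumed prefix does not carry the OS user, server IP, server type or source program from the description's list, so `REQUIRED` would need extending once the log format includes them.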

kmuthukk commented on May 13, 2019

@kmuthukk
Collaborator

Hi @sanjimoh - we currently do not have audit logging support, but it is on the roadmap.

Are you interested primarily in tracking all DDL operations (such as CREATE, ALTER, DROP ...) or also write operations (such as tracking every modification also - UPDATE/INSERT)?

sanjimoh commented on May 13, 2019

@sanjimoh
Author

From a security point of view, CONNECT, DCL & DDL Queries would be my priorities.

added this to To Do in YCQL on May 13, 2019
added this to To do in YSQL on May 13, 2019

CH-JosephBironas commented on Aug 19, 2019

@CH-JosephBironas

+1 to this, but also for ycql (assuming it doesn't already exist).

ajcaldera1 commented on Apr 22, 2020

@ajcaldera1
Contributor

For YCQL, we should follow the format specified at: Audit Logging Cassandra. We could start with connection events (LOGIN, ALTER ROLE, CREATE ROLE, GRANT, REVOKE ROLE, DROP ROLE, GRANT PERMISSION, REVOKE PERMISSION).

schoudhury commented on Jun 5, 2020

@schoudhury
Contributor

Status update - design and planning for this feature to start in early July 2020.

added this to the v2.3 milestone on Jun 5, 2020
changed the title Audit logging support YugabyteDB activity monitoring and audit log support on Jul 8, 2020
added the roadmap-tracking-issue label (This issue tracks a major roadmap item, and usually appears in the roadmap list.) on Jul 24, 2020

changed the title YugabyteDB activity monitoring and audit log support [YCQL] YugabyteDB activity monitoring and audit log support on Sep 30, 2020
changed the title [YCQL] YugabyteDB activity monitoring and audit log support YugabyteDB activity monitoring and audit log support on Sep 30, 2020
self-assigned this on Oct 19, 2020
added a commit that references this issue on Oct 22, 2020

[#1331][YSQL] Audit logging support for YSQL

ramsrivatsa commented on Oct 22, 2020

@ramsrivatsa
Contributor

Both YSQL (commit link) and YCQL audit logging support is enabled.

added a commit that references this issue on Oct 28, 2020

[Backport to 2.3][#1331][YSQL] Audit logging support for YSQL

changed the title YugabyteDB activity monitoring and audit log support YugabyteDB audit log support on Oct 28, 2020