How to configure a separate log sink for security information

Context

It may be desirable to log security information to a separate file so that systems or security teams can audit it independently of the main server log. This is straightforward to configure in Aerospike.

Method

Step 1:

Add the security audit log lines to the security stanza of aerospike.conf:

security {
    enable-security true
    log {
        report-authentication true
        report-user-admin true
        report-sys-admin true
        report-violation true
    }
}

This turns on security reporting. The Notes section below describes which parameter controls which type of event.

Step 2:

Add an extra log sink to the logging stanza as follows:

logging {
    file /var/log/aerospike.log {
        context any info
    }

    file /var/log/aero_security.log {
        context any critical
        context security info
    }
}

The default for any log sink is context any info, so if this is not raised to critical for the new sink, every general info message will also be written to the security log and drown out the audit entries. The file name used for the new log here is aero_security.log, but any file name can be used; a descriptive name is recommended.

Step 3:

Restart the Aerospike server so that it re-reads the configuration file.

root@40286da04365:/var/log# service aerospike restart
 * Restarting aerospike aerospike
 * Stopping aerospike aerospike                                    [ OK ]
 * Starting aerospike aerospike                                    [ OK ]
root@40286da04365:/var/log#

Step 4:

Attempt to access the cluster and observe the extra reporting:

root@40286da04365:/var/log# aql
Seed:         127.0.0.1
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf
2020-03-23 18:01:28 WARN Failed to connect to seed 127.0.0.1 3000. AEROSPIKE_NOT_AUTHENTICATED not authenticated, 127.0.0.1:3000
Error 80: Failed to connect
root@40286da04365:/var/log# aql
Seed:         127.0.0.1
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf
2020-03-23 18:01:29 WARN Failed to connect to seed 127.0.0.1 3000. AEROSPIKE_NOT_AUTHENTICATED not authenticated, 127.0.0.1:3000
Error 80: Failed to connect
root@40286da04365:/var/log# aql
Seed:         127.0.0.1
User:         None
Config File:  /etc/aerospike/astools.conf /root/.aerospike/astools.conf
2020-03-23 18:01:30 WARN Failed to connect

root@40286da04365:/var/log# tail -f aero_security.log
Mar 23 2020 18:05:48 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44726 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:49 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44728 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:50 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44730 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:51 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44732 | authenticated user: <none> | action: info request | detail: <none>
^C
root@40286da04365:/var/log#
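As an added example (not part of the Aerospike article), the following Python script parses lines in the format shown in the tail output above and counts "not authenticated" events per client host, returning the hosts that exceed a threshold. The sample log lines and the threshold value are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Matches the security sink line layout shown in the article, e.g.
# "Mar 23 2020 18:05:48 GMT: INFO (security): (security.c:5973) not authenticated | client: ... | ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) GMT: "
    r"(?P<level>\w+) \(security\): \((?P<src>[^)]+)\) "
    r"(?P<event>[^|]+?)(?: \| (?P<fields>.*))?$"
)

# Constructed sample lines in the same shape as the article's tail output.
SAMPLE_LOG = """\
Mar 23 2020 18:05:48 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44726 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:49 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44728 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:50 GMT: INFO (security): (security.c:5973) not authenticated | client: 10.0.0.7:50211 | authenticated user: <none> | action: info request | detail: <none>
Mar 23 2020 18:05:51 GMT: INFO (security): (security.c:5973) not authenticated | client: 127.0.0.1:44732 | authenticated user: <none> | action: info request | detail: <none>
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a security log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc),
        "level": m["level"],
        "source": m["src"],
        "event": m["event"].strip(),
    }
    # The "key: value | key: value" tail becomes individual keys (client, action, ...).
    for part in (m["fields"] or "").split(" | "):
        key, _, val = part.partition(": ")
        if key:
            rec[key.strip()] = val.strip()
    return rec


def client_host(rec):
    """Strip the ephemeral port from 'client: host:port' to aggregate per host."""
    return rec.get("client", "").rsplit(":", 1)[0]


def failed_auth_by_host(text):
    """Count 'not authenticated' events per client host across the given log text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "not authenticated":
            counts[client_host(rec)] += 1
    return counts


def hosts_over_threshold(text, threshold=3):
    """Hosts with at least `threshold` unauthenticated attempts (threshold is an example value)."""
    return sorted(h for h, n in failed_auth_by_host(text).items() if n >= threshold)
```

Feeding the real /var/log/aero_security.log to failed_auth_by_host gives a quick per-host view of unauthenticated access attempts that the single-file setup would bury among ordinary info messages.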

Notes

  • The following parameters in the log sub-stanza of the security stanza control security audit reporting:
      - report-authentication: reports authentication events
      - report-user-admin: reports user administration operations
      - report-sys-admin: reports system administration operations
      - report-violation: reports permission violations
  • This configuration can also be applied dynamically with the log-set info command; however, the target sink must already exist in aerospike.conf, otherwise the server returns the following message:

root@40286da04365:/var/log# asinfo -v 'log-set:id=4;security=info'
error-bad-id

Keywords

CONFIGURE SINK SECURITY VIOLATION ACCESS REPORTING

Timestamp

March 2020

© 2015 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.