Linux-UNIX: Datastax Cassandra auditing configuration

Configure logging to a file appender for monitoring encrypted traffic on Datastax Cassandra. This supports the audits provided by the built-in audit logging, for example: queries, data manipulation language, data definition language, data control syntax, authentication. This configuration does not require an inspection engine or K-TAP.

Before you begin

See Datastax online reference for details about Datastax audit logging.

The user running the Cassandra database needs to be authorized to write to the cassandra pipe in the S-TAP® directory. Use guardctl authorize-user to add the user to the group.

Before copying the jars to the Cassandra directory, make sure that the Cassandra user has appropriate permissions to read the jar files.

About this task

Datastax Cassandra auditing can be configured concurrently with Apache Cassandra on the same host, since they have different setups on different files. The S-TAP handles both of them similarly, via a pipe.

Datastax Cassandra auditing supports multi-tenancy.

Procedure

  1. On the database, open the file dse.yaml in a text editor and update the Audit logging options section, with:
    # Audit logging options
    audit_logging_options:
        enabled: true
        logger: SLF4JAuditWriter
  2. Save and close the file.
  3. Open the file logback.xml in a text editor and add this appender:
    <appender name="GuardiumAuditWriterAppender" class="ch.qos.logback.core.FileAppender">
        <file><STAP location in your system>.cassandra_audit</file>
        <encoder>
            <pattern>%msg{}GUARD_DELIM</pattern>
            <immediateFlush>true</immediateFlush>
        </encoder>
    </appender>
    Typical S-TAP locations are:
    • non-GIM installations: /usr/local/guardium/guard_stap/
    • GIM installations: /opt/modules/STAP/current/
  4. Add the new appender to audit logger:
    <logger name="SLF4JAuditWriter" level="INFO" additivity="false">
        <appender-ref ref="SLF4JAuditWriterAppender"/>
        <appender-ref ref="GuardiumAuditWriterAppender"/>
    </logger>
  5. Save and close the file.
  6. Verify that the guard_tap.ini parameter cassandra_audit_enabled=1.
    This creates the file appender pipe for Cassandra/Datastax with native audit logging.
  7. If the guard_tap.ini parameter cassandra_audit_delimiter is set to something other than the default, verify that the value "GUARD_DELIM" in the logger configuration has the same value.
  8. On your Guardium system, add the Cassandra user to the "guardium" group, by entering:
    /usr/local/guardium/guard_stap/guardctl authorize-user <cassandra>
    This allows the Cassandra user to write to the pipe file appender. The permissions on the pipe allow the S-TAP user to read/write and anyone in the guardium group to write.
  9. Restart the S-TAP to create the Cassandra audit pipe.
  10. Restart the Cassandra instance to pick up the logging changes. (The restart for Cassandra also ensures that the guardium group membership is picked up for the new Cassandra process.)
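
The following added example (not part of the original procedure or of any Guardium or Datastax tooling) checks that logback.xml and guard_tap.ini agree with steps 3 to 7 before the restarts. It assumes that guard_tap.ini can be read as plain key=value lines and that the default delimiter is "GUARD_DELIM", as step 7 implies; the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_DELIM = "GUARD_DELIM"  # assumption: the default implied by step 7

def read_ini(text):
    """Collect key=value pairs from guard_tap.ini text (sections and comments skipped)."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if "=" in line and not line.startswith(("#", ";", "[")):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_audit_config(logback_xml, guard_tap_ini):
    """Return a list of problems; an empty list means steps 3 to 7 agree."""
    problems = []
    ini = read_ini(guard_tap_ini)
    if ini.get("cassandra_audit_enabled") != "1":
        problems.append("cassandra_audit_enabled is not 1 in guard_tap.ini")
    delim = ini.get("cassandra_audit_delimiter") or DEFAULT_DELIM
    root = ET.fromstring(logback_xml)
    appender = root.find("./appender[@name='GuardiumAuditWriterAppender']")
    if appender is None:
        problems.append("GuardiumAuditWriterAppender is not defined")
    else:
        path = (appender.findtext("file") or "").strip()
        if not path.endswith(".cassandra_audit"):
            problems.append(f"appender writes to {path!r}, not the .cassandra_audit pipe")
        pattern = (appender.findtext("encoder/pattern") or "").strip()
        if pattern != "%msg{}" + delim:
            problems.append(f"pattern {pattern!r} does not use delimiter {delim!r}")
    logger = root.find("./logger[@name='SLF4JAuditWriter']")
    refs = [] if logger is None else [r.get("ref") for r in logger.findall("appender-ref")]
    if "GuardiumAuditWriterAppender" not in refs:
        problems.append("SLF4JAuditWriter logger does not reference the Guardium appender")
    return problems

# Constructed sample inputs: the delimiter in guard_tap.ini was changed, logback.xml was not.
SAMPLE_LOGBACK = """<configuration>
  <appender name="GuardiumAuditWriterAppender" class="ch.qos.logback.core.FileAppender">
    <file>/usr/local/guardium/guard_stap/.cassandra_audit</file>
    <encoder><pattern>%msg{}GUARD_DELIM</pattern></encoder>
  </appender>
  <logger name="SLF4JAuditWriter" level="INFO" additivity="false">
    <appender-ref ref="GuardiumAuditWriterAppender"/>
  </logger>
</configuration>"""
SAMPLE_INI = "cassandra_audit_enabled=1\ncassandra_audit_delimiter=MY_DELIM\n"
if __name__ == "__main__":
    print(check_audit_config(SAMPLE_LOGBACK, SAMPLE_INI))
```

With the sample inputs the check reports the delimiter mismatch described in step 7; pass the contents of your own logback.xml and guard_tap.ini to run it against a real host.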