IBM Support

How to send DSE audit logs to a remote syslog server

Troubleshooting


Problem

Summary

Enterprises and users frequently send audit logs to a network target, like a syslog server. This article offers comprehensive instructions and examples to guide you through this process.

Applies to

Apache Cassandra (All versions)
DataStax Enterprise (All versions)

Solution

To follow these instructions, a syslog server must be online and reachable by the Database Node. In the configuration examples, replace IP_of_remote_server with the destination's IP address. In addition, make sure the port number is correct.

The location of the logback.xml file differs depending on the installed software. For most versions of Cassandra, it is $CASSANDRA_HOME/conf. For package installations of DataStax Enterprise, it is /etc/dse. For tarball installations of DSE, it is $TARBALL_ROOT/resources/cassandra/conf.

The location of the dse.yaml file depends on the type of installation for DataStax Enterprise (DSE). For package installations, the dse.yaml file is located in /etc/dse/dse.yaml. For tarball installations, the file can be found at <installation_location>/resources/dse/conf/dse.yaml. This information aligns with the standard configurations and installation paths for DSE. You should adjust these paths if you have an alternate configuration or have set a custom location for your DSE configuration files.

The /var/log/auth.log file is primarily used on Unix and Linux systems to store system authorization information, including user logins and authentication mechanisms. It logs every authentication attempt and stores information about its success or failure. This file is particularly useful for monitoring unauthorized access attempts, troubleshooting authentication issues, and general security auditing purposes.

On Unix and Linux systems, /var/log/syslog is usually the primary system log file. It lives in the /var/log directory together with other system logs, application logs, and logs from system daemons. Whether this file exists, and where, depends on the system configuration and the syslog service in use, such as rsyslog.

1. Enable audit logging as described in the DSE documentation:

https://docs.datastax.com/en/security/6.0/security/secAuditEnable.html

To enable audit logging on DataStax Enterprise (DSE), locate and edit the dse.yaml file, find the 'audit_logging_options:' section, set 'enabled:' to 'true', save the file, restart DSE, and verify the configuration.
$ cat dse.yaml

# Audit logging options
audit_logging_options:
    enabled: true     <<< change from false. Remaining default settings are OK and log to file
    logger: SLF4JAuditWriter


2. To send Cassandra DSE audit logs to a syslog server using rsyslog, you'll need to configure rsyslog to forward logs to the remote syslog server. Here's how to set it up:

STEP 1. Install rsyslog (if it's not already installed):

On Debian-based systems:
sudo apt-get update
sudo apt-get install rsyslog
On Red Hat-based systems:
sudo yum install rsyslog


STEP 2. Edit the rsyslog Configuration File:

Open the rsyslog configuration file (/etc/rsyslog.conf) in a text editor.
sudo vi /etc/rsyslog.conf


STEP 3. Enable UDP/TCP Logging (if required):

Ensure that the following lines are uncommented to enable UDP or TCP reception. Uncomment the lines for the transport you need (UDP is generally used for simplicity; note that the logback SyslogAppender configured in section 3 sends over UDP, so the imudp lines are the ones it requires):
 
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")


STEP 4. Restart rsyslog:

After making the changes, restart the rsyslog service to apply the new configuration.
sudo systemctl restart rsyslog


STEP 5. Verify rsyslog Configuration:

Check the status of the rsyslog service to ensure it's running without errors.
sudo systemctl status rsyslog


STEP 6. Confirm that rsyslog is now listening on port 514

$ sudo netstat -4altunp | grep 514
tcp  0    0 0.0.0.0:514       0.0.0.0:*      LISTEN    5307/rsyslogd
udp  0    0 0.0.0.0:514       0.0.0.0:*                5307/rsyslogd


STEP 7. Test the Configuration:

To test if logs are being forwarded correctly, you can use the logger command to send a test message:
logger "Test message to syslog server"


STEP 8. After this, my entries for AUTH were indeed being flushed to `/var/log/auth.log`. 

 

3. Steps to send Cassandra DSE audit logs to a syslog server using rsyslog:


STEP 1 - For each DSE node, define a new SyslogAppender in the Cassandra logback.xml:

<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>IP_of_remote_server</syslogHost>
    <facility>AUTH</facility>
    <suffixPattern>%logger%msg</suffixPattern>
</appender>

IMPORTANT - The appender must be added before the <logger> definition for SLF4JAuditWriter.

STEP 2 - Add the new SYSLOG appender to the SLF4JAuditWriter:

<logger name="SLF4JAuditWriter" level="INFO" additivity="false">
    <appender-ref ref="SLF4JAuditWriterAppender"/>
    <appender-ref ref="SYSLOG"/>
</logger>

STEP 3 - Restart DSE for the change to take effect.

Post-verification:

STEP 1 - Log in to the remote syslog server defined in <syslogHost>.

STEP 2 - Monitor the logs in the /var/log directory:
 
$ tail -f /var/log/auth.log

STEP 3 - On one of the DSE nodes, perform an auditable action. For example:
 
$ cqlsh 10.1.2.3 -u cassandra -p cassandra

Here are example audit events in /var/log/auth.log for DSE node IP 10.101.33.230:
 
host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra|timestamp:1560839112418|category:QUERY|type:CQL_SELECT|ks:system_schema|cf:aggregates|operation:SELECT * FROM system_schema.aggregates|consistency level:ONE
Jun 18 16:25:12 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra|timestamp:1560839112419|category:QUERY|type:CQL_SELECT|ks:system_schema|cf:columns|operation:SELECT * FROM system_schema.columns|consistency level:ONE
Jun 18 16:25:12 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra|timestamp:1560839112419|category:QUERY|type:CQL_SELECT|ks:system_schema|cf:views|operation:SELECT * FROM system_schema.views|consistency level:ONE
Jun 18 16:25:12 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra|timestamp:1560839112559|category:AUTH|type:LOGIN|operation:Succesful login for user - cassandra
Jun 18 16:25:12 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra|timestamp:1560839112583|category:QUERY|type:CQL_SELECT|ks:system|cf:local|operation:select * from system.local where key = 'local'|consistency level:ONE
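Once the events arrive on the collector they are worth more than a tail; the following is an added example (not from this article or from DataStax) that parses forwarded lines in the format shown above into fields, counts events per category and type, and flags logins from client addresses outside an allow-list. The sample lines, the hostname and the 192.0.2.77 source address are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample input in the format shown above (illustrative values).
SAMPLE_LINES = [
    "Jun 18 16:25:12 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter "
    "host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra"
    "|timestamp:1560839112559|category:AUTH|type:LOGIN|operation:Succesful login for user - cassandra",
    "Jun 18 16:25:12 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter "
    "host:/10.101.33.230|source:/10.101.33.230|user:cassandra|authenticated:cassandra"
    "|timestamp:1560839112583|category:QUERY|type:CQL_SELECT|ks:system|cf:local"
    "|operation:select * from system.local where key = 'local'|consistency level:ONE",
    "Jun 18 16:25:40 ip-10-101-33-230.srv101.dsinternal.org SLF4JAuditWriter "
    "host:/10.101.33.230|source:/192.0.2.77|user:cassandra|authenticated:cassandra"
    "|timestamp:1560839140001|category:AUTH|type:LOGIN|operation:Succesful login for user - cassandra",
]

# rsyslog (BSD-style) line header: "Mon dd HH:MM:SS host logger <message>"
HEADER = re.compile(r"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_event(line):
    """Split one forwarded audit line into a dict of fields; None if it is not a DSE audit event."""
    m = HEADER.match(line)
    if not m or m.group(3) != "SLF4JAuditWriter":
        return None
    event = {"syslog_time": m.group(1), "syslog_host": m.group(2)}
    # The DSE body is "key:value|key:value|...". Only the first ':' of each field separates
    # key from value, so CQL text containing ':' survives; a '|' inside CQL text would not.
    for field in m.group(4).split("|"):
        key, sep, value = field.partition(":")
        if sep:
            event[key.strip()] = value
    return event


def summarize(lines):
    """Count events per (category, type), e.g. to spot a burst of logins or schema reads."""
    return Counter((e["category"], e["type"]) for e in map(parse_event, lines) if e)


def logins_from_unexpected_sources(lines, allowed_sources):
    """Return AUTH/LOGIN events whose client address is not in the allow-list."""
    hits = []
    for e in filter(None, map(parse_event, lines)):
        if e.get("category") == "AUTH" and e.get("type") == "LOGIN":
            if e.get("source", "").lstrip("/") not in allowed_sources:
                hits.append(e)
    return hits


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for hit in logins_from_unexpected_sources(SAMPLE_LINES, {"10.101.33.230"}):
        print("login from unexpected source:", hit["source"], "user:", hit["user"])
```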

Destination log file:

In the appender definition above, <facility> is set to AUTH:
<facility>AUTH</facility>
The audit events are therefore logged to auth.log on the remote syslog server. If <facility> were set to SYSLOG instead, the audit events would be logged to /var/log/syslog on the remote syslog server.
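The facility chooses the destination file because it is encoded in the PRI value at the front of every syslog message. The following added example (not from this article or from DataStax) computes that PRI for the facility names the appender accepts, maps a facility to its file under the Debian/Ubuntu-style default rsyslog rules assumed here, and can send one constructed message over UDP to the collector, a remote-side counterpart of the logger test in Step 7; IP_of_remote_server is the same placeholder as in the article.

```python
import socket
import time

# RFC 3164 facility and severity codes; the names are those logback's SyslogAppender accepts.
FACILITIES = {"AUTH": 4, "SYSLOG": 5, "AUTHPRIV": 10, "LOCAL0": 16}
SEVERITIES = {"ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity; it is the number inside '<..>' at the start of a message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def destination_file(facility):
    """Assumed routing, modelled on the Debian/Ubuntu rsyslog defaults:
    'auth,authpriv.*  /var/log/auth.log' and '*.*;auth,authpriv.none  /var/log/syslog'."""
    if facility in ("AUTH", "AUTHPRIV"):
        return "/var/log/auth.log"
    return "/var/log/syslog"


def build_message(facility, severity, hostname, logger, body, when=None):
    """Format a BSD-syslog message as it would arrive with a suffixPattern of '%logger %msg'."""
    t = time.localtime(when)
    # RFC 3164 timestamp: month name, space-padded day of month, HH:MM:SS
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {logger} {body}"


def send_udp(message, server, port=514):
    """Send one message to the collector over UDP, the transport the logback appender uses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (server, port))


if __name__ == "__main__":
    # Constructed body in the DSE audit format; the host and user values are illustrative.
    body = "host:/10.1.2.3|source:/10.1.2.3|user:cassandra|category:AUTH|type:LOGIN|operation:test"
    for facility in ("AUTH", "SYSLOG"):
        msg = build_message(facility, "INFO", "dse-node-1", "SLF4JAuditWriter", body)
        print(f"{facility}: PRI <{syslog_pri(facility, 'INFO')}> -> {destination_file(facility)}")
    # send_udp(msg, "IP_of_remote_server")  # uncomment with a reachable collector address
```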
 

Document Location

Worldwide


Historical Number

ka0Ui0000002YK9IAM

Document Information

Modified date:
30 January 2026

UID

ibm17258495