Enterprise Audit Logs

Auditing is an important feature for database administrators to verify valid DB access. We recently built audit logging as an enterprise feature for Dgraph.

What would we log?

All requests over the HTTP ports zero:6080 and alpha:8080 (except /health, /state and /jemalloc) and over the gRPC ports zero:5080 and alpha:9080 will be logged to a file. The gRPC exceptions are the Raft endpoints (Heartbeat, RaftMessage, JoinCluster, IsPeer), the health endpoints (Check, Watch), and the zero stream endpoints (StreamMembership, UpdateMembership, Oracle, Timestamps, ShouldServe, Connect).

Format of Audit logs

All audit logs are in JSON format. We log the following information about each query:

  1. Endpoint
  2. Logged-in user name
  3. Server host address
  4. Client host address
  5. Request body (truncated to a maximum of 4KB in length)
  6. Query params, if provided
  7. Response status
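
As an added example (not code from Dgraph or from this post), here is one way to review such logs: it counts failed requests per user and client IP and lists records whose request body reached the 4KB cap, since those records may not show the whole request. The JSON key names, the "OK" status value, the 4096-byte cap and the sample records are all assumptions made for illustration.

```python
import json
from collections import Counter

# Assumed JSON key names and status value: the post lists the logged fields
# but not their keys, so adjust these to match your real audit output.
K_ENDPOINT, K_USER, K_CLIENT, K_BODY, K_STATUS = KEYS = (
    "endpoint", "user", "client_host", "req_body", "status")
OK_STATUS = "OK"
MAX_BODY = 4096  # assumed byte value of the 4KB request-body cap

def parse_audit(text):
    """Return (records, bad_lines) from newline-delimited JSON audit text."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None  # e.g. a file that is still encrypted or was cut short
        if isinstance(rec, dict):
            records.append(rec)
        else:
            bad += 1
    return records, bad

def review(records):
    """Count failed requests per (user, client IP) and list capped bodies."""
    failures, capped = Counter(), []
    for rec in records:
        host = str(rec.get(K_CLIENT, ""))
        client_ip = host.rpartition(":")[0] or host  # drop the source port
        if rec.get(K_STATUS) != OK_STATUS:
            failures[(rec.get(K_USER, ""), client_ip)] += 1
        # A body at the cap may have been cut, so the record is incomplete.
        if len(str(rec.get(K_BODY, "")).encode()) >= MAX_BODY:
            capped.append(rec.get(K_ENDPOINT))
    return failures, capped

ROWS = [  # constructed sample records, in KEYS order
    ("/query", "alice", "10.0.1.7:51234", "{ q(func: has(name)) { name } }", "OK"),
    ("/query", "bob", "10.0.1.9:40001", "{ q(func: has(secret)) { secret } }", "PermissionDenied"),
    ("/query", "bob", "10.0.1.9:40002", "{ q(func: has(secret)) { uid } }", "PermissionDenied"),
    ("/mutate", "alice", "10.0.1.7:51300", "x" * MAX_BODY, "OK"),
]
SAMPLE = "\n".join(json.dumps(dict(zip(KEYS, r))) for r in ROWS) + "\nnot-json\n"
if __name__ == "__main__":
    recs, bad = parse_audit(SAMPLE)
    print(review(recs), "unparseable lines:", bad)
```

Unparseable lines are counted rather than skipped silently, because in an audit trail they can indicate a file that has not been decrypted yet or one that was cut short.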

How to enable audit logs

Audit logging is an enterprise feature currently available on master and will be released in the next major release.
You can enable auditing in alpha or zero via the new --audit flag. A sample alpha command could look like:
dgraph alpha --audit dir=aa
where dir specifies the directory path in which to store the audit logs.

Logs Compaction

Audit logs will grow in size over time, so we have implemented a rolling file-based policy for them. Each file will have a size of 100MB and a max-age of 10 days. Users can also enable compression of the old log files. A sample alpha command with compression enabled would look like this (the value is quoted so that the shell does not treat ; as a command separator):
dgraph alpha --audit "dir=aa;compress=true"

Encryption of Audit Logs

Administrators might need to encrypt audit logs, because requests might contain sensitive information that needs to be protected. Dgraph audit logs will have the capability to encrypt log messages. A sample alpha command with encryption enabled would look like:

dgraph alpha --audit "dir=aa;compress=true;encrypt_file=/path/to/encrypt/key/file"

Decrypt Audit Logs

If encryption is enabled, you can decrypt audit logs with the dgraph audit decrypt command. A sample command would look like:
dgraph audit decrypt --encryption_key_file /path/encrypt/key/file --in /path/to/encrypted/log/file --out /path/to/output/file