Auditing is an important feature for database administrators to verify valid DB access. We recently build audit as an enterprise feature for Dgraph.
What would we log?
All requests will be logged in a file over the HTTP ports zero:6080 and alpha:8080 [except /health, /state and /jemalloc] and over the GRPC port zero:5080 and alpha:9080 [except Raft endpoints i.e. Heartbeat, RaftMessage, JoinCluster, IsPeer, health endpoints i.e. Check, Watch, and zero stream points StreamMembership, UpdateMembership, Oracle, Timestamps, ShouldServe, Connect ]
Format of Audit logs
All audit logs are in JSON format. We log the following information about each query:
- Endpoint
- LoggedIn User Name
- Server host address
- Client Host address
- Req Body (Truncated to max 4KB in length)
- Query Params if provided
- Response status
How to enable audit logs
Audit logs is an enterprise feature currently available on master and will be released during next major release.
You can enable audits in alpha or zero via new --audit flag. Sample alpha command could look like:
dgraph alpha --audit dir=aa where dir specifies the directory path where to store the audit logs.
Logs Compaction
With time audit logs will grow in size. We have implemented a rolling file-based policy for audit logs. Each file will have a size of 100MB and a max-age of 10 days. Users can also make the old log files to have compression. Sample alpha command with compression enabled would look like:
dgraph alpha --audit dir=aa;compress=true
Encryption of Audit Logs
It might be necessary for the administrators to encrypt audit logs because request might contain some sensitive information which needs to be protected. Dgraph audit logs will have the capability to encrypt log messages. Sample alpha command with encryption enabled would look like:
dgraph alpha --audit dir=aa;compress=true;encrypt_file=/path/to/encrypt/key/file
Decrypt Audit Logs
To decrypt audit logs if encryption is enabled, you can use the dgraph audit decrypt command. Sample command would look like:
dgraph audit decrypt --encryption_key_file /path/encrypt/key/file --in /path/to/encrypted/log/file --out /path/to/output/file