Auditing Overview

Fabric has a robust Auditing mechanism that logs various activities running on Fabric. These can be logins, Web Service calls, and various Fabric commands.

Two major Auditing features can be controlled:

  • Filtering strategies: provides full flexibility over the type of activities that are introduced to the Auditing mechanism. For instance, you may audit the Web Service calls only, without impacting the performance of other activities but with saving a lot of disk space.
  • Persistence strategies: defines the reporting channel of the Auditing mechanism. Examples for such channels are Cassandra (default), Kafka, files, etc.

The Auditing mechanism can be configured via the [audit] and [audit_kafka_producer] sections of the config.ini. By default, the persistence strategy is Cassandra, and the data is written into the k2_auditing table of the k2audit keyspace.

Auditing Reporting Structure

When an activity is logged by the Fabric Auditing mechanism, it has the following structure:

Name Description Example
action Type of activity performed in Fabric. LOGIN, GetCommand, called Web-Service name, etc.
date Activity date. 2020-11-05
user Fabric User ID. admin, etc...
written_at Activity date and timestamp. 2020-11-05 11:49:14.452000+0000
address IP address of the node where the activity is performed. In HTTP/HTTPS protocol address is a concatenation of the IP address:port. 10.21.1.1 or 10.21.1.1:3213
params Activity parameters, applicable for Fabric commands only. For example, for GetCommand: [DC_NAME=null|LU_NAME=CRM|IID=1]
protocol Contains the protocol used for the activity. The valid values are: HTTP/1.1, HTTPS/1.3 or DRIVER or JDBC driver. DRIVER
query Activity details, for example CQL query for a CQLCommand, a DESCRIBE SCHEMA CRM for a DescribeCommand, or the authentication provider for the LOGIN action. SELECT * FROM CRM.SUBSCRIBER
result Number of affected rows or activity status. Rows Affected: 3
session_id Session ID. When few actions are executed as a result of entry point (e.g. Web Service), session ID is the same for all the related entries. 07a40433-17a3-4054-9aaf-59d19378c555

For example, when the user performs login and authentication to the Web Framework, the activity is audited as follows:

  • Action = LOGIN
  • Protocol = HTTP/1.1
  • Query = LDAP/SAML/FABRIC

When the user performs login to the Fabric console, it is audited as follows:

  • Action = LOGIN
  • Protocol = DRIVER
  • Query = LDAP/FABRIC

Logouts are not audited.

Click for more information about the User Identification and Access Management Auditing.

Turning Auditing On/Off

By default, Auditing is set to OFF. To enable Auditing in Fabric, set AUDIT=ON in the config.ini file and then restart Fabric.

AUDIT=ON

Auditing Overview

Fabric has a robust Auditing mechanism that logs various activities running on Fabric. These can be logins, Web Service calls, and various Fabric commands.

Two major Auditing features can be controlled:

  • Filtering strategies: provides full flexibility over the type of activities that are introduced to the Auditing mechanism. For instance, you may audit the Web Service calls only, without impacting the performance of other activities but with saving a lot of disk space.
  • Persistence strategies: defines the reporting channel of the Auditing mechanism. Examples for such channels are Cassandra (default), Kafka, files, etc.

The Auditing mechanism can be configured via the [audit] and [audit_kafka_producer] sections of the config.ini. By default, the persistence strategy is Cassandra, and the data is written into the k2_auditing table of the k2audit keyspace.

Auditing Reporting Structure

When an activity is logged by the Fabric Auditing mechanism, it has the following structure:

Name Description Example
action Type of activity performed in Fabric. LOGIN, GetCommand, called Web-Service name, etc.
date Activity date. 2020-11-05
user Fabric User ID. admin, etc...
written_at Activity date and timestamp. 2020-11-05 11:49:14.452000+0000
address IP address of the node where the activity is performed. In HTTP/HTTPS protocol address is a concatenation of the IP address:port. 10.21.1.1 or 10.21.1.1:3213
params Activity parameters, applicable for Fabric commands only. For example, for GetCommand: [DC_NAME=null|LU_NAME=CRM|IID=1]
protocol Contains the protocol used for the activity. The valid values are: HTTP/1.1, HTTPS/1.3 or DRIVER or JDBC driver. DRIVER
query Activity details, for example CQL query for a CQLCommand, a DESCRIBE SCHEMA CRM for a DescribeCommand, or the authentication provider for the LOGIN action. SELECT * FROM CRM.SUBSCRIBER
result Number of affected rows or activity status. Rows Affected: 3
session_id Session ID. When few actions are executed as a result of entry point (e.g. Web Service), session ID is the same for all the related entries. 07a40433-17a3-4054-9aaf-59d19378c555

For example, when the user performs login and authentication to the Web Framework, the activity is audited as follows:

  • Action = LOGIN
  • Protocol = HTTP/1.1
  • Query = LDAP/SAML/FABRIC

When the user performs login to the Fabric console, it is audited as follows:

  • Action = LOGIN
  • Protocol = DRIVER
  • Query = LDAP/FABRIC

Logouts are not audited.

Click for more information about the User Identification and Access Management Auditing.

Turning Auditing On/Off

By default, Auditing is set to OFF. To enable Auditing in Fabric, set AUDIT=ON in the config.ini file and then restart Fabric.

AUDIT=ON