Audit Logging

Enterprise

This feature requires Consul Enterprise with the Governance and Policy module.

Consul Enterprise v1.8.0 adds audit logging, which captures a clear and actionable log of the authenticated events (both attempted and committed) that Consul processes via its HTTP API and compiles them into JSON for easy export. Each event contains a timestamp, the operation performed, and the user who initiated the action.

Audit logging enables security and compliance teams within an organization to get greater insight into Consul access and usage patterns.

For more experience leveraging Consul’s audit logging functionality, explore our HashiCorp Learn tutorial Capture Consul Events with Audit Logging.

For detailed information on configuring Consul Enterprise’s audit logging, review the Consul Audit Log documentation.

Example Configuration

Audit logging must be enabled on every agent in order to accurately capture all operations performed through the HTTP API. To enable logging, add the audit stanza to the agent’s configuration.

Note: Consul only logs operations which are initiated via the HTTP API. The audit log does not record operations that take place over the internal RPC communication channel used for agent communication.

The following example configures a destination called “My sink”. Since rotation is enabled, audit events will be stored in files named /tmp/audit-<TIMESTAMP>.json. The log file will be rotated either every 24 hours or when the log file size is greater than 25165824 bytes (24 megabytes).

HCL

    audit {
      enabled = true
      sink "My sink" {
        type               = "file"
        format             = "json"
        path               = "/tmp/audit.json"
        delivery_guarantee = "best-effort"
        rotate_duration    = "24h"
        rotate_max_files   = 15
        rotate_bytes       = 25165824
      }
    }

JSON

    {
      "audit": {
        "enabled": true,
        "sink": {
          "My sink": {
            "type": "file",
            "format": "json",
            "path": "/tmp/audit.json",
            "delivery_guarantee": "best-effort",
            "rotate_duration": "24h",
            "rotate_max_files": 15,
            "rotate_bytes": 25165824
          }
        }
      }
    }

Example Audit Log

In this example a client has issued an HTTP GET request to look up the ssh service in the /v1/catalog/service/ endpoint.

Details from the HTTP request are recorded in the audit log. The stage field is set to OperationStart, which indicates that the agent has begun processing the request.

The value of the payload.auth.accessor_id field is the accessor ID of the ACL token which issued the request.

    {
      "created_at": "2020-12-08T12:30:29.196365-05:00",
      "event_type": "audit",
      "payload": {
        "id": "e4a20aec-d250-72c4-2aea-454fe8ae8051",
        "version": "1",
        "type": "HTTPEvent",
        "timestamp": "2020-12-08T12:30:29.196206-05:00",
        "auth": {
          "accessor_id": "08f05787-3609-8001-65b4-922e5d52e84c",
          "description": "Bootstrap Token (Global Management)",
          "create_time": "2020-12-01T11:01:51.652566-05:00"
        },
        "request": {
          "operation": "GET",
          "endpoint": "/v1/catalog/service/ssh",
          "remote_addr": "127.0.0.1:64015",
          "user_agent": "curl/7.54.0",
          "host": "127.0.0.1:8500"
        },
        "stage": "OperationStart"
      }
    }

After the request is processed, a corresponding log entry is written for the HTTP response. The stage field is set to OperationComplete, which indicates that the agent has completed processing the request.

    {
      "created_at": "2020-12-08T12:30:29.202935-05:00",
      "event_type": "audit",
      "payload": {
        "id": "1f85053f-badb-4567-d239-abc0ecee1570",
        "version": "1",
        "type": "HTTPEvent",
        "timestamp": "2020-12-08T12:30:29.202863-05:00",
        "auth": {
          "accessor_id": "08f05787-3609-8001-65b4-922e5d52e84c",
          "description": "Bootstrap Token (Global Management)",
          "create_time": "2020-12-01T11:01:51.652566-05:00"
        },
        "request": {
          "operation": "GET",
          "endpoint": "/v1/catalog/service/ssh",
          "remote_addr": "127.0.0.1:64015",
          "user_agent": "curl/7.54.0",
          "host": "127.0.0.1:8500"
        },
        "response": {
          "status": "200"
        },
        "stage": "OperationComplete"
      }
    }
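
The two entries above carry different payload.id values, so a reviewer cannot join a request to its response on that field. The following is an added example, not part of the Consul documentation, that pairs OperationStart and OperationComplete events on the accessor ID and request details instead, then reports failed and unfinished requests. It assumes the sink writes one JSON event per line; the second accessor ID, the 10.0.0.7 addresses, the extra endpoints and the 403 status are constructed sample values.

```python
import json
from collections import Counter

def make_event(stage, accessor, op, endpoint, addr, status=None):
    """Build one constructed log line using the field layout of the page's sample."""
    payload = {"type": "HTTPEvent", "stage": stage,
               "auth": {"accessor_id": accessor},
               "request": {"operation": op, "endpoint": endpoint, "remote_addr": addr}}
    if status is not None:
        payload["response"] = {"status": status}
    return json.dumps({"event_type": "audit", "payload": payload})

BOOTSTRAP = "08f05787-3609-8001-65b4-922e5d52e84c"  # accessor ID from the page's sample
OTHER = "00000000-0000-0000-0000-000000000001"      # constructed placeholder accessor

# Constructed input: the page's request plus a denied write, a request that
# never completes, and a truncated line such as a crash could leave behind.
SAMPLE_LINES = [
    make_event("OperationStart", BOOTSTRAP, "GET", "/v1/catalog/service/ssh", "127.0.0.1:64015"),
    make_event("OperationComplete", BOOTSTRAP, "GET", "/v1/catalog/service/ssh", "127.0.0.1:64015", "200"),
    make_event("OperationStart", OTHER, "PUT", "/v1/kv/app/config", "10.0.0.7:50112"),
    make_event("OperationComplete", OTHER, "PUT", "/v1/kv/app/config", "10.0.0.7:50112", "403"),
    make_event("OperationStart", OTHER, "GET", "/v1/acl/tokens", "10.0.0.7:50113"),
    '{"event_type": "audit", "payload": {"sta',
]

def review(lines):
    """Pair OperationStart/OperationComplete events and collect what needs a look."""
    pending = Counter()  # request key -> starts still waiting for a completion
    report = {"requests": Counter(), "failed": [], "unfinished": [], "unparsed": 0}
    for line in lines:
        try:
            payload = json.loads(line)["payload"]
            req, accessor = payload["request"], payload["auth"]["accessor_id"]
            key = (accessor, req["remote_addr"], req["operation"], req["endpoint"])
            stage = payload["stage"]
        except (ValueError, KeyError, TypeError):
            report["unparsed"] += 1  # count rather than drop: gaps in an audit trail matter
            continue
        if stage == "OperationStart":
            pending[key] += 1
            report["requests"][accessor] += 1
        elif stage == "OperationComplete":
            pending[key] -= 1
            status = str(payload.get("response", {}).get("status", ""))
            if not status.startswith("2"):
                report["failed"].append((accessor, req["endpoint"], status))
    report["unfinished"] = sorted(k for k, n in pending.items() if n > 0)
    return report
```

Calling review(SAMPLE_LINES) returns per-accessor request counts, the denied PUT, the GET that has no completion event, and a count of lines that could not be parsed.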