Matt, my only goal is to be able to have something that can be checked to see which key was used to access which resource. The closest I was able to get in Jewel was rgw debug logging 10/10, but it generates 100+ lines of logs for every request and as Aaron points out takes some logic to combine the object, the key, and the action as well that it doesn't actually catch every type of request.
It sounds like you've done some work with this. How can we utilize what you've done to be able to have audit logging on buckets? On Fri, Mar 9, 2018, 5:00 PM Aaron Bassett <aaron.bass...@nantomics.com> wrote: > Ah yes, I found it: > https://github.com/ceph/ceph/commit/3192ef6a034bf39becead5f87a0e48651fcab705 > > Unfortunately I can't quite figure out how to use it. I've got "rgw log > http headers = "authorization" in my ceph.conf but I'm getting no love in > the rgw log. > > > Also, setting rgw debug level to 10 did get me the user access key id, but > only incidentally, talking about a cache miss and put for the user, so I'm > not sure how much I'd want to depend on that. Also, to Davids point, that > makes thing very chatty and I'll have to do some processing to correlate > the key id with the rest of the request info. > > > Aaron > > On Mar 8, 2018, at 8:18 PM, Matt Benjamin <mbenj...@redhat.com> wrote: > > Hi Yehuda, > > I did add support for logging arbitrary headers, but not a > configurable log record a-la webservers. To level set, David, are you > speaking about a file or pipe log sync on the RGW host? > > Matt > > On Thu, Mar 8, 2018 at 7:55 PM, Yehuda Sadeh-Weinraub <yeh...@redhat.com> > wrote: > > On Thu, Mar 8, 2018 at 2:22 PM, David Turner <drakonst...@gmail.com> > wrote: > > I remember some time ago Yehuda had commented on a thread like this saying > that it would make sense to add a logging/auditing feature like this to > RGW. > I haven't heard much about it since then, though. Yehuda, do you remember > that and/or think that logging like this might become viable. > > > I vaguely remember Matt was working on this. Matt? > > Yehuda > > > > On Thu, Mar 8, 2018 at 4:17 PM Aaron Bassett <aaron.bass...@nantomics.com> > wrote: > > > Yea thats what I was afraid of. I'm looking at possibly patching to add > it, but i really dont want to support my own builds. I suppose other > alternatives are to use proxies to log stuff, but that makes me sad. > > Aaron > > > On Mar 8, 2018, at 12:36 PM, David Turner <drakonst...@gmail.com> wrote: > > Setting radosgw debug logging to 10/10 is the only way I've been able to > get the access key in the logs for requests. It's very unfortunate as it > DRASTICALLY increases the amount of log per request, but it's what we > needed > to do to be able to have the access key in the logs along with the request. > > On Tue, Mar 6, 2018 at 3:09 PM Aaron Bassett <aaron.bass...@nantomics.com> > wrote: > > > Hey all, > I'm trying to get something of an audit log out of radosgw. To that end I > was wondering if theres a mechanism to customize the log format of > civetweb. > It's already writing IP, HTTP Verb, path, response and time, but I'm hoping > to get it to print the Authorization header of the request, which > containers > the access key id which we can tie back into the systems we use to issue > credentials. Any thoughts? > > Thanks, > Aaron > CONFIDENTIALITY NOTICE > This e-mail message and any attachments are only for the use of the > intended recipient and may contain information that is privileged, > confidential or exempt from disclosure under applicable law. If you are not > the intended recipient, any disclosure, distribution or other use of this > e-mail message or attachments is prohibited. If you have received this > e-mail message in error, please delete and notify the sender immediately. > Thank you. > > _______________________________________________ > ceph-users mailing list > ceph-users@lists.ceph.com > > > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.ceph.com_listinfo.cgi_ceph-2Dusers-2Dceph.com&d=DwIBaQ&c=Tpa2GKmmYSmpYS4baANxQwQYqA0vwGXwkJOPBegaiTs&r=5nKer5huNDFQXjYpOR4o_7t5CRI8wb5Vb_v1pBywbYw&m=q8So9TjC57treWWapD23wxqiYyUohBcrF1HlEB82ntY&s=SqGv02oZlntXRPTSqDK9e5nWhELurcxGkg8HxB-py_k&e= > > > > > > > > -- > > Matt > <https://maps.google.com/?q=315%0D%0A+West+Huron+Street,+Suite+140A+%0D%0A+Ann%0D%0A+Arbor,+Michigan+48103&entry=gmail&source=g> > Benjamin > Red Hat, Inc. > 315 West Huron Street, Suite 140A > <https://maps.google.com/?q=315%0D%0A+West+Huron+Street,+Suite+140A+%0D%0A+Ann%0D%0A+Arbor,+Michigan+48103&entry=gmail&source=g> > Ann Arbor, Michigan 48103 > <https://maps.google.com/?q=315%0D%0A+West+Huron+Street,+Suite+140A+%0D%0A+Ann%0D%0A+Arbor,+Michigan+48103&entry=gmail&source=g> > > > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.redhat.com_en_technologies_storage&d=DwIBaQ&c=Tpa2GKmmYSmpYS4baANxQwQYqA0vwGXwkJOPBegaiTs&r=5nKer5huNDFQXjYpOR4o_7t5CRI8wb5Vb_v1pBywbYw&m=q8So9TjC57treWWapD23wxqiYyUohBcrF1HlEB82ntY&s=WETrkwV8EkHd9iypM-7_WonFV4XeYhJbXCjg-c6dr84&e= > > > > tel. 734-821-5101 > fax. 734-769-8938 > cel. 734-216-5309 > > CONFIDENTIALITY NOTICE > This e-mail message and any attachments are only for the use of the > intended recipient and may contain information that is privileged, > confidential or exempt from disclosure under applicable law. If you are not > the intended recipient, any disclosure, distribution or other use of this > e-mail message or attachments is prohibited. If you have received this > e-mail message in error, please delete and notify the sender immediately. > Thank you. >
_______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
