SimpleRPC Auditing

As part of the SimpleRPC framework we’ve added an auditing system that you can use to log all requests received into a file or even send it over mcollective to a central auditing system. What actually happens with audit data is pluggable and you can provide your own plugins to do what you need.

The clients will include the uid of the process running the client library in the requests and the audit function will have access to that on the requests.

Configuration

To enable logging you should set an option to enable it and also one to configure which plugin to use:

rpcaudit = 1
rpcauditprovider = Logfile

This sets it up to use MCollective::Audit::Logfile plugin for logging evens.

The client will embed a caller id - the Unix UID of the program running it or SSL cert - in requests which you can find in the request object.

Logfile plugin

Auditing is implemented using plugins that you should install in the normal plugin directory under mcollective/audit/. We have a sample Logfile plugin that you can see below:

module MCollective
    module RPC
        class Logfile<Audit
	    require 'pp'

            def audit_request(request, connection)
                logfile = Config.instance.pluginconf["rpcaudit.logfile"] || "/var/log/puppetlabs/mcollective/mcollective-audit.log"

                now = Time.now
                now_tz = tz = now.utc? ? "Z" : now.strftime("%z")
                now_iso8601 = "%s.%06d%s" % [now.strftime("%Y-%m-%dT%H:%M:%S"), now.tv_usec, now_tz]

                File.open(logfile, "w") do |f|
                    f.puts("#{now_iso8601}: reqid=#{request.uniqid}: reqtime=#{request.time} caller=#{request.caller}@#{request.sender} agent=#{request.agent} action=#{request.action} data=#{request.data.pretty_print_inspect}")
                end
            end
        end
    end
end

As you can see you only need to provide one method called audit_request, you will get the request in the form of an MCollective::RPC::Request object as well as the connection to the middleware should you wish to send logs to a central host.

The Logfile plugin takes a configuration option:

plugin.rpcaudit.logfile = /var/log/puppetlabs/mcollective/mcollective-audit.log

We do not do log rotation of this file so you should do that yourself if you enable this plugin.

This log lines like:

2010-12-28T17:09:03.889113+0000: reqid=319719cc475f57fda3f734136a31e19b: reqtime=1293556143 caller=cert=nagios@monitor1 agent=nrpe action=runcommand data={:process_results=>true, :command=>"check_mailq"}

Other plugins can be found on the community site like a centralized logging plugin.

Back to top