Backtrace provides audit log capabilities for customers. The audit log includes all login requests and configuration changes (including user management), together with additional metadata such as the originating IP address of each request.

Enabling the audit log for on-premises deployments

The following stanza is required in your coronerd.conf file (usually in /etc/coronerd):

"audit" : {
  "path" : "/var/log/coronerd/audit.db"
}


The default retention policy is 6 months, but it is possible to tune this. The age_seconds integer is the number of seconds an audit log entry is stored for before it is removed. For example, the stanza below sets the retention to 1 hour: audit log entries older than 3600 seconds qualify for removal by the Backtrace system.

"audit" : {
  "path" : "/var/log/coronerd/audit.db",
  "age_seconds": 3600
}

Viewing the audit log

Once the audit log is enabled, its contents can be extracted with the morgue tool or by copying the audit log database directly. With morgue, the morgue audit extract command extracts the log and renders it in a text format.

The --table option renders this data in a tabular format for your terminal.

It is also possible to render the audit log as a JSON object, using the --json option.

Filtering the audit log

Traditional utilities such as grep or jq can be used for more advanced filtering of the audit log. For example, the entries can be narrowed to those belonging to the configuration subsystem.

Multitenant Configuration and Access Control

Regular users and administrators have access only to the audit logs of their own tenant (universe). A superuser has access to the audit logs of all tenants, and can restrict the output to a particular tenant by passing the --universe option to morgue audit extract. For example, morgue audit extract --universe=A returns the audit log entries for tenant A.
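The filtering section above and the tenant filtering just described both come down to selecting entries from the --json export by field value. The script below is an added example and not Backtrace code: the entry layout (field names such as universe, subsystem, result and address) is constructed for illustration and must be replaced with the field names your own morgue audit extract --json output actually uses. It selects by subsystem and by tenant, and adds one defender-side summary the page's metadata makes possible: counting failed login requests per originating IP address.

```python
"""Filter and summarise a JSON export of the Backtrace audit log.

Added example, not Backtrace code. The entry layout below is constructed for
illustration; take the real field names from your own
`morgue audit extract --json` output before adapting the filters.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample export. Field names (universe, subsystem, result, address, ...) are assumptions.
SAMPLE_EXPORT = json.dumps([
    {"time": "2024-05-01T09:00:01Z", "universe": "A", "user": "alice", "subsystem": "login",
     "action": "login", "result": "success", "address": "203.0.113.10"},
    {"time": "2024-05-01T09:02:15Z", "universe": "A", "user": "alice", "subsystem": "configuration",
     "action": "update", "result": "success", "address": "203.0.113.10"},
    {"time": "2024-05-01T09:05:42Z", "universe": "B", "user": "bob", "subsystem": "configuration",
     "action": "user.create", "result": "success", "address": "203.0.113.22"},
    {"time": "2024-05-01T09:07:03Z", "universe": "B", "user": "bob", "subsystem": "login",
     "action": "login", "result": "failure", "address": "198.51.100.7"},
    {"time": "2024-05-01T09:07:09Z", "universe": "B", "user": "bob", "subsystem": "login",
     "action": "login", "result": "failure", "address": "198.51.100.7"},
])


def load_entries(export_json: str) -> List[dict]:
    """Parse the --json export; assumes it is a JSON array of entry objects."""
    entries = json.loads(export_json)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of audit entries")
    return entries


def filter_entries(entries: Iterable[dict], subsystem: Optional[str] = None,
                   universe: Optional[str] = None) -> List[dict]:
    """Keep entries matching the given subsystem and/or tenant (universe)."""
    return [
        e for e in entries
        if (subsystem is None or e.get("subsystem") == subsystem)
        and (universe is None or e.get("universe") == universe)
    ]


def failed_logins_by_address(entries: Iterable[dict], threshold: int = 3) -> Dict[str, int]:
    """Count failed login requests per originating IP; return those at or above threshold."""
    counts = Counter(
        e.get("address", "unknown")
        for e in entries
        if e.get("subsystem") == "login" and e.get("result") == "failure"
    )
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for e in filter_entries(entries, subsystem="configuration"):
        print(f'{e["time"]} [{e["universe"]}] {e["user"]} {e["action"]} from {e["address"]}')
    print("repeated login failures:", failed_logins_by_address(entries, threshold=2))
```

With the real field names substituted, the subsystem filter corresponds to a jq selection such as `jq '.[] | select(.subsystem == "configuration")'` run over the --json output, and the universe filter is the client-side counterpart of the --universe option available to superusers.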
