Hi,
I have audit enabled in a cluster (3 nodes) running PSMDB 4.4.9-10.
Part of my mongod.conf:
systemLog:
  destination: file
  logAppend: true
  logRotate: reopen
  path: /var/log/mongodb/mongod.log
auditLog:
  destination: file
  format: JSON
  path: /datadrive/mongodb/audit/audit.json
  filter: '{"$or": [{"users": [],"param.command": [{ $ne: "isMaster" }, { $ne: "ping" }] }, { "atype" : { $in: [ "authCheck", "authentication" ] }, "users.user" : /[a-zA-Z]+\\.[a-zA-Z]+/}]}'
I’m using /etc/logrotate.d/mongodb to rotate mongod.conf:
/var/log/mongodb/mongod.log {
    daily
    size 50M
    rotate 10
    missingok
    compress
    delaycompress
    notifempty
    create 640 mongod mongod
    sharedscripts
    postrotate
        /bin/kill -SIGUSR1 $(cat /var/run/mongod.pid 2>/dev/null) >/dev/null 2>&1
    endscript
}
When MongoDB rotates the mongod.log, the audit log is also rotated.
If auditing is enabled, the logRotate command also rotates the audit log.
However, although I have logRotate: reopen specified in the mongod.conf and this mechanism is used to rotate mongod.log, for the audit log, files like audit.json.<YYYY>-<mm>-<DD>T<HH>-<MM>-<SS> are created, which suggests that MongoDB is using the rename mechanism to rotate the audit logs instead of using the same mechanism used to rotate mongod.log, the one specified in mongod.conf, as it is stated in the documentation:
If auditing is enabled, the logRotate command also rotates the audit log according to the above parameters. For example, if systemLog.logRotate is set to rename, the audit log will also be renamed.
Note: I can implement some kind of workaround by adding the following command to postrotate, to only retain this kind of history logs from the last 7 days, but this would be avoided if the audit log was rotated with the reopen mechanism.
find /datadrive/mongodb/audit -type f -mtime +7 -regextype posix-awk -regex "^\/datadrive\/mongodb\/audit\/audit\.json.+" -execdir rm {} \; >/dev/null 2>&1
Does anyone know if this is expected and I’m missing something? If this is not expected should I create a Jira ticket?
Thanks in advance.
Kind regards,
João Soares
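
A variant of the retention step from the post, as an added example that is not part of the original post: it selects rotated audit files by the timestamp in their name rather than by mtime, and only lists them so the result can be reviewed or archived before anything is removed. The function names are this example's own, and it assumes the suffix is written in UTC.

```sh
#!/bin/sh
# Added example (not from the original post). Lists only; deletes nothing.
# Assumed name layout, from the post: audit.json.<YYYY>-<mm>-<DD>T<HH>-<MM>-<SS>

STAMP_GLOB='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]-[0-9][0-9]-[0-9][0-9]'

# is_stamp STRING: succeed only if STRING has exactly the rotation suffix layout.
is_stamp() {
    case $1 in
        $STAMP_GLOB) return 0 ;;
        *) return 1 ;;
    esac
}

# expired_audit_logs DIR CUTOFF
#   CUTOFF has the same layout as the suffix, e.g. 2024-01-08T00-00-00.
#   Prints one path per line for every rotated file older than CUTOFF.
#   The body is a subshell, so its variables do not leak into the caller.
expired_audit_logs() (
    dir=$1 cutoff=$2
    is_stamp "$cutoff" || { echo "bad cutoff: $cutoff" >&2; exit 2; }
    for f in "$dir"/audit.json.*; do
        # Regular files only: skip symlinks, directories and an unmatched glob.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        stamp=${f##*/audit.json.}
        # Anything without an exact rotation suffix (audit.json.bak, *.gz) is left alone,
        # and the live audit.json never matches the glob at all.
        is_stamp "$stamp" || continue
        # Fixed-width timestamps compare in time order as plain strings.
        if expr "$stamp" \< "$cutoff" >/dev/null; then
            printf '%s\n' "$f"
        fi
    done
)

# Dry run when called with two arguments, e.g. (GNU date assumed for -d):
#   sh this_script.sh /datadrive/mongodb/audit \
#      "$(date -u -d '7 days ago' +%Y-%m-%dT%H-%M-%S)"
if [ "$#" -eq 2 ]; then
    expired_audit_logs "$1" "$2"
fi
```

Unlike mtime, the name-based timestamp does not change when a file is copied, restored from backup or touched.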