Can not enable audit logs in percona mongodb 1.15.0 deployed via helm chart

Ahmad_Abdolmaleki · December 10, 2023, 11:29am

Dear Percona developers

I can’t enable audit log of mongos in mongodb-server deployed via helm chart

Version:

1.15.0

Additional Information:

Kubernetes 1.26

Steps to Reproduce:

1- helm install mongo-operator . -n mongo-ns
2- in valuse.yaml of mongo server helm chart:
2.1 sharding.enabled: true
2.2 uncomment sharding.mongos.auditLog block
3- helm install mongo-server . -n mongo-ns

There is no auditlog file among Pod files.

Even when I add path under sharding.mongos.auditLog block it gives the following warning:

W1210 08:04:18.562770  949624 warnings.go:70] unknown field "spec.sharding.mongos.auditLog.path"

I set the configuration for mongos in sharding.mongos.configuration as:

    configuration: |
      systemLog:
        verbosity: 1
        destination: file
        logAppend: true
        path: /var/log/mongo/mongod.log
      auditLog:
        destination: file
        format: BSON
        path: /data/db/auditlog.bson
        filter: '{}'

yet it doesn’t work.

I saw comments in other posts about how to persist auditLog via sidecar and why sometimes it doesn’t produce an auditLog file because of the processManagement block in mongodb.conf.

How can I add

setParameter: { auditAuthorizationSuccess: true }

to config files to get success auth too?

Sergey_Pronin · December 11, 2023, 9:39am

Hello @Ahmad_Abdolmaleki ,

there are multiple things.

First, we need to be sure that we pass the parameters to mongos. The correct way to do with Helm is through values.yaml. It might look like this:

sharding:
  enabled: true
  mongos:
    configuration: |
      systemLog:
        verbosity: 1
      auditLog:
        destination: file
        format: BSON
        path: /data/db/auditlog.bson
        filter: '{}'

Now you can install your helm with this manifest:
helm install cluster1 percona/psmdb-db -f values.yaml

This way you should see the config map created and the auditlog.bson in the container.

Logging successful authorization. To do it, just add the setParameter section into your manifest. So you values.yaml now looks like this:

sharding:
  enabled: true
  mongos:
    configuration: |
      setParameter:
        auditAuthorizationSuccess: true
      systemLog:
        verbosity: 1
      auditLog:
        destination: file
        format: BSON
        path: /data/db/auditlog.bson
        filter: '{}'

This is it.
Please let me know if it worked for you.

Ahmad_Abdolmaleki · December 23, 2023, 4:16am

I’ve already tried with these configs, and it failed. After your emphasis, I rechecked it, but this time it works

Thanks

Topic		Replies	Views
Percona audit filter and parameter Percona Server for MongoDB	4	1069	March 21, 2016
Percona server for mongodb: docker image with auditing included Percona Distribution for MongoDB percona	9	1172	January 29, 2021
Persist Audit logs in mongos pod. [Helm chart] Percona Server for MongoDB closed-no-reply , kubernetes	1	959	November 17, 2023
Mongodb auditing Percona Server for MongoDB	1	627	August 4, 2021
Auditing: logout Percona Server for MongoDB	0	382	September 21, 2017

Can not enable audit logs in percona mongodb 1.15.0 deployed via helm chart

Version:

Additional Information:

Steps to Reproduce:

Related topics