Audit Logging
AIStor supports publishing an audit log of all operations to a remote receiver. The audit logging feature meets security and compliance requirements around granular tracking of operations within an AIStor deployment.
AIStor does not by default publish audit logs to any destination. Audit logs can contain private and internal details such as hostnames, IP addresses, and object names. The remote receiver takes responsibility for processing, storing, and securing all incoming audit logs.
Supported audit log targets
AIStor supports the following remote targets:
Audit event queue
For each API operation, AIStor attempts to send an event to the configured receivers. AIStor automatically retries failed events before storing them in a queue to attempt replaying later. Events may be permanently lost if the queue fills before AIStor can connect to the receiver and flush both pending and ongoing operation events. You can control the audit queue configuration using either environment variables or configuration settings.
For options that require specifying a directory path, ensure the minio-user user and group have read, write, and list access to those resources.
Where possible, use chown and chmod to limit access and ownership to the minio-user only.
Restart AIStor to apply the new settings.
Audit log structure
AIStor Server audit logs resemble the following JSON document:
{
   "version": "1",
   "deploymentid": "8ca2b7ad-20cf-4d07-9efb-28b2f519f4a5",
   "time": "2024-02-29T19:39:25.744431903Z",
   "event": "",
   "trigger": "incoming",
   "api": {
      "name": "CompleteMultipartUpload",
      "bucket": "data",
      "object": "test-data.csv",
      "status": "OK",
      "statusCode": 200,
      "rx": 267,
      "tx": 358,
      "txHeaders": 387,
      "timeToFirstByte": "2096989ns",
      "timeToFirstByteInNS": "2096989",
      "timeToResponse": "2111986ns",
      "timeToResponseInNS": "2111986"
   },
   "remotehost": "127.0.0.1",
   "requestID": "17B86CB0ED88EBE9",
   "userAgent": "MinIO (linux; amd64) minio-go/v7.0.67 mc/RELEASE.2024-02-24T01-33-20Z",
   "requestPath": "/data/test-data.csv",
   "requestHost": "minio.example.net:9000",
   "requestQuery": {
      "uploadId": "OGNhMmI3YWQtMjBjZi00ZDA3LTllZmItMjhiMmY1MTlmNGE1LmU3MjNlNWI4LTNiYWYtNDYyNy1hNzI3LWMyNDE3NTVjMmMzNw"
   },
   "requestHeader": {
      "Accept-Encoding": "zstd,gzip",
      "Authorization": "AWS4-HMAC-SHA256 Credential=minioadmin/20240229/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=ccb3acdc1763509a88a7e4a3d7fe431ef0ee5ca3f66ccb430d5a09326e87e893",
      "Content-Length": "267",
      "Content-Type": "application/octet-stream",
      "User-Agent": "MinIO (linux; amd64) minio-go/v7.0.67 mc/RELEASE.2024-02-24T01-33-20Z",
      "X-Amz-Content-Sha256": "d61969719ee94f43c4e87044229b7a13b54cab320131e9a77259ad0c9344f6d3",
      "X-Amz-Date": "20240229T193925Z"
   },
   "responseHeader": {
      "Accept-Ranges": "bytes",
      "Content-Length": "358",
      "Content-Type": "application/xml",
      "ETag": "1d9fdc88af5e74f5eac0a3dd750ce58e-2",
      "Server": "MinIO",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Vary": "Origin,Accept-Encoding",
      "X-Amz-Id-2": "dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8",
      "X-Amz-Request-Id": "17B86CB0ED88EBE9",
      "X-Content-Type-Options": "nosniff",
      "X-Xss-Protection": "1; mode=block"
   },
   "tags": {
      "objectLocation": {
            "name": "Mousepad Template-v03final.jpg",
            "poolId": 1,
            "setId": 1,
            "disks": [
               "/mnt/drive-1",
               "/mnt/drive-2",
               "/mnt/drive-3",
               "/mnt/drive-4"
            ]
      }
   },
   "accessKey": "minioadmin"
}
- The api.timeToFirstByte and api.timeToResponse fields are expressed in nanoseconds.
- For erasure coded setups, tags.objectErasureMap provides per-object details on the following:
  - The server pool on which the object operation was performed.
  - The erasure set on which the object operation was performed.
  - The list of drives in the erasure set which participated in the object operation.
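Because the remote receiver, not AIStor, is responsible for securing what it stores, a receiver typically normalizes each record and masks credential-bearing headers before indexing. The following is an added example of such a receiver-side step, not AIStor or MinIO code: it parses newline-delimited records with the structure shown above, converts the nanosecond latency fields (which appear both as "2096989ns" strings and as bare "2096989" strings) to integers, redacts the Authorization header, and flags error responses. The two sample records are constructed (the first is shortened from the document's record, the second is an invented 403 response), and the header list, the 1-second slow threshold, and all function names are assumptions.

```python
"""Receiver-side normalization of AIStor-style audit log records (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Headers that carry credentials or request signatures. The receiver masks
# them before storage; the set is an assumption, not an AIStor setting.
SENSITIVE_HEADERS = {"authorization", "x-amz-security-token", "cookie"}

# Constructed sample input: two newline-delimited audit records.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "version": "1",
        "deploymentid": "8ca2b7ad-20cf-4d07-9efb-28b2f519f4a5",
        "time": "2024-02-29T19:39:25.744431903Z",
        "trigger": "incoming",
        "api": {"name": "CompleteMultipartUpload", "bucket": "data",
                "object": "test-data.csv", "status": "OK", "statusCode": 200,
                "rx": 267, "tx": 358,
                "timeToFirstByte": "2096989ns", "timeToFirstByteInNS": "2096989",
                "timeToResponse": "2111986ns", "timeToResponseInNS": "2111986"},
        "remotehost": "127.0.0.1",
        "requestID": "17B86CB0ED88EBE9",
        "requestHeader": {"Authorization": "AWS4-HMAC-SHA256 Credential=minioadmin/...",
                          "X-Amz-Date": "20240229T193925Z"},
        "accessKey": "minioadmin",
    }),
    json.dumps({  # invented failed request for the error-flagging path
        "version": "1",
        "deploymentid": "8ca2b7ad-20cf-4d07-9efb-28b2f519f4a5",
        "time": "2024-02-29T19:40:01.000000000Z",
        "trigger": "incoming",
        "api": {"name": "GetObject", "bucket": "data", "object": "report.csv",
                "status": "Forbidden", "statusCode": 403, "rx": 0, "tx": 0,
                "timeToResponse": "150000ns", "timeToResponseInNS": "150000"},
        "remotehost": "198.51.100.7",
        "requestID": "CONSTRUCTED0001",
        "requestHeader": {"Authorization": "AWS4-HMAC-SHA256 Credential=svc-report/..."},
        "accessKey": "svc-report",
    }),
]


@dataclass
class AuditSummary:
    """The fields a detection pipeline would index from one record."""
    deployment_id: str
    request_id: str
    time: str
    api_name: str
    bucket: Optional[str]
    object_name: Optional[str]
    status_code: int
    remote_host: str
    access_key: Optional[str]
    ttfb_ns: Optional[int]
    response_ns: Optional[int]

    def notable_reasons(self, slow_ns: int = 1_000_000_000) -> List[str]:
        """Reasons a record deserves attention: HTTP errors and slow responses."""
        reasons = []
        if self.status_code >= 400:
            reasons.append("http_error")
        if self.response_ns is not None and self.response_ns > slow_ns:
            reasons.append("slow")
        return reasons


@dataclass
class ProcessedEvent:
    record: Dict          # the record with sensitive headers masked
    summary: AuditSummary


def parse_ns(value) -> Optional[int]:
    """Accept '2096989ns' or '2096989' (string or int) and return nanoseconds."""
    if value is None:
        return None
    text = str(value).strip()
    if text.endswith("ns"):
        text = text[:-2]
    return int(text)


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with credential-bearing headers replaced by a marker."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def summarize(record: Dict) -> AuditSummary:
    api = record.get("api", {})
    return AuditSummary(
        deployment_id=record["deploymentid"],
        request_id=record.get("requestID", ""),
        time=record["time"],
        api_name=api.get("name", ""),
        bucket=api.get("bucket"),
        object_name=api.get("object"),
        status_code=int(api.get("statusCode", 0)),
        remote_host=record.get("remotehost", ""),
        access_key=record.get("accessKey"),
        # Prefer the bare *InNS field; fall back to the 'ns'-suffixed form.
        ttfb_ns=parse_ns(api.get("timeToFirstByteInNS", api.get("timeToFirstByte"))),
        response_ns=parse_ns(api.get("timeToResponseInNS", api.get("timeToResponse"))),
    )


def parse_audit_lines(lines: List[str]) -> List[ProcessedEvent]:
    """Parse newline-delimited JSON records, masking headers before they are kept."""
    events = []
    for line in lines:
        record = json.loads(line)
        if record.get("version") != "1":
            raise ValueError(f"unsupported audit record version: {record.get('version')!r}")
        record["requestHeader"] = redact_headers(record.get("requestHeader", {}))
        events.append(ProcessedEvent(record=record, summary=summarize(record)))
    return events


if __name__ == "__main__":
    for ev in parse_audit_lines(SAMPLE_AUDIT_LINES):
        s = ev.summary
        print(s.time, s.api_name, s.status_code, s.remote_host, s.notable_reasons())
```

Run the module directly to see one summary line per record; the 403 GetObject is reported with the reason http_error, while the successful multipart completion produces an empty reason list.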