Articles in this section

See more

Enable Audit Logging in Domino Data Lab as of version 4.x

Greg Hudson
  • Updated
Follow

 

It is possible to enable Audit logging for security purposes. These logs contain information about which userIDs have performed actions on RBAC controlled resources like projects, environments, datasets, and files.   This applies to version 4.x thru at least version 5.1.x

 

Enabling audit logs for Domino

  1. Log in to Domino as a SysAdmin user

  2. Click the wrench icon in the main menu to open the Admin UI

  3. Navigate to Advanced -> Central Config

  4. Add record com.cerebro.domino.frontend.analytics.isSyslogEnabled with value true

  5. Add record com.cerebro.domino.frontend.analytics.isFileEventLoggingEnabled with value true

  6. Navigate to Advanced -> Restart Services

  7. After the services restart, edit the nucleus-logback-config configmap in the platform namespace to set the telemetry logger level to TRACE

    <configuration scan="true" scanPeriod="30 seconds" >
        <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
             <encoder>
                 <pattern>%-5level [%logger{1}] %message thread="%thread"%n%xException</pattern>
             </encoder>
         </appender>
        <logger name="telemetry" level="TRACE" />
         <logger name="play" level="INFO" />
         <logger name="akka" level="INFO" />
         <logger name="org.quartz" level="INFO" />
         <logger name="application" level="INFO" />
         <logger name="domino" level="INFO" />
         <logger name="domino.authn" level="INFO" />
         <logger name="org.jets3t" level="INFO" />
         <logger name="okhttp3" level="INFO" />
        <root level="ERROR">
             <appender-ref ref="STDOUT" />
             <appender-ref ref="FILE" />
         </root>
    </configuration>

 

  1. After approximately 60 seconds the configuration change should be picked up by nucleus and you should see TRACE level audit logs in stdout, available from the Kubernetes logging API by running:

    kubectl logs <frontend-podname> -n domino-platform -c nucleus-frontend

  2. See the below example log entry for a user modifying a project visibility setting. All of these logs will include the [telemetry] logger ID.

TRACE [telemetry] User(id=Some(614bfc9d8662474f9371e3a1),username=admin,loginId=DominoIdentityId(admin,Some(admin),userpass),fullName=admin admin,email=Some(admin@admin.com),created=2021-09-23T04:03:41.410Z,systemRoles=Set(SysAdmin, Practitioner),deactivated=false) did UpdateProjectSettingEvent(ProjectEventInformation(615f34e1e52a76185a9c8658,trace-test,AnalyticProject),ProjectVisibility,Public) correlationId="474e5960-c545-40f4-94d2-b4be268c9f5a" thread="application-akka.actor.default-dispatcher-399"

Related articles

Comments

0 comments

Please sign in to leave a comment.