Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com
Overview
- Redacting sensitive information from logs
- Function statistics from the Eventing Service
- Statistics graphs for functions
Auditing in Couchbase
Couchbase Auditing Facility
- Recognizes specific, server-generated events that can be logged for audit purposes.
Types of Audit Events
- Admin events: Administrative and configuration changes to cluster
- Data events: Attempts to access and change data
Examples of Audited Events
- Successful login
- Unsuccessful login
- Bucket creation
- Bucket TTL modification
- User creation
- Index creation
Mechanics of Auditing
- When auditing is enabled, logged events are saved to audit.log
- Events are audited on a per-node basis
- Each node captures its own events only
- For cluster-wide records, manual consolidation by admin is required
Mechanics of Auditing
- Default log file is named audit.log
- Log file is automatically rotated, saved, and timestamped
- New empty audit.log created
- Rotation happens either
  - At specified interval ranging from 15 minutes (min) to 7 days (max)
  - When file reaches 20 MB in size
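Because each node records only its own events, a cluster-wide record has to be assembled from the per-node files. The following Python code is an added example, not part of the original slides or of Couchbase's tooling: it merges per-node audit lines into one UTC-ordered timeline and reports lines it could not parse (for example, a line cut off mid-write). The JSON field names and all sample lines are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample input: lines as they might be read from each node's
# audit.log and its rotated copies. Field names ("timestamp", "name",
# "real_userid") and event names are assumptions made for this example.
NODE_LOGS = {
    "node1": [
        '{"timestamp": "2020-03-01T10:00:05.000+05:30", "name": "login success", "real_userid": {"user": "admin"}}',
        '{"timestamp": "2020-03-01T10:02:00.000+05:30", "name": "Create Function", "real_userid": {"user": "admin"}}',
    ],
    "node2": [
        '{"timestamp": "2020-03-01T04:31:00.000Z", "name": "login failure", "real_userid": {"user": "guest"}}',
        '{"timestamp": "2020-03-01T04:33:00.0',  # truncated line
    ],
}

def parse_ts(raw):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    if raw.endswith("Z"):  # fromisoformat() rejects "Z" before Python 3.11
        raw = raw[:-1] + "+00:00"
    return datetime.fromisoformat(raw).astimezone(timezone.utc)

def read_node(node, lines, rejects):
    """Yield (utc_time, node, event) per parseable line; record the rest."""
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
            yield parse_ts(event["timestamp"]), node, event
        except (ValueError, KeyError, TypeError, AttributeError):
            rejects.append((node, lineno))  # keep for manual review, never drop silently

def consolidate(node_logs):
    """Merge every node's events into one list ordered by UTC time."""
    rejects = []
    rows = [r for node, lines in node_logs.items()
            for r in read_node(node, lines, rejects)]
    # Sort on the normalised time: nodes may log with different UTC offsets,
    # so sorting the raw timestamp strings would give the wrong order.
    return sorted(rows, key=lambda r: r[0]), rejects

if __name__ == "__main__":
    merged, rejects = consolidate(NODE_LOGS)
    for when, node, event in merged:
        user = event.get("real_userid", {}).get("user", "?")
        print(when.isoformat(), node, event.get("name"), user)
    print("unparseable lines:", rejects)
```
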
Non-filterable Events
- By default, auditing is disabled
- If auditing is enabled, certain events will always be logged
  - These are called non-filterable events
- Other events can be individually marked for exclusion from audit.log
  - These events are called filterable
Categories of Audit Events
- Several broad categories of audit events
  - REST API events
  - Data Service events
  - Eventing Service events
  - …
- Within each category, individual events may be Data or Admin events
Eventing Service Audit Events
- All audit events of the Eventing Service are Admin Events
- Create/Delete/Export/Import Function
- Save/Fetch/Delete Drafts and Config
- List Running Functions
- Start/Stop Debug
Functions Logs and Stats
Functions Log
- Eventing Service maintains two types of logs
  - Application log that functions can write to, e.g. from try-catch blocks
  - System log that functions cannot write to
Log Redaction
- Couchbase Server provides a way to redact sensitive data from logs
- Post-redaction, logs can be shared for troubleshooting
- Avoids potential regulatory compliance issues related to data-sharing
Log Redaction is available only for System Logs, not for Application Logs
Redactable Data
- JSON key/value pairs
- Usernames
- Names and email addresses
- Extended attributes
- Query fields referencing such data
Redactable Data
- Redacted text will be substituted with hashed text
- Hashing performed using SHA1
- Redaction may also eliminate non-private data
- Redaction performed during log collection, slowing process significantly
Redactable Data
- Couchbase currently (v6.5) supports partial redaction
- Full redaction will be available in a forthcoming version
  - Also will redact metadata
Demo: Auditing Actions on Couchbase Functions
Demo: Explicit Logging and Redaction
Demo: Retrieving Function Statistics
Demo: Cleaning Up
Summary
- Redacting sensitive information from logs
- Function statistics from the Eventing Service
- Statistics graphs for functions
Related Courses
- Manage Functions in Couchbase
- Configure Functions in Couchbase