title: 启用API审计日志记录系统事件 description: 启用 API 审计日志,系统会将每个用户发起的系统事件信息记录下来。您可以知道发生了什么事件、事件的发生时间、事件的发起人是谁和事件对集群的影响。您可以在 Rancher 安装或升级时开启 API 审计日志功能,开启特性后,所有 Rancher API 的请求和响应信息都会写入到日志文件中。 keywords:

  • rancher
  • rancher中文
  • rancher中文文档
  • rancher官网
  • rancher文档
  • Rancher
  • rancher 中文
  • rancher 中文文档
  • rancher cn
  • 安装指南
  • 资料、参考和高级选项
  • 启用API审计日志记录系统事件

启用 API 审计日志,系统会将每个用户发起的系统事件信息记录下来。您可以知道发生了什么事件、事件的发生时间、事件的发起人是谁和事件对集群的影响。您可以在 Rancher 安装或升级时开启 API 审计日志功能,开启特性后,所有 Rancher API 的请求和响应信息都会写入到日志文件中。

开启 API 审计日志

您可以向 Rancher Server 容器中传入环境变量,开启和配置审计日志功能。请参考以下链接,在安装时开启该特性。

API 审计日志选项

审计日志内容和规则

以下定义了有关审计日志记录的内容以及包含哪些数据的规则:

参数 描述
AUDIT_LEVEL 0 - 禁用审计日志 (默认设置)1 - 仅记录事件元数据 2 - 记录事件元数据及请求内容
3 - 记录事件元数据、请求内容及响应内容。请求/响应对的每个日志事务使用相同的auditID值 有关显示每个等级设置记录的具体内容,请参阅审计日志级别
AUDIT_LOG_PATH Rancher Server API 日志记录在容器内的目录位置。审计日志在容器内的默认路径为/var/log/auditlog/rancher-api-audit.log。您可以将日志目录挂载到主机。例如: AUDIT_LOG_PATH=/my/custom/path/
AUDIT_LOG_MAXAGE 定义保留旧审计日志文件的最大天数。默认 10 天。
AUDIT_LOG_MAXBACKUP 定义保留的审计日志最大文件个数,默认 10。
AUDIT_LOG_MAXSIZE 定义单个审计日志文件的最大值(以兆为单位)。默认 100M。

审计日志级别

下面显示了每个AUDIT_LEVEL设置,记录的 API 事务具体内容。

AUDIT_LEVEL 设置 请求元数据 请求正文内容 响应元数据 响应正文内容
0
1
2
3

查看 API 审计日志

Rancher 单节点

与主机系统共享AUDIT_LOG_PATH目录(默认目录:/var/log/auditlog)。日志可以通过标准的 CLI 工具进行查看,也可以转发到日志收集工具,例如 Fluentd, Filebeat, Logstash 等。

Rancher 高可用

使用 Helm Chart 安装 Rancher 时启用 API 审计日志功能,会在 Rancher Pod 中创建一个rancher-audit-log的 sidecar 容器。该容器会将 API 审计日志发送到标准输出(stdout)。您可以像查看任何容器日志一样查看审计日志内容。

rancher-audit-log 容器位于 rancher pod 所在的 cattle-system 命名空间中。

通过 CLI 查看

  1. kubectl -n cattle-system logs -f rancher-84d886bdbb-s4s69 rancher-audit-log

通过 Rancher GUI 查看

  1. 在下拉菜单中,选择 Cluster: local > System

    Local Cluster: System Project

  2. 在主导航栏中,选择 资源 > 工作负载 (在 v2.3.0 之前的版本, 在主导航栏中选择 工作负载 )。找到 cattle-system 命名空间。找到 rancher 工作负载,单击它的链接。

    Rancher Workload

  3. 选择一个 rancher Pod 并选择 省略号 (…) > 查看日志 来查看 rancher Pod 日志。

    View Logs

  4. 日志 下拉菜单中, 选择 rancher-audit-log.

    Select Audit Log

收集审计日志

可以为集群启用 Rancher 的内置日志收集功能,将审计和其他服务日志发送到受支持的日志收集服务端。 详情请参考Rancher 工具 - 日志

审计日志样本

启用审核后,Rancher 以 JSON 的形式记录每个 API 请求或响应。以下每个代码示例都提供了如何标识每个 API 事务的示例。

元数据级别

如果设置了 AUDIT_LEVEL1, Rancher 会记录每个 API 请求的元数据请求头,但不会记录正文。请求头提供有关 API 事务的基本信息,例如事务的 ID,发起事务的用户,事件发生的时间等。

  1. {
  2.   "auditID": "30022177-9e2e-43d1-b0d0-06ef9d3db183",
  3.   "requestURI": "/v3/schemas",
  4.   "sourceIPs": ["::1"],
  5.   "user": {
  6.     "name": "user-f4tt2",
  7.     "group": ["system:authenticated"]
  8.   },
  9.   "verb": "GET",
  10.   "stage": "RequestReceived",
  11.   "stageTimestamp": "2018-07-20 10:22:43 +0800"
  12. }

元数据和请求正文级别

如果设置 AUDIT_LEVEL2, Rancher 会记录每个 API 请求的元数据标题和正文。

下面的代码示例描述了一个 API 请求,包含其元数据请求头和请求正文。

  1. {
  2.   "auditID": "ef1d249e-bfac-4fd0-a61f-cbdcad53b9bb",
  3.   "requestURI": "/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx",
  4.   "sourceIPs": ["::1"],
  5.   "user": {
  6.     "name": "user-f4tt2",
  7.     "group": ["system:authenticated"]
  8.   },
  9.   "verb": "PUT",
  10.   "stage": "RequestReceived",
  11.   "stageTimestamp": "2018-07-20 10:28:08 +0800",
  12.   "requestBody": {
  13.     "hostIPC": false,
  14.     "hostNetwork": false,
  15.     "hostPID": false,
  16.     "paused": false,
  17.     "annotations": {},
  18.     "baseType": "workload",
  19.     "containers": [
  20.       {
  21.         "allowPrivilegeEscalation": false,
  22.         "image": "nginx",
  23.         "imagePullPolicy": "Always",
  24.         "initContainer": false,
  25.         "name": "nginx",
  26.         "ports": [
  27.           {
  28.             "containerPort": 80,
  29.             "dnsName": "nginx-nodeport",
  30.             "kind": "NodePort",
  31.             "name": "80tcp01",
  32.             "protocol": "TCP",
  33.             "sourcePort": 0,
  34.             "type": "/v3/project/schemas/containerPort"
  35.           }
  36.         ],
  37.         "privileged": false,
  38.         "readOnly": false,
  39.         "resources": {
  40.           "type": "/v3/project/schemas/resourceRequirements",
  41.           "requests": {},
  42.           "limits": {}
  43.         },
  44.         "restartCount": 0,
  45.         "runAsNonRoot": false,
  46.         "stdin": true,
  47.         "stdinOnce": false,
  48.         "terminationMessagePath": "/dev/termination-log",
  49.         "terminationMessagePolicy": "File",
  50.         "tty": true,
  51.         "type": "/v3/project/schemas/container",
  52.         "environmentFrom": [],
  53.         "capAdd": [],
  54.         "capDrop": [],
  55.         "livenessProbe": null,
  56.         "volumeMounts": []
  57.       }
  58.     ],
  59.     "created": "2018-07-18T07:34:16Z",
  60.     "createdTS": 1531899256000,
  61.     "creatorId": null,
  62.     "deploymentConfig": {
  63.       "maxSurge": 1,
  64.       "maxUnavailable": 0,
  65.       "minReadySeconds": 0,
  66.       "progressDeadlineSeconds": 600,
  67.       "revisionHistoryLimit": 10,
  68.       "strategy": "RollingUpdate"
  69.     },
  70.     "deploymentStatus": {
  71.       "availableReplicas": 1,
  72.       "conditions": [
  73.         {
  74.           "lastTransitionTime": "2018-07-18T07:34:38Z",
  75.           "lastTransitionTimeTS": 1531899278000,
  76.           "lastUpdateTime": "2018-07-18T07:34:38Z",
  77.           "lastUpdateTimeTS": 1531899278000,
  78.           "message": "Deployment has minimum availability.",
  79.           "reason": "MinimumReplicasAvailable",
  80.           "status": "True",
  81.           "type": "Available"
  82.         },
  83.         {
  84.           "lastTransitionTime": "2018-07-18T07:34:16Z",
  85.           "lastTransitionTimeTS": 1531899256000,
  86.           "lastUpdateTime": "2018-07-18T07:34:38Z",
  87.           "lastUpdateTimeTS": 1531899278000,
  88.           "message": "ReplicaSet \"nginx-64d85666f9\" has successfully progressed.",
  89.           "reason": "NewReplicaSetAvailable",
  90.           "status": "True",
  91.           "type": "Progressing"
  92.         }
  93.       ],
  94.       "observedGeneration": 2,
  95.       "readyReplicas": 1,
  96.       "replicas": 1,
  97.       "type": "/v3/project/schemas/deploymentStatus",
  98.       "unavailableReplicas": 0,
  99.       "updatedReplicas": 1
  100.     },
  101.     "dnsPolicy": "ClusterFirst",
  102.     "id": "deployment:default:nginx",
  103.     "labels": {
  104.       "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  105.     },
  106.     "name": "nginx",
  107.     "namespaceId": "default",
  108.     "projectId": "c-bcz5t:p-fdr4s",
  109.     "publicEndpoints": [
  110.       {
  111.         "addresses": ["10.64.3.58"],
  112.         "allNodes": true,
  113.         "ingressId": null,
  114.         "nodeId": null,
  115.         "podId": null,
  116.         "port": 30917,
  117.         "protocol": "TCP",
  118.         "serviceId": "default:nginx-nodeport",
  119.         "type": "publicEndpoint"
  120.       }
  121.     ],
  122.     "restartPolicy": "Always",
  123.     "scale": 1,
  124.     "schedulerName": "default-scheduler",
  125.     "selector": {
  126.       "matchLabels": {
  127.         "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  128.       },
  129.       "type": "/v3/project/schemas/labelSelector"
  130.     },
  131.     "state": "active",
  132.     "terminationGracePeriodSeconds": 30,
  133.     "transitioning": "no",
  134.     "transitioningMessage": "",
  135.     "type": "deployment",
  136.     "uuid": "f998037d-8a5c-11e8-a4cf-0245a7ebb0fd",
  137.     "workloadAnnotations": {
  138.       "deployment.kubernetes.io/revision": "1",
  139.       "field.cattle.io/creatorId": "user-f4tt2"
  140.     },
  141.     "workloadLabels": {
  142.       "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  143.     },
  144.     "scheduling": {
  145.       "node": {}
  146.     },
  147.     "description": "my description",
  148.     "volumes": []
  149.   }
  150. }

元数据、请求正文和响应正文级别

如果设置 AUDIT_LEVEL3, Rancher 会记录:

  • 每个 API 请求的元数据请求头和请求正文。
  • 每个 API 响应的元数据响应头和相应正文。

请求

下面的代码示例描述了一个 API 请求,它有元数据请求头和请求正文。

  1. {
  2.   "auditID": "a886fd9f-5d6b-4ae3-9a10-5bff8f3d68af",
  3.   "requestURI": "/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx",
  4.   "sourceIPs": ["::1"],
  5.   "user": {
  6.     "name": "user-f4tt2",
  7.     "group": ["system:authenticated"]
  8.   },
  9.   "verb": "PUT",
  10.   "stage": "RequestReceived",
  11.   "stageTimestamp": "2018-07-20 10:33:06 +0800",
  12.   "requestBody": {
  13.     "hostIPC": false,
  14.     "hostNetwork": false,
  15.     "hostPID": false,
  16.     "paused": false,
  17.     "annotations": {},
  18.     "baseType": "workload",
  19.     "containers": [
  20.       {
  21.         "allowPrivilegeEscalation": false,
  22.         "image": "nginx",
  23.         "imagePullPolicy": "Always",
  24.         "initContainer": false,
  25.         "name": "nginx",
  26.         "ports": [
  27.           {
  28.             "containerPort": 80,
  29.             "dnsName": "nginx-nodeport",
  30.             "kind": "NodePort",
  31.             "name": "80tcp01",
  32.             "protocol": "TCP",
  33.             "sourcePort": 0,
  34.             "type": "/v3/project/schemas/containerPort"
  35.           }
  36.         ],
  37.         "privileged": false,
  38.         "readOnly": false,
  39.         "resources": {
  40.           "type": "/v3/project/schemas/resourceRequirements",
  41.           "requests": {},
  42.           "limits": {}
  43.         },
  44.         "restartCount": 0,
  45.         "runAsNonRoot": false,
  46.         "stdin": true,
  47.         "stdinOnce": false,
  48.         "terminationMessagePath": "/dev/termination-log",
  49.         "terminationMessagePolicy": "File",
  50.         "tty": true,
  51.         "type": "/v3/project/schemas/container",
  52.         "environmentFrom": [],
  53.         "capAdd": [],
  54.         "capDrop": [],
  55.         "livenessProbe": null,
  56.         "volumeMounts": []
  57.       }
  58.     ],
  59.     "created": "2018-07-18T07:34:16Z",
  60.     "createdTS": 1531899256000,
  61.     "creatorId": null,
  62.     "deploymentConfig": {
  63.       "maxSurge": 1,
  64.       "maxUnavailable": 0,
  65.       "minReadySeconds": 0,
  66.       "progressDeadlineSeconds": 600,
  67.       "revisionHistoryLimit": 10,
  68.       "strategy": "RollingUpdate"
  69.     },
  70.     "deploymentStatus": {
  71.       "availableReplicas": 1,
  72.       "conditions": [
  73.         {
  74.           "lastTransitionTime": "2018-07-18T07:34:38Z",
  75.           "lastTransitionTimeTS": 1531899278000,
  76.           "lastUpdateTime": "2018-07-18T07:34:38Z",
  77.           "lastUpdateTimeTS": 1531899278000,
  78.           "message": "Deployment has minimum availability.",
  79.           "reason": "MinimumReplicasAvailable",
  80.           "status": "True",
  81.           "type": "Available"
  82.         },
  83.         {
  84.           "lastTransitionTime": "2018-07-18T07:34:16Z",
  85.           "lastTransitionTimeTS": 1531899256000,
  86.           "lastUpdateTime": "2018-07-18T07:34:38Z",
  87.           "lastUpdateTimeTS": 1531899278000,
  88.           "message": "ReplicaSet \"nginx-64d85666f9\" has successfully progressed.",
  89.           "reason": "NewReplicaSetAvailable",
  90.           "status": "True",
  91.           "type": "Progressing"
  92.         }
  93.       ],
  94.       "observedGeneration": 2,
  95.       "readyReplicas": 1,
  96.       "replicas": 1,
  97.       "type": "/v3/project/schemas/deploymentStatus",
  98.       "unavailableReplicas": 0,
  99.       "updatedReplicas": 1
  100.     },
  101.     "dnsPolicy": "ClusterFirst",
  102.     "id": "deployment:default:nginx",
  103.     "labels": {
  104.       "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  105.     },
  106.     "name": "nginx",
  107.     "namespaceId": "default",
  108.     "projectId": "c-bcz5t:p-fdr4s",
  109.     "publicEndpoints": [
  110.       {
  111.         "addresses": ["10.64.3.58"],
  112.         "allNodes": true,
  113.         "ingressId": null,
  114.         "nodeId": null,
  115.         "podId": null,
  116.         "port": 30917,
  117.         "protocol": "TCP",
  118.         "serviceId": "default:nginx-nodeport",
  119.         "type": "publicEndpoint"
  120.       }
  121.     ],
  122.     "restartPolicy": "Always",
  123.     "scale": 1,
  124.     "schedulerName": "default-scheduler",
  125.     "selector": {
  126.       "matchLabels": {
  127.         "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  128.       },
  129.       "type": "/v3/project/schemas/labelSelector"
  130.     },
  131.     "state": "active",
  132.     "terminationGracePeriodSeconds": 30,
  133.     "transitioning": "no",
  134.     "transitioningMessage": "",
  135.     "type": "deployment",
  136.     "uuid": "f998037d-8a5c-11e8-a4cf-0245a7ebb0fd",
  137.     "workloadAnnotations": {
  138.       "deployment.kubernetes.io/revision": "1",
  139.       "field.cattle.io/creatorId": "user-f4tt2"
  140.     },
  141.     "workloadLabels": {
  142.       "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  143.     },
  144.     "scheduling": {
  145.       "node": {}
  146.     },
  147.     "description": "my decript",
  148.     "volumes": []
  149.   }
  150. }

响应

下面的代码示例描述了一个 API 响应,其中包含它的元数据响应头和响应正文。

  1. {
  2.   "auditID": "a886fd9f-5d6b-4ae3-9a10-5bff8f3d68af",
  3.   "responseStatus": "200",
  4.   "stage": "ResponseComplete",
  5.   "stageTimestamp": "2018-07-20 10:33:06 +0800",
  6.   "responseBody": {
  7.     "actionLinks": {
  8.       "pause": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx?action=pause",
  9.       "resume": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx?action=resume",
  10.       "rollback": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx?action=rollback"
  11.     },
  12.     "annotations": {},
  13.     "baseType": "workload",
  14.     "containers": [
  15.       {
  16.         "allowPrivilegeEscalation": false,
  17.         "image": "nginx",
  18.         "imagePullPolicy": "Always",
  19.         "initContainer": false,
  20.         "name": "nginx",
  21.         "ports": [
  22.           {
  23.             "containerPort": 80,
  24.             "dnsName": "nginx-nodeport",
  25.             "kind": "NodePort",
  26.             "name": "80tcp01",
  27.             "protocol": "TCP",
  28.             "sourcePort": 0,
  29.             "type": "/v3/project/schemas/containerPort"
  30.           }
  31.         ],
  32.         "privileged": false,
  33.         "readOnly": false,
  34.         "resources": {
  35.           "type": "/v3/project/schemas/resourceRequirements"
  36.         },
  37.         "restartCount": 0,
  38.         "runAsNonRoot": false,
  39.         "stdin": true,
  40.         "stdinOnce": false,
  41.         "terminationMessagePath": "/dev/termination-log",
  42.         "terminationMessagePolicy": "File",
  43.         "tty": true,
  44.         "type": "/v3/project/schemas/container"
  45.       }
  46.     ],
  47.     "created": "2018-07-18T07:34:16Z",
  48.     "createdTS": 1531899256000,
  49.     "creatorId": null,
  50.     "deploymentConfig": {
  51.       "maxSurge": 1,
  52.       "maxUnavailable": 0,
  53.       "minReadySeconds": 0,
  54.       "progressDeadlineSeconds": 600,
  55.       "revisionHistoryLimit": 10,
  56.       "strategy": "RollingUpdate"
  57.     },
  58.     "deploymentStatus": {
  59.       "availableReplicas": 1,
  60.       "conditions": [
  61.         {
  62.           "lastTransitionTime": "2018-07-18T07:34:38Z",
  63.           "lastTransitionTimeTS": 1531899278000,
  64.           "lastUpdateTime": "2018-07-18T07:34:38Z",
  65.           "lastUpdateTimeTS": 1531899278000,
  66.           "message": "Deployment has minimum availability.",
  67.           "reason": "MinimumReplicasAvailable",
  68.           "status": "True",
  69.           "type": "Available"
  70.         },
  71.         {
  72.           "lastTransitionTime": "2018-07-18T07:34:16Z",
  73.           "lastTransitionTimeTS": 1531899256000,
  74.           "lastUpdateTime": "2018-07-18T07:34:38Z",
  75.           "lastUpdateTimeTS": 1531899278000,
  76.           "message": "ReplicaSet \"nginx-64d85666f9\" has successfully progressed.",
  77.           "reason": "NewReplicaSetAvailable",
  78.           "status": "True",
  79.           "type": "Progressing"
  80.         }
  81.       ],
  82.       "observedGeneration": 2,
  83.       "readyReplicas": 1,
  84.       "replicas": 1,
  85.       "type": "/v3/project/schemas/deploymentStatus",
  86.       "unavailableReplicas": 0,
  87.       "updatedReplicas": 1
  88.     },
  89.     "dnsPolicy": "ClusterFirst",
  90.     "hostIPC": false,
  91.     "hostNetwork": false,
  92.     "hostPID": false,
  93.     "id": "deployment:default:nginx",
  94.     "labels": {
  95.       "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  96.     },
  97.     "links": {
  98.       "remove": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx",
  99.       "revisions": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx/revisions",
  100.       "self": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx",
  101.       "update": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx",
  102.       "yaml": "https://localhost:8443/v3/project/c-bcz5t:p-fdr4s/workloads/deployment:default:nginx/yaml"
  103.     },
  104.     "name": "nginx",
  105.     "namespaceId": "default",
  106.     "paused": false,
  107.     "projectId": "c-bcz5t:p-fdr4s",
  108.     "publicEndpoints": [
  109.       {
  110.         "addresses": ["10.64.3.58"],
  111.         "allNodes": true,
  112.         "ingressId": null,
  113.         "nodeId": null,
  114.         "podId": null,
  115.         "port": 30917,
  116.         "protocol": "TCP",
  117.         "serviceId": "default:nginx-nodeport"
  118.       }
  119.     ],
  120.     "restartPolicy": "Always",
  121.     "scale": 1,
  122.     "schedulerName": "default-scheduler",
  123.     "selector": {
  124.       "matchLabels": {
  125.         "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  126.       },
  127.       "type": "/v3/project/schemas/labelSelector"
  128.     },
  129.     "state": "active",
  130.     "terminationGracePeriodSeconds": 30,
  131.     "transitioning": "no",
  132.     "transitioningMessage": "",
  133.     "type": "deployment",
  134.     "uuid": "f998037d-8a5c-11e8-a4cf-0245a7ebb0fd",
  135.     "workloadAnnotations": {
  136.       "deployment.kubernetes.io/revision": "1",
  137.       "field.cattle.io/creatorId": "user-f4tt2"
  138.     },
  139.     "workloadLabels": {
  140.       "workload.user.cattle.io/workloadselector": "deployment-default-nginx"
  141.     }
  142.   }
  143. }