Boundary audit log with event sink does not create files

Hello,
I have been trying to set up events in Boundary’s controller and worker configuration with file sinks, but nothing is created at the path I set.

Here’s the worker events configuration:

events {
  audit_enabled        = true
  observations_enabled = true
  sysevents_enabled    = true

  sink "stderr" {
    name        = "all-events"
    description = "All events sent to stderr"
    event_types = ["*"]
    format      = "cloudevents-json"
  }

  sink {
    name        = "worker-audit-sink"
    description = "All events sent to a file"
    event_types = ["*"]
    format      = "cloudevents-json"

    file {
      path      = "/path/to/audit-logs"
      file_name = "worker-audit.log"
    }

    audit_config {
      audit_filter_overrides {
        secret    = "encrypt"
        sensitive = "hmac-sha256"
      }
    }
  }
}

And here’s the controller’s:

  events {
    audit_enabled = true
    observations_enabled = true
    sysevents_enabled = true
    sink "stderr" {
      name = "all-events"
      description = "All events sent to stderr"
      event_types = ["*"]
      format = "hclog-text"
    }
    sink {
      name = "controller-audit-sink"
      description = "Audit sent to a file"
      event_types = ["audit"]
      format = "cloudevents-json"
      file {
        path = "/path/to/audit-logs"
        file_name = "controller-audit.log"
      }
      audit_config {
        audit_filter_overrides {
          secret    = "encrypt"
          sensitive = "hmac-sha256"
        }
      }
    }
    sink {
      name = "auth-sink"
      description = "Authentications sent to a file"
      event_types = ["observation"]
      format = "cloudevents-json"
      allow_filters = [
        "\"/Data/request_info/Path\" contains \":authenticate\""
      ]
      file {
        path = "/path/to/audit-logs"
        file_name = "auth.log"
      }
    }
  }

I just tried following the Event Filtering and Sink Configuration | Boundary - HashiCorp Learn page to try this out, but I haven’t installed ELK, thinking that it wouldn’t be necessary just to get the log files.

I can’t find why the files aren’t created when restarting Boundary. The journalctl command does show logs, but no files are present in /path/to/audit-logs. I even tried a “chmod 777” on the directory, but still nothing.

When I restart Boundary, I do see this error as it shuts down:

...
[ERROR] encountered an error sending an error event:
 error:=
 5 errors occurred:
* event.(Eventer).retrySend: event not written to enough sinks
* event.(Eventer).retrySend: event not written to enough sinks
* event.(Eventer).retrySend: event not written to enough sinks
* event.(Eventer).retrySend: event not written to enough sinks
* event.(Eventer).retrySend: reached max of 3: too many retries
...

But I don’t know if that could really be related to this problem, because as soon as Boundary is restarted, there is no error like this shown.

Do you have an idea about what I’m doing wrong?

Thanks in advance for your help!


Is SELinux possibly blocking the write regardless of the permissions? If you su to the Boundary process user, can you write files in that directory?

Hello,

I haven’t had time to take a look at this issue for a while, but now that I do, I tried “su boundary touch test.log” and nothing happened: no “permission denied” like I got when I tried another user, nothing…

Could it be SELinux? How could I change that?

Many thanks again for your help!

If you got nothing, that means the touch command probably worked. If it created the file or updated the modification time, then it did.

Have you tried the logging with an updated version of Boundary?

I’m using the Boundary 0.9.1-1 version.
The touch didn’t create the file, nor did it update the modification time on the directory.
The boundary user doesn’t have a home directory; could that be a reason why it can’t create the file?
I don’t think so, because Vault can create its audit log without the vault user having a home directory either.

I’m not sure what’s going on then. When you touch a file, one of three things should happen:

  • the file is created;
  • the file modification time is updated; or
  • you get a permission error.

It sounds like you’re not getting any of those. What if you su - to the boundary user and use touch in the login shell?

Ok, so I tried touching a file with Boundary user but it doesn’t work. I also can’t su - to the Boundary user because the user doesn’t have a home directory, so it seems this is the problem.

What I don’t know now is whether I can make it possible for a user without a home directory to create files (Vault seems able to write its audit log without having a home directory) or if I just have to make a home directory for Boundary.

I think the path you want audit logging to happen in has to already exist, so if that path doesn’t exist that might be why you’re getting nothing. What path are you trying to log to and does it exist on the Boundary hosts?
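The checks suggested in the replies above (does the directory exist, can the service user actually write there, is SELinux in the way) can be scripted so they are run as the service user rather than as root, since root bypasses ordinary permission bits and would hide the problem. This is an added example, not code from any participant in this thread or from the Boundary project; the directory /opt/boundary/audit-logs and the user name boundary are taken from the thread, and the probe file name is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread or from Boundary): pre-flight check for a
# Boundary file-sink directory. Run it as the service user so that DAC
# permissions are actually exercised, e.g.:
#   sudo -u boundary sh check_sink_dir.sh /opt/boundary/audit-logs controller-audit.log
# The path and user name are taken from the thread; adjust them to your host.

# check_sink_dir DIR [FILE]
# Exit status: 0 = directory exists and FILE can be created/appended there,
# 1 = directory missing, 2 = path is not a directory, 3 = not writable.
check_sink_dir() {
    dir="$1"
    file="${2:-sink-probe.log}"   # probe file name is an assumption

    if [ ! -e "$dir" ]; then
        echo "MISSING: $dir does not exist (Boundary does not create the sink directory)" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "NOT A DIRECTORY: $dir" >&2
        return 2
    fi

    # Perform a real append-open instead of trusting mode bits: an ACL or an
    # SELinux denial can refuse the write even when "ls -l" looks permissive.
    if ! ( : >> "$dir/$file" ) 2>/dev/null; then
        echo "NOT WRITABLE: cannot create or append $dir/$file as $(id -un)" >&2
        ls -ld "$dir" >&2
        if command -v getenforce >/dev/null 2>&1; then
            echo "SELinux mode: $(getenforce)" >&2
            ls -Zd "$dir" >&2 2>/dev/null   # shows the directory's security context
        fi
        return 3
    fi

    echo "OK: $dir/$file is writable by $(id -un)"
    return 0
}

# Stand-alone usage: check_sink_dir "${1:-/opt/boundary/audit-logs}" "$2"
if [ -n "$1" ]; then
    check_sink_dir "$1" "$2"
fi
```

If the script reports OK when run as the service user but Boundary still writes nothing, the filesystem is not the cause and attention moves to the sink configuration itself or to the service unit (for example a ProtectSystem or ReadOnlyPaths setting in the unit file). If it reports NOT WRITABLE only for the service user while root succeeds, the owner, ACL or SELinux context shown in the output is what needs fixing.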

The path I’m using is /opt/boundary/audit-logs. It does exist. I tried touching the files controller-audit.log and auth.log first, then restarting the service, but still nothing gets logged.

/opt/boundary already contains the config files I’m using for the service, and the boundary user has read and write permissions on the directory.

Have you tried with the latest 0.10? (I think 0.10.3) I believe some audit logging changes went in there.

I tried updating to 0.10.3 this week, but still no changes.
