tarantool · lenkis · Feb 21, 2024 · Feb 16, 2024 · Feb 19, 2024 · Feb 19, 2024
diff --git a/doc/reference/configuration/cfg_audit.rst b/doc/reference/configuration/cfg_audit.rst
@@ -0,0 +1,289 @@
+..  _cfg_audit:
+
+..  admonition:: Enterprise Edition
+    :class: fact
+
+    Audit log features are available in the `Enterprise Edition <https://www.tarantool.io/compare/>`_ only.
+
+The ``audit_*`` parameters define configuration related to :ref:`audit logging <enterprise_audit_module>`.
+
+*   :ref:`audit_extract_key <cfg_audit_extract_key>`
+*   :ref:`audit_filter <cfg_audit_filter>`
+*   :ref:`audit_format <cfg_audit_format>`
+*   :ref:`audit_log <cfg_audit_log>`
+*   :ref:`audit_nonblock <cfg_audit_nonblock>`
+*   :ref:`audit_spaces <cfg_audit_spaces>`
+
+..  _cfg_audit_extract_key:
+
+..  confval:: audit_extract_key
+
+    **Since:** :doc:`3.0.0 </release/3.0.0>`.
+
+    If set to ``true``, the audit subsystem extracts and prints only the primary key instead of full
+    tuples in DML events (``space_insert``, ``space_replace``, ``space_delete``).
+    Otherwise, full tuples are logged.
+    The option may be useful in case tuples are big.
+
+    |
+    | Type: boolean
+    | Default: false
+    | Environment variable: TT_AUDIT_EXTRACT_KEY
+
+..  _cfg_audit_filter:
+
+..  confval:: audit_filter
+
+    Enable logging for a specified subset of audit events.
+    This option accepts the following values:
+
+    *   Event names (for example, ``password_change``). For details, see :ref:`Audit log events <audit-log-events>`.
+    *   Event groups (for example, ``audit``).  For details, see :ref:`Event groups <audit-log-event-groups>`.
+
+    The option contains either one value from ``Possible values`` section (see below) or a combination of them.
+
+    To enable :ref:`custom audit log events <audit-log-custom>`, specify the ``custom`` value in this option.
+
+    The default value is ``compatibility``, which enables logging of all events available before 2.10.0.
+
+    **Example**
+
+    ..  code-block:: lua
+
+        box.cfg{
+            audit_log = 'audit.log',
+            audit_filter = 'audit,auth,priv,password_change,access_denied'
+           }
+
+    |
+    | Type: array
+    | Possible values: 'all', 'audit', 'auth', 'priv', 'ddl', 'dml', 'data_operations', 'compatibility',
+      'audit_enable', 'auth_ok', 'auth_fail', 'disconnect', 'user_create', 'user_drop', 'role_create', 'role_drop',
+      'user_disable', 'user_enable', 'user_grant_rights', 'role_grant_rights', 'role_revoke_rights', 'password_change',
+      'access_denied', 'eval', 'call', 'space_select', 'space_create', 'space_alter', 'space_drop', 'space_insert',
+      'space_replace', 'space_delete', 'custom'
+    | Default: 'compatibility'
+    | Environment variable: TT_AUDIT_FILTER
+
+..  _cfg_audit_format:
+
+..  confval:: audit_format
+
+    Specify the format that is used for the audit log events -- plain text, CSV or JSON format.
+
+    Plain text is used by default. This human-readable format can be efficiently compressed.
+
+    ..  code-block:: lua
+
+        box.cfg{audit_log = 'audit.log', audit_format = 'plain'}
+
+    **Example**
+
+    ..  code-block:: text
+
+        remote: session_type:background module:common.admin.auth user: type:custom_tdg_audit tag:tdg_severity_INFO description:[5e35b406-4274-4903-857b-c80115275940] subj: "anonymous", msg: "Access granted to anonymous user"
+
+    The JSON format is more convenient to receive log events, analyze them and integrate them with other systems if needed.
+
+    ..  code-block:: lua
+
+        box.cfg{audit_log = 'audit.log', audit_format = 'json'}
+
+    **Example**
+
+    ..  code-block:: json
+
+        {"time": "2022-11-17T21:55:49.880+0300", "remote": "", "session_type": "background", "module": "common.admin.auth", "user": "", "type": "custom_tdg_audit", "tag": "tdg_severity_INFO", "description": "[c26cd11a-3342-4ce6-8f0b-a4b222268b9d] subj: \"anonymous\", msg: \"Access granted to anonymous user\""}
+
+    Using the CSV format allows you to view audit log events in tabular form.
+
+    ..  code-block:: lua
+
+        box.cfg{audit_log = 'audit.log', audit_format = 'csv'}
+
+    **Example**
+
+    ..  code-block:: text
+
+        2022-11-17T21:58:03.131+0300,,background,common.admin.auth,,,custom_tdg_audit,tdg_severity_INFO,"[b3dfe2a3-ec29-4e61-b747-eb2332c83b2e] subj: ""anonymous"", msg: ""Access granted to anonymous user"""
+
+    |
+    | Type: string
+    | Possible values: 'json', 'csv', 'plain'
+    | Default: 'json'
+    | Environment variable: TT_AUDIT_FORMAT
+
+..  _cfg_audit_log:
+
+..  confval:: audit_log
+
+    Enable audit logging and define the log location.
+
+    This option accepts a string value that allows you to define the log location.
+    The following locations are supported:
+
+    - File: to write audit logs to a file, specify a path to a file (with an optional `file` prefix)
+    - Pipeline: to start a program and write audit logs to it, specify a program name (with `|` or `pipe` prefix)
+    - System log: to write audit logs to a system log, specify a message for `syslogd` (with `syslog` prefix)
+
+    See the examples below.
+
+    By default, audit logging is disabled.
+
+    **Example: Writing to a file**
+
+    ..  code-block:: lua
+
+        box.cfg{audit_log = 'audit_tarantool.log'}
+        -- or
+        box.cfg{audit_log = 'file:audit_tarantool.log'}
+
+    This opens the ``audit_tarantool.log`` file for output in the server’s default directory.
+    If the ``audit_log`` string has no prefix or the prefix ``file:``, the string is interpreted as a file path.
+
+    If you log to a file, Tarantool will reopen the audit log at `SIGHUP <https://en.wikipedia.org/wiki/SIGHUP>`_.
+
+    **Example: Sending to a pipeline**
+
+    ..  code-block:: lua
+
+        box.cfg{audit_log = '| cronolog audit_tarantool.log'}
+        -- or
+        box.cfg{audit_log = 'pipe: cronolog audit_tarantool.log'}'
+
+    This starts the `cronolog <https://linux.die.net/man/1/cronolog>`_ program when the server starts
+    and sends all ``audit_log`` messages to cronolog's standard input (``stdin``).
+    If the ``audit_log`` string starts with '|' or contains the prefix ``pipe:``,
+    the string is interpreted as a Unix `pipeline <https://en.wikipedia.org/wiki/Pipeline_%28Unix%29>`_.
+
+    If log is a program, check out its pid and send it a signal to rotate logs.
+
+    **Example: Writing to a system log**
+
+    ..  warning::
+
+        Below is an example of writing audit logs to a directory shared with the system logs.
+        Tarantool allows this option, but it is **not recommended** to do this to avoid difficulties
+        when working with audit logs. System and audit logs should be written separately.
+        To do this, create separate paths and specify them.
+
+    This sample configuration sends the audit log to syslog:
+
+    ..  code-block:: lua
+
+        box.cfg{audit_log = 'syslog:identity=tarantool'}
+        -- or
+        box.cfg{audit_log = 'syslog:facility=user'}
+        -- or
+        box.cfg{audit_log = 'syslog:identity=tarantool,facility=user'}
+        -- or
+        box.cfg{audit_log = 'syslog:server=unix:/dev/log'}
+
+    If the ``audit_log`` string starts with "syslog:",
+    it is interpreted as a message for the `syslogd <https://datatracker.ietf.org/doc/html/rfc5424>`_ program,
+    which normally runs in the background of any Unix-like platform.
+    The setting can be 'syslog:', 'syslog:facility=...', 'syslog:identity=...', 'syslog:server=...' or a combination.
+
+    The ``syslog:identity`` setting is an arbitrary string that is placed at the beginning of all messages.
+    The default value is ``tarantool``.
+
+    The ``syslog:facility`` setting is currently ignored, but will be used in the future.
+    The value must be one of the `syslog <https://en.wikipedia.org/wiki/Syslog>`_ keywords
+    that tell ``syslogd`` where to send the message.
+    The possible values are ``auth``, ``authpriv``, ``cron``, ``daemon``, ``ftp``,
+    ``kern``, ``lpr``, ``mail``, ``news``, ``security``, ``syslog``, ``user``, ``uucp``,
+    ``local0``, ``local1``, ``local2``, ``local3``, ``local4``, ``local5``, ``local6``, ``local7``.
+    The default value is ``local7``.
+
+    The ``syslog:server`` setting is the locator for the syslog server.
+    It can be a Unix socket path starting with "unix:" or an ipv4 port number.
+    The default socket value is ``/dev/log`` (on Linux) or ``/var/run/syslog`` (on Mac OS).
+    The default port value is 514, which is the UDP port.
+
+    An example of a Tarantool audit log entry in the syslog:
+
+    ..  code-block:: json
+
+        {
+          "__CURSOR" : "s=81564632436a4de590e80b89b0151148;i=11519;b=def80c1464fe49d1aac8a64895d6614d;m=8c825ebfc;t=5edb27a75f282;x=7eba320f7cc9ae4d",
+          "__REALTIME_TIMESTAMP" : "1668725698065026",
+          "__MONOTONIC_TIMESTAMP" : "37717666812",
+          "_BOOT_ID" : "def80c1464fe49d1aac8a64895d6614d",
+          "_UID" : "1003",
+          "_GID" : "1004",
+          "_COMM" : "tarantool",
+          "_EXE" : "/app/tarantool/dist/tdg-2.6.4.0.x86_64/tarantool",
+          "_CMDLINE" : "tarantool init.lua <running>: core-03",
+          "_CAP_EFFECTIVE" : "0",
+          "_AUDIT_SESSION" : "1",
+          "_AUDIT_LOGINUID" : "1003",
+          "_SYSTEMD_CGROUP" : "/user.slice/user-1003.slice/[email protected]/app.slice/[email protected]",
+          "_SYSTEMD_OWNER_UID" : "1003",
+          "_SYSTEMD_UNIT" : "[email protected]",
+          "_SYSTEMD_USER_UNIT" : "[email protected]",
+          "_SYSTEMD_SLICE" : "user-1003.slice",
+          "_SYSTEMD_USER_SLICE" : "app.slice",
+          "_SYSTEMD_INVOCATION_ID" : "be368b4243d842ea8c06b010e0df62c2",
+          "_MACHINE_ID" : "2e2339725deb4bc198c54ff4a2e8d626",
+          "_HOSTNAME" : "vm-0.test.env",
+          "_TRANSPORT" : "syslog",
+          "PRIORITY" : "6",
+          "SYSLOG_FACILITY" : "23",
+          "SYSLOG_IDENTIFIER" : "tarantool",
+          "SYSLOG_PID" : "101562",
+          "_PID" : "101562",
+          "MESSAGE" : "remote: session_type:background module:common.admin.auth user: type:custom_tdg_audit tag:tdg_severity_INFO description:[119eae0e-a691-42cc-9b4c-f14c499e6726] subj: \"anonymous\", msg: \"Access granted to anonymous user\"",
+          "_SOURCE_REALTIME_TIMESTAMP" : "1668725698064202"
+        }
+
+    |
+    | Type: string
+    | Possible values: see the string format above
+    | Default: 'nill'
+    | Environment variable: TT_AUDIT_LOG
+
+..  _cfg_audit_nonblock:
+
+..  confval:: audit_nonblock
+
+    Specify the logging behavior if the system is not ready to write.
+    If set to ``true``, Tarantool does not block during logging if the system is non-writable and writes a message instead.
+    Using this value may improve logging performance at the cost of losing some log messages.
+
+    ..  note::
+
+        The option only has an effect if the :ref:`audit_log <cfg_audit_log>` is set to ``syslog``
+        or ``pipe``.
+
+        Setting ``audit_nonblock`` to ``true`` is not allowed if the output is to a file.
+        In this case, set ``audit_nonblock`` to ``false``.
+
+    |
+    | Type: boolean
+    | Default: true
+    | Environment variable: TT_AUDIT_NONBLOCK
+
+..  _cfg_audit_spaces:
+
+..  confval:: audit_spaces
+
+    **Since:** :doc:`3.0.0 </release/3.0.0>`.
+
+    The array of space names for which data operation events (``space_select``, ``space_insert``, ``space_replace``,
+    ``space_delete``) should be logged. The array accepts string values.
+    If set to :ref:`box.NULL <box-null>`, the data operation events are logged for all spaces.
+
+    **Example**
+
+    In the example, only the events of ``bands`` and ``singers`` spaces are logged:
+
+    ..  code-block:: lua
+
+        box.cfg{
+            audit_spaces = 'bands,singers'
+           }
+
+    |
+    | Type: array
+    | Default: box.NULL
+    | Environment variable: TT_AUDIT_SPACES
diff --git a/doc/reference/configuration/index.rst b/doc/reference/configuration/index.rst
@@ -60,6 +60,11 @@ Logging
 
 ..  include:: cfg_logging.rst
 
+Audit log
+---------
+
+..  include:: cfg_audit.rst
+
 Authentication
 --------------