Hi. I'm trying to come to grips with auditing in Rancher and Rancher-created clusters. I have the auditing enabled on the main Rancher server, and it is collecting lots of logs. As a test, I added a user as a cluster member to one of our clusters, and there is no audit record of anything related to that user appearing in either the rancher server rancher-api-audit.log, nor in the cluster log of the RKE cluster. Is that something that's logged elsewhere? Thanks.

This is all configured in the Rancher install helm chart, and the Audit Log location, it is best to use the default location for the logs, as they are acutally mounted to the container. any change to the location would also require new mounts to be added and passed to the container

yes, I have that all set, and the logs are being created in the path that I specified. It's just a specific action that I'm not seeing reflected in that log.

what is the audit log level

I have that set to 3

try lowering it to 2

isn't that less information?

I see you are correct

I added a user to a project as a cluster member (through the gui), and nothing was logged for that event. Similarly I removed that user and didn't see any record for it. I searched for both the username and the internal Rancher (u-) user ids in the audit log and nothing was returned

Did you look for rb- being deleted

I'll take a look at that