loud-daybreak-83328

10/14/2022, 1:02 PM
Hi. I'm trying to come to grips with auditing in Rancher and Rancher-created clusters. I have the auditing enabled on the main Rancher server, and it is collecting lots of logs. As a test, I added a user as a cluster member to one of our clusters, and there is no audit record of anything related to that user appearing in either the Rancher server rancher-api-audit.log or the cluster log of the RKE cluster. Is that something that's logged elsewhere? Thanks.

damp-painting-69352

10/14/2022, 1:04 PM
This is all configured in the Rancher install Helm chart. As for the audit log location, it is best to use the default location for the logs, as they are actually mounted to the container. Any change to the location would also require new mounts to be added and passed to the container.

loud-daybreak-83328

10/14/2022, 1:06 PM
Yes, I have that all set, and the logs are being created in the path that I specified. It's just a specific action that I'm not seeing reflected in that log.

damp-painting-69352

10/14/2022, 1:07 PM
What is the audit log level?

loud-daybreak-83328

10/14/2022, 1:08 PM
I have that set to 3

damp-painting-69352

10/14/2022, 1:08 PM
try lowering it to 2

loud-daybreak-83328

10/14/2022, 1:13 PM
isn't that less information?

damp-painting-69352

10/14/2022, 1:14 PM
I see you are correct
What are you missing from the logs? Specific types of audit? The user name of the logged-in user is hashed and can be found in Rancher to decode what user is doing what.

loud-daybreak-83328

10/14/2022, 4:55 PM
I added a user to a project as a cluster member (through the GUI), and nothing was logged for that event. Similarly, I removed that user and didn't see any record for it. I searched for both the username and the internal Rancher (u-) user IDs in the audit log and nothing was returned.

damp-painting-69352

10/14/2022, 5:24 PM
Did you look for rb- being deleted?
That would be the role binding for the project,
or crb-.

loud-daybreak-83328

10/14/2022, 5:35 PM
I'll take a look at that