Log settings RavenDB 4


Besozzi Luca

Mar 18, 2018, 2:46:00 AM
to RavenDB - 2nd generation document database
Hi

I've implemented a single node of RavenDB 4 (4.0.3-patch-40031) on my Windows 2012 R2.
I've configured authentication through certificate, and now I need to set the logs to trace
login/operations on the DB.

Following the online guide, I set the Logs.Mode both in Information and Operations mode, but
I cannot find the logins and the operations performed by the users.

What is the correct "settings.json" setting?

Thanks

Luca


Oren Eini (Ayende Rahien)

Mar 18, 2018, 3:09:26 AM
to ravendb

Hibernating Rhinos Ltd  

Oren Eini l CEO Mobile: + 972-52-548-6969

Office: +972-4-622-7811 l Fax: +972-153-4-622-7811

 



Besozzi Luca

Mar 19, 2018, 4:08:36 AM
to RavenDB - 2nd generation document database
This is my config file


{
  "DataDir": "RavenData",
  "License.Eula.Accepted": true,
  "Security.Certificate.LetsEncrypt.Email": "svilup...@test.net",
  "Setup.Mode": "LetsEncrypt",
  "Security.Certificate.Path": "cluster.server.certificate.test.pfx",
  "ServerUrl": "https://192.168.100.137",
  "ServerUrl.Tcp": "tcp://192.168.100.137:38888",
  "PublicServerUrl": "https://a.test.development.run",
  "PublicServerUrl.Tcp": "tcp://a.test.development.run:38888",
  "Logs.Path": "Logs",
  "Logs.Mode": "Operations"
}

For example the log of today is completely empty.

Luca

Oren Eini (Ayende Rahien)

Mar 19, 2018, 4:18:09 AM
to ravendb
Try providing the _full_ path to the directory.

Besozzi Luca

Mar 19, 2018, 4:52:21 AM
to RavenDB - 2nd generation document database
If I replace "Logs" with the full path "D:\RavenDB4\Server\Logs" the service doesn't start
This is the error in Event Viewer:

Faulting application name: Raven.Server.exe, version: 0.0.0.0, time stamp: 0x5a3b026d
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18895, time stamp: 0x5a4b1cf7
Exception code: 0xe0434352
Fault offset: 0x00000000000092fc
Faulting process id: 0xacc
Faulting application start time: 0x01d3bf5f14b39f01
Faulting application path: D:\RavenDB4\Server\Raven.Server.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 5bef9176-2b52-11e8-80ca-005056bc4069
Faulting package full name: 
Faulting package-relative application ID: 
Event ID: 1000

Oren Eini (Ayende Rahien)

Mar 19, 2018, 4:56:59 AM
to ravendb
D:\\RavenDB\\Logs

You need to double escape?

Besozzi Luca

Mar 19, 2018, 5:13:54 AM
to RavenDB - 2nd generation document database

Oren Eini (Ayende Rahien)

Mar 19, 2018, 5:14:49 AM
to ravendb
Try running this from the command line, what do you get?

Besozzi Luca

Mar 19, 2018, 5:32:45 AM
to RavenDB - 2nd generation document database
C:\Windows\system32>net start RavenDB
The RavenDB service is starting.
The RavenDB service could not be started.

A system error has occurred.

System error 65535 has occurred.

The system cannot find message text for message number 0xffff in the message fil
e for BASE.

Oren Eini (Ayende Rahien)

Mar 19, 2018, 5:45:54 AM
to ravendb
Unable to create file with File system error (65535)
Check file permissions?

Oren Eini (Ayende Rahien)

Mar 19, 2018, 5:46:07 AM
to ravendb
And please, start it as YOUR user, not as a service

Besozzi Luca

Mar 19, 2018, 6:38:55 AM
to RavenDB - 2nd generation document database
This is the permission of the folder

If I start it as my user:

Besozzi Luca

Mar 19, 2018, 6:49:21 AM
to RavenDB - 2nd generation document database
I solved the problem of the certificate, now Raven starts correctly.
The log file was created, but there is only some log, not the information that I need, for example login or operation on db.

Oren Eini (Ayende Rahien)

Mar 19, 2018, 7:56:52 AM
to ravendb
Set the log mode to Information

Besozzi Luca

Mar 20, 2018, 4:55:35 AM
to RavenDB - 2nd generation document database
Ok, I've set the log mode to Information, now I have more details.
But the strange thing is when I login with my certificate, in the log:

2018-03-20T08:08:28.8918443Z, 15, Information, Raven/Server, Raven.Server.Https.AuthenticatingAdapter, Received TLS connection request from : with client certificate: . Authentication status: NoCertificateProvided.

Seems that I log in without certificate.

Oren Eini (Ayende Rahien)

Mar 20, 2018, 5:02:40 AM
to ravendb
What does /certificates/whoami say?

Besozzi Luca

Mar 20, 2018, 5:19:25 AM
to RavenDB - 2nd generation document database
Seems to be ok.

{"Name":"L.Besozzi","Certificate":"<base64 certificate omitted>","Thumbprint":"566C2FB019BDE838C1C01B25051B8DE59963465D","NotAfter":"2023-03-09T01:00:00.0000000","SecurityClearance":"ClusterAdmin","Permissions":{},"CollectionPrimaryKey":"","CollectionSecondaryKeys":[]}

But in the log 

2018-03-20T08:10:29.9387191Z, 11, Information, Server, Raven.Server.RavenServerStartup, GET /certificates/whoami? - 200 - 0 ms

Besozzi Luca

Mar 21, 2018, 4:30:20 AM
to RavenDB - 2nd generation document database
In the log file I still cannot see colleague log with the certificate:
Information, Raven/Server, Raven.Server.Https.AuthenticatingAdapter, Received TLS connection request from : with client certificate: . Authentication status: NoCertificateProvided.

Oren Eini (Ayende Rahien)

Mar 21, 2018, 10:46:02 AM
to ravendb
This is an attempted request that was rejected because it had no certificate. 
I assume that something in the browser first tried this request without the cert?

Besozzi Luca

Mar 21, 2018, 10:56:10 AM
to RavenDB - 2nd generation document database
It is strange because in every browser a pop-up immediately appears to choose the certificate to log in.
And then in the log file there is not the login event.

Oren Eini (Ayende Rahien)

Mar 21, 2018, 10:59:36 AM
to ravendb
The log statement there is, so I'm not sure how it isn't showing at least the remote address:

  Logger.Info($"Received TLS connection request from {info?.RemoteIpAddress}:{info?.RemotePort} with client certificate: {certificate?.SubjectName?.Name}. " +
                            $"Authentication status: {authenticationStatus.Status}.");

Arkadiusz Palinski

Mar 21, 2018, 11:10:30 AM
to rav...@googlegroups.com
We log only unsuccessful connection attempts. As you don't have any problem with accessing the server you don't see anything in the log.
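
The connection-attempt lines quoted in this thread can be parsed and counted per source before they are shipped to a log analyzer. The following is an added example, not part of the original posts and not RavenDB's own code; apart from the first two sample lines, which follow the lines quoted above, the sample input is constructed, and the `UnfamiliarCertificate` status and the addresses in it are assumptions for illustration.

```python
import re
from collections import Counter
from typing import Iterator, NamedTuple

# Layout as quoted in the thread: timestamp, thread id, level, source, logger, message.
# Lines 3-5 are constructed sample data (addresses and second status are assumed).
SAMPLE_LOG = """\
2018-03-20T08:08:28.8918443Z, 15, Information, Raven/Server, Raven.Server.Https.AuthenticatingAdapter, Received TLS connection request from : with client certificate: . Authentication status: NoCertificateProvided.
2018-03-20T08:10:29.9387191Z, 11, Information, Server, Raven.Server.RavenServerStartup, GET /certificates/whoami? - 200 - 0 ms
2018-03-20T08:11:02.1000000Z, 15, Information, Raven/Server, Raven.Server.Https.AuthenticatingAdapter, Received TLS connection request from 192.0.2.10:50122 with client certificate: . Authentication status: NoCertificateProvided.
2018-03-20T08:11:03.2000000Z, 17, Information, Raven/Server, Raven.Server.Https.AuthenticatingAdapter, Received TLS connection request from 192.0.2.10:50123 with client certificate: . Authentication status: NoCertificateProvided.
2018-03-20T08:12:40.3000000Z, 17, Information, Raven/Server, Raven.Server.Https.AuthenticatingAdapter, Received TLS connection request from 2001:db8::5:50124 with client certificate: CN=app.example.test. Authentication status: UnfamiliarCertificate.
"""

# Greedy groups: an IPv6 address contains ':' and a subject name may contain '.'.
TLS_RE = re.compile(
    r"Received TLS connection request from (?P<ip>.*):(?P<port>\d*) "
    r"with client certificate: (?P<subject>.*)\. "
    r"Authentication status: (?P<status>\w+)\.$"
)


class TlsAttempt(NamedTuple):
    timestamp: str
    remote_ip: str
    subject: str
    status: str


def parse_tls_attempts(text: str) -> Iterator[TlsAttempt]:
    """Yield one record per AuthenticatingAdapter connection line."""
    for line in text.splitlines():
        # The message may contain ", " itself, so split off only the five leading fields.
        parts = line.split(", ", 5)
        if len(parts) != 6 or not parts[4].endswith("AuthenticatingAdapter"):
            continue
        m = TLS_RE.search(parts[5].strip())
        if m:
            # Empty fields (as in the line quoted in the thread) are made explicit.
            yield TlsAttempt(parts[0], m["ip"] or "<missing>",
                             m["subject"] or "<none>", m["status"])


def rejected_by_source(text: str) -> Counter:
    """Count logged (rejected) connection attempts per (remote address, status)."""
    return Counter((a.remote_ip, a.status) for a in parse_tls_attempts(text))
```
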

Besozzi Luca

Mar 21, 2018, 11:49:53 AM
to RavenDB - 2nd generation document database
For us, and for the GDPR law compliance, it is also very important to log the successful logins.
In 3.5 we use Api-key and Windows AD login, and in the log I can see all the logins.

Oren Eini (Ayende Rahien)

Mar 22, 2018, 2:51:34 AM
to ravendb
We can offer that, but I'm not sure that the log is the best place to put such a thing, to be frank.
Activating the log at information level is too much for such a requirement.

The question here is, what kind of audit are we talking about? Remember, this is done on a _per_ connection basis, so likely is going to be a lot of that over time.

Besozzi Luca

Mar 22, 2018, 3:59:04 AM
to RavenDB - 2nd generation document database
For the GDPR law it is important to know who logs in on RavenDB, both for applications and users,
because in case of data breach we have to provide as much data as possible to the authorities.

Oren Eini (Ayende Rahien)

Mar 22, 2018, 4:01:06 AM
to ravendb
What I'm trying to say here is that we probably need a specific feature, audit log, which will have such entries.
The problem is how do we keep it, and what trims it

Besozzi Luca

Mar 22, 2018, 4:17:42 AM
to RavenDB - 2nd generation document database
It would be very good to save them in another log file that changes name every day.
We would then import them on EventLogAnalyzer or Kibana, so for cleaning we can also make the software decide when to delete them.

Oren Eini (Ayende Rahien)

Mar 22, 2018, 9:58:16 AM
to ravendb
Please see if you have additional needs there.


Besozzi Luca

Mar 22, 2018, 10:13:04 AM
to RavenDB - 2nd generation document database
Thanks a lot

Oren Eini (Ayende Rahien)

Mar 22, 2018, 10:26:15 AM
to ravendb
Please add any other details you need to be there

Besozzi Luca

Mar 22, 2018, 10:41:25 AM
to RavenDB - 2nd generation document database
It may also be useful to log the operations that the logged in user performs on the db.
As I told you before, it is important for the law to provide the most information in the event of a data breach.

But I would not want all these additional logs to impact Raven's performance.

Oren Eini (Ayende Rahien)

Mar 23, 2018, 3:38:08 AM
to ravendb
The problem is what you define as operations.
Each document modified? What about queries? What about patch queries?
The moment we add something to the audit log, this becomes _really bad_ if users can avoid it.
And there is the cost associated with it, too.

Besozzi Luca

Mar 23, 2018, 3:55:25 AM
to RavenDB - 2nd generation document database
Honestly I would not trace the queries and every single change on the db, not even SQL Server does it.
Perhaps the only operations I would like to track are the delete and the drop.
However, for us it is already very useful to trace successful connections, including IP & certificate thumbprint,
name and time as we already talked.

Oren Eini (Ayende Rahien)

Mar 23, 2018, 4:06:29 AM
to ravendb
delete and drop? 

Besozzi Luca

Mar 23, 2018, 4:24:24 AM
to RavenDB - 2nd generation document database
Yes, should be fine. 
I think having notice of delete, drop and login (failed/success) will be enough.
Thanks

Oren Eini (Ayende Rahien)

Mar 23, 2018, 4:27:21 AM
to ravendb
Login is easy.
Delete you mean document deletion?
Drop you mean db deletion?

Besozzi Luca

Mar 23, 2018, 4:34:04 AM
to RavenDB - 2nd generation document database
Exactly.
I don't know if it is also possible to do with the indexes.

Oren Eini (Ayende Rahien)

Mar 23, 2018, 4:46:42 AM
to ravendb
DB & Indexes are easy. I'm not sure why you want to do things with doc deletes.
How is setting the document to {} different from deleting the data? But one would be logged and one not


Besozzi Luca

Mar 23, 2018, 4:55:11 AM
to RavenDB - 2nd generation document database
You're right, in the end the importance of having traced the delete of a document is not fundamental.
I would however track the drop of db and indexes.

Oren Eini (Ayende Rahien)

Mar 27, 2018, 8:02:29 AM
to ravendb
This is not implemented Security.AuditLog.FolderPath


Besozzi Luca

Mar 27, 2018, 10:33:45 AM
to RavenDB - 2nd generation document database
So in the next patch of RavenDB4 we will have the log of login, drop db and indexes?

Oren Eini (Ayende Rahien)

Mar 27, 2018, 12:25:04 PM
to ravendb
Yes, but note that it isn't in the log, you have to configure it explicitly, and it writes to a different location and has a different retention policy.


Besozzi Luca

Mar 28, 2018, 4:21:31 AM
to RavenDB - 2nd generation document database
Thanks a lot!

Besozzi Luca

Apr 6, 2018, 9:33:18 AM
to RavenDB - 2nd generation document database
Hi Oren

I've installed the update and configured the log settings, it's exactly what we need.

Just a question, in this new RavenDB4 the only way for authentication is using certificate, why
did you remove Api keys? For us they were very useful.

Thanks

Oren Eini (Ayende Rahien)

Apr 8, 2018, 2:17:53 AM
to ravendb
API Keys are limited in the following ways:
- Cannot be implemented natively in browsers, so you need a bunch of workarounds to deal with it.
- Same for curl.
- Same for any client we need to implement.
- They relied on our own provided secured solution. I don't want to do security on my own, I want to use well known and trusted solutions.


