rundeck.audit.log - out of control

Richard Leadbetter

Sep 12, 2023, 11:03:37 AM
to rundeck-discuss
Hi All

So a strange one to think about. Today at 11am our rundeck.audit.log file in /var/log/rundeck expanded by 50 GB... have stopped Rundeck, renamed it and restarted Rundeck, the new file seems to be fine now, just a few MB.

The file shot up in size almost instantly according to our monitoring... Just in the process of transferring it off the server so I can look at it in isolation.

Anyone come across this type of thing before? Any other places I should be looking?

Thanks
Rich

rac...@rundeck.com

Sep 12, 2023, 11:39:04 AM
to rundeck-discuss

Hello, Rich.

That log file contains all authorization messages linked to ACLs. Perhaps the instance has been receiving (a lot of) actions via API from an external script. Check the rundeck.access.log file to see where the connections came from, and the rundeck.audit.events.log file to see every activity.

Regards.

Richard Leadbetter

Sep 12, 2023, 11:47:10 AM
to rundeck-discuss
Hi There. 

Yes, I had a look there, and it wasn't that. I think I have found it. If I open up a job that has a lot of nodes selected by default (don't run it, just click on the job in the jobs list), it seems to be evaluating my permissions against all the nodes. So, when I open a job that would execute against 10,000 nodes, that log gets a huge dump of data.

Is this likely due to an ACL misconfiguration? Or just something that Rundeck will always do? (If so, is there a way to turn down this logging?)

Thanks
Rich
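
As an added example (not part of the thread, and not Rundeck code): a streaming triage for an oversized rundeck.audit.log that shows which user, resource type and action account for a burst. The line shape the regexes match and the sample lines are assumptions constructed for illustration; check them against a few real lines from your own file first.

```python
import re
import sys
from collections import Counter

# Assumed line shape (verify against your own log before relying on it):
#   [<timestamp>] ... res<type:node, ...> subject<Username:u Group:g> action<read> ...
TS_MINUTE = re.compile(r"(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2})")
RES_TYPE = re.compile(r"res<type:\s*([^,>\s]+)")
USERNAME = re.compile(r"Username:\s*([^\s>]+)")
ACTION = re.compile(r"action<([^>]*)>")

def summarize(lines):
    """One pass, constant memory per key: count lines and characters
    per (minute, user, resource type, action)."""
    counts, size, unparsed = Counter(), Counter(), 0
    for line in lines:
        ts, res = TS_MINUTE.search(line), RES_TYPE.search(line)
        if not ts or not res:
            unparsed += 1  # truncated or foreign lines are counted, not dropped silently
            continue
        user, act = USERNAME.search(line), ACTION.search(line)
        key = (ts.group(1), user.group(1) if user else "?",
               res.group(1), act.group(1) if act else "?")
        counts[key] += 1
        size[key] += len(line)
    return counts, size, unparsed

def bursts(counts, threshold):
    """Keys whose per-minute line count meets the threshold, largest first."""
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

def constructed_sample():
    # Constructed lines, not taken from a real Rundeck log.
    tmpl = ("[2023-09-12T11:{m:02d}:{s:02d},000] INFO authorization - Decision for: "
            "res<type:{t}, name:item{i}> subject<Username:rich Group:ADSECURITYGROUP> "
            "action<read> env<project:demo>: authorized: true\n")
    lines = [tmpl.format(m=0, s=i % 60, t="node", i=i) for i in range(500)]
    lines += [tmpl.format(m=1, s=i, t="job", i=i) for i in range(3)]
    lines.append("truncated line without a timestamp\n")
    return lines

if __name__ == "__main__":
    # Usage: python triage.py /path/to/copied/rundeck.audit.log
    with open(sys.argv[1], errors="replace") as fh:
        counts, size, unparsed = summarize(fh)
    for key, n in bursts(counts, 1000)[:20]:
        print(n, size[key], *key)
    print("unparsed lines:", unparsed)
```

A single user reading thousands of node resources within one minute points at a UI page load of the kind described above rather than at API traffic from many sources.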

Richard Leadbetter

Sep 12, 2023, 11:51:13 AM
to rundeck-discuss
For reference, the ACL that is being quoted in the log looks like this:

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: ADSECURITYGROUP
---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group:  ADSECURITYGROUP

rac...@rundeck.com

Sep 12, 2023, 2:14:51 PM
to rundeck-discuss
Hello, Rich.

A good approach is to modify the rundeck.audit.log rotating behavior in your log4j2.properties file (typically at the /etc/rundeck location), as shown in this example.

Regards.

Richard Leadbetter

Sep 13, 2023, 3:13:34 AM
to rundeck-discuss
Hi There

Thanks for that, I'll look into this and see if we can mitigate against this.

Good to know that it's not a misconfigured ACL or anything on our end.

Thanks
Rich
