Enable access logging for key value store #33
Comments
tinnightcap
changed the title
|
Web access can be logged via the ELBs or nginx can be placed in front. The issue is that when accessed through confd (aka local agent on remote node accessing over consuls RPC protocol) is not currently implemented in consul. The correct solution here is a feature enhancement to consul itself to add access logging to the key / value store regardless of the access route. |
|
Filed upstream issue: hashicorp/consul#1447 |
|
Right now, we can only enable this in consul by setting the log level to DEBUG, which includes lots of noise. However, we do have access logging enabled on the SSO dashboard, which is the proxy into consul, so can we consider that as an alternate implementation of the feature ? @jd? Thoughts ? |
|
Nop. |
|
@gozer Interesting thought. I think this answers one part of the concern, which is human actors editing the k/v store. The other part is when the k/v store is edited by a host/node. This is commonplace, however if an instance is compromised, the k/v store may be edited and we still have no visibility into that. In other words, this good progress in the right direction, but in my opinion does not resolve the issue in entirety. |
Useful for auditing purposes
The text was updated successfully, but these errors were encountered: