Audit Trail
An audit trail (also called an audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device.
In Pro Mosquitto, the audit trail feature has two components - the in-broker functionality which provides a mechanism for the broker and plugins to send audit events and which can be configured to filter which events are accepted. The second part is a reporting plugin which sends the filtered events on to their final destination. At present, the syslog reporting plugin is available.
Audit trail syslog plugin configuration
To configure the syslog plugin, add the following to your mosquitto.conf file:
global_plugin /path/to/cedalo_audit_trail_syslog.so
The plugin has some options which can be configured.
Docker usage
If you are using Pro Mosquitto via docker, please add the following mount to your docker-compose file to be able to get the logs directly wired to your host system. Otherwise, the logs stay within the docker container.
volumes:
- /dev/log:/dev/log
Log ident
By default, the log ident will be the program name, i.e. mosquitto. This can
be changed with the plugin_opt_log_ident option:
plugin_opt_log_ident audittrail
Log facility
By default, logging will use the daemon facility. This can be changed to one
of local0 to local7 if required.
plugin_opt_log_facility local2
Log timestamp
By default the event timestamp in the payload is a Unix timestamp with
millisecond resolution. Alternatively, the plugin_opt_iso8601_timestamp
option may be used to have an ISO-8601 format timestamp.
plugin_opt_iso8601_timestamp true
Exclude IP address
By default the IP address of the client which originated the request will be
included in the audit event. If this is not wanted, the
plugin_opt_exclude_ip_address option can be set to true.
plugin_opt_exclude_ip_address true
Audit trail configuration
The Audit Trail feature in Mosquitto can be configured to allow control over which events are reported. There are two mechanisms to achieve this. The first is through the use of a log threshold, which only reports events which are greater than or equal to an importance threshold set by the administrator. The second is through the use of fine grained filters.
All configuration is done through a configuration file audit-trail.json,
which must be located in the persistence_location directory.
If the audit-trail.json file is not found, no audit events will be reported.
An example of the file is given below:
{
"filters": [
{
"filterType": "include",
"source": "dynamic-security"
},
{
"filterType": "include",
"source": "ha",
"operation": "createCluster"
},
{
"filterType": "exclude",
"operationType": "read"
}
]
"logThreshold": "debug"
}
Log threshold
The logThreshold option can be set to one of debug, info, notice,
warning, and error, which relate to the corresponding syslog log levels.
Any audit events which have a lower importance than the log threshold will not
be logged. For example, setting the log threshold to warning, means that only
events with importance of warning and error will be logged.
The default threshold is info.
Filters
All audit events have an associated source, operationType, and operation
property. The filters functionality allows events to be filtered using all of
those properties.
The filters part of the configuration file is a list of individual filters
that are to be applied to each event to determine whether it is to be reported.
The filters are evaluated in order and the final result applies. This means it
is straightforward to arrange very specific filters to pick out or exclude
certain events.
Each filter has a filterType property which is the only required property,
and must be set to either include, or exclude. If the final result of
evaluating the filter list is include, then the event will be reported. If
the final result is exclude then the event will not be reported.
It is recommended to order the filters from most general to most specific.
The default behaviour is exclude reporting of events, so at least one include
filter must be provided.
The source, operationType, and operation properties are used to match
events. All of these properties are optional. If the property is not present
then any property of that type will match. If the property is present, then an
event must match that property for the filter to be applied to the event.
The source property is used to match against the provider of the event. This
will be core for events coming from the core Mosquitto broker, or the name of
a plugin, e.g. dynamic-security, ha.
The operationType property is used to match against the CRUD type of the
operation. If present, this property must be one of create, read, update,
delete, or other. The other type includes operation types that are not
well covered by the first four types, such as client connection/disconnection.
The operation property is used to match against a specific operation by a
source. The list of available properties for each source is provided below. If
this property is available, the event operation must match exactly.
Filter example - exclude all
This is the default behaviour if audit-trail.json is missing or empty, or if
no include filters are defined.
Filter example - include all
Because only the filterType property is used, this matches against every
event.
{
"filters": [
{
"filterType": "include"
}
]
}
Filter example - dynamic security source only
This matches against the dynamic security plugin events and reports all of them.
{
"filters": [
{
"filterType": "include",
"source": "dynamic-security"
}
]
}
Filter example - dynamic security excluding some operations
This matches against the dynamic security plugin events and reports all of
them apart from the disableClient operation.
{
"filters": [
{
"filterType": "include",
"source": "dynamic-security"
},
{
"filterType": "exclude",
"source": "dynamic-security",
"operation": "disableClient"
}
]
}
Filter example - core broker excluding other operation types
This matches against the core broker events and reports all of
them apart from the other operation type.
{
"filters": [
{
"filterType": "include",
"source": "core"
},
{
"filterType": "exclude",
"operationType": "other"
}
]
}
Filter example - multiple types
This is a more realistic setup that addresses multiple sources.
All core events match and are reported.
All dynamic-security events match, apart from those that are read operation.
All ha events match, except the specific getRaftStatus and isLeader operations.
For the getRaftStatus and isLeader operations, the source isn't
specifically set to ha, however in this case those operations are only
available on that source.
{
"filters": [
{
"filterType": "include",
"source": "core"
},
{
"filterType": "include",
"source": "dynamic-security"
},
{
"filterType": "include",
"source": "ha"
},
{
"filterType": "exclude",
"source": "dynamic-security"
"operationType": "read"
},
{
"filterType": "exclude",
"operation": "getRaftStatus"
},
{
"filterType": "exclude",
"operation": "isLeader"
}
]
}
List of audit events
| source | operation | operationType | log level |
|---|---|---|---|
| core | brokerStart | other | notice |
| core | brokerStop | other | notice |
| core | brokerReload | other | notice |
| core | clientConnect | other | notice |
| core | clientDisconnect | other | notice |
| dynamic-security | createClient | create | notice |
| dynamic-security | deleteClient | delete | notice |
| dynamic-security | enableClient | update | notice |
| dynamic-security | disableClient | update | notice |
| dynamic-security | setClientId | update | info |
| dynamic-security | setClientPassword | update | info |
| dynamic-security | getClient | read | debug |
| dynamic-security | listClients | read | debug |
| dynamic-security | addClientRole | update | info |
| dynamic-security | removeClientRole | update | info |
| dynamic-security | modifyClient | update | info |
| dynamic-security | createGroup | create | notice |
| dynamic-security | getGroup | read | debug |
| dynamic-security | listGroups | read | debug |
| dynamic-security | addGroupClient | update | info |
| dynamic-security | removeGroupClient | update | info |
| dynamic-security | addGroupRole | update | info |
| dynamic-security | removeGroupRole | update | info |
| dynamic-security | modifyGroup | update | info |
| dynamic-security | setAnonymousGroup | update | info |
| dynamic-security | getAnonymousGroup | update | info |
| dynamic-security | createRole | create | notice |
| dynamic-security | deleteRole | delete | notice |
| dynamic-security | getRole | read | debug |
| dynamic-security | listRoles | read | debug |
| dynamic-security | addRoleAcl | update | info |
| dynamic-security | removeRoleAcl | update | info |
| dynamic-security | modifyRole | update | info |
| dynamic-security | getDefaultAcl | read | debug |
| dynamic-security | setDefaultAcl | update | notice |
| ha | createCluster | create | notice |
| ha | joinCluster | create | notice |
| ha | leaveCluster | update | notice |
| ha | deleteCluster | delete | notice |
| ha | addNode | update | notice |
| ha | removeNode | update | notice |
| ha | isLeader | read | debug |
| ha | setLeader | update | notice |
| ha | getNode | read | debug |
| ha | getCluster | read | debug |
| ha | getRaftStatus | read | debug |
| ha | nodeRole | update | info |
| ha | clusterStatus | update | info |