Audit Logging
OSO Kafka Backup Enterprise provides comprehensive audit logging for compliance and security monitoring.
Overview
Audit logging captures:
- All backup operations
- All restore operations
- Configuration changes
- Access attempts (successful and denied)
- Administrative actions
Configuration
Basic Audit Configuration
```yaml
enterprise:
  audit:
    enabled: true
    # Where to send audit logs
    destination:
      type: file
      path: /var/log/kafka-backup/audit.log
    # What to log
    events:
      - backup.started
      - backup.completed
      - backup.failed
      - restore.started
      - restore.completed
      - restore.failed
      - access.denied
      - config.changed
```
Audit Destinations
File
```yaml
enterprise:
  audit:
    destination:
      type: file
      path: /var/log/kafka-backup/audit.log
      rotation:
        max_size_mb: 100
        max_files: 10
        compress: true
```
S3
```yaml
enterprise:
  audit:
    destination:
      type: s3
      bucket: audit-logs
      prefix: kafka-backup/
      region: us-west-2
      # Logs are batched and uploaded periodically
      batch_interval_secs: 60
```
CloudWatch Logs
```yaml
enterprise:
  audit:
    destination:
      type: cloudwatch
      log_group: /kafka-backup/audit
      log_stream: ${HOSTNAME}
      region: us-west-2
```
Kafka Topic
```yaml
enterprise:
  audit:
    destination:
      type: kafka
      bootstrap_servers:
        - kafka:9092
      topic: audit-events
      security:
        security_protocol: SASL_SSL
        sasl_mechanism: SCRAM-SHA256
        sasl_username: audit-producer
        sasl_password: ${AUDIT_KAFKA_PASSWORD}
```
Syslog
```yaml
enterprise:
  audit:
    destination:
      type: syslog
      server: syslog.company.com:514
      protocol: tcp  # or udp
      facility: local0
```
Webhook
```yaml
enterprise:
  audit:
    destination:
      type: webhook
      url: https://siem.company.com/ingest
      headers:
        Authorization: Bearer ${WEBHOOK_TOKEN}
      batch_size: 100
      retry_attempts: 3
```
Multiple Destinations
```yaml
enterprise:
  audit:
    destinations:
      - type: file
        path: /var/log/kafka-backup/audit.log
      - type: s3
        bucket: audit-archive
        prefix: kafka-backup/
      - type: kafka
        bootstrap_servers:
          - kafka:9092
        topic: audit-events
```
Audit Events
Event Categories
| Category | Events |
|---|---|
| Backup | started, completed, failed, cancelled |
| Restore | started, completed, failed, cancelled |
| Validate | started, completed, failed |
| Access | granted, denied |
| Config | changed, viewed |
| Auth | login, logout, token_refresh |
| Admin | license_applied, feature_enabled |
Event Configuration
```yaml
enterprise:
  audit:
    events:
      # Backup events
      - backup.started
      - backup.completed
      - backup.failed
      - backup.checkpoint  # Include progress checkpoints
      # Restore events
      - restore.started
      - restore.completed
      - restore.failed
      # Security events (always recommended)
      - access.denied
      - auth.login
      - auth.logout
      - auth.failed
      # Configuration events
      - config.changed
    # Exclude specific events
    exclude_events:
      - backup.checkpoint  # If too verbose
```
Audit Log Format
Standard Fields
Every audit event includes:
```json
{
  "timestamp": "2024-12-01T10:15:30.123Z",
  "event_type": "backup.completed",
  "event_id": "evt_abc123def456",
  "version": "1.0",
  "actor": {
    "type": "user",
    "id": "alice@company.com",
    "roles": ["backup-operator"],
    "ip_address": "10.0.0.50",
    "user_agent": "kafka-backup-cli/1.0.0"
  },
  "resource": {
    "type": "backup",
    "id": "production-backup-20241201",
    "path": "s3://kafka-backups/production/"
  },
  "action": {
    "operation": "backup",
    "result": "success",
    "duration_ms": 45000
  },
  "context": {
    "cluster_id": "prod-us-west-2",
    "environment": "production",
    "correlation_id": "req_xyz789"
  }
}
```
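One way to consume these records for monitoring, as an added example that is not part of the product or its documentation: it checks each record for the standard top-level fields and flags actors with repeated `access.denied` events inside a time window. It assumes the file destination writes one JSON event per line in time order (the page does not state this); the threshold, window, function names and sample events are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Top-level keys the page lists under "Standard Fields".
REQUIRED = ("timestamp", "event_type", "event_id", "version",
            "actor", "resource", "action", "context")

def denied_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, rejects); alerts maps actor id -> peak denials in window.
    Assumption: one JSON event per line, already in chronological order."""
    recent, alerts, rejects = defaultdict(deque), {}, []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            rejects.append(f"line {n}: not a JSON object")
            continue
        missing = [k for k in REQUIRED if k not in ev]
        if missing:  # incomplete records are reported, never silently skipped
            rejects.append(f"line {n}: missing {', '.join(missing)}")
            continue
        if ev["event_type"] != "access.denied":
            continue
        try:
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            actor = ev["actor"]["id"]
        except (ValueError, KeyError, TypeError, AttributeError):
            rejects.append(f"line {n}: bad timestamp or actor")
            continue
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:  # drop denials that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[actor] = max(alerts.get(actor, 0), len(q))
    return alerts, rejects

def sample_event(ts, etype, actor):  # constructed sample record, not real output
    return json.dumps({"timestamp": ts, "event_type": etype, "event_id": "evt_sample",
                       "version": "1.0", "actor": {"type": "user", "id": actor},
                       "resource": {}, "action": {}, "context": {}})

SAMPLE = [sample_event("2024-12-01T10:15:30.123Z", "backup.completed", "alice@company.com")]
SAMPLE += [sample_event(f"2024-12-01T10:{m}.000Z", "access.denied", "mallory@company.com")
           for m in ("16:00", "16:40", "18:05")]
SAMPLE.append(sample_event("2024-12-01T10:20:00.000Z", "access.denied", "bob@company.com"))
SAMPLE.append('{"timestamp": "2024-12-01T10:21:00.000Z", "event_type": "access.denied"}')
```

Records that fail validation are returned in `rejects` so that a truncated or tampered line shows up as a finding of its own.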
Event-Specific Fields
Backup Events
```json
{
  "event_type": "backup.completed",
  "details": {
    "backup_id": "production-backup-20241201",
    "topics": ["orders", "payments", "users"],
    "records_backed_up": 1500000,
    "bytes_backed_up": 524288000,
    "compressed_bytes": 104857600,
    "compression_ratio": 5.0,
    "duration_secs": 120,
    "checkpoints": 4
  }
}
```