Description of problem: This RFE is raised to have a logfile (preferably a configurable filepath) to log all user activity on RGW nodes. We want to record all object access on rados gateways and keep track of all S3 users. Currently with enabling ops_log in ceph.conf, we are able to read the header details from the opslog socket. rgw_enable_ops_log = True rgw_log_http_headers = http_x_forwarded_for, http_expect, http_content_md5 rgw_ops_log_socket_path = /var/run/ceph/opslog But this is a manual way, it would be helpful to have a logfile and can help with audit purposes of user/bucket activity. https://access.redhat.com/solutions/3613291 Version-Release number of selected component (if applicable): Red Hat Ceph Storage 4.1 Actual results: No specific logfile for rgw activity. Expected results: Have a configurable logfile that logs all user/bucket activity. Additional info:
Hi, There's actually discussion going on now around improving access logging, so I'd like to run the current ideas by you. The current leading proposal, with support from Sebastien and the ceph-ansible maintainers, is to continue using the ops-log socket, but to provide automations in rook and ceph-ansible for setting it up and exposing it everywhere. Does this sound like an approach that will work for you? Matt
(In reply to Matt Benjamin (redhat) from comment #2) > Hi, > > There's actually discussion going on now around improving access logging, so > I'd like to run the current ideas by you. > > The current leading proposal, with support from Sebastien and the > ceph-ansible maintainers, is to continue using the ops-log socket, but to > provide automations > in rook and ceph-ansible for setting it up and exposing it everywhere. > > Does this sound like an approach that will work for you? Hi Matt, Thanks for the quick response. The mentioned approach helps; by exposing you mean only the ops-log socket or getting the data written somewhere. The end user would want to having a readable file (could be under /var/log/ceph/) and no manual probe to the ops-log socket. Thanks.
Hello Matt, (In reply to Deepu K S from comment #3) > (In reply to Matt Benjamin (redhat) from comment #2) > > Hi, > > > > There's actually discussion going on now around improving access logging, so > > I'd like to run the current ideas by you. > > > > The current leading proposal, with support from Sebastien and the > > ceph-ansible maintainers, is to continue using the ops-log socket, but to > > provide automations > > in rook and ceph-ansible for setting it up and exposing it everywhere. > > > > Does this sound like an approach that will work for you? > > Hi Matt, > > Thanks for the quick response. > > The mentioned approach helps; by exposing you mean only the ops-log socket > or getting the data written somewhere. > > The end user would want to having a readable file (could be under > /var/log/ceph/) and no manual probe to the ops-log socket. > > Thanks. Can we please have an update about this ? Thanks.
*** This bug has been marked as a duplicate of bug 1910419 ***