Hello All! I am having trouble with Audit logs and...
# help
o
Hello All! I am having trouble with Audit logs and would appreciate the support 🙂 : I am Building and Pushing the following Cerbos Docker Image into ECR:

```dockerfile
FROM ghcr.io/cerbos/cerbos:0.24.0
# To access the kernel inside the container
COPY --from=public.ecr.aws/docker/library/busybox:uclibc /bin /bin
COPY policies /policies
ENV CERBOS_CONFIG="/config/config.yaml"
EXPOSE 3593 3592
```
The policies directory is in the same directory as the Dockerfile and is mounted onto the container. Then I deploy the following Kubernetes manifest Deployment.yaml in my AWS EKS cluster (Fargate node), mounting the /config/config.yaml and audit-logs directory onto the container. Audit logs are enabled, and a path is specified for the file inside the audit-logs directory:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cerbos-config
data:
  config.yaml: |
    server:
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"
    storage:
      driver: "disk"
      disk:
        directory: /policies
    schema:
      enforcement: reject
    audit:
      enabled: true
      accessLogsEnabled: true
      decisionLogsEnabled: true
      backend: file
      file:
        path: /audit-logs/cerbos.log
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "3000"
    prometheus.io/scrape: "true"
  labels:
    app: yl-api-cerbos
    namespace: "{{ .Values.ENVIRONMENT }}"
  name: yl-api-cerbos-deployment
  namespace: "{{ .Values.ENVIRONMENT }}"
spec:
  minReadySeconds: 0
  progressDeadlineSeconds: 600
  replicas: 3
  selector:
    matchExpressions: []
    matchLabels:
      cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: yl-api-cerbos
        cdk8s.deployment: AppChart-yl-api-cerbos-deployment-c8445de9
        namespace: "{{ .Values.ENVIRONMENT }}"
    spec:
      automountServiceAccountToken: true
      containers:
        - image: "{{ .Values.AWS_ACCOUNT }}.dkr.ecr.{{ .Values.AWS_REGION }}.amazonaws.com/{{ .Values.SERVICE_NAME }}:{{ .Values.APP_VERSION }}"
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 3592
            initialDelaySeconds: 30
            timeoutSeconds: 10
          name: yl-api-cerbos
          ports:
            - containerPort: 3593
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 3592
            initialDelaySeconds: 30
            timeoutSeconds: 10
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 250m
              memory: 128Mi
          securityContext:
            privileged: false
            readOnlyRootFilesystem: false
            runAsNonRoot: false
          volumeMounts:
            - name: cerbos-logs
              mountPath: /audit-logs/
            - name: cerbos-config
              mountPath: /config/
      volumes:
        - name: cerbos-config
          configMap:
            name: cerbos-config
        - name: cerbos-logs
          emptyDir: {}
```
I deploy the deployment and the yl-api-cerbos container is running as expected. However, when I exec inside the container and check the cerbos.log file, I see that the file is empty. When I run the command `kubectl logs <POD_NAME> -c <CONTAINER_NAME>`, I see the following logs:

```
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"maxprocs: Updating GOMAXPROCS=1: using minimum allowed GOMAXPROCS"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.166Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.235Z","log.logger":"cerbos.index","message":"Found 2 executable policies"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.236Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
{"log.level":"info","@timestamp":"2023-02-24T20:27:20.240Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}
```

Why aren’t these logs captured in the cerbos.log file, and how can I log these logs inside the file? Please advise if there is anything wrong with my configurations. 😊 Many thanks
o
Hi Omar, I think you expected to see the server logs you have shared in the audit log file. But it works like this: you can see every type of log in the server logs (`kubectl logs <POD_NAME> -c <CONTAINER_NAME>`), but audit logs only include logs for the requests made to the Cerbos instance (e.g. `CheckResources`). If you send a `CheckResources` (docs) or `PlanResources` (docs) request to your Cerbos instance, you will see the logs for it in your audit log file (`/audit-logs/cerbos.log`) and also in the server logs (`kubectl logs <POD_NAME> -c <CONTAINER_NAME>`).
o
Thank you @oguzhan for the clarification! Do you know any methods I can take to capture the server logs in a log file or store them anywhere? I need to send all the logs (Audit/Server) into Datadog and I'm using a fluentbit sidecar container. I would appreciate any suggestions 🙂
o
You could set the audit log file to `stdout`. Since both audit logs and server logs will be available on `stdout`, you could scrape the container logs with DataDog agent.