
Audit Record Maintenance

In this exercise, you will modify the configuration to implement audit record archiving and purging.

Archive location preparation

A location has already been set up as a destination for your audit record archives in the workshop environment. This is typically an additional manual post-deployment step that requires an administrator to attach a PVC to the sas-audit pod.

  1. View mount on the audit pod:
    kubectl describe po -l app=sas-audit | grep -A3 audit-archive-volume
    

    Expected output:

       /archive from audit-archive-volume (rw)
       /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts from security (rw,path="cacerts")
       /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private from security (rw,path="private")
       /security from security (rw)
    --
    audit-archive-volume:
       Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
       ClaimName:  audit-archive-pvc
       ReadOnly:   false
    
    At what location is the archive volume mounted in the audit pod?

    The PVC is mounted at /archive.

Archive audit records

  1. Log on to SAS Environment Manager as Student:Metadata0 and go to the Configuration area.

  2. From the list of services, select Audit service.

  3. Click the pencil/edit icon for the sas.audit.archive.process configuration instance. This is one of several configuration instances that control the behavior of audit record archival and purging.

  4. Make the following edits to the configuration:
    • Specify a value of local for the storageType property.
    • Specify a value of 1h for the audit.retention property.
    • Specify a value of */5 * * * * for the scanSchedule property to have the process run every 5 minutes.
  5. Click Save.

  6. Now edit the sas.audit.archive.system property as follows:
    • Specify /archive as the value for the storage.location.destination property.
  7. Click Save to apply.

  8. When the time specified in your cron expression is reached, the archive process commences and records will start to be written to the PVC (and removed from the Infrastructure Data Server). View the archived records directly from the main cluster node by running:

    ls -R /srv/nfs/kubedata/audit-archive-pvc-$(kubectl get pv|grep audit-archive| awk '{print $1}')/archive/provider/2024 |grep -A30 /audit 
    

    You will see a list of some directories containing .arc files:

    /srv/nfs/kubedata/gelcorp-audit-archive-pvc-pvc-5cd63491-baed-4368-b937-c9dc5d4369e7/archive/provider/2024/2/16/audit:
    034ef97b-8e64-4ad5-8bf9-9c1598a3fae9.arc
    11b5a9fe-dad8-4a40-bcfd-a9148f86a46b.arc
    17f1fa49-f463-4a14-ad4e-7508fbf50609.arc
    18b6ff40-174f-4198-aab3-1a0249be1b77.arc
    23941ee6-e25b-404d-951d-f0ae42a70f4f.arc
    3a2e68d5-97fa-4f3a-8547-bd03c9eecad9.arc
    53d43268-6426-4453-9921-b07d630c693c.arc
    58c1e86a-970d-4a70-a213-d7d30e919c6b.arc
    63ca1338-3d5a-435b-93b4-5cfae44bffbf.arc
    6ab6a8d8-d93c-48ea-9b32-4d9ca182f785.arc
    7382f50d-a633-440a-863a-00a121497114.arc
    8f90173f-40f7-4a5e-a62d-87c49eae74ea.arc
    a45d01fc-30e7-4078-b87c-e86a8b4ad8ef.arc
    a6bd926b-ca5d-4db1-9dc3-cf4a78ffaa49.arc
    c31976f4-6bcb-4aba-84ec-f3d05fada8d4.arc
    c41f3160-19e5-4b62-b013-476d4c29ab4f.arc
    df124934-83de-465b-a700-bdcaeb5afbb1.arc
    e6da5a2d-9440-4244-922d-56cab2e7b54d.arc
    ed468dee-6f25-419a-bb2a-2318154e8150.arc
    

    Each .arc file is a JSON archive containing 1000 audit records (as defined by the batchSize configuration property). If desired, you may open one of the files in a text editor to inspect it.

    The files can be copied to another location (e.g. somewhere that gets backed up) and/or deleted, noting that they are owned by root (sudo access required).

Purge archived records

Archived audit records can be purged once they reach a defined retention period to keep the PV storage well-maintained. In this exercise, you will set up the purging of archived audit records.

  1. There are two relevant configuration instances to set up the purging of archived audit records. First, edit the sas.audit.archive.process instance as follows:
    • Specify a value of 30m for the audit.retention.in.archive property.
  2. Edit the sas.audit.purge instance as follows:
    • Ensure that the enabled switch is turned on
    • Specify the scanSchedule as */5 * * * *

    In the same way that audit records are archived to the attached storage volume according to the schedule defined in the scanSchedule property, the purge process removes records from the defined archive volume path on its own schedule.

    Note: If backups of archived audit records (or PVCs) are required, be sure to take them between scheduled purges.

  3. After 5 minutes, archive files containing records older than 30 minutes will be removed from the archive location by the purge process. Verify by running the following:

    # After 5 minutes, this command will show old archives being removed:
    ls /srv/nfs/kubedata/audit-archive-pvc-$(kubectl get pv|grep audit-archive| awk '{print $1}') 
    
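As an added check that is not part of this exercise or of SAS Viya itself, the following Python script walks an archive volume in the provider/YYYY/M/D/audit/*.arc layout shown above, counts the records in each .arc file, and flags any file older than audit.retention.in.archive plus one purge scan interval, which is the sign that the purge job is not running. It assumes each .arc file parses as a JSON array of records (an assumption; the real format is not documented here) and builds its own sample archive in a temporary directory so it runs offline; pass the real PVC mount path to audit_archive_report to check a live volume.

```python
import json
import os
import tempfile
import time
from pathlib import Path

ARCHIVE_SUBDIR = Path("archive") / "provider"   # layout seen in the exercise: provider/YYYY/M/D/audit/*.arc
BATCH_SIZE = 1000                               # batchSize configuration property (records per .arc file)
RETENTION_IN_ARCHIVE_SEC = 30 * 60              # audit.retention.in.archive = 30m
PURGE_SCAN_SEC = 5 * 60                         # sas.audit.purge scanSchedule = */5 * * * *


def audit_archive_report(pvc_root, retention_sec=RETENTION_IN_ARCHIVE_SEC, grace_sec=PURGE_SCAN_SEC, now=None):
    """Summarise every .arc file under <pvc_root>/archive/provider/**/audit/.
    A file older than retention + one scan interval should already have been purged,
    so it is listed as overdue. Assumes each .arc is a JSON array of records."""
    now = time.time() if now is None else now
    report = {"files": 0, "records": 0, "overdue": [], "unreadable": []}
    for arc in sorted((Path(pvc_root) / ARCHIVE_SUBDIR).glob("**/audit/*.arc")):
        report["files"] += 1
        try:
            with open(arc, encoding="utf-8") as fh:
                records = json.load(fh)
        except (OSError, ValueError):
            report["unreadable"].append(str(arc))   # corrupt or unreadable archive: worth investigating
            continue
        report["records"] += len(records) if isinstance(records, list) else 1
        age_sec = now - arc.stat().st_mtime
        if age_sec > retention_sec + grace_sec:
            report["overdue"].append((str(arc), int(age_sec // 60)))   # (path, age in minutes)
    return report


def make_sample_archive(root):
    """Constructed sample (not real audit data): one fresh .arc with 3 records and
    one full batch whose mtime is set 45 minutes in the past."""
    day_dir = Path(root) / ARCHIVE_SUBDIR / "2024" / "2" / "16" / "audit"
    day_dir.mkdir(parents=True)
    (day_dir / "fresh.arc").write_text(json.dumps([{"type": "logon", "user": "student"}] * 3))
    stale = day_dir / "stale.arc"
    stale.write_text(json.dumps([{"type": "logon", "user": "student"}] * BATCH_SIZE))
    old = time.time() - 45 * 60
    os.utime(stale, (old, old))


def run_demo():
    """Build the sample archive in a temporary directory and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_archive(tmp)
        return audit_archive_report(tmp)


if __name__ == "__main__":
    print(run_demo())
```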


Copyright © SAS Institute Inc. All Rights Reserved.