审计连接事件

描述如何审计连接事件。

Redis 企业软件

从版本 6.2.18 开始，Redis Enterprise Software 允许您审核数据库连接和身份验证事件。这有助于您跟踪连接活动并对其进行故障排除。

跟踪以下事件：

数据库连接尝试
身份验证请求，包括对新连接和现有连接的请求
数据库断开连接

触发跟踪事件时，将通过 TCP 将通知发送到启用审核时定义的地址和端口。通知以近乎实时的方式显示，旨在供外部侦听器（如 TCP 侦听器、第三方服务或相关实用程序）使用。

示例外部侦听器包括：

ncat：对调试有用，但不适合生产环境。
Imperva Sonar：可与 Redis Enterprise Software 分开购买的第三方服务。有关更多信息，请参阅 Redis 入门步骤。

对于开发和测试环境，可以将通知保存到本地文件;但是，这既不受支持，也不适用于生产环境。

出于性能原因，默认情况下不启用审核。此外，审计在后台进行（异步），并且根据设计是非阻塞的。也就是说，触发通知的作将继续，而不考虑通知或侦听工具的状态。

启用审核通知

集群审计

要为您的集群启用审计，请使用：

rladmin
```
rladmin cluster config auditing db_conns \
   audit_protocol <TCP|local> \
   audit_address <address> \
   audit_port <port> \
   audit_reconnect_interval <interval in seconds> \
   audit_reconnect_max_attempts <number of attempts>
```
哪里：
- audit_protocol 表示用于处理通知的协议。对于生产系统，TCP 是唯一的值。
- audit_address 定义可在其中侦听通知的 TCP/IP 地址
- audit_port 定义了可以监听通知的端口
- audit_reconnect_interval 定义尝试重新连接到侦听器之间的间隔（以秒为单位）。默认值为 1 秒。
- audit_reconnect_max_attempts 定义重新连接的最大尝试次数。默认值为 0。（无限）
开发系统可以将audit_protocol设置为local用于测试和培训目的;但是，生产用途不支持此设置。

什么时候audit_protocol设置为local,<address>应设置为在运行 Redis Enterprise 的机器上定义的流套接字，并且<port>不应指定：
```
rladmin cluster config auditing db_conns \
   audit_protocol local audit_address <output-file>
```
运行 Redis Enterprise Software 的用户和组必须能够访问输出文件（和路径）。

REST API

PUT /v1/cluster/auditing/db_conns
{ 
    "audit_address": "<address>", 
    "audit_port": <port>, 
    "audit_protocol": "TCP",
    "audit_reconnect_interval": <interval>,
    "audit_reconnect_max_attempts": <max attempts>
}

哪里<address>是包含 TCP/IP 地址的字符串，<port>是表示端口的数值，<interval>是一个数值，表示以秒为单位的间隔，而<max attempts>是一个数值，表示执行的最大尝试次数。

数据库审计

为集群启用审计后，您可以审计单个数据库。为此，请使用：

rladmin
```
rladmin tune db db:<id|name> db_conns_auditing enabled
```
其中 db： 参数的值是数据库的集群 ID 或数据库名称。

要停用审核，请将db_conns_auditing自disabled.

用rladmin info要检索其他详细信息，请执行以下作：
```
rladmin info db <id|name>
rladmin info cluster
```
REST API
```
PUT /v1/bdbs/1
{ "db_conns_auditing": true }
```
要停用审核，请将db_conns_auditing自false.

在审计数据库之前，您必须为集群启用审计;否则，将显示错误：

错误设置说明：在设置功能配置之前，无法启用 DB Connections Auditing。
错误设置 error_code：db_conns_auditing_config_missing

要解决此错误，请在尝试审核数据库之前为集群启用协议。

新数据库的策略默认值

要默认审核新数据库的连接，请使用：

rladmin
```
rladmin tune cluster db_conns_auditing enabled
```
要停用此政策，请将db_conns_auditing自disabled.
REST API
```
PUT /v1/cluster/policy
{ "db_conns_auditing": true }
```
要停用此政策，请将db_conns_auditing自false.

通知示例

审核事件通知作为 JSON 对象报告。

新建连接

此示例报告数据库的新连接：

{
    "ts":1655821384,
    "new_conn":
    {
        "id":2285001002 ,
        "srcip":"127.0.0.1",
        "srcp":"39338",
        "trgip":"127.0.0.1",
        "trgp":"12635",
        "hname":"",
        "bdb_name":"DB1",
        "bdb_uid":"5"
    }
}

`Authentication request`


Here is a sample authentication request for a database:
{
    "ts":1655821384,
    "action":"auth",
    "id":2285001002 ,
    "srcip":"127.0.0.1",
    "srcp":"39338",
    "trgip":"127.0.0.1",
    "trgp":"12635",
    "hname":"",
    "bdb_name":"DB1",
    "bdb_uid":"5",
    "status":2,
    "username":"user_one",
    "identity":"user:1",
    "acl-rules":"~* +@all"
}
The status field reports the following:



Values of 2, 7, or 8 indicate success.


Values of 3 or 5 indicate that the client authentication is in progress and should conclude later.


Other values indicate failures.


Database disconnect
Here's what's reported when a database connection is closed:
{
    "ts":1655821384,
    "close_conn":
    {
        "id":2285001002,
        "srcip":"127.0.0.1",
        "srcp":"39338",
        "trgip":"127.0.0.1",
        "trgp":"12635",
        "hname":"",
        "bdb_name":"DB1",
        "bdb_uid":"5"
    }
}
Notification field reference

The field value that appears immediately after the timestamp describes the action that triggered the notification.  The following values may appear:

new_conn indicates a new external connection
new_int_conn indicates a new internal connection
close_conn occurs when a connection is closed
"action":"auth" indicates an authentication request and can refer to new authentication requests or authorization checks on existing connections

In addition, the following fields may also appear in audit event notifications:

  
      
          Field name
          Description
      
  
  
      
          acl-rules
          ACL rules associated with the connection, which includes a rule for the default user.
      
      
          bdb_name
          Destination database name - The name of the database being accessed.
      
      
          bdb_uid
          Destination database ID - The cluster ID of the database being accessed.
      
      
          hname
          Client hostname - The hostname of the client.  Currently empty; reserved for future use.
      
      
          id
          Connection ID - Unique connection ID assigned by the proxy.
      
      
          identity
          Identity - A unique ID the proxy assigned to the user for the current connection.
      
      
          srcip
          Source IP address - Source TCP/IP address of the client accessing the Redis database.
      
      
          srcp
          Source port - Port associated with the source IP address accessing the Redis database. Combine the port with the address to uniquely identify the socket.
      
      
          status
          Status result code - An integer representing the result of an authentication request.
      
      
          trgip
          Target IP address - The IP address of the destination being accessed by the action.
      
      
          trgp
          Target port - The port of the destination being accessed by the action.  Combine the port with the destination IP address to uniquely identify the database being accessed.
      
      
          ts
          Timestamp - The date and time of the event, in Coordinated Universal Time (UTC).  Granularity is within one second.
      
      
          username
          Authentication username  - Username associated with the connection; can include default for databases that allow default access.  (Passwords are not recorded).
      
  

Status result codes
The status field reports the results of an authentication request as an integer.  Here's what different values mean:

  
      
          Error value
          Error code
          Description
      
  
  
      
          0
          AUTHENTICATION_FAILED
          Invalid username and/or password.
      
      
          1
          AUTHENTICATION_FAILED_TOO_LONG
          Username or password are too long.
      
      
          2
          AUTHENTICATION_NOT_REQUIRED
          Client tried to authenticate, but authentication isn't necessary.
      
      
          3
          AUTHENTICATION_DIRECTORY_PENDING
          Attempting to receive authentication info from the directory in async mode.
      
      
          4
          AUTHENTICATION_DIRECTORY_ERROR
          Authentication attempt failed because there was a directory connection error.
      
      
          5
          AUTHENTICATION_SYNCER_IN_PROGRESS
          Syncer SASL handshake. Return SASL response and wait for the next request.
      
      
          6
          AUTHENTICATION_SYNCER_FAILED
          Syncer SASL handshake. Returned SASL response and closed the connection.
      
      
          7
          AUTHENTICATION_SYNCER_OK
          Syncer authenticated. Returned SASL response.
      
      
          8
          AUTHENTICATION_OK
          Client successfully authenticated.
      
  


        

  
  
    
      RATE THIS PAGE
      
        
        
        ★
        
        
        ★
        
        
        ★
        
        
        ★
        
        
        ★
        
      
      
    
      Back to top ↑

Field name	Description
`acl-rules`	ACL rules associated with the connection, which includes a rule for the `default` user.
`bdb_name`	Destination database name - The name of the database being accessed.
`bdb_uid`	Destination database ID - The cluster ID of the database being accessed.
`hname`	Client hostname - The hostname of the client. Currently empty; reserved for future use.
`id`	Connection ID - Unique connection ID assigned by the proxy.
`identity`	Identity - A unique ID the proxy assigned to the user for the current connection.
`srcip`	Source IP address - Source TCP/IP address of the client accessing the Redis database.
`srcp`	Source port - Port associated with the source IP address accessing the Redis database. Combine the port with the address to uniquely identify the socket.
`status`	Status result code - An integer representing the result of an authentication request.
`trgip`	Target IP address - The IP address of the destination being accessed by the action.
`trgp`	Target port - The port of the destination being accessed by the action. Combine the port with the destination IP address to uniquely identify the database being accessed.
`ts`	Timestamp - The date and time of the event, in Coordinated Universal Time (UTC). Granularity is within one second.
`username`	Authentication username - Username associated with the connection; can include `default` for databases that allow default access. (Passwords are not recorded).

审计连接事件

启用审核通知

集群审计

数据库审计

新数据库的策略默认值

通知示例

新建连接

`Authentication request`

Database disconnect

`Notification field reference`

Status result codes

On this page

Error value	Error code	Description
`0`	AUTHENTICATION_FAILED	Invalid username and/or password.
`1`	AUTHENTICATION_FAILED_TOO_LONG	Username or password are too long.
`2`	AUTHENTICATION_NOT_REQUIRED	Client tried to authenticate, but authentication isn't necessary.
`3`	AUTHENTICATION_DIRECTORY_PENDING	Attempting to receive authentication info from the directory in async mode.
`4`	AUTHENTICATION_DIRECTORY_ERROR	Authentication attempt failed because there was a directory connection error.
`5`	AUTHENTICATION_SYNCER_IN_PROGRESS	Syncer SASL handshake. Return SASL response and wait for the next request.
`6`	AUTHENTICATION_SYNCER_FAILED	Syncer SASL handshake. Returned SASL response and closed the connection.
`7`	AUTHENTICATION_SYNCER_OK	Syncer authenticated. Returned SASL response.
`8`	AUTHENTICATION_OK	Client successfully authenticated.