@@ -11,6 +11,231 @@ This topic describes all :ref:`configuration parameters <configuration>` provide
1111Most of the configuration options described in this reference can be applied to a specific instance, replica set, group, or to all instances globally.
1212To do so, you need to define the required option at the :ref: `specified level <configuration_scopes >`.
1313
14+ .. _configuration_reference_audit :
15+
16+ audit_log
17+ ---------
18+
19+ The ``audit_log `` section defines various parameters related to :ref: `audit log <enterprise_audit_module>.
20+
21+ .. NOTE::
22+
23+ ``audit_log`` can be defined in ? :ref: `scope <configuration_scopes >`.
24+
25+ * :ref: `audit_log.extract_key <configuration_reference_audit_extract_key >`
26+ * :ref: `audit_log.file <configuration_reference_audit_file >`
27+ * :ref: `audit_log.filter <configuration_reference_audit_filter >`
28+ * :ref: `audit_log.format <configuration_reference_audit_format >`
29+ * :ref: `audit_log.nonblock <configuration_reference_audit_nonblock >`
30+ * :ref: `audit_log.pipe <configuration_reference_audit_pipe >`
31+ * :ref: `audit_log.spaces <configuration_reference_audit_spaces >`
32+ * :ref: `audit_log.syslog_facility <configuration_reference_audit_syslog-facility >`
33+ * :ref: `audit_log.syslog_identity <configuration_reference_audit_syslog-identity >`
34+ * :ref: `audit_log.syslog_server <configuration_reference_audit_syslog-server >`
35+ * :ref: `audit_log.to <configuration_reference_audit_to >`
36+
37+ .. _configuration_reference_audit_extract_key :
38+
39+ .. confval :: audit_log.extract_key
40+
41+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
42+
43+ Specify the logging mode in DML events.
44+ If set to ``true ``, the audit subsystem extracts and prints only the primary key instead of a full
45+ tuples in DML events (``space_insert ``, ``space_replace ``, ``space_delete ``).
46+ Otherwise, full tuples are logged.
47+ The option may be useful in case tuples are big.
48+
49+ |
50+ | Type: boolean
51+ | Default: false
52+ | Environment variable: TT_AUDIT_LOG_EXTRACT_KEY
53+
54+ .. _configuration_reference_audit_file :
55+
56+ .. confval :: audit_log.file
57+
58+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
59+
60+ Specify a file for the audit logs destination.
61+ You can set the 'file' type using the :ref: `audit_log.to <configuration_reference_audit_to >` option.
62+ If you write logs to a file, Tarantool reopens the audit log at SIGHUP.
63+
64+ |
65+ | Type: string
66+ | Default: var/log/{{ instance_name }}/audit.lo
67+ | Environment variable: TT_AUDIT_LOG_FILE
68+
69+ .. _configuration_reference_audit_filter :
70+
71+ .. confval :: audit_log.filter
72+
73+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
74+
75+ Enable logging for a specified subset of audit events.
76+ This option accepts the following values:
77+
78+ * ``all `` -- all :ref: `events <audit-log-events >`.
79+
80+ .. note ::
81+
82+ Events ``call `` and ``eval `` are included only into the ``all `` group.
83+
84+ * ``audit `` -- ``audit_enable `` event.
85+
86+ * ``auth `` -- authorization events: ``auth_ok ``, ``auth_fail ``.
87+
88+ * ``priv `` -- events related to authentication, authorization, users, and roles:
89+ ``user_create ``, ``user_drop ``, ``role_create ``, ``role_drop ``, ``user_enable ``, ``user_disable ``,
90+ ``user_grant_rights ``, ``user_revoke_rights ``, ``role_grant_rights ``, ``role_revoke_rights ``.
91+
92+ * ``ddl `` -- events of space creation, altering, and dropping:
93+ ``space_create ``, ``space_alter ``, ``space_drop ``.
94+
95+ * ``dml `` -- events of data modification in spaces:
96+ ``space_insert ``, ``space_replace ``, ``space_delete ``.
97+
98+ * ``data_operations `` -- events of data modification or selection from spaces:
99+ ``space_select ``, ``space_insert ``, ``space_replace ``, ``space_delete ``.
100+
101+ * ``compatibility `` -- events available in Tarantool before the version 2.10.0.
102+ ``auth_ok ``, ``auth_fail ``, ``disconnect ``, ``user_create ``, ``user_drop ``,
103+ ``role_create ``, ``role_drop ``, ``user_enable ``, ``user_disable ``,
104+ ``user_grant_rights ``, ``user_revoke_rights ``, ``role_grant_rights ``.
105+ ``role_revoke_rights ``, ``password_change ``, ``access_denied ``.
106+ This group enables the compatibility with earlier Tarantool versions.
107+
108+
109+ |
110+ | Type: array
111+ | Possible values: 'all', 'audit', 'auth', 'priv', 'ddl', 'dml', 'data_operations', 'compatibility'
112+ | Default: 'nil'
113+ | Environment variable: TT_AUDIT_LOG_FILTER
114+
115+ .. _configuration_reference_audit_format :
116+
117+ .. confval :: audit_log.format
118+
119+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
120+
121+ Specify a format that is used for the audit log.
122+
123+ |
124+ | Type: string
125+ | Possible values: 'json', 'csv', 'plain'
126+ | Default: 'json'
127+ | Environment variable: TT_AUDIT_LOG_FORMAT
128+
129+ .. _configuration_reference_audit_nonblock :
130+
131+ .. confval :: audit_log.nonblock
132+
133+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
134+
135+ Specify the logging behavior if the system is not ready to write.
136+ If set to ``true ``, Tarantool does not block during logging if the system is non-writable and writes a message instead.
137+ The option only has an effect if the output goes to ``syslog `` or ``pipe: ``.
138+ Setting ``audit_nonblock `` to ``true `` is not allowed if the output is to a file.
139+ Using this value may improve logging performance at the cost of losing some log messages.
140+
141+ |
142+ | Type: boolean
143+ | Default: false
144+ | Environment variable: TT_AUDIT_LOG_NONBLOCK
145+
146+ .. _configuration_reference_audit_pipe :
147+
148+ .. confval :: audit_log.pipe
149+
150+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
151+
152+ Specify a pipe for the audit logs destination.
153+ You can set the 'pipe' type using the :ref: `audit_log.to <configuration_reference_audit_to >` option.
154+
155+ |
156+ | Type: string
157+ | Default: box.NULL
158+ | Environment variable: TT_AUDIT_LOG_PIPE
159+
160+ .. _configuration_reference_audit_spaces :
161+
162+ .. confval :: audit_log.spaces
163+
164+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
165+
166+ The array of space names for which data operation events (``space_select ``, ``space_insert ``, ``space_replace ``,
167+ ``space_delete ``) should be logged. The array accepts string values.
168+ If set to :ref: `box.NULL <box-null >`, the data operation events are logged for all spaces.
169+
170+ |
171+ | Type: array
172+ | Default: box.NULL
173+ | Environment variable: TT_AUDIT_LOG_SPACES
174+
175+ .. _configuration_reference_audit_syslog-facility :
176+
177+ .. confval :: audit_log.syslog_facility
178+
179+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
180+
181+ Specify a syslog keyword that tells `syslogd <https://datatracker.ietf.org/doc/html/rfc5424 >`__ where to send the message.
182+
183+ |
184+ | Type: string
185+ | Possible values: 'auth', 'authpriv', 'cron', 'daemon', 'ftp', 'kern', 'lpr', 'mail', 'news', 'security', 'syslog', 'user', 'uucp', 'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7'
186+ | Default: local7
187+ | Environment variable: TT_AUDIT_LOG_SYSLOG_FACILITY
188+
189+ .. _configuration_reference_audit_syslog-identity :
190+
191+ .. confval :: audit_log.syslog_identity
192+
193+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
194+
195+ Specify an arbitrary string that will be placed at the beginning of all messages.
196+
197+ |
198+ | Type: string
199+ | Default: 'tarantool'
200+ | Environment variable: TT_AUDIT_LOG_SYSLOG_IDENTITY
201+
202+ .. _configuration_reference_audit_syslog-server :
203+
204+ .. confval :: audit_log.syslog_server
205+
206+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
207+
208+ Set a location for the syslog server.
209+ It can be a Unix socket path starting with 'unix:' or an ipv4 port number.
210+ You can enable logging to the system logger using the :ref: `audit_log.to <configuration_reference_audit_to >` option.
211+
212+ |
213+ | Type: string
214+ | Possible values:
215+ | Default: box.NULL
216+ | Environment variable: TT_AUDIT_LOG_SYSLOG_SERVER
217+
218+ .. _configuration_reference_audit_to :
219+
220+ .. confval :: audit_log.to
221+
222+ **Since: ** :doc: `3.0.0 </release/3.0.0 >`.
223+
224+ Enable audit logging and define the logs location.
225+ This option accepts the following values:
226+
227+ - ``devnull ``: disable audit logging.
228+ - ``file ``: write audit logs to a file (see :ref: `audit_log.file <configuration_reference_audit_file >`).
229+ - ``pipe ``: write audit logs to a pipe (see :ref: `audit_log.pipe <configuration_reference_audit_pipe >`).
230+ - ``syslog ``: write audit logs to the system logger (see :ref: `audit_log.syslog <configuration_reference_audit_pipe >`).
231+
232+ By default, audit logging is disabled.
233+
234+ |
235+ | Type: string
236+ | Possible values: 'devnull', 'file', 'pipe', 'syslog'
237+ | Default: 'devnull'
238+ | Environment variable: TT_AUDIT_LOG_TO
14239
15240.. _configuration_reference_config :
16241
@@ -19,7 +244,7 @@ config
19244
20245The ``config `` section defines various parameters related to centralized configuration.
21246
22- .. NOTE ::
247+ .. NOTE ::
23248
24249 ``config `` can be defined in the global :ref: `scope <configuration_scopes >` only.
25250
0 commit comments