topic Re: Audit logs theory in Log Analytics

Audit logs theory

IvanVovk — Mon, 17 Aug 2020 10:36:53 GMT

Hello there! I have some questions about auditr logs. Please share your ideas.

1. Are audit events duplicated in the API of different environments (for example, the login of a user who has access to multiple environments)?

2. How much does the load on the cluster change when enabling audit log?

3. Duplicate the audit logs on the nodes of the cluster?

4. What is the principle for choosing which cluster node to write audit logs on?

Re: Audit logs theory

ChadTurner — Thu, 20 Aug 2020 12:21:13 GMT

In instances where multiple nodes make up a cluster, it is my understanding that:

1.) Log files are duplicated on each node in the event that a node goes offline. Much like monitoring metrics, the host syncs up with the other ones once it is back up and running.

2.) Dynatrace has allotted enough space for log files, i would recommend following their sizing chart: Requirements

3.) This is part of # 1

4.) I am not aware of the ability to point a single node as the "Log writer" the nodes should be redundant so if Node A goes down with all the data on it, that data is mirrored on Node B and Node C which will seamlessly take over with host metrics and log files.

Re: Audit logs theory

IvanVovk — Tue, 25 Aug 2020 12:11:38 GMT

Hello Chad. Thanks for your answer.

Can you a bit more explain the first point.

Are audit events duplicated in the different environment API in case of user login?

Re: Audit logs theory

ChadTurner — Tue, 25 Aug 2020 15:50:29 GMT

Hey,

Each clustered node will have its own set of log files/Audit logs these are the same across all 3 clustered nodes.