BookmarkSubscribeRSS Feed

How to configure archiving of audit records in SAS Viya

Started ‎03-07-2022 by
Modified ‎03-07-2022 by
Views 2,406

SAS Viya's Audit service tracks system usage through audit records, which are stored in the SAS Infrastructure Data Server. By default, audit records are retained for seven days; older records are archived every day at midnight (schedule is customizable). But the Audit service runs as a pod in a Kubernetes cluster, and is therefore designed to be ephemeral and disposable. So how does archival (which can be a persistent process) of audit records work? In this post, we'll look at the extra setup steps required to configure audit record archiving.




Attach a PVC to the sas-audit pod and update the Audit service configuration to configure archiving behaviour.


The detail


First, create the YAML manifests for a new PVC which will be attached to the sas-audit pod to store archived audit records. The files will be in a new subdirectory under site-config called sas-audit in your $deploy directory.


mkdir ~/project/deploy/gelcorp/site-config/sas-audit


In this example, we'll create a 1Gi PVC.


tee ~/project/deploy/gelcorp/site-config/sas-audit/resources.yaml > /dev/null << EOF
apiVersion: v1
kind: PersistentVolumeClaim
    name: audit-archive-pvc
    - ReadWriteMany
    volumeMode: Filesystem
        storage: 1Gi # Change this to desired capacity.
    storageClassName: nfs-client # Change this the desired storage class.


We'll then define how and where it's mounted. In this case, at the path "/archive" in the sas-audit pod.


tee ~/project/deploy/gelcorp/site-config/sas-audit/archive-transformer.yaml > /dev/null << EOF
apiVersion: builtin
kind: PatchTransformer
  name: archive-transformer
patch: |-
  - op: add
    path: /spec/template/spec/volumes/-
      name: audit-archive-volume
        claimName: audit-archive-pvc
  - op: add
    path: /spec/template/spec/containers/0/volumeMounts/-
      name: audit-archive-volume
      mountPath: /archive
  group: apps
  kind: Deployment
  name: sas-audit
  version: v1


Now we need to backup and rebuild the kustomization.yaml file (using yq in the below example)...


cd  ~/project/deploy/gelcorp
cp -p kustomization.yaml kustomization.pre-audit-archive.yaml
yq4 eval -i '.transformers += ["site-config/sas-audit/archive-transformer.yaml"]' ./kustomization.yaml
yq4 eval -i '.resources += ["site-config/sas-audit/resources.yaml"]' ./kustomization.yaml


...and apply to the cluster. If you have SAS Deployment Operator, back up and regenerate the SASDeployment CR YAML file and then apply it, otherwise just run a kubectl apply command:


cd ~/project/deploy/
cp -p gelcorp-sasdeployment.yaml gelcorp-sasdeployment.pre-audit-archive.yaml

docker run --rm \
   -v ${PWD}/license:/license \
   -v ${PWD}/gelcorp:/gelcorp \
   sas-orchestration \
   create sas-deployment-cr \
   --deployment-data /license/ \
   --license /license/SASViyaV4_9CKY1V_license.jwt \
   --user-content /gelcorp \
   --cadence-name lts \
   --cadence-version 2021.2 \
   --cadence-release 20220104.1641281166167 \
> ~/project/deploy/gelcorp-sasdeployment.yaml

kubectl apply -f ~/project/deploy/gelcorp-sasdeployment.yaml

Wait for reconciliation (about 5-10 mins), verify the PVC has been mounted in the new pod (the old pod gets terminated):


kubectl exec -it sas-audit-848b79fb7d-ssqmb -- ls /
archive  dev   lib       lost+found  opt   run       srv  usr
bin      etc   lib64     media       proc  sbin      sys  var
boot     home  licenses  mnt         root  security  tmp


So now we have somewhere to archive to, we need to tell the Audit service to use it.


Go to SAS Environment Manager > Configuration > Audit service and edit (pencil icon) the sas.audit.archive configuration instance. Update the storage.local.destination property with a path (inside the new archive location), and set storageType to "local". Optionally, adjust the cron schedule and retention periods as required.



Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.


Hit Save to apply. When the time specified in your cron expression is reached, the archive process commences and records will start to be written to the PVC (and removed from the Infrastructure Data Server). You can view them directly from the main cluster node:


ls /srv/nfs/kubedata/gelcorp-audit-archive-pvc-pvc-09d41561-b13b-4438-bcc0-378c388e0fbe/archive/audit
audit--1645619701154.arc  audit--1645619706866.arc audit--1645619711756.arc audit--1645619716885.arc audit--1645619721857.arc audit--1645619726758.arc audit--1645619731454.arc audit--1645619736548.arc audit--1645619741568.arc audit--1645619746173.arc
audit--1645619702309.arc audit--1645619707666.arc audit--1645619712760.arc audit--1645619717673.arc audit--1645619722683.arc audit--1645619727558.arc audit--1645619732241.arc audit--1645619737355.arc audit--1645619742358.arc audit--1645619746963.arc audit--1645619703291.arc audit--1645619708476.arc audit--1645619713546.arc audit--1645619718498.arc audit--1645619723663.arc audit--1645619728371.arc audit--1645619732983.arc audit--1645619738084.arc audit--1645619743051.arc audit--1645619747661.arc audit--1645619704236.arc audit--1645619709298.arc audit--1645619714360.arc audit--1645619719357.arc audit--1645619724463.arc audit--1645619729059.arc audit--1645619733762.arc audit--1645619738860.arc audit--1645619743752.arc audit--1645619748484.arc audit--1645619705147.arc audit--1645619710060.arc audit--1645619715156.arc audit--1645619720184.arc audit--1645619725255.arc audit--1645619729865.arc audit--1645619734630.arc audit--1645619739647.arc audit--1645619744567.arc audit--1645619706056.arc audit--1645619710867.arc audit--1645619715946.arc audit--1645619721071.arc audit--1645619725981.arc audit--1645619730639.arc audit--1645619735760.arc audit--1645619740385.arc audit--1645619745361.arc


Each .ARC is a JSON file containing audit data containing 1000 records (as defined by the batchSize configuration property). The files can be copied to another location (e.g. somewhere that gets backed up) and/or deleted, noting that they are owned by root (sudo access required).


Thank you for reading. 


Find more articles from SAS Global Enablement and Learning here.

Version history
Last update:
‎03-07-2022 03:55 PM
Updated by:


Available on demand!

Missed SAS Innovate Las Vegas? Watch all the action for free! View the keynotes, general sessions and 22 breakouts on demand.


Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags