An earlier post outlined the steps involved in setting up archiving for older audit records out of SAS Viya's Audit service. A new feature has since been added to SAS Viya to optionally enable the purging of these archived audit records once they reach a defined retention period to keep the PV storage clean and tidy. This post demonstrates the required steps.
There are two relevant configuration instances to set up the purging of archived audit records. The first, sas.audit.archive, was reviewed in the previous post, but now contains some additional configurable properties.
The *.retention.in.archive properties control the period for which audit and activity records are kept in the archive destination before they are purged. Define your retention period in these fields when setting up archiving. If your customer requires records to be kept for longer, adjust the value as necessary. In the example above, archived audit records more than a day old will be cleaned up by the purge process. Note that another new property is now available to define the minimum amount of available space required on storage before archiving occurs. Set your threshold value (a percentage of available space) in the storage.local.remainingSpaceThreshold property as required.
Then there's the new sas.audit.purge configuration instance which toggles the purge function on and off, and defines the frequency at which the purge process will run.
To enable purging, ensure that the enabled switch is turned on, and then define the schedule using standard cron syntax. In the same way that audit records are archived to the attached storage volume according to the schedule defined in the scanSchedule property, the purge process will remove records from the defined archive volume path per the schedule.
If backups of archived audit records (or PVCs) are required, be sure to take them between scheduled purges. Admins can also opt to disable the purge facility and manually delete archived records on an ad-hoc basis, but elevated privileges are required.
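A backup job that runs between purges has to capture every file that will pass the retention period before the next purge run. The shell function below is an added example, not code from the original post or from SAS; the directory arguments, the day-based retention value and the use of file modification time as the archive time are assumptions.

```shell
#!/bin/sh
# Added example, not SAS code. Assumptions: the archive PV is mounted at a
# directory you pass in, retention is expressed in whole days, and file
# mtime approximates the time a record file was archived.

# backup_before_purge ARCHIVE_DIR RETENTION_DAYS PURGE_INTERVAL_HOURS BACKUP_DIR
# Archives every file that will be past retention by the next purge run,
# writes a SHA-256 manifest beside the tarball, and prints the tarball path
# (prints nothing when no file is due for purging).
# Hypothetical call: backup_before_purge /archive 1 24 /backup
backup_before_purge() {
    archive_dir=$1 retention_days=$2 purge_interval_hours=$3 backup_dir=$4

    # A file is at risk once its age exceeds retention minus one purge interval.
    cutoff_min=$(( retention_days * 1440 - purge_interval_hours * 60 ))
    if [ "$cutoff_min" -lt 0 ]; then cutoff_min=0; fi

    list=$(mktemp) || return 1
    if ! (cd "$archive_dir" && find . -type f -mmin +"$cutoff_min" -print) > "$list"; then
        rm -f "$list"; return 1
    fi
    # Nothing is close to the retention limit: no backup needed this cycle.
    if [ ! -s "$list" ]; then rm -f "$list"; return 0; fi

    out="$backup_dir/audit-archive-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # Keep backups readable only by the account that runs the job.
    if (umask 077 && tar -czf "$out" -C "$archive_dir" -T "$list" \
            && sha256sum "$out" > "$out.sha256"); then
        rm -f "$list"; printf '%s\n' "$out"
    else
        rm -f "$list" "$out" "$out.sha256"; return 1
    fi
}
```

Schedule it more often than the purge interval you pass in, and use absolute paths for both directories.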
Thanks for reading. For more on the Audit service, refer to the SAS Viya: Administration guide.
Hi,
Can I verify for what release of SAS Environment Manager is this applicable? Currently, I am using SAS Environment Manager (release 3.4) along with SAS Viya release V.03.05 in my environment and I do not see the sas.audit.purge definition available.
I would like to find out more on how to manage audit logs generated in my case as I did not define a location for storage.local.destination but audit logs are written to /var/log/audit.
In my case, SAS Viya is deployed on a VM RHEL instance with single machine deployment setup.
Intention: to keep audit logs for only the last 3 months and delete audit logs beyond the 3-month retention period
I'm pretty sure this post relates to Viya 4 as there are references to this in the above earlier linked post.
I have followed the instructions here and am facing a problem.
1. As explained, I have mounted a PVC to the audit pod, which is an Azure blob storage account
I share below the pv-pvc yaml file and the transformer file which is added to the kustomization and I have rebuilt and applied the new site.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc-audit
  namespace: sasprod
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  volumeName: pv-audit
  storageClassName: azureblob-nfs-premium
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-audit
  namespace: sasprod
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
  storageClassName: azureblob-nfs-premium
  csi:
    driver: blob.csi.azure.com
    readOnly: false
    # make sure volumeid is unique for every identical storage blob container in the cluster
    # character `#` is reserved for internal use and cannot be used in volumehandle
    volumeHandle: audit-logs
    volumeAttributes:
      resourceGroup: dpi-bsdm-sasprod-rg
      storageAccount: dpibsdmsasprodtest
      containerName: audit-logs
      protocol: nfs
transformers file
apiVersion: builtin
kind: PatchTransformer
metadata:
  name: archive-transformer
patch: |-
  - op: add
    path: /spec/template/spec/volumes/-
    value:
      name: audit-archive-volume
      persistentVolumeClaim:
        claimName: pvc-audit
  - op: add
    path: /spec/template/spec/containers/0/volumeMounts/-
    value:
      name: audit-archive-volume
      mountPath: /archive
target:
  group: apps
  kind: Deployment
  name: sas-audit
  version: v1
This PVC is bound successfully as I can see it when I shell into the audit pod.
Below is the audit pod configuration
However, I get these error notifications
Could you help why the archiving is not going as expected?