
Purging archived audit records in SAS Viya

Started ‎10-20-2022 by
Modified ‎10-20-2022 by

An earlier post outlined the steps involved in setting up archiving for older audit records out of SAS Viya's Audit service. A new feature has since been added to SAS Viya to optionally enable the purging of these archived audit records once they reach a defined retention period to keep the PV storage clean and tidy. This post demonstrates the required steps.

 

There are two relevant configuration instances to set up the purging of archived audit records. The first, sas.audit.archive, was reviewed in the previous post, but now contains some additional configurable properties.

 

af_1_audit_record_archive_purge_retention-1024x551.png


 

 

The *.retention.in.archive properties control how long audit and activity records are kept in the archive destination before they are purged. Define your retention period in these fields when setting up archiving. If your customer requires records to be kept for longer, adjust the value as necessary. In the example above, archived audit records more than a day old will be cleaned up by the purge process. Note that another new property is now available to define the minimum amount of available space required on storage before archiving occurs. Set your threshold value (a percentage of available space) in the storage.local.remainingSpaceThreshold property as required.

 

Then there's the new sas.audit.purge configuration instance, which toggles the purge function on and off and defines the frequency at which the purge process will run.

 

af_2_sas_audit_purge-1024x505.png

 

 

To enable purging, ensure that the enabled switch is turned on, and then define the schedule using standard cron syntax. In the same way that audit records are archived to the attached storage volume according to the schedule defined in the scanSchedule property, the purge process will remove records from the defined archive volume path according to its own schedule.

 

If backups of archived audit records (or PVCs) are required, be sure to take them between scheduled purges. Admins can also opt to disable the purge facility and manually delete archived records on an ad-hoc basis, but elevated privileges are required.
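
A pre-purge backup helper for the paragraph above, added here as an example and not SAS-supplied tooling: it lists and copies the archive files that have passed the retention period, so they can be saved before the next scheduled purge removes them. The flat-file archive layout, the use of file modification time as record age, the reading of the space threshold, and all function names are assumptions.

```sh
#!/bin/sh
# Added example (constructed; not SAS tooling). Assumptions: archived records
# are ordinary files under the archive mount, and file modification time is a
# fair proxy for the record age that the purge compares with the retention.

# List files older than RETENTION_DAYS under ARCHIVE_DIR. Read-only.
list_expired() {
  find "${1%/}" -type f -mmin "+$(($2 * 1440))" -print | sort
}

# Copy each expired file to BACKUP_DIR, keeping relative paths and timestamps.
# Prints the relative path of every file copied; nothing is deleted.
backup_expired() (
  dir=${1%/}; days=$2; dest=${3%/}
  list_expired "$dir" "$days" | while IFS= read -r f; do
    rel=${f#"$dir"/}
    mkdir -p "$dest/$(dirname "$rel")"
    cp -p "$f" "$dest/$rel" && printf '%s\n' "$rel"
  done
)

# Succeeds when the free space on the volume holding DIR is at least
# THRESHOLD percent (assumed reading of storage.local.remainingSpaceThreshold).
space_ok() (
  free=$(df -P "$1" | awk 'NR==2 { sub("%", "", $5); print 100 - $5 }')
  [ "$free" -ge "$2" ]
)

# Direct use: sh prepurge.sh ARCHIVE_DIR RETENTION_DAYS BACKUP_DIR
if [ "$#" -eq 3 ]; then
  backup_expired "$1" "$2" "$3"
fi
```

Run it with the same retention value that is set in the *.retention.in.archive property, and schedule it ahead of the purge schedule so the copy finishes first.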

 

Thanks for reading. For more on the Audit service, refer to the SAS Viya: Administration guide.

 

Find more articles from SAS Global Enablement and Learning here.

Comments

Hi,

 

Can I verify for what release of SAS Environment Manager is this applicable? Currently, I am using SAS Environment Manager (release 3.4) along with SAS Viya release V.03.05 in my environment and I do not see the sas.audit.purge definition available. 

 

I would like to find out more on how do I manage audit logs generated in my case as I did not define a location for storage.local.destination but audit logs are written to /var/log/audit.

 

In my case, SAS Viya is deployed on a VM RHEL instance with single machine deployment setup.

 

Intention: to keep audit logs for only last 3 months and delete audit logs beyond 3 month retention period

I'm pretty sure this post relates to Viya 4 as there are references to this in the above earlier linked post.

vki

I have followed the instructions here and am facing a problem. 
1. As explained, I have mounted a PVC to the audit pod, which is an Azure blob storage account
I share below the pv-pvc yaml file and the transformer file which is added to the kustomization and I have rebuilt and applied the new site. 

 

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc-audit
  namespace: sasprod
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  volumeName: pv-audit
  storageClassName: azureblob-nfs-premium
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-audit
  namespace: sasprod
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain  # If set as "Delete" container would be removed after pvc deletion
  storageClassName: azureblob-nfs-premium
  csi:
    driver: blob.csi.azure.com
    readOnly: false
    # make sure volumeid is unique for every identical storage blob container in the cluster
    # character `#` is reserved for internal use and cannot be used in volumehandle
    volumeHandle: audit-logs
    volumeAttributes:
      resourceGroup: dpi-bsdm-sasprod-rg
      storageAccount: dpibsdmsasprodtest
      containerName: audit-logs
      protocol: nfs

transformers file

apiVersion: builtin
kind: PatchTransformer
metadata:
  name: archive-transformer
patch: |-
  - op: add
    path: /spec/template/spec/volumes/-
    value:
      name: audit-archive-volume
      persistentVolumeClaim:
        claimName: pvc-audit
  - op: add
    path: /spec/template/spec/containers/0/volumeMounts/-
    value:
      name: audit-archive-volume
      mountPath: /archive
target:
  group: apps
  kind: Deployment
  name: sas-audit
  version: v1

This pvc is bound successfully as I can see it when I shell into the audit pod. 
Below is the audit pod configuration

Screenshot 2023-12-20 at 11.38.38.png

 However, I get these error notifications

Screenshot 2023-12-20 at 11.39.16.png

Could you help why the archiving is not going as expected?




Version history
Last update:
‎10-20-2022 12:10 AM