gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

HA backend/audit log configuration docs should point out that `audit_sessions_uri` also needs to be set #36619

Open webvictim opened 8 months ago

webvictim commented 8 months ago

Applies To

https://goteleport.com/docs/reference/backends/#postgresql
https://goteleport.com/docs/reference/backends/#athena

Details

Following the backend reference docs to configure PostgreSQL backend/audit logs (or Athena audit logs) causes Teleport to emit an error when using the reference configs:

teleport[6176]: ERROR REPORT:
teleport[6176]: Original Error: *trace.BadParameterError please specify audit_sessions_uri when using external audit backends
teleport[6176]: Stack Trace:
teleport[6176]: github.com/gravitational/teleport/lib/service/service.go:1624 github.com/gravitational/teleport/lib/service.(*TeleportProcess).initAuthExternalAuditLog
teleport[6176]: github.com/gravitational/teleport/lib/service/service.go:1696 github.com/gravitational/teleport/lib/service.(*TeleportProcess).initAuthService
teleport[6176]: github.com/gravitational/teleport/lib/service/service.go:1095 github.com/gravitational/teleport/lib/service.NewTeleport
teleport[6176]: github.com/gravitational/teleport/lib/service/service.go:679 github.com/gravitational/teleport/lib/service.newTeleportProcess
teleport[6176]: github.com/gravitational/teleport/lib/service/service.go:689 github.com/gravitational/teleport/lib/service.Run
teleport[6176]: github.com/gravitational/teleport/tool/teleport/common/teleport.go:609 github.com/gravitational/teleport/tool/teleport/common.OnStart
teleport[6176]: github.com/gravitational/teleport/tool/teleport/common/teleport.go:527 github.com/gravitational/teleport/tool/teleport/common.Run
teleport[6176]: github.com/gravitational/teleport/tool/teleport/main.go:31 main.main
teleport[6176]: runtime/proc.go:267 runtime.main
teleport[6176]: runtime/asm_amd64.s:1650 runtime.goexit
teleport[6176]: User Message: initialization failed
teleport[6176]: please specify audit_sessions_uri when using external audit backends

We should add a callout and links in these sections of the docs explaining how to configure HA session recording storage as well.

Merely telling people to use local file storage is not a good solution; although it will make the error go away in the short term, there will be inconsistencies in true HA setups where logs are written to one of the configured auth servers and are thus unavailable for playback on demand.

For reference, though, if anyone does want to work around this for testing on single-node clusters, you can set this in the config and restart:

auth_service:
  storage:
    # for local testing on single-node clusters ONLY
    audit_sessions_uri: "file:///var/lib/teleport/log/records"

How will we know this is resolved?

Follow the docs and ensure that Teleport starts after implementing the reference config and following the notes.

Related Issues
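The two configurations the issue contrasts, written out as an added example that is not from the issue author, the Teleport docs or the Teleport code base. The first document has the shape of the linked PostgreSQL reference config (backend and audit events in Postgres, no `audit_sessions_uri`), which is the shape that produces the "please specify audit_sessions_uri when using external audit backends" error quoted above; the second adds an `audit_sessions_uri` pointing at shared object storage so every auth server in an HA cluster can play back any recording. The hostname, database names, CA path, bucket name and region are placeholders; the keys are placed under `teleport.storage` as in the linked backend reference; the two documents are separated by `---` only for side-by-side reading, and only one of them would go in `/etc/teleport.yaml`.

```yaml
# Added example, not from the issue or the Teleport docs.
# Hostnames, database names, CA path, bucket and region are placeholders.

# 1) Shape of the PostgreSQL reference config: cluster state and audit events
#    live in Postgres, but nothing says where session recordings go. An auth
#    server started with this fails with
#    "please specify audit_sessions_uri when using external audit backends".
teleport:
  storage:
    type: postgresql
    conn_string: "postgresql://teleport@db.example.internal:5432/teleport_backend?sslmode=verify-full&sslrootcert=/var/lib/teleport/db-ca.pem"
    audit_events_uri:
      - "postgresql://teleport@db.example.internal:5432/teleport_audit?sslmode=verify-full&sslrootcert=/var/lib/teleport/db-ca.pem"
---
# 2) Same backend, plus session recordings in shared object storage. Every auth
#    server writes to and reads from the same bucket, so playback works no
#    matter which auth server recorded the session or which one serves the
#    request. This is the HA-safe counterpart of the single-node
#    file:///var/lib/teleport/log/records workaround above.
teleport:
  storage:
    type: postgresql
    conn_string: "postgresql://teleport@db.example.internal:5432/teleport_backend?sslmode=verify-full&sslrootcert=/var/lib/teleport/db-ca.pem"
    audit_events_uri:
      - "postgresql://teleport@db.example.internal:5432/teleport_audit?sslmode=verify-full&sslrootcert=/var/lib/teleport/db-ca.pem"
    audit_sessions_uri: "s3://teleport-session-recordings-example/records?region=us-east-1"
```

A quick check after editing the file is to restart the auth service and confirm it no longer logs the `initAuthExternalAuditLog` error shown above; if the bucket is reachable, a newly recorded session should then be playable from any auth server in the cluster, not only the one that recorded it.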

flyinghermit commented 4 months ago

+1 to mention audit_sessions_uri in the docs.

I just got bitten by this when testing out audit events in the postgres backend.