Using Cryostat audit logging

Red Hat build of Cryostat 4

Red Hat Customer Content Services

Abstract

Red Hat build of Cryostat is a Red Hat offering on OpenShift Container Platform. The Using Cryostat audit logging document is for users that want to track actions performed by human or programmatic clients when interacting with the Cryostat API.

Preface

The Red Hat build of Cryostat is a container-native implementation of JDK Flight Recorder (JFR) that you can use to securely monitor the Java Virtual Machine (JVM) performance in workloads that run on an OpenShift Container Platform cluster. You can use Cryostat to start, stop, retrieve, archive, import, and export JFR data for JVMs inside your containerized applications by using a web console or an HTTP API.

Depending on your use case, you can store and analyze your recordings directly on your Red Hat OpenShift cluster by using the built-in tools that Cryostat provides or you can export recordings to an external monitoring application to perform a more in-depth analysis of your recorded data.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Audit logging in Cryostat

From Cryostat 4.2 onward, Cryostat provides an audit logging feature, based on the open-source Hibernate Envers module, for tracking actions that are performed by human or programmatic clients when interacting with Cryostat’s API.

By using audit logging, administrators can achieve traceability and accountability around which clients performed which actions in Cryostat. Audit logging also supports the ability to track internal automated tasks that are performed by Cryostat itself.

Audit logging allows Cryostat to track various types of interactions in its database. For example:

  • Starting, stopping, archiving, or deleting an active flight recording
  • Deleting an archived flight recording
  • Creating, updating, enabling, disabling, or deleting an automated rule

    Note

    This also includes the cascading active flight recordings that rules might create.

  • Requesting diagnostic garbage collection, thread dump, or heap dump events
  • Finding or losing a target JVM

The Cryostat web console provides an Audit Log view where you can search for audit log information for a specified timeframe. If audit logging is enabled, Cryostat loads the search results as a table of audit log revisions, including the timestamp and user details associated with each revision.

Chapter 2. Configuration of audit logging support

If you want to use audit logging, the configuration steps you need to follow will vary, depending on whether you have installed Cryostat by using the Cryostat Operator or a Helm chart. The configuration steps will also vary depending on whether you are using a new or upgraded installation of Cryostat.

Note

When you enable audit logging, it increases disk input/output, decreases potential database throughput, and increases database disk usage over time.

Audit logging configuration for Operator installations of Cryostat

If you installed Cryostat by using the Cryostat Operator, consider the following information:

  • Cryostat includes a spec.enableAudit custom resource (CR) property that you can set to true to enable audit logging in Operator installations of Cryostat.
  • The spec.enableAudit property is set to true by default in new installations of Cryostat 4.2. If you are using a new Cryostat 4.2 installation, audit logging is automatically enabled.
  • The spec.enableAudit property is not available by default in existing Cryostat installations that you are upgrading to 4.2. If you want to enable audit logging in an upgraded Cryostat installation, you must first delete the existing CR for your Cryostat instance. Then you must create a new CR for this Cryostat instance and ensure that the spec.enableAudit property is set to true.

    Note

    When you delete a CR, all data is removed from the Cryostat database and storage. Before deleting an existing CR, ensure that you have created a manual backup of any archived data in Cryostat storage or database entities such as automated rules. After creating the new CR, you can then manually restore your backed-up data, as appropriate.

  • If you want to disable audit logging, set the spec.enableAudit property to false.

Audit logging configuration for Helm chart installations of Cryostat

If you installed Cryostat by using a Helm chart, consider the following information:

  • Cryostat includes a core.audit.mode parameter that you can configure in Helm chart deployments of Cryostat. Valid values are auto, enabled, or disabled.
  • This parameter is set to auto by default, which means audit logging is automatically enabled for new Cryostat 4.2 installations, whereas it is disabled for existing Cryostat installations that you are upgrading to 4.2.
  • If you want to enable audit logging in an upgraded Cryostat installation, you must explicitly set the core.audit.mode parameter to enabled.
  • If you want to disable audit logging, set the core.audit.mode parameter to disabled.

Chapter 3. Searching for audit log information

You can use the Security > Audit Log view of the Cryostat web console to search for audit log information for a specified timeframe. You can view the search results as a paginated table of revisions, including the timestamp and user associated with each revision. You can also expand a revision in the table to view a list of database updates that occurred during that revision.

Note

The Security > Audit Log view is available in the stand-alone Cryostat web console only. This view is not available in the Cryostat web console plug-in.

Procedure

  1. From the Cryostat web console navigation menu, select Security > Audit Log.
  2. In the Audit Log panel, use the Start Time and End Time fields to select the time range for which you want to view audit log details. The default start time corresponds to exactly one hour before you opened the Audit Log panel. The default end time corresponds to exactly one minute after you opened the Audit Log panel.
  3. If you subsequently want to update the specified time range, click the Reset button. This automatically updates the time range to correspond to exactly one hour before and one minute after the current time.
  4. To run a search, click the Query button.

    The search results are then displayed as a paginated table of revisions, including the timestamp and user associated with each revision.

    Figure 3.1. Example list of audit log search results

    Note

    The Username column typically displays the OpenShift user name or remote client IP address that is associated with each revision. If a user cannot be determined or a revision has no direct user association, the user information is displayed as “Unknown”.

  5. If you want to view the list of database updates that occurred during a specific revision, click the (>) expand icon next to this item in the list.

    Figure 3.2. Example list of database updates for a revision

    The range of additional information shown depends on the type of entity (for example, target, active recording, rule, credential, and so on) that is associated with the revision. The preceding example shows one update indicating that a recording file was added to the database.

    Note

    Depending on whether the Cryostat web console is able to render the contents, some revisions might not display any additional information.

  6. If you want to download a report of the audit log details, click the Download audit log as JSON button. This downloads the same data shown on screen to your local system in JSON format. You can use the downloaded report for further offline analysis.

    Note

    The downloaded report might also contain additional information that the Cryostat web console was unable to render on screen.
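The following Python sketch shows one way to carry out the offline analysis mentioned in step 6. It is an added example, not part of the Cryostat product or its documentation: it counts revisions per actor within a time window and flags revisions that are not tied to a named OpenShift user (a remote client IP address or "Unknown"). The JSON key names (timestamp, username, changes), the ISO 8601 timestamp format, and the sample data are assumptions made for illustration; confirm them against a real download.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export. Key names and ISO 8601 timestamps are assumptions;
# check a real download and pass the real key names to summarize().
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2026-05-26T16:40:00Z", "username": "alice", "changes": [{"entity": "ActiveRecording"}]},
    {"timestamp": "2026-05-26T16:45:10Z", "username": "10.128.2.17", "changes": [{"entity": "Rule"}]},
    {"timestamp": "2026-05-26T16:50:30Z", "username": "Unknown", "changes": []},
    {"timestamp": "2026-05-26T17:05:00Z", "username": "alice", "changes": [{"entity": "Rule"}]},
    {"timestamp": "2026-05-26T19:00:00Z", "username": "bob", "changes": [{"entity": "Target"}]},
])

def classify_actor(name):
    """Map a Username value to the three cases the console describes."""
    if not name or name == "Unknown":
        return "unknown"
    try:
        ipaddress.ip_address(name)   # IPv4 or IPv6 literal
        return "client-ip"
    except ValueError:
        return "user"                # anything else is treated as a user name

def parse_ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(export_text, start, end, ts_key="timestamp", user_key="username"):
    """Return (revision count per actor, revisions without a named user)."""
    per_actor, no_named_user = Counter(), []
    for rev in json.loads(export_text):
        if not (start <= parse_ts(rev[ts_key]) <= end):
            continue
        actor = rev.get(user_key)
        kind = classify_actor(actor)
        per_actor[(kind, actor or "Unknown")] += 1
        if kind != "user":
            no_named_user.append(rev)
    return per_actor, no_named_user

if __name__ == "__main__":
    start = datetime(2026, 5, 26, 16, 0, tzinfo=timezone.utc)
    end = datetime(2026, 5, 26, 18, 0, tzinfo=timezone.utc)
    counts, flagged = summarize(SAMPLE_EXPORT, start, end)
    for (kind, actor), n in counts.most_common():
        print(f"{kind:10} {actor:15} {n}")
    print("revisions without a named user:", len(flagged))
```
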

Revised on 2026-05-26 17:38:00 UTC

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license. If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.