[chef] Chef server activity logging/auditing

[DV < >]

Hi all,

Hopefully someone else had the need we have and can provide some advice!

We're running an instance of Chef server 10.12 with 100+ active users modifying cookbooks, roles, environments, and bootstrapping new hosts. Each user has a unique client key.

Occasionally we see a role, environment, or node/client object deleted, either accidentally or on purpose. Upon going through the logs Chef provides, we can't identify who does what, since that information isn't logged:

(nginx example log entry)

chef-server-access.log.2.gz

10.32.35.67 - - [15/Jul/2013:18:59:50 -0700] "DELETE /nodes/h2o-1.propensity.example.com HTTP/1.1" 200 218 "-" "Chef Knife/0.10.8 (ruby-1.8.7-p358; ohai-0.6.10; universal-darwin13.0; +http://opscode.com)" "-"

10.32.35.67 - - [15/Jul/2013:18:59:50 -0700] "DELETE /clients/h2o-1.propensity.example.com HTTP/1.1" 200 56 "-" "Chef Knife/0.10.8 (ruby-1.8.7-p358; ohai-0.6.10; universal-darwin13.0; +http://opscode.com)" "-"

10.32.78.188 - - [15/Jul/2013:23:12:56 -0700] "DELETE /roles/example-role HTTP/1.1" 200 917 "-" "Chef Knife/10.16.2 (ruby-1.9.3-p327; ohai-6.14.0; i386-mingw32; +http://opscode.com)" "-"

(unicorn example log entry)

unicorn-webui.stdout.log.1.gz

~ Started request handling: Tue Jul 16 16:42:33 -0700 2013

~ Params: {"format"=>nil, "action"=>"destroy", "_method"=>"delete", "id"=>"mongo-2.example.com", "controller"=>"nodes"}

~ Redirecting to: https://chef-test/nodes?_message=BAh7BjoLbm90avbSBkZWxldGVkIHN1Y2Nlc3uZ28tMi5kZXYtMS5jbG91%0AZC5lZG11bmRzLmxGVkIHN1Y2vbSBkZWxldGVkIHN1Y2Nlc3Nlc3NmdWxseQ%3D%3D%0A (301)

~ {:dispatch_time=>0.571713, :before_filters_time=>0.270627, :action_time=>0.570461, :after_filters_time=>1.1e-05}

Is there a way for us to get any kind of changes posted to Chef server audited, so we can determine who's doing what? Thanks in advance!

--
Best regards, Dmitriy V.