Session Auditing in Posit Workbench/ RStudio Server Pro

Follow

Posit Workbench (previously RStudio Workbench) can be optionally configured to write an audit log of session-related events (e.g. login/logout, session start/suspend/exit) to a central location (the /var/lib/rstudio-server/audit/r-sessions directory by default). This feature can be enabled using the audit-r-sessions setting. For
example:

/etc/rstudio/rserver.conf

audit-r-sessions=1

Data Format

The R session event log is written by default to the file at /var/lib/rstudio-server/audit/r-sessions/r-sessions.csv The following fields are included:

pid Unix process ID the event is associated with (for auth events this will be the main rserver process, for session events the rsession process).
username Unix user the event is associated with
timestamp Timestamp of event in milliseconds since the epoch.
type Event Type (see documentation on event types below)
data Administrative user that initiated event (only applies to admin events and auth_login for login-as-user by admin).

The following values are valid for the event type field:

auth_login User logged in to Posit Workbench
auth_logout User logged out of Posit Workbench
auth_login_failed User login attempt failed
session_start R session started
session_suicide R session exiting due to suicide (internal error)
session_suspend R session exiting due to suspend
session_quit R session exiting due to user quit
session_exit R session exited
session_admin_suspend Administrator attempt to suspend R session
session_admin_terminate Administrator attempt to terminate R sessions

The default format for the log file is CSV (Comma Separated Values). It’s also possible to write the data to Newline Delimited JSON by using the audit-r-console-format option. For example:

audit-r-sessions-format=json

Note that when using the JSON format the entire file is not a valid JSON object but rather each individual line is one. This follows the Newline Delimited JSON specification supported by several libraries including the R jsonlite package.

Storage Options

You can customize both the location where audit data is written as well as the maximum amount of R session event data to log (by default this is set to 1 GB). To specify the root directory for audit data you use the audit-data-path setting. For example:

/etc/rstudio/rserver.conf

audit-data-path=/audit-data

Note that this path affects the location of both R console auditing and R session auditing data.

To specify the maximum amount of R session event data to log you use the audit-r-sessions-limit-mb setting. For example:

/etc/rstudio/rserver.conf

audit-r-sessions-limit-mb=2048

The default maximum R session event log file size is 1 GB (1024 MB). To configure no limit to the size of files which can be written you set the value to 0, for example:

/etc/rstudio/rserver.conf

audit-r-sessions-limit-mb=0

Note that there is no automatic rotation of the R session event log file as it gets larger. This means that you should either create a scheduled (e.g. cron) job to periodically move the file off the server onto auxiliary storage and/or ensure that the volume that it is stored on has sufficient capacity.

In any case, the amount of data written to the R session event log file is not large (less than 1 KB per session) so a large number of session events can be stored within the default 1 GB maximum log file size.

You may also be interested in:

Comments