Logging and Auditing Events – Redis Knowledge Base

Redis Software logs key system and database-level activities to support operational visibility, security auditing, and compliance reporting. This article shows how to view and configure logs and audit records across the UI, REST API, and file system, manage log retention and syslog export, enable database auditing, and troubleshoot common issues. Key sections include Viewing Logs, Configuring Log Settings, Auditing Events, Troubleshooting, and a Feature Summary Table.

Logging in Redis

Redis logs capture major system and user events, including configuration changes, authentication attempts, database failovers, and connection issues.
Each internal process within Redis Software (such as cluster management, database operations, and node communication) generates its own dedicated log file. These process-specific logs are critical for diagnosing issues and understanding the behavior and performance of the system.

Key Features:

What is captured:
- Who performed the action
- What was done
- When it occurred
- Whether it succeeded
Where logs can be accessed:
- UI: Cluster Manager → Logs
- REST API: GET /v1/logs
- File system: /var/opt/redislabs/log/
  - This may vary depending on your deployment

Primary Log Files

Log File	Purpose	Tagging / Log Format
`cnm_exec.log`	Database lifecycle actions such as failovers, migrations, and topology changes	N/A
`event_log.log`	System and user-triggered events:– User: authentication attempts, config changes– System: high latency alerts, import failures, resource constraints	Entries tagged as `event_log` with fields like:– `type: high_latency`, `type: import_failed`– `severity: INFO`, `WARNING`, `ERROR`
`resource_mgr.log`	Tracks resource usage and management decisions:– CPU/memory monitoring– Shard allocation– Auto-rebalance events	Internal tags may include module/action fields; numeric metrics often included
`redis-<ID>.log`	Shard-level Redis logs:– Commands and slowlogs– Eviction and replication messages– Client errors (per shard)	Matches open source Redis log format per process; shard ID from `rladmin status`
`node_wd.log`	Node-level watchdog monitoring:– Local health checks– Process restarts– Disk/memory pressure alerts	Tagged as `WD_NODE`; includes status probes and recovery actions
`cluster_wd.log`	Inter-node communication and cluster watchdog:– Node failures and recovery– Quorum state changes– Gossip protocol status	Tagged as `WD_CLUSTER`; examples:– `INFO: ClusterState: Node Y (10.0.0.1) just died`– `WARNING: ClusterState: Quorum lost`
`dmcproxy.log`	Client proxy and connection routing activity:– Endpoint assignment– Connection failures– Timeout handling	Entries often include endpoint ID, source IP, connection status

Viewing Logs

UI Access

Navigate to Cluster Manager → Logs
Filter by time, severity, or event type

REST API

curl -k -X GET -u <username>:<password> \
  -H "Content-Type: application/json" \
  https://<cluster_fqdn>:9443/v1/logs | jq

Only partial logging is available via UI and API (limited to event_log.log content).

File System

Log directory: /var/opt/redislabs/log/
Logs rotate daily
Retention defaults:
- 7 copies for most logs
- 30 copies for watchdog logs (node_wd.log, cluster_wd.log)
Configurable via: /etc/logrotate.conf or logrotate policy files

Configuring Log Settings

Change Timestamp Format

Go to Cluster Manager → Configuration → General
Select your preferred time zone

Change Log Retention (Logrotate)

Default path: /opt/redislabs/config/logrotate.conf
Customize file rotation in: /etc/logrotate.d/redislabs

Syslog/SIEM Export

Redis logs can be enriched and forwarded using rsyslog
Common syslog paths: /var/log/syslog, /var/log/messages
Edit rsyslog configuration to forward logs from Redis log directory

Auditing Events

Redis auditing (v6.2.18+) captures connection attempts, authentication outcomes, and disconnections for compliance and forensic review.

Key Notes:

Disabled by default; must be explicitly enabled
Output options:
- Local file (audit_protocol local)
- Remote TCP endpoint (audit_protocol TCP)

Recommendation: Avoid local protocol in production—use TCP and forward to external SIEM for safety and scalability.

Enabling Audit Logging

rladmin cluster config auditing db_conns \
  audit_protocol <TCP|local> \
  audit_address <address> \
  audit_port <port> \
  audit_reconnect_interval <seconds> \
  audit_reconnect_max_attempts <attempts>

Omit audit_port if using local
Ensure the destination file/endpoint is reachable and writable

Viewing Audit Logs

Audit events output in JSON format, such as:

{
  "ts": 1655821384,
  "new_conn": {
    "id": 2285001002,
    "srcip": "127.0.0.1",
    "srcp": "39338",
    "trgip": "127.0.0.1",
    "trgp": "12635",
    "bdb_name": "DB1",
    "bdb_uid": "5"
  }
}

Audit logs are not included in Cluster Manager → Logs or API output.

Sample Event Log Entry

{
  "originator_uid": "0",
  "originator_username": "system",
  "severity": "WARNING",
  "time": "2021-08-04T13:10:40Z",
  "type": "cluster_failed_authentication_attempt",
  "username": null
}

Common Issues and Troubleshooting

No Audit Logs Appearing

Audit not enabled
Invalid config (check rladmin cluster config)
File or port inaccessible

Logs Not Reaching External System

Check network path, port, and hostname
Confirm firewall rules allow outbound traffic
Ensure rsyslog or TCP listener is running

SSL/TLS Handshake Failures

Inspect dmcproxy.log for certificate-related issues during TLS negotiation. These errors often indicate misconfigured client certificates, expired certificates, or missing trust relationships.

Example log snippet:

[2024-07-07 18:14:52.345] error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
[2024-07-07 18:14:52.345] TLS handshake failed for client 192.168.1.15:45000

If you see messages like the one above, verify that:

The client is providing a valid certificate (if required)
The Redis server has the correct CA configuration
The TLS version and cipher suites are compatible

Feature Summary Table

Feature	How to Access/Configure
Management/action event logging	UI (Cluster > Logs), REST API, `/var/opt/redislabs/log/event_log.log`
Connection/authentication auditing	Enable via `rladmin`; export to syslog/SIEM
Log rotation	Edit `/opt/redislabs/config/logrotate.conf`; default is daily
Syslog/SIEM forwarding	Configure `rsyslog` to send logs from Redis log directory
Slowlog	Use UI (DB > Slowlog tab), or `redis-cli CONFIG GET/SET slowlog-log-slower-than`
ACL LOG (OSS-only)	Not supported in Redis Software—use auditing instead

Auditing API key usage

Redis Cloud API key activity can be audited through the system log. For API-driven actions, log entries may include the timestamp, apiKeyName, originator, affected resource, activity type, and description. You can review system logs in the Redis Cloud console or query them with the GET/logs REST API endpoint.

Redis Cloud does not currently provide a dedicated per-key usage dashboard or report that summarizes:
- last-used timestamp
- source IP history
- endpoint-by-endpoint request history
- usage frequency metrics

For deeper auditing, use system logs, export logs to a SIEM where available, or add logging around the automation or integration using the API key.

Additional Resources

Redis Logging Documentation

Audit Events Documentation

Redis rsyslog Setup

rladmin Command Reference

Redis logrotate Reference

Related to