Audit Log - missing_line FAIL

#1

I notice that in my privacyIDEA installation all audit entries have missing_line set to FAIL. Any direction in figuring out what setting I did not perform properly in regards to my audit log?

I also appear to be seeing lots of “[ERROR][privacyidea.lib.crypto:758] Failed to verify signature” in my log file, which I’m assuming is either related to a mistake during the initial installation, something that occurred during the upgrade to 3.0, or related to setting PI_CHECK_OLD_SIGNATURES to True.

#2

It is not clear if you have a redundant setup.
In this case, the log entries contain gaps.
Both nodes need the same audit signing keys.

#3

Yes, I do have a redundant configuration setup as active/passive. And it looks like when I followed the HA configuration, I copied the enckey but not the public/private.pem files for audit log signing.

I’ve copied the files to the passive node. Is there any way to fix my mistake? Or do I just need to wait for audit logs to be purged and the invalid entries fall off?

#4

After looking more, it appears I’m losing LOTS of audit entries. All of my audit log entry numbers are spaced out by 5-10 instead of being sequential.

EDIT:
It appears my auto_increment_increment for MySQL was set to 7 by default? I’ve changed this to 1 and fixed the AUTO_INCREMENT value on the pidea_audit table. The missing_line issue is gone for new entries now.

#5

Regarding the missing_line FAIL: we only check whether the previous/next line (according to the audit number) exists (therefore the first and last audit entries always FAIL). If you set up a master/master replication of the DB, you need to increment the auto_increment to avoid both servers inserting an audit entry with the same primary key. So in this setup, the missing_line will always FAIL.

Regarding the ‘Failed to verify signature’ Error: Does this error appear when viewing the audit log? What does the ‘sig_check’ entry in the audit log show? We switched to a different signing method in privacyIDEA 3.0 and all old signatures won’t be validated unless the PI_CHECK_OLD_SIGNATURES option is set to true.
Hope it helps.
Regards
Paul
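The explanation above (an entry passes only if its neighbouring audit numbers exist, so a non-sequential auto-increment makes every entry FAIL) can be reproduced offline. The following is an added example and not privacyIDEA's own audit code; it is a simplified model of the check as described in this thread, with the audit IDs constructed the way MySQL's auto_increment_increment/auto_increment_offset would generate them for one node.

```python
"""Added example (not privacyIDEA code): a simplified model of the audit
missing_line check described in the thread, run over audit IDs as MySQL
would allocate them under different auto_increment_increment settings.

On a real MySQL server the relevant settings can be inspected with
    SHOW VARIABLES LIKE 'auto_increment%';
(the thread reports a default of 7 with group replication, which the
poster changed to 1 on a single active node)."""


def generate_audit_ids(num_rows, increment, offset=1):
    """Model MySQL auto-increment allocation on one node: IDs are
    offset, offset+increment, offset+2*increment, ... (constructed data)."""
    if increment < 1 or offset < 1:
        raise ValueError("increment and offset must be >= 1")
    return [offset + i * increment for i in range(num_rows)]


def missing_line_check(audit_ids):
    """Return {audit_id: 'OK' | 'FAIL'} following the description above:
    an entry passes only if both the previous (id-1) and the next (id+1)
    entry exist. Consequently the first and last entries always FAIL, and
    any gap in the sequence fails the entries on both sides of it."""
    present = set(audit_ids)
    return {
        i: "OK" if (i - 1 in present and i + 1 in present) else "FAIL"
        for i in sorted(present)
    }


def gap_ranges(audit_ids):
    """List (first_missing, last_missing) ranges between consecutive IDs,
    useful to see how much of the sequence an increment of 7 skips."""
    present = sorted(set(audit_ids))
    ranges = []
    for prev, nxt in zip(present, present[1:]):
        if nxt - prev > 1:
            ranges.append((prev + 1, nxt - 1))
    return ranges


def count_failures(audit_ids):
    """Number of entries the simplified check would flag as FAIL."""
    return sum(1 for v in missing_line_check(audit_ids).values() if v == "FAIL")


if __name__ == "__main__":
    for increment in (1, 7):
        ids = generate_audit_ids(6, increment)
        print(f"auto_increment_increment={increment}: ids={ids}")
        print("  missing_line:", missing_line_check(ids))
        print("  gaps:", gap_ranges(ids))
        print("  failures:", count_failures(ids), "of", len(ids))
```

With increment 1 only the first and last rows FAIL, matching the thread; with increment 7 every row FAILs because neither neighbour ID was ever allocated, which is exactly the "spaced out by 5-10" pattern the poster saw.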

#6

Thanks for the response. I got everything taken care of. The Howto I followed for group replication stated to copy the enckey but not the signing keys so the secondary server did not have the same keys. I’ve copied the same keys to both systems and the signature failures have gone away.

And yes, I had to change the default auto-increment to 1 since MySQL uses 7 as the default for whatever reason. After then fixing the increment counters on both systems on the tables that were out of sequence, the missing_line issue went away as well.