How do I track changes made to systems via knife in chef?

Question

I'd like to be able to audit and track changes to node managed by chef. Ideally I'd like to see if/when a change was made to a node to be able to correlate changes with incidents.

Is there any built-in functionality in chef that allows generation of this sort of thing? Or, perhaps, an add-on to let me add in this sort of logging/auditing?

Answer 1

jtimberman's demo handler at https://jtimberman.posterous.com/a-simple-report-handler shows how to access the specific resources that were updated in during a chef-client run. You could write a handler that sends off email, or a HTTP post, or whatever notification mechanism you like.

Chef handlers can be distributed and installed as part of your node's run_list. I have a couple of handlers installed by modifing /etc/chef/client.rb, but apparently there is a chef_handler cookbook in the Community cookbooks, see https://github.com/opscode/cookbooks/blob/master/chef_handler/README.md. This can supposedly configure handlers without having to muck around with templates.

Answer 2

you can change the log level and location in the client.rb file.

Chef includes a resource for writing events to the log from your recipes.

http://wiki.opscode.com/display/chef/Chef+Configuration+Settings#ChefConfigurationSettings-logoutput

http://wiki.opscode.com/display/chef/Resources#Resources-Log

Answer 3

You can add a custom report handler that will loop through all of the resources that were updated during the chef-solo or chef-client run, record them, and possibly email them to a sysadmin.