Enable Logging for Baffle Manager and Baffle Shield Containers

This document demonstrates how to use stdout (standard output) to enable logging for Baffle Manager and Baffle Shield containers.

If Baffle Advanced Data Protection encounters an error in its program, Baffle Advanced Data Protection logs the error as well as other notable conditions.

In cases where there's an explicit application error, the query log might show that the database returned an error code. If the error is in response to a transformed query, then the cause can be isolated to Baffle encryption use.

This article covers the following topics:


You must have deployed Baffle Manager and Baffle Shield in an orchestrated container environment.

Enabling Logging for Containers

This section walks through the process of enabling logging for a container deployment.

All log containers are located in /var/log/containers. This path can be specified as an event collection point for your logging solution. 

The Baffle Manager deployment consists of the following containers:

  • baffle-manager
  • baffle-web
  • baffle-nginx
  • baffle-mongodb

The Baffle Shield container will be the name specified in the Baffle Shield application properties file.

To enable logging in a container environment, do the following:

  1. Log in to your container environment and use the following command to verify the running pods.
    kubectl get pods
  2. Use the following command to retrieve logs for the baffle-manager-container.
    kubectl logs -f baffle-manager-...
  3. To retrieve logs for other containers, specify the container name and use the logs -f parameter.
    kubectl logs -f <container-name>...

Collecting Logs with Fluentd for AWS deployments

Baffle Manager and Baffle Shield deployments with Amazon Elastic Kubernetes Service and/or Amazon Elastic Container Service can configure Fluentd to collect event logs from containers.

For more information, see the following Amazon AWS documentation.

In the fluentd.yaml file section for logging, you can specify the path /var/log/containers/* as shown in the following example.


Accessing Baffle Query Logs

For Standard Encryption, the primary log file can be found in /opt/baffle/<port#>/shield/log.

The current log filename will have the process number as a suffix and the log extension. By default, each log file is capped with a file size of 100 MB. When the log reaches 100 MB, it will be renamed and a new file will be opened to stored logs. Old logs will have the log.N filename extension where N is the number of the log file.

The default Baffle Shield configuration uses up to 10 log files before they are recycled. This means that default Baffle Shield setting cap log storage at around 1 GB.

To locate the latest log file, do the following:

1. Navigate to the log directory /opt/baffle/<port#>/shield/log.

2. Execute the following command:

ls -latr

3. In the log file, search for:

  • Client query - the query sent by the application
  • Transformed query - the proxy transformed query that is sent to the DB.


Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.