feat: support writing audit events to stdout for log #3113
Conversation
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
There was a problem hiding this comment.
Where did we end up on the stance of using the existing zap logger instead?
As in, instead of using a JSON encoder over STDOUT, just adapt audit events into fields on the zap logger and add a distinguising field like type == audit so that a log aggregator can then distinguish these?
Was it just the leveling debate? I vaguely remember we thought about just having distinct level for the audit events.
Also, looking at zap's encoder config:
https://pkg.go.dev/go.uber.org/zap@v1.27.0/zapcore#EncoderConfig
It seems like you can set the levelKey to empty string to omit it from output.
Or it looks like there might be a way (via a LevelEncoder perhaps?) to get our own level = audit in there somehow.
|
We have not forgotten that logging could have {"L":"DEBUG","T":"2024-05-27T15:44:49+03:00","M":"using driver","server":"grpc","driver":"sqlite3"}
{"L":"DEBUG","T":"2024-05-27T15:44:49+03:00","M":"migrations up to date","server":"grpc"}
{"L":"DEBUG","T":"2024-05-27T15:44:49+03:00","M":"constructing builder","server":"grpc","prepared_statements":true}
{"L":"DEBUG","T":"2024-05-27T15:44:49+03:00","M":"database driver configured","server":"grpc","driver":"sqlite3"}I really like @GeorgeMac idea to reuse zap somehow and have |
if we reuse the existing zap logger then we still have the issue of which zap level audit events are logged at. Do you mean we use a new instance of zap logger that is always say set to log at the lowest level and then we simply exclue that I did some more research and it looks like its still not really possible for us to define our own log levels (at least not in a supported way), see: uber-go/zap#1277 (comment) |
I think this is an option, but speaking without trying it myself. I think the main thing though is that whatever the approach is, a nice experience would be for the log output to match the encoding of the existing logger. So if its console, then audit logs come out in console too, if its JSON, they all come out in JSON. And that there is a way to distinguish, through structure logging, an audit event from a standard log line. |
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
|
I've now tried switching to use a new zap logger for this functionality, seems promising: {"T":"2024-06-05T10:37:59-04:00","M":"audit","event":{"version":"0.1","type":"flag","action":"updated","metadata":{"actor":{"authentication":"none","ip":"127.0.0.1"}},"payload":{"description":"Testing newest framework of the week","enabled":true,"key":"beta-new-ui-framework","name":"beta-new-ui-framework","namespace_key":"default"},"timestamp":"2024-06-05T10:37:59-04:00"}} |
The only problem is that when written to a file, it breaks backward compatibility with our previous audit log format, which simply marshalls the event like: {"version":"0.1","type":"flag","action":"updated","metadata":{"actor":{"authentication":"none","ip":"127.0.0.1 "}},"payload":{"description":"Manages the rollout of updates to our IoT devices","enabled":true,"key":"iot-deviceUpdateControl","name":"iot-deviceUpdateControl","namespace_key":"default"},"timestamp":"2024-06-05T10:51:24-04:00"} |
|
I got it a bit closer when using file based logging: {
"event": {
"version": "0.1",
"type": "flag",
"action": "updated",
"metadata": {
"actor": {
"authentication": "none",
"ip": "127.0.0.1"
}
},
"payload": {
"description": "Testing newest framework of the week",
"enabled": false,
"key": "beta-new-ui-framework",
"name": "beta-new-ui-framework",
"namespace_key": "default"
},
"timestamp": "2024-06-05T11:25:27-04:00"
}
}I think this is good enough IMO |
|
Here's what the console log looks like: 2024-06-05T11:37:56-04:00 AUDIT {"event": {"version":"0.1","type":"flag","action":"updated","metadata":{"actor":{"authentication":"none","ip":"127.0.0.1"}},"payload":{"description":"Manages the rollout of updates to our IoT devices","enabled":false,"key":"iot-deviceUpdateControl","name":"iot-deviceUpdateControl","namespace_key":"default"},"timestamp":"2024-06-05T11:37:56-04:00"}} |
…into audit-logs-stdout * 'audit-logs-stdout' of https://github.com/flipt-io/flipt: docs: add levlaz as a contributor for doc (#3148)
|
ok, I think this is ready for another round of comments, im going to be adding tests as well /cc @erka @GeorgeMac |
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
| }, | ||
| "encoding": { | ||
| "type": "string", | ||
| "enum": ["json", "console", ""] |
There was a problem hiding this comment.
the "" is required so that by default it inherits the same encoding as log.encoding, although i guess we could make an explicit inherit option?
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
|
@markphelps this will be a breaking change for people audit:
sinks:
log:
enabled: true
file: audit.logAudit log for {"version":"0.1","type":"flag","action":"created","metadata":{"actor":{"authentication":"none"}},"payload":{"description":"","enabled":false,"key":"adf","name":"adf","namespace_key":"default"},"timestamp":"2024-06-06T16:41:21+03:00"}And this PR will send {"event": {"version":"0.1","type":"flag","action":"updated","metadata":{"actor":{"authentication":"none","ip":"::1"}},"payload":{"description":"","enabled":false,"key":"adf","name":"adfasdf","namespace_key":"default"},"timestamp":"2024-06-06T16:42:28+03:00"}} |
markphelps
added
needs docs
Fixes: #3101
Allows writing audit logs to stdout if using
logsink with no file specifiedIt looks like this when enabled along side existing logs to stdout:
Im not 💯 on if this is the functionality we want though as its hard to parse visually with both types of logs (audit and application) intertwined like this.
I guess one argument could be that if you're setting audit logs to stdout then you'd likely either:
Another thing we could support is allowing the user to configure which file handle to write both application logs and audit logs to (either STDOUT or STDERR), so they could separate the logs that way if they didn't want to / couldn't write to a file for either?
wdyt @erka @GeorgeMac ?