stdout support for file backend via logger #3235
I think it might be actually a lot cleaner to just make it a separate audit backend, since it uses almost none of the file backend. What do you think @jefferai?
audit/audit.go
Outdated
|
||
// auditing to stdout (file audit backend) requires the logger | ||
// to prevent interleaving w/ the main log output | ||
Logger log.Logger |
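Review bot: The comment on the new `Logger log.Logger` field in audit/audit.go says the logger is required only for the file backend's stdout case, but it does not say whether the field may be left nil for every other backend or path; state the nil behaviour in the comment so callers building this struct know what they must supply. Also spell out "w/" as "with".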
Logging goes to stderr after startup, not stdout, so this isn't necessary.
@jefferai I'm confused then by your comments on #2195. What were you referring to when you said "I worry about interleaving issues here given that Vault also writes things to stdout at various points."? I guess I wrongly assumed you were concerned about interleaving between a stdout audit backend and vault's main logging.
When Vault starts it dumps a bunch of output to stdout. Then the server logs go to stderr. However, making stdout a separate audit backend doesn't make any difference. You'd basically just need to ignore any line that isn't JSON.
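The filtering described in the comment above, as an added example that is not part of the PR or of Vault's code: a Go consumer reading a process's stdout keeps only lines that are complete JSON objects and counts the rest. The sample input, the `AuditLines` name and the 1 MiB line limit are assumptions made for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// maxLine bounds one audit entry; the value is an assumption for this example.
const maxLine = 1 << 20

// AuditLines returns the lines of r that are complete JSON objects and
// counts everything else (startup banner, blank lines, truncated writes).
func AuditLines(r io.Reader) (entries []json.RawMessage, skipped int, err error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), maxLine)
	for sc.Scan() {
		line := bytes.TrimSpace(sc.Bytes())
		// A bare number or string is valid JSON but is not an audit entry.
		if len(line) == 0 || line[0] != '{' || !json.Valid(line) {
			skipped++
			continue
		}
		// Copy: the scanner reuses its buffer on the next Scan call.
		entries = append(entries, json.RawMessage(append([]byte(nil), line...)))
	}
	return entries, skipped, sc.Err()
}

// sample is constructed for this example, not captured from a real server.
const sample = `==> Vault server configuration:
             Log Level: info
{"time":"2017-09-01T12:00:00Z","type":"request","request":{"path":"sys/health"}}
12345
{"time":"2017-09-01T12:00:01Z","type":"response","req
{"time":"2017-09-01T12:00:02Z","type":"response","request":{"path":"sys/health"}}
`

func main() {
	entries, skipped, err := AuditLines(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("kept %d audit entries, skipped %d other lines\n", len(entries), skipped)
}
```

A non-zero skipped count after startup is worth alerting on, since a truncated entry means an audit record was lost to the consumer.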
helper/logformat/vault.go
Outdated
@@ -15,6 +15,10 @@ import ( | |||
const ( | |||
styledefault = iota | |||
stylejson | |||
// Setting a level for raw log output. While it's not technically a level, we need the ability |
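Review bot: The comment added after `stylejson` calls the raw output setting a "level" while conceding it is "not technically a level", and it sits in a const block whose visible members (`styledefault`, `stylejson`) are styles; name it as a style, or explain in the comment why a level is being used to select formatting, so the two concepts are not conflated for later readers.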
You don't need any of this -- just use os.Stdout as the writer (https://golang.org/pkg/os/#pkg-variables)
Right, that's what I did initially, but then I was reading your comments on #2195 and thought that output from the audit-to-stdout and the primary vault logger would need to be synchronized (thinking vault logged to stdout). What needs to be changed in #2195 for it to be merged?
2195 will never be merged because it's a separate backend.
@jefferai Ok, made it super simple, can you take another look? Reused
Feels like this should be sanitized to lower case since a lot of people might assume it should be valid.
Other than that, looking good!
@jefferai Ok, lowercased!
Same problem, in reverse. To be clear I meant using a sanitizing function, like strings.ToLower.
@jefferai Got it, I should have understood by the fact you used the word sanitized. It is now sanitized! I kept the docs to lowercase, feels more natural. Technically this is a breaking change for anyone who was outputting to a file named
I wouldn't worry about it, we don't have defined behavior on relative paths currently. People should be using absolute paths!
Looks good!
Merged, thanks!
* oss/master:
  changelog++
  add support to use application default credentials to gcs storage backend (#3257)
  Remove fake news about custom plugins
  Fix travis build on go 1.9
  changelog++
  stdout support for file backend via logger (#3235)
  fix swallowed errors in pki package tests (#3215)
  Fix API/AUTH/AppRole doc issue concerning bound_cidr_list (#3205)
This is great. Is this documented anywhere in the vault documentation? It feels like we need a note on this page https://www.vaultproject.io/docs/audit/index.html
Here is a working request based on @jefferai's input on #2195. For this one I just took the file backend and forked behavior if file_path is STDOUT.
What I did:
formatRaw
file_path == "STDOUT"
I first tried - like @jefferai suggested, but this behaved weirdly in the CLI -- even in quotes I think it must get interpreted as a flag, wasn't sure how to escape it properly. STDOUT is easier -- no escaping

Questions:

Still to be done: