Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: audit logs #994

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: audit logs #994

wants to merge 1 commit into from

Conversation

Anirudhxx
Copy link
Contributor

Opening this PR so it makes it easier to discuss adding audit logs to parseable.

Fixes #765.

What kind of events do we want to capture?

  • Right now I am only tracking the Action events
  • Since these are accessible in the auth middleware I have sent the actual audit log post request in the auth middleware itself
  • This most likely add a performance penalty to our server and should be moved elsewhere (Looking for some suggestions)

Adding any other details to the audit log

  • Right now I am only capturing details like <action, ip address, request type>

This PR has:

  • been tested to ensure log ingestion and log query works.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added documentation for new or modified features or behaviors.

@Anirudhxx @akshatagarwl
feat: audit logs
c455912 
Co-authored-by: Akshat Agarwal <[email protected]>
de-sh
de-sh reviewed Nov 19, 2024
View reviewed changes
server/src/cli.rs
pub audit_log_target_username: Option<String>,
pub audit_log_target_password: Option<String>,
pub audit_log_target_tls_verify: bool,
pub audit_log_target_headers: HashMap<String, String>,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could just as well be an http::HeaderMap

de-sh
de-sh reviewed Nov 19, 2024
View reviewed changes
server/src/handlers/http/middleware.rs
.get("user-agent")
.and_then(|value| value.to_str().ok())
.unwrap_or("unknown"),
"id": "user123"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this hardcoded, and what is the intention behind using user-agent as type?

server/src/handlers/http/middleware.rs
.unwrap_or("unknown"),
"id": "user123"
},
"ip-address":&req
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you intending to use the addr of the client?

server/src/handlers/http/middleware.rs
@@ -164,6 +171,31 @@ where
/* ## Section end */

let auth_result: Result<_, Error> = (self.auth_method)(&mut req, self.action);
let body = json!([
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will work on the Schema, will get back to you in a week's time

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @de-sh, just following up. Did you get a chance to work on this?

Copy link
Contributor

@de-sh de-sh Dec 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, sorry that this got lost, here is what I have been able to come up with:

{
  "audit_id": "String: uuid",
  "timestamp": "String: Datetime",
  "actor": {
    "type": "Enum: user/sync",
    "user_id": "String: username",
    "authorization_method": "Enum: basic/oauth/jwt"
  },
  "request": {
    "method": "Enum: POST/GET/PUT",
    "url": "String: url",
    "headers": {
      "key": "value"
    },
    "protocol": "Enum: kafka/http"
  },
  "action": {
    "type": "Enum: create/delete/update",
    "target": "Enum: s3/hottier/local-store/user-list",
    "resource": "Enum: object/user"
  },
  "response": {
    "code": int
  }
}

@de-sh
Copy link
Contributor

de-sh commented Dec 2, 2024
edited
Loading

This most likely add a performance penalty to our server and should be moved elsewhere (Looking for some suggestions)

I feel like the right way to do this would involve a dedicated thread that handles the serialization and reqwest part of your code. This since audit logging shouldn't impact normal functioning of request in any-ways and hence should be done, removed from the data flow path. I am exploring the feasibility of using a specialized tracing subscriber, to do this for us, similar to how we log to stdout now and how otel loggers work.

@Anirudhxx
Copy link
Contributor Author

I am exploring the feasibility of using a specialized tracing subscriber, to do this for us, similar to how we log to stdout now and how otel loggers work.

@de-sh I'll implement a audit macro and replace it with the current reqwest code and create a new tracing subscriber which will look for these audit spans and send the audit log to the relevant parseable server. lmk if this works?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@de-sh de-sh de-sh left review comments

@nikhilsinhaparseable nikhilsinhaparseable Awaiting requested review from nikhilsinhaparseable

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: audit logging for Parseable
2 participants
@Anirudhxx @de-sh