Audit log JSON format #1936

Closed
gulecroc opened this issue Nov 5, 2024 · 1 comment
gulecroc commented Nov 5, 2024

Hello,

I would like to collect the audit log in JSON format.

I override the logback.xml file for the access component:

  • copy the SECURITY_AUDIT appender and set the SecurityAuditJsonLayout layout used by the SECURITY_AUDIT_CONSOLE_JSON appender:
  <appender name="SECURITY_AUDIT_FILE_JSON" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${log.dir}/access-security-audit-json.log</File>
    <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
      <layout class="org.jfrog.access.server.logging.layout.security.audit.SecurityAuditJsonLayout">
      </layout>
    </encoder>
    <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
      <FileNamePattern>${log.dir.archived}/access-security-audit-json.%i.log.gz</FileNamePattern>
      <compressLatest>false</compressLatest>
    </rollingPolicy>
    <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
      <MaxFileSize>25MB</MaxFileSize>
    </triggeringPolicy>
  </appender>
  • add the appender to the logger:
  <logger name="org.jfrog.access.server.audit.security.AuditLogger" additivity="false">
    <level value="info"/>
    <appender-ref ref="SECURITY_AUDIT"/>
    <appender-ref ref="SECURITY_AUDIT_CONSOLE_JSON"/>
    <appender-ref ref="SECURITY_AUDIT_FILE_JSON"/>
  </logger>

Update the chart values:

artifactory:
  configMaps: |
    access-logback.xml: |
      <!-- PUT THE LOGBACK CONFIG-->
  copyOnEveryStartup:
    - source: /artifactory-configmaps/access-logback.xml
      target: etc/access/logback.xml
  customVolumeMounts: |
    - name: artifactory-configmaps
      mountPath: "/artifactory-configmaps"
  loggers:
    - access-security-audit-json.log

The log output:

  • before (access-security-audit.log):
2024-11-05T10:39:20.906Z|06de291b1c5617a9|UNKNOWN|UNKNOWN|jfob@01jate6qne9tmj17b9hs3902rx|jfob@01jate6qne9tmj17b9hs3902rx|C|TKN|{"added":{"owner":"jfob@01jate6qne9tmj17b9hs3902rx","created":"1730803160904","expirationTime":"1730803280904","subject":"jfob@01jate6qne9tmj17b9hs3902rx","scope":"internal:usage:w","id":"9b546fe2-c699-467f-9610-c11c7c4ad7e9","type":"generic"}}
  • after (access-security-audit-json.log):
{"log_name":"access-security-audit.log","audit":{"datetime":"2024-11-05T10:30:35.208Z","traceid":"6dc659d0783fe422:56ffe1823a7f9f95:1b993c82822a49ad:0","performinguserip":"UNKNOWN","performinguser":"UNKNOWN","loggedinprincipal":"jfob@01jate6qne9tmj17b9hs3902rx","entityname":"jfob@01jate6qne9tmj17b9hs3902rx","securityeventtype":"C","securityevent":"TKN","datachanged":"{\"added\":{\"owner\":\"jfob@01jate6qne9tmj17b9hs3902rx\",\"created\":\"1730802635207\",\"expirationTime\":\"1730802755207\",\"subject\":\"jfob@01jate6qne9tmj17b9hs3902rx\",\"scope\":\"internal:usage:w\",\"id\":\"ddd9dcbc-82df-4bf0-a461-39e7f7764c41\",\"type\":\"generic\"}}"}}

The problem is with the field datachanged that is already in JSON format before serialization.

Do you have any solution?

Thank you.

Guillaume

gulecroc commented Nov 6, 2024

Finally, I created the JSON format with the default encoder:

          <appender name="SECURITY_AUDIT_FILE_JSON" class="ch.qos.logback.core.rolling.RollingFileAppender">
            <File>${log.dir}/access-security-audit-json.log</File>
            <encoder>
              <pattern>{"datetime":"%d{yyyy-MM-dd'T'HH:mm:ss.SSS,UTC}Z","traceid":"%formattedCustomUberTraceId","userip":"%X{audit.performingUserIp}","user":"%X{audit.performingUser}","loggedprincipal":"%X{audit.loggedinPrincipal}","entityname":"%X{audit.entityName}","eventtype":"%X{audit.securityEventType}","event":"%X{audit.securityEvent}","datachanged":%X{audit.dataChanged}}%n</pattern>
            </encoder>
            <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
              <FileNamePattern>${log.dir.archived}/access-security-audit-json.%i.log.gz</FileNamePattern>
              <compressLatest>false</compressLatest>
            </rollingPolicy>
            <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
              <MaxFileSize>25MB</MaxFileSize>
            </triggeringPolicy>
          </appender>

But I think we could have a better solution with SecurityAuditJsonLayout.
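
On the collecting side, the three line shapes in this thread (pipe-delimited, SecurityAuditJsonLayout with `datachanged` as an escaped string, and the hand-written pattern) can be normalized into one record. This is an added example, not part of the original issue or JFrog's code; the sample lines are constructed and the key aliases are assumptions derived from the pattern above.

```python
import json

# Pipe-delimited field order as seen in the issue's access-security-audit.log line;
# key names are borrowed from the SecurityAuditJsonLayout output (assumption).
PIPE_FIELDS = ["datetime", "traceid", "performinguserip", "performinguser",
               "loggedinprincipal", "entityname", "securityeventtype",
               "securityevent", "datachanged"]
# Keys chosen in the hand-written <pattern>, mapped back to the layout's names.
ALIASES = {"userip": "performinguserip", "user": "performinguser",
           "loggedprincipal": "loggedinprincipal",
           "eventtype": "securityeventtype", "event": "securityevent"}

# Constructed sample lines, shortened from the shapes shown in the issue.
PIPE_LINE = '2024-11-05T10:39:20.906Z|06de291b|UNKNOWN|UNKNOWN|svc@x|svc@x|C|TKN|{"added":{"type":"generic"}}'
LAYOUT_LINE = r'{"log_name":"access-security-audit.log","audit":{"securityevent":"TKN","datachanged":"{\"added\":{\"type\":\"generic\"}}"}}'
PATTERN_LINE = '{"user":"UNKNOWN","event":"TKN","datachanged":{"added":{"type":"generic"}}}'
BROKEN_LINE = '{"user":"a"b","event":"TKN","datachanged":{}}'  # unescaped quote in a field


def decode_datachanged(value):
    """Return datachanged as an object, whether it arrived as a JSON string or an object."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return {"raw": value}  # keep unparseable payloads for review
    return value


def normalize(line):
    """Normalize one audit line from any of the three formats in the thread."""
    line = line.strip()
    if line.startswith("{"):
        try:
            doc = json.loads(line)
        except json.JSONDecodeError as exc:
            # A pattern-built line is plain text substitution, so it can be invalid JSON.
            return {"parse_error": str(exc), "raw": line}
        fields = doc.get("audit", doc)  # layout nests under "audit"; pattern is flat
        event = {ALIASES.get(k, k): v for k, v in fields.items()}
    else:
        # maxsplit keeps any '|' inside the trailing JSON payload intact
        parts = line.split("|", len(PIPE_FIELDS) - 1)
        if len(parts) != len(PIPE_FIELDS):
            return {"parse_error": "unexpected field count", "raw": line}
        event = dict(zip(PIPE_FIELDS, parts))
    event["datachanged"] = decode_datachanged(event.get("datachanged"))
    return event
```

Logback's `%X{...}` converter writes MDC values as-is, with no JSON escaping, so lines from the pattern-based appender can fail to parse; route `parse_error` records to review instead of dropping them.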

@gulecroc gulecroc closed this as completed Nov 6, 2024