Open Kamforka opened 2 years ago
Hello Kamforka,
How do you view the audit trail? From Search section in GUI? I see it is not visible.
Hello @viverma5, I'm using the v1 API's audit endpoint for that.
Hello @Kamforka
I was testing this with v1 of the API on the latest 4.1.17 version, but I see /api/v1/audit/_search is not working. Can you please confirm the exact endpoint?
I use the /api/v1/query endpoint with the listAudit query:
https://github.com/TheHive-Project/TheHive/blob/b7b196c0f567997c053dadd3c66be2a7780ec40b/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala#L31
There is no active /api/v1/audit/_search endpoint at the moment, as it is commented out in the router:
https://github.com/TheHive-Project/TheHive/blob/b7b196c0f567997c053dadd3c66be2a7780ec40b/thehive/app/org/thp/thehive/controllers/v1/Router.scala#L160
Hello @Kamforka
I have simulated the issues.
3. Then I merged both cases
{ "base": { "_id": "~40976408", "id": "~40976408", "createdBy": "honey@thehive.local", "createdAt": 1643296165979, "_type": "audit", "base": true, "details": { "cases": [ { "_id": "~122888336", "number": 13, "title": "emptycase_2" }, { "_id": "~122892424", "number": 12, "title": "emptycase_1" } ] }, "objectId": "~81948856", "objectType": "case", "operation": "Update", "requestId": "4ac1aa52d02bb283:74db14b4:17e9b8a26f0:-8000:1075", "rootId": "~81948856", "startDate": 1643296165979, "object": { "_type": "Case", "_id": "~81948856", "_createdAt": 1643296165946, "_createdBy": "honey@thehive.local", "_updatedAt": 1643296165946 } }, "summary": { "case": { "Update": 1 } }, "_type": "audit" }
Audit log in v1 query -
{ "_id": "~40976408", "_type": "Audit", "_createdBy": "honey@thehive.local", "_createdAt": 1643296165979, "operation": "merge", "requestId": "4ac1aa52d02bb283:74db14b4:17e9b8a26f0:-8000:1075", "obj": { "_type": "Case", "_id": "~81948856", "_createdAt": 1643296165946, "_createdBy": "honey@thehive.local", "_updatedAt": 1643296165946 }, "summary": {} }
Not sure why we see less data in the v1 response, but the issue remains where the individual case gets removed, but in the v0 response we could see the case information which gets merged but eventually loses the audit logs when they were created
Attaching the files [request ones for v0 and v1] v0_audit_search.txt
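A check for the gap discussed in this thread, as an added example that is not part of the thread or of TheHive's code: it compares two exports of audit entries in the v1 shape quoted above (for instance, listAudit results saved before and after a merge) and reports audit records that disappeared and objects that are gone without a "delete" entry. The function names, the live_object_ids input and the audit ids "~1001" and "~1002" are assumptions constructed for illustration.

```python
# Added example, not TheHive code. Entries use the v1 audit shape quoted in the
# thread (_id, operation, obj._id); audit ids "~1001"/"~1002" are constructed.

def ops_by_object(entries):
    """Map object id -> set of lower-cased audit operations recorded for it."""
    ops = {}
    for entry in entries:
        obj_id = (entry.get("obj") or {}).get("_id")
        if obj_id is not None:
            ops.setdefault(obj_id, set()).add(entry["operation"].lower())
    return ops


def audit_gaps(before, after, live_object_ids):
    """Compare two audit exports taken around an operation such as a merge.

    Returns (vanished, no_delete): audit ids present before but missing after,
    and object ids that no longer exist yet have no "delete" entry afterwards.
    """
    after_ids = {entry["_id"] for entry in after}
    vanished = sorted(e["_id"] for e in before if e["_id"] not in after_ids)
    ops_after = ops_by_object(after)
    known = set(ops_by_object(before)) | set(ops_after)
    no_delete = sorted(
        obj_id for obj_id in known
        if obj_id not in live_object_ids
        and "delete" not in ops_after.get(obj_id, set())
    )
    return vanished, no_delete


# Constructed export before the merge: one "create" entry per empty case.
BEFORE = [
    {"_id": "~1001", "operation": "create", "obj": {"_type": "Case", "_id": "~122892424"}},
    {"_id": "~1002", "operation": "create", "obj": {"_type": "Case", "_id": "~122888336"}},
]
# Export after the merge, reduced to the fields used here: only the merge entry.
AFTER = [
    {"_id": "~40976408", "operation": "merge", "obj": {"_type": "Case", "_id": "~81948856"}},
]
LIVE_CASES = {"~81948856"}  # assumption: ids of cases that still exist

if __name__ == "__main__":
    vanished, no_delete = audit_gaps(BEFORE, AFTER, LIVE_CASES)
    print("audit entries that disappeared:", vanished)
    print("removed objects with no delete entry:", no_delete)
```

An append-only audit trail should yield two empty lists; any id in the first list is a record that was removed between the two exports.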
Request Type
Bug
Work Environment
Problem Description
I created two empty cases to check their audit trails. After the creation I could see that audits with an operation value of "create" were created in the backend. Then, when I merged these two cases, they got deleted from the backend and only the merged case remained. This persisted an audit entry with an operation value of "merge"; however, I expected to have "delete" operation entries for the two deleted cases, which I cannot find. What is more troublesome is that the pre-existing audit entries for those cases are also deleted, which basically renders the audit trail corrupted and useless.
Steps to Reproduce