assembleco / slim

A (slim) System for Laboratory Information Management
https://stoic-pare-ea69d2.netlify.com/

Audit Trail #65

Open c-lliope opened 6 years ago

c-lliope commented 6 years ago

This is a big one.

If a product ever has a problem that requires a recall, Accupac, the client, and the FDA will turn to the audit logs to suss out where the responsibility lies.

The FDA (and customers) also perform regular audits of Accupac's systems. They request information such as:

Requirement

At the very least, we need to demonstrate that we have a record of all events the system has processed. Each action in the log should be tied to a timestamp, and to a person (or automated process) who is responsible for the action.

This doesn't need to be too rigorous to start with – it just needs to work well and be well-documented.

Option 1

The server keeps a log of all requests that it has processed, in server/log/development.log or server/log/production.log.

These log files are verbose, to say the least. A two-minute session clicking through the app resulted in 1300 lines of logged activity, without much structure to it.

The logs would likely be more condensed in production mode.

Navigating these logs requires someone familiar with Rails, and familiar with the specific architecture we're using. I would not be comfortable training someone at Accupac or the FDA to sift through the logs directly.

Option 2

We can achieve less cluttered, higher-quality logs by manually instrumenting the different events in the app.

Off the top of my head, the important events are:

We could start by adding an optional "description" argument to our Assemble.run() function. If a description is given, we can log the event.

As a bonus, once we have these events instrumented we'll be able to throw in arbitrary events that we're interested in. For example, we could track page views to get an idea of how much the app is being used.

Flair

For extra credit, we can set up a system like the Elastic Stack or Splunk, which would give us a great UI and powerful querying abilities over our logs.

Demo video:

Using Elastic Stack's Kibana to visualize logs
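
One way to implement Option 2's optional description argument, as an added example that is not part of the original issue or the project's code. Ruby is assumed for the server side, and `AuditTrail`, its `run` signature and the JSON-lines format are hypothetical; recording failed actions as well goes beyond what the issue spells out.

```ruby
require "json"
require "time"

# Hypothetical stand-in for the issue's Assemble.run(); names are assumptions.
class AuditTrail
  def initialize(io, clock: -> { Time.now.utc })
    @io = io        # append-only sink, e.g. File.open(path, "a")
    @clock = clock  # injectable so tests can pin the timestamp
  end

  # Runs the block and returns its value. When a description is given, one
  # JSON line records who did what, when, and whether it succeeded.
  def run(actor:, description: nil)
    raise ArgumentError, "actor is required" if actor.to_s.strip.empty?
    outcome, error = "ok", nil
    begin
      yield
    rescue StandardError => e
      outcome, error = "error", "#{e.class}: #{e.message}"
      raise # the caller still sees the failure; the trail records it too
    ensure
      write(actor, description, outcome, error) if description
    end
  end

  # Reads a trail back, optionally filtered to one actor, for an audit query.
  def self.events(text, actor: nil)
    rows = text.each_line.map { |line| JSON.parse(line) }
    actor ? rows.select { |row| row["actor"] == actor } : rows
  end

  private

  def write(actor, description, outcome, error)
    entry = { at: @clock.call.iso8601(3), actor: actor.to_s,
              event: description.to_s, outcome: outcome }
    entry[:error] = error if error
    # JSON.generate escapes newlines, so user-supplied text in a description
    # cannot forge an extra log line.
    @io.puts(JSON.generate(entry))
    @io.flush
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events; actors and descriptions are made up.
  trail = AuditTrail.new($stdout)
  trail.run(actor: "user:42", description: "Approved batch record") { :approved }
  trail.run(actor: "job:nightly-sync") { :not_logged } # no description, no entry
end
```
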

themangoemoji commented 6 years ago

Duo uses Kibana/Grafana for logging and tracking metrics.