search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
31.22k stars 4.22k forks source link

Configurable additional fields on audit logs #9236

Open patoarvizu opened 4 years ago

patoarvizu commented 4 years ago

Is your feature request related to a problem? Please describe. I'm shipping logs from multiple Vault clusters to a central logging facility and I would need to have a way to differentiate where each line comes from. Right now the prefix field kinda helps, but because it's not a field in the document, it makes it hard to parse/query.

Describe the solution you'd like An additional argument in the audit configuration called something like additional_attributes that's a map of fields to be injected into each audit log line.

Describe alternatives you've considered Using the configured prefix to parse it and inject it, but this solution is kinda fragile.

Explain any additional use-cases Potentially, the fields can also be templatized, e.g.

additional_attributes = {
  environment = "{{ cluster_name }}-prod"
}
hixichen commented 3 years ago

strongly agreed that it would be helpful if there are configured fields:

Example prefix: staging

staging{"time":"2021-01-22T22:19:10.594844586Z","type":"request","auth":{"token_type":"default"},"request":{"id":"94axxxxxx6","operation":"update","mount_type":"utoken","namespace":{"id":"root"},"path":"auth/xxxxx/login","data":{"jwt":"hmac-sha256:6efb53xxxxxx30f"},"remote_address":"10.15.xxx","headers":{"client-id":["e9fd628xxx"],"client-version":["0.1"],"rpc-caller":["myprober"],"x-request-id":["d8ec2xxxxx"]}}}

prefix value here breaks the JSON blob.

It would make sense that even there is only clusterID there with hmac.

Internally, we can have clusterID map to figure out which cluster on our own.

But, it would be convenient if we can directly add fields.