Audit log JSON format

[gulecroc]

Hello,

I would like to collect the audit log in JSON format.

I override the logback.xml file for access component :

• copy the SECURITY_AUDIT appender and set the SecurityAuditJsonLayout layout used by SECURITY_AUDIT_CONSOLE_JSON appender :

  <appender name="SECURITY_AUDIT_FILE_JSON" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <File>${log.dir}/access-security-audit-json.log</File>
  <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
    <layout class="org.jfrog.access.server.logging.layout.security.audit.SecurityAuditJsonLayout">
          </layout>
  </encoder>
  <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
    <FileNamePattern>${log.dir.archived}/access-security-audit-json.%i.log.gz</FileNamePattern>
    <compressLatest>false</compressLatest>
  </rollingPolicy>
  <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
    <MaxFileSize>25MB</MaxFileSize>
  </triggeringPolicy>
  </appender>

• add the appender to the logger :

  <logger name="org.jfrog.access.server.audit.security.AuditLogger" additivity="false">
  <level value="info"/>
  <appender-ref ref="SECURITY_AUDIT"/>
  <appender-ref ref="SECURITY_AUDIT_CONSOLE_JSON"/>
  <appender-ref ref="SECURITY_AUDIT_FILE_JSON"/>
  </logger>

Update the chart values :

artifactory:
  configMaps: |
    access-logback.xml: |
      <!-- PUT THE LOGBACK CONFIG-->
  copyOnEveryStartup:
    - source: /artifactory-configmaps/access-logback.xml
      target: etc/access/logback.xml
  customVolumeMounts: |
    - name: artifactory-configmaps
      mountPath: "/artifactory-configmaps"
  loggers:
    - access-security-audit-json.log

The log output :

• before (access-security-audit.log) :

  2024-11-05T10:39:20.906Z|06de291b1c5617a9|UNKNOWN|UNKNOWN|jfob@01jate6qne9tmj17b9hs3902rx|jfob@01jate6qne9tmj17b9hs3902rx|C|TKN|{"added":{"owner":"jfob@01jate6qne9tmj17b9hs3902rx","created":"1730803160904","expirationTime":"1730803280904","subject":"jfob@01jate6qne9tmj17b9hs3902rx","scope":"internal:usage:w","id":"9b546fe2-c699-467f-9610-c11c7c4ad7e9","type":"generic"}}

• after (access-security-audit-json.log) :

  {"log_name":"access-security-audit.log","audit":{"datetime":"2024-11-05T10:30:35.208Z","traceid":"6dc659d0783fe422:56ffe1823a7f9f95:1b993c82822a49ad:0","performinguserip":"UNKNOWN","performinguser":"UNKNOWN","loggedinprincipal":"jfob@01jate6qne9tmj17b9hs3902rx","entityname":"jfob@01jate6qne9tmj17b9hs3902rx","securityeventtype":"C","securityevent":"TKN","datachanged":"{\"added\":{\"owner\":\"jfob@01jate6qne9tmj17b9hs3902rx\",\"created\":\"1730802635207\",\"expirationTime\":\"1730802755207\",\"subject\":\"jfob@01jate6qne9tmj17b9hs3902rx\",\"scope\":\"internal:usage:w\",\"id\":\"ddd9dcbc-82df-4bf0-a461-39e7f7764c41\",\"type\":\"generic\"}}"}}

The problem is with the field datachanged that is already in JSON format before serialization.

Do you have any solution ?

Thank you.

Guillaume

[gulecroc]

Finally I create the JSON format with the default encoder :

          <appender name="SECURITY_AUDIT_FILE_JSON" class="ch.qos.logback.core.rolling.RollingFileAppender">
            <File>${log.dir}/access-security-audit-json.log</File>
            <encoder>
              <pattern>{"datetime":"%d{yyyy-MM-dd'T'HH:mm:ss.SSS,UTC}Z","traceid":"%formattedCustomUberTraceId","userip":"%X{audit.performingUserIp}","user":"%X{audit.performingUser}","loggedprincipal":"%X{audit.loggedinPrincipal}","entityname":"%X{audit.entityName}","eventtype":"%X{audit.securityEventType}","event":"%X{audit.securityEvent}","datachanged":%X{audit.dataChanged}}%n</pattern>
            </encoder>
            <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
              <FileNamePattern>${log.dir.archived}/access-security-audit-json.%i.log.gz</FileNamePattern>
              <compressLatest>false</compressLatest>
            </rollingPolicy>
            <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
              <MaxFileSize>25MB</MaxFileSize>
            </triggeringPolicy>
          </appender>

But I think we could have a better solution with SecurityAuditJsonLayout.