
Enhance Authentication Audit Logging for Comprehensive Security Visibility

Open lujiefsi opened this issue 6 months ago • 1 comments

Proposed change

Extend the existing audit logging system to provide comprehensive coverage of authentication events. While JetStream API authorization already has audit logging capabilities, the authentication process itself lacks structured and complete audit trails. The proposed enhancements include:

  • Create structured audit records for all authentication events (success and failure)
  • Log detailed information about authentication attempts:
      • Client information (IP, ID, connection type)
      • Authentication method used (username/password, token, NKey, JWT, TLS certificate)
      • Timestamp and duration of authentication process
      • Success/failure status with specific failure reason
  • Track credential changes (password changes, token revocations, etc.)
  • Record TLS certificate validation events
  • Log JWT validation details (issuer verification, expiration checks)
  • Ensure consistent format with existing JetStream API authorization logs
  • Add configuration options to control authentication logging verbosity
  • Provide hooks to forward authentication logs to external systems

This would complement the existing API authorization audit logs (in jetstream_events.go) to provide end-to-end visibility of the security process.

Use case

While NATS already provides audit logging for API authorization events, the authentication process lacks the same level of structured logging. This creates a gap in security visibility that impacts several important use cases:

  • Complete security event timeline: Organizations need to see the full sequence of events from authentication through authorization for comprehensive security analysis.
  • Authentication failure analysis: When authentication issues occur, detailed logs help quickly identify the root cause (expired credentials, misconfigured certificates, etc.).
  • Credential abuse detection: Structured logging of authentication attempts enables detection of potential brute force attacks or credential stuffing.
  • Access pattern analysis: Understanding which authentication methods are being used and their success rates helps optimize security configurations.
  • Compliance requirements: Many regulatory frameworks require logging of all authentication events, not just subsequent API authorizations.

The current implementation includes some debug-level logging for authentication events, but these are not structured for audit purposes and lack the consistency and completeness needed for security monitoring and compliance. This enhancement would close an important gap in NATS' security logging capabilities.

Contribution

No response

lujiefsi, May 08 '25 06:05

You can already receive most of this information via the Connect / Disconnect events, have you looked at those?

ripienaar, May 08 '25 07:05
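
An added example, not part of the issue thread and not nats-server code: the credential abuse detection use case from the issue, run as a sliding-window failure count over constructed records. The record schema (`time`, `client_ip`, `method`, `success`, `reason`), the `FlagSources` name and the window and threshold values are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuthRecord is a hypothetical record (nats-server emits no such schema); only the fields read here.
type AuthRecord struct {
	Time     time.Time `json:"time"`
	ClientIP string    `json:"client_ip"`
	Success  bool      `json:"success"`
}

// sampleLog is constructed input: one JSON record per line, in time order.
const sampleLog = `{"time":"2025-05-08T06:00:00Z","client_ip":"192.0.2.10","method":"password","success":false,"reason":"bad credentials"}
{"time":"2025-05-08T06:00:10Z","client_ip":"192.0.2.10","method":"password","success":false,"reason":"bad credentials"}
{"time":"2025-05-08T06:00:15Z","client_ip":"198.51.100.7","method":"jwt","success":false,"reason":"expired"}
{"time":"2025-05-08T06:00:20Z","client_ip":"192.0.2.10","method":"password","success":false,"reason":"bad credentials"}
{"time":"2025-05-08T06:00:30Z","client_ip":"198.51.100.7","method":"jwt","success":true}`

// FlagSources maps each client IP that reached threshold failed attempts
// inside a sliding window to the highest in-window failure count seen.
func FlagSources(log string, window time.Duration, threshold int) (map[string]int, error) {
	recent, peak := map[string][]time.Time{}, map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		var r AuthRecord
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("bad audit record: %w", err)
		}
		if r.Success {
			continue // only failures count toward the threshold
		}
		ts := append(recent[r.ClientIP], r.Time)
		for r.Time.Sub(ts[0]) > window {
			ts = ts[1:] // drop failures that fell out of the window
		}
		recent[r.ClientIP] = ts
		if len(ts) >= threshold && len(ts) > peak[r.ClientIP] {
			peak[r.ClientIP] = len(ts)
		}
	}
	return peak, nil
}

func main() {
	fmt.Println(FlagSources(sampleLog, time.Minute, 3))
}
```

The single expired-JWT failure followed by a success stays below the threshold, which is the distinction a per-source window gives over a raw failure count.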