tlog
Consider implementing playback correlated with audit
Consider implementing a playback interface which would allow correlating terminal I/O with at least audit messages, all fetched from ElasticSearch. Perhaps we can simply fetch any specified indexes, join them by absolute timestamp and allow scrolling them side-by-side. Say, a bunch of options to tlog-play.
We can have two terminals spawned by tlog-play: one having playback with resizing, another scrolling the joined messages. This wouldn't be terribly useful, but at least would show something. Ultimately it would be good to have synchronous rewinding between those two.
Ideally it should be a web-interface, but it's unlikely I'll be able to master all the required APIs and frameworks by the Milestone deadline.
Perhaps a simple GTK app embedding the terminal widget and some sort of box with the logs would be easy enough and better.
I do not think we can assume Desktop. We can assume browser or terminal. The browser actually would be better since IMO it can combine a terminal and a window. What are we trying to solve with this correlation? IMO we are trying to show what was happening when the user did something on the system. As an admin I want to know what impact on the system the user action that I see in the playback had. So I want to zoom in on the specific user activity in the recording and inspect what was going on under the hood. This seems like the user story we should focus on here.
The correlation between session and audit can be by user and by time. So if we have a tlog playback window and we pause it and then click a line in the input or output, we can pop up a window that will have the filtered subset of the audit entries that happened at this time on the system and are related to the activity of this user. That would be a good starting point. Is this doable? The progression, it seems to me, is:
a) Make playback be in a terminal window.
b) Make the terminal window accessible via browser.
c) Have controls over the terminal window (playback buttons) outside of the terminal window, on the page that embeds the terminal. Allow them to control playback: start, stop, rewind, etc.
d) Allow the page to get information about the selected entry in the terminal. When the user clicks a place in the terminal window, the page should be able to figure out what tlog record this place corresponds to.
e) Pop up a separate window and display the data from the audit feed that corresponds to the tlog playback record identified in d).
This can be built gradually. Pretty much every step adds a value over the previous one and makes the solution more polished.
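The join sketched in both posts above (tlog records and audit messages matched by absolute timestamp and by user, then steps d and e of the progression: map a playback position to a tlog record and pull the audit entries that fall inside it) can be prototyped offline before any web or terminal UI exists. The following is an added illustration written for this thread, not code from tlog or from the posters. It assumes tlog's JSON fields `user`, `session`, `id`, `pos` (milliseconds since the start of the recording) and the `timing` string (`+N` delay in ms, `<N` input characters, `>N` output characters, `=WxH` window size); it further assumes the absolute session start time is known from the stored record (for instance an ingest timestamp in ElasticSearch) and that tlog's `session` corresponds to the `ses=` field of Linux audit events. The tlog records, audit lines and the user-to-uid map are all constructed sample data.

```python
"""Correlate tlog session records with Linux audit events by user and time.

Added example for the tlog playback/audit discussion; not part of tlog.
All records, audit lines and identifiers below are constructed.
"""
import re

# Constructed tlog-style records. "pos" is ms since the recording started;
# "timing" is a tlog timing string. Character counts match in_txt/out_txt.
TLOG_RECORDS = [
    {"user": "alice", "session": 7, "id": 1, "pos": 0,
     "timing": "=80x24<16+350>17",
     "in_txt": "cat /etc/shadow\r", "out_txt": "Permission denied"},
    {"user": "alice", "session": 7, "id": 2, "pos": 5000,
     "timing": "<7+80>5",
     "in_txt": "ls -la\r", "out_txt": "total"},
]

# Assumed absolute start of the recording, as epoch seconds (in ElasticSearch
# this would come from the stored record's timestamp, not from the tlog payload).
SESSION_START = 1700000000.0

# Constructed audit lines in the standard auditd text format.
AUDIT_LINES = [
    'type=USER_LOGIN msg=audit(1699999990.000:100): pid=4000 uid=0 auid=1001 ses=7 msg=\'op=login\'',
    'type=SYSCALL msg=audit(1700000000.120:101): arch=c000003e syscall=257 success=no exit=-13 '
    'ppid=4000 pid=4321 auid=1001 uid=1001 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="access"',
    'type=SYSCALL msg=audit(1700000000.200:104): arch=c000003e syscall=257 success=yes exit=3 '
    'ppid=5000 pid=5321 auid=1002 uid=1002 tty=pts1 ses=9 comm="vim" exe="/usr/bin/vim" key="access"',
    'type=SYSCALL msg=audit(1700000001.900:102): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=5000 pid=5322 auid=1002 uid=1002 tty=pts1 ses=9 comm="git" exe="/usr/bin/git"',
    'type=SYSCALL msg=audit(1700000005.050:103): arch=c000003e syscall=257 success=yes exit=3 '
    'ppid=4000 pid=4322 auid=1001 uid=1001 tty=pts0 ses=7 comm="ls" exe="/usr/bin/ls" key="access"',
]

# Constructed name-to-uid map; tlog stores the user name, audit stores numeric auid.
UID_BY_USER = {"alice": 1001, "bob": 1002}

AUDIT_HDR = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIMING_DELAY = re.compile(r"\+(\d+)")


def parse_audit_line(line):
    """Parse one auditd line into a dict with type, time (epoch float), serial and key=value fields."""
    m = AUDIT_HDR.match(line)
    if not m:
        return None
    ev = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in AUDIT_KV.findall(line[m.end():]):
        ev[key] = val.strip('"')
    return ev


def record_span(session_start, rec, slack_ms=100):
    """Absolute [lo, hi] interval covered by a tlog record.

    Start is session_start + pos; the length is the sum of the "+N" delays in the
    timing string. slack_ms widens the window on both sides to absorb clock and
    ingest jitter between the recorder and auditd.
    """
    duration_ms = sum(int(d) for d in TIMING_DELAY.findall(rec["timing"]))
    start = session_start + rec["pos"] / 1000.0
    return start - slack_ms / 1000.0, start + (duration_ms + slack_ms) / 1000.0


def record_at(records, pos_ms):
    """Step d): map a playback position (ms from session start) to the tlog record
    being replayed there, i.e. the last record that started at or before it."""
    candidates = [r for r in records if r["pos"] <= pos_ms]
    return max(candidates, key=lambda r: r["pos"]) if candidates else None


def correlate(session_start, rec, audit_events, uid_by_user):
    """Step e): audit events inside the record's time window, for the same user.

    Matching on auid is the by-user join; matching on ses= (assumed to equal tlog's
    session field) is the tighter join and is applied only when the event has it.
    """
    lo, hi = record_span(session_start, rec)
    uid = str(uid_by_user[rec["user"]])
    hits = []
    for ev in audit_events:
        if not (lo <= ev["time"] <= hi):
            continue
        if ev.get("auid") != uid:
            continue
        if "ses" in ev and ev["ses"] != str(rec["session"]):
            continue
        hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


AUDIT_EVENTS = [ev for ev in map(parse_audit_line, AUDIT_LINES) if ev is not None]


def audit_for_click(pos_ms, session_start=SESSION_START, records=TLOG_RECORDS,
                    audit_events=AUDIT_EVENTS, uid_by_user=UID_BY_USER):
    """What the pop-up in step e) would show for a click at playback position pos_ms."""
    rec = record_at(records, pos_ms)
    if rec is None:
        return None, []
    return rec, correlate(session_start, rec, audit_events, uid_by_user)


if __name__ == "__main__":
    rec, hits = audit_for_click(120)
    print(f"record {rec['id']} ({rec['in_txt'].strip()!r}):")
    for ev in hits:
        print(f"  {ev['time']:.3f} serial={ev['serial']} {ev['type']} comm={ev.get('comm')} exe={ev.get('exe')}")
```

With the sample data, a click 120 ms into the recording lands on record 1 (the `cat /etc/shadow` line) and yields only audit serial 101, the denied open by auid 1001 in session 7; the `vim` open at nearly the same instant is dropped because it belongs to a different user and session, which is exactly the "related to the activity of this user" filter the second post asks for. The same slack window is what you would tune once real recorder and auditd clocks are compared.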