audit-log-plugin
Not able to change Logger Output Path
Hi,
As written in the official Release announcement: https://www.jenkins.io/blog/2019/09/23/outreachy-audit-log-release/
"The other major feature of this plugin is configuring where to output these audit logs. By default, audit logs will be written in HTML files (rotated once per day) to $JENKINS_HOME/logs/html/audit.html which are viewable through the "Audit Logs" root action link. In the system settings, a section for audit logging is added where the main audit log output can be configured. This can initially be configured to output via either a JSON log file in $JENKINS_HOME/logs/audit.log by default or to a syslog server using RFC5424 encoding."
Is it correct that logging to STDOUT is not supported? After checking the Plugin configuration options in my Jenkins Instance, it seems not to be configurable.
Thanks!
Logging to STDOUT is not supported directly from the UI, no. Typical audit logging should be done to an external append-only data store to prevent tampering with existing audit logs. Please feel free to file an issue (i.e., just update this one to request it as a feature) to add an option to output audit logs to the console (or even more configurable use cases; I'm not super imaginative when it comes to unknown unknowns and am happy to hear some).
In many environments, e.g. Kubernetes/container-based environments or public cloud, log streaming via STDOUT is a standard. Thanks for your quick answer @jvz!
According to this file there should be configurable logs already, but I can't even see that: https://github.com/jenkinsci/audit-log-plugin/blob/master/src/main/resources/io/jenkins/plugins/audit/config/AuditLogConfiguration/help-logDestination.html
The log destination is only used for the JSON layout at the moment (which I now think should probably be reverted to using the syslog layout for compactness; the JSON layout is far too verbose to keep a long audit log, as discovered in #71). While I don't think it would be too complicated to add support for outputting the log to the console, from a security point of view, I'm not a big fan of encouraging it. Perhaps there's a more K8s-native way we should integrate here? See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ for example.
@jvz what about running this plugin with an instance of Jenkins which is not running on K8s? The plugin should be generic, right? Independent of the underlying container runtime. There are enough people who even run Jenkins without containers.
Right, that's why we focused on the syslog socket configuration first as running a syslog daemon has been a standard way to collect logs for decades. Note that I can probably be convinced to include this option, but I'd like to know how we can make it apparent to users that secure audit logs require append-only log stores. When we offload that to stdout, it would be important to warn users to store those logs properly.
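The concern raised in this thread, that audit lines streamed to stdout or syslog are only trustworthy if the store behind them resists rewriting, can be illustrated on the collector side. The following is an added example, not part of the thread or the plugin's code: it appends each received line to a file opened with `O_APPEND` and hash-chains the records so that edits and truncation are detectable. The function names, the record layout and the sample lines are assumptions made for this sketch.

```python
import hashlib
import json
import os

GENESIS = "0" * 64  # anchor value for the first record's "prev" field

# Constructed RFC 5424-style sample lines (not real plugin output).
SAMPLE_LINES = [
    "<110>1 2019-09-23T10:00:00Z ci.example.org jenkins - login - user=alice",
    "<110>1 2019-09-23T10:05:00Z ci.example.org jenkins - createItem - user=alice",
    "<110>1 2019-09-23T10:09:00Z ci.example.org jenkins - logout - user=alice",
]


def _digest(prev_hash, message):
    return hashlib.sha256(f"{prev_hash}\n{message}".encode("utf-8")).hexdigest()


def append_record(path, message):
    """Append one audit line chained to the previous record; return its hash."""
    prev = GENESIS
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                prev = json.loads(line)["hash"]
    record = {"prev": prev, "msg": message, "hash": _digest(prev, message)}
    # O_APPEND: the kernel places every write at the current end of file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        os.write(fd, (json.dumps(record) + "\n").encode("utf-8"))
    finally:
        os.close(fd)
    return record["hash"]


def verify(path, expected_head=None):
    """Return the index of the first bad record, the record count if the
    tail was cut (needs expected_head), or None when the chain is intact."""
    prev, count = GENESIS, 0
    with open(path, encoding="utf-8") as fh:
        for count, line in enumerate(fh, start=1):
            record = json.loads(line)
            if record["prev"] != prev or record["hash"] != _digest(prev, record["msg"]):
                return count - 1
            prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return count
    return None
```

The hash returned by the latest `append_record` call has to be kept somewhere the Jenkins host cannot write to; without it, `verify` catches edited records but not a cleanly truncated tail.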