Bug 13714 - JSON audit logging is difficult to use
Summary: JSON audit logging is difficult to use
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.9.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks: 13737
  Show dependency treegraph
Reported: 2018-12-14 03:07 UTC by Andrew Bartlett
Modified: 2019-02-05 14:08 UTC (History)
3 users (show)

See Also:

patch for 4.9 (87.72 KB, patch)
2018-12-17 04:23 UTC, Andrew Bartlett
gary: review+
Updated patch for 4.9 (88.52 KB, patch)
2019-01-08 20:24 UTC, Gary Lockyer
timbeale: review+
Updated patch for 4.9 (87.26 KB, text/plain)
2019-01-14 21:00 UTC, Gary Lockyer
timbeale: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2018-12-14 03:07:19 UTC
The JSON audit logging is prefixed with a JSON Authentication:  and had a debug header on it.  This makes log ingestion much harder then it needs to be.
Comment 1 Andrew Bartlett 2018-12-17 04:23:21 UTC
Created attachment 14741 [details]
patch for 4.9

To backport these changes, I had to backport the JSON API change as well.

This is a user-visible change, but given that bug 13715 was not noticed until now either, I suspect there were no users, so we should pay good heed to the feedback we now have and make the logs easier to digest.
Comment 2 Andrew Bartlett 2018-12-17 04:24:37 UTC
Under test at https://gitlab.com/samba-team/samba/merge_requests/168
Comment 3 Karolin Seeger 2019-01-08 12:02:28 UTC
Pushed to autobuild-v4-9-test.
Comment 4 Gary Lockyer 2019-01-08 20:24:59 UTC
Created attachment 14757 [details]
Updated patch for 4.9

Fixed signature of the mock audit_log_json.

diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
index de3785463ec..2d868699b14 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
@@ -752,19 +752,16 @@ static void test_get_primary_group_dn(void **state)
  * Mocking for audit_log_json to capture the called parameters
-const char *audit_log_json_prefix = NULL;
 struct json_object *audit_log_json_message = NULL;
 int audit_log_json_debug_class = 0;
 int audit_log_json_debug_level = 0;
 void audit_log_json(
-	const char* prefix,
 	struct json_object* message,
 	int debug_class,
 	int debug_level)
-	audit_log_json_prefix = prefix;
 	audit_log_json_message = message;
 	audit_log_json_debug_class = debug_class;
 	audit_log_json_debug_level = debug_level;
Comment 5 Karolin Seeger 2019-01-09 08:37:48 UTC
Removed from autobuild-v4-9-test, breaks make.
Waiting for review.
Comment 6 Karolin Seeger 2019-01-14 09:18:06 UTC
Re-tried to apply after applying patch from bug #13715, but it fails:

Wende an: json: Modify API to use return codes
error: Anwendung des Patches fehlgeschlagen: auth/auth_log.c:204
error: auth/auth_log.c: Patch konnte nicht angewendet werden
Anwendung des Patches fehlgeschlagen bei 0001 json: Modify API to use return codes
Comment 7 Gary Lockyer 2019-01-14 21:00:41 UTC
Created attachment 14770 [details]
Updated patch for 4.9
Comment 8 Gary Lockyer 2019-01-21 20:07:48 UTC
Re-assigning to Karolin for 4.9.next
Comment 9 Karolin Seeger 2019-01-31 09:43:25 UTC
(In reply to Gary Lockyer from comment #8)
Pushed to autobuild-v4-9-test.
Comment 10 Karolin Seeger 2019-02-05 14:08:31 UTC
Pushed to v4-9-test.
Closing out bug report.