Bug 13714 - JSON audit logging is difficult to use
JSON audit logging is difficult to use
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.9.3
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks: 13737
  Show dependency treegraph
 
Reported: 2018-12-14 03:07 UTC by Andrew Bartlett
Modified: 2019-01-21 20:07 UTC (History)
3 users (show)

See Also:


Attachments
patch for 4.9 (87.72 KB, patch)
2018-12-17 04:23 UTC, Andrew Bartlett
gary: review+
Details
Updated patch for 4.9 (88.52 KB, patch)
2019-01-08 20:24 UTC, Gary Lockyer
timbeale: review+
Details
Updated patch for 4.9 (87.26 KB, text/plain)
2019-01-14 21:00 UTC, Gary Lockyer
timbeale: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2018-12-14 03:07:19 UTC
The JSON audit logging is prefixed with a JSON Authentication:  and had a debug header on it.  This makes log ingestion much harder then it needs to be.
Comment 1 Andrew Bartlett 2018-12-17 04:23:21 UTC
Created attachment 14741 [details]
patch for 4.9

To backport these changes, I had to backport the JSON API change as well.

This is a user-visible change, but given that bug 13715 was not noticed until now either, I suspect there were no users, so we should pay good heed to the feedback we now have and make the logs easier to digest.
Comment 2 Andrew Bartlett 2018-12-17 04:24:37 UTC
Under test at https://gitlab.com/samba-team/samba/merge_requests/168
Comment 3 Karolin Seeger 2019-01-08 12:02:28 UTC
Pushed to autobuild-v4-9-test.
Comment 4 Gary Lockyer 2019-01-08 20:24:59 UTC
Created attachment 14757 [details]
Updated patch for 4.9

Fixed signature of the mock audit_log_json.

diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
index de3785463ec..2d868699b14 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c
@@ -752,19 +752,16 @@ static void test_get_primary_group_dn(void **state)
 /*
  * Mocking for audit_log_json to capture the called parameters
  */
-const char *audit_log_json_prefix = NULL;
 struct json_object *audit_log_json_message = NULL;
 int audit_log_json_debug_class = 0;
 int audit_log_json_debug_level = 0;
 
 
 void audit_log_json(
-	const char* prefix,
 	struct json_object* message,
 	int debug_class,
 	int debug_level)
 {
-	audit_log_json_prefix = prefix;
 	audit_log_json_message = message;
 	audit_log_json_debug_class = debug_class;
 	audit_log_json_debug_level = debug_level;
Comment 5 Karolin Seeger 2019-01-09 08:37:48 UTC
Removed from autobuild-v4-9-test, breaks make.
Waiting for review.
Comment 6 Karolin Seeger 2019-01-14 09:18:06 UTC
Re-tried to apply after applying patch from bug #13715, but it fails:

Wende an: json: Modify API to use return codes
error: Anwendung des Patches fehlgeschlagen: auth/auth_log.c:204
error: auth/auth_log.c: Patch konnte nicht angewendet werden
Anwendung des Patches fehlgeschlagen bei 0001 json: Modify API to use return codes
Comment 7 Gary Lockyer 2019-01-14 21:00:41 UTC
Created attachment 14770 [details]
Updated patch for 4.9
Comment 8 Gary Lockyer 2019-01-21 20:07:48 UTC
Re-assigning to Karolin for 4.9.next