disable audit logging to db by default#51686
Conversation
daxmc99
force-pushed
the
dax/remove_audit_log
branch
5 times, most recently
from
6f87466 to
716d22f
Compare
schema/site.schema.json
Outdated
| "location": { | ||
| "description": "Where to output the audit log", | ||
| "type": "string", | ||
| "enum": ["none", "stdout", "database", "both"], | ||
| "default": "none" | ||
| } |
There was a problem hiding this comment.
is the plan to make it possible to also render audit logs in the database? right now the implementation only touches the security event logs
IMO: we should never introduce an option for audit logs to go to database, that sounds disastrous. we should have a completely separate field for securityEventLogs that dictates the destination:
{
"auditLog": { ... }
"securityEvents": {
"location": "auditlogs" // enum: ["none", "auditlogs", "database", "all"]
}
}security event logs !== audit logs, and we should be careful to not conflate the two 😅 the only overlap is that security event logs also can be rendered as audit logs
There was a problem hiding this comment.
+1 to create another top level config for security events,
it's really confusing for me to see a mix of config for two totally different things
like can I use severityLevel to tune the verbose level for securityEvents? (you can't, but that's the point)
There was a problem hiding this comment.
+1 from me. It's confusing to understand what I am configuring if we put both at the same level.
There was a problem hiding this comment.
Changed to be another property at the top-level Log
schema/site.schema.json
Outdated
| "location": { | ||
| "description": "Where to output the audit log", | ||
| "type": "string", | ||
| "enum": ["none", "stdout", "database", "both"], | ||
| "default": "none" | ||
| } |
There was a problem hiding this comment.
+1 from me. It's confusing to understand what I am configuring if we put both at the same level.
daxmc99
force-pushed
the
dax/remove_audit_log
branch
from
b1fc79f to
2c8457e
Compare
daxmc99
force-pushed
the
dax/remove_audit_log
branch
from
2c8457e to
3069900
Compare
|
Codenotify: Notifying subscribers in CODENOTIFY files for diff b2e59d0...bee3f1f.
|
| } | ||
|
|
||
| func (s *securityEventLogsStore) InsertList(ctx context.Context, events []*SecurityEvent) error { | ||
| cfg := conf.SiteConfig() |
There was a problem hiding this comment.
TODO: consider refactoring this out of hot path
There was a problem hiding this comment.
this is a fairly minimal concern I think, there is usually a cache in front of this. The alternative would be to have a conf.Watch that updates securityEventLogsStore but store instances are typically set up on the fly so that might not be feasible
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
bobheadxi
left a comment
bobheadxi
left a comment
There was a problem hiding this comment.
I think the changelog entry needs more rewording, no longer writing to DB by default is a significant change in behaviour
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
CHANGELOG.md
Outdated
| - Added the ability to block auto-indexing scheduling and inference via the `codeintel_autoindexing_exceptions` Postgres table. [#51578](https://github.com/sourcegraph/sourcegraph/pull/51578) | ||
| - When an admin has configured rollout windows for Batch Changes changesets, the configuration details are now visible to all users on the Batch Changes settings page. [#50479](https://github.com/sourcegraph/sourcegraph/pull/50479) | ||
| - Added support for regular expressions in`exclude` repositories for GitLab code host connections. [#51862](https://github.com/sourcegraph/sourcegraph/pull/51862) | ||
| - Security event logs no longer write to database by default - instead, they will be written in the [audit log format](https://docs.sourcegraph.com/admin/audit_log) to console. There is a new site config setting `log.securityEventLogs` that can be used to configure security event logs to write to database if the old behaviour is desired. This new default will significantly improve performance for large instances. In addition, the old environment variable `SRC_DISABLE_LOG_PRIVATE_REPO_ACCESS` no longer does anything. [#51686](https://github.com/sourcegraph/sourcegraph/pull/51686) |
There was a problem hiding this comment.
nit - can this just replace the entry in Changed? i.e. just move this whole thing down
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
Co-authored-by: Robert Lin <robert@bobheadxi.dev>
…52571) As of https://github.com/sourcegraph/sourcegraph/pull/51686 we will no longer write audit logs to DB by default. I noticed this background prune job is causing high load on a customer instance, and I think this should be disabled by default now as well. While here, I also removed the log15 usages from this file. ## Test plan n/a
Security event logs are no longer logged to the `security_event_log` table by default after this change. They are now configurable through the site_config --------- Co-authored-by: Robert Lin <robert@bobheadxi.dev>
…52571) As of https://github.com/sourcegraph/sourcegraph/pull/51686 we will no longer write audit logs to DB by default. I noticed this background prune job is causing high load on a customer instance, and I think this should be disabled by default now as well. While here, I also removed the log15 usages from this file. ## Test plan n/a
| - Access tokens now begin with the prefix `sgp_` to make them identifiable as secrets. You can also prepend `sgp_` to previously generated access tokens, although they will continue to work as-is without that prefix. | ||
| - The commit message defined in a batch spec will now be quoted when git is invoked, i.e. `git commit -m "commit message"`, to improve how the message is interpreted by the shell in certain edge cases, such as when the commit message begins with a dash. This may mean that previous escaping strategies will behave differently. | ||
| - 429 errors from external services Sourcegraph talks to are only retried automatically if the Retry-After header doesn't indicate that a retry would be useless. The time grace period can be configured using `SRC_HTTP_CLI_EXTERNAL_RETRY_AFTER_MAX_DURATION` and `SRC_HTTP_CLI_INTERNAL_RETRY_AFTER_MAX_DURATION`. [#51743](https://github.com/sourcegraph/sourcegraph/pull/51743) | ||
| - Security Events NO LONGER write to database by default - instead, they will be written in the [audit log format](https://docs.sourcegraph.com/admin/audit_log) to console. There is a new site config setting `log.securityEventLogs` that can be used to configure security event logs to write to database if the old behaviour is desired. This new default will significantly improve performance for large instances. In addition, the old environment variable `SRC_DISABLE_LOG_PRIVATE_REPO_ACCESS` no longer does anything. [#51686](https://github.com/sourcegraph/sourcegraph/pull/51686) |
There was a problem hiding this comment.
This should be log.securityEventLog not log.securityEventLogs
7 participants
This modifies our audit configuration. After this
security_event_logswill be output to stdout in our audit log format by default.Test plan
Go tests included in this PR