Add stdout as an optional audit backend #2195

Closed

broamski
Contributor

If deploying Vault in a container, it is convenient to be able to write audit logs to stdout so that they can be picked up via standard container log collection methods.

This also eliminates the need to worry about log rotation inside of a container.

@jefferai
Member

I worry about interleaving issues here given that Vault also writes things to stdout at various points.

@broamski
Contributor Author

I agree with you on this one. You can accomplish the same end goal as this PR by setting the file-path backend to a symbolic link that targets /dev/stdout. I submitted this because it feels a bit more proper and not as clunky as the aforementioned solution. I'd hope any user's log aggregation tool of choice could be able to discern structured vs. unstructured data.

Some top-of-mind solutions to avoid interleaving are:

  1. Add an option to output application logs to its own logging backend. This seems to go against the logxi manifesto - https://github.com/mgutz/logxi#extending
  2. Add an option to output application logs as JSON

@broamski
Contributor Author

Pardon my ignorance, it looks like VAULT_LOG_FORMAT=json is already a thing.

@jefferai
Member

VAULT_LOG_FORMAT is a non-documented thing because we don't yet promise that the output will not change. We are likely not to stick with logxi long-term although we think that with any other logging library we will still keep this format (we have some internal discussions around standardized structured logging to implement across projects). We don't really feel beholden to the logxi manifesto -- it's just a tool :-)

One way that this could possibly be accomplished would be to not write directly to stdout but instead to pass in the logger in use by the rest of Vault and use its underlying output, since this is mutex-protected to avoid interleaving. I don't remember offhand whether there is direct access to the output but that's potentially something we could add. Essentially, if looking at the logformat package, return a vaultFormatter with a shared mutex, then add a "raw" style. The writer itself would have to get plumbed out too, though.
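
The shared, mutex-protected output suggested in the comment above, as an added example that is not part of this pull request or of Vault's code. `sharedWriter`, `WriteRecord`, `runDemo` and the sample records are hypothetical names and constructed data; a `bytes.Buffer` stands in for stdout.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"sync"
)

type sharedWriter struct {
	mu  sync.Mutex // held while one whole record is written
	out io.Writer  // the single stream both log producers share
}

// WriteRecord emits one whole line under the lock so records cannot interleave.
func (w *sharedWriter) WriteRecord(rec string) error {
	w.mu.Lock()
	defer w.mu.Unlock()
	_, err := io.WriteString(w.out, rec+"\n")
	return err
}

// runDemo races n audit and n operational writers; returns lines written and lines damaged.
func runDemo(n int) (total, broken int) {
	var buf bytes.Buffer // stands in for stdout; unsafe for concurrent writes on its own
	w := &sharedWriter{out: &buf}
	var wg sync.WaitGroup
	emit := func(rec string) {
		defer wg.Done()
		w.WriteRecord(rec)
	}
	for i := 0; i < n; i++ {
		wg.Add(2)
		entry, _ := json.Marshal(map[string]interface{}{"type": "request", "id": i})
		go emit(string(entry))                                   // constructed audit entry
		go emit(fmt.Sprintf("[INFO ] core: sample event %d", i)) // constructed log line
	}
	wg.Wait()
	lines := strings.Split(strings.TrimSpace(buf.String()), "\n")
	for _, line := range lines {
		if !json.Valid([]byte(line)) && !strings.HasPrefix(line, "[INFO ] core: sample event ") {
			broken++
		}
	}
	return len(lines), broken
}

func main() { fmt.Println(runDemo(200)) }
```

The guarantee only holds if every producer goes through the same lock and hands over a complete record per call; a component that writes to the stream directly bypasses it.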

@jefferai
Member

Closing in favor of the work going on in #3235
