Skip to content

[RORDEV-2016] Audit improvements#320

Open
mgoworko wants to merge 2 commits into
developfrom
RORDEV-2016
Open

[RORDEV-2016] Audit improvements#320
mgoworko wants to merge 2 commits into
developfrom
RORDEV-2016

Conversation

@mgoworko

@mgoworko mgoworko commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Documentation
    • Updated the audit configuration guide with a new master switch, clarified ACL decision logging controls, and refined sink routing guidance.
    • Expanded block-level audit behavior documentation, including how audit disabling affects default ACL log emissions.
    • Reworked log output documentation with new logger routing guidance and added support for an ACL serializer (limited to log outputs).
    • Updated index and data stream output guidance, including delivery warnings and revised operational steps.
    • Refreshed audit serializer documentation, aligning allowed-event serialization behavior with block settings.

@coderabbitai

This comment was marked as spam.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@details/audit.md`:
- Line 461: Update the audit docs to use the same log4j2.properties path as
other docs: replace the occurrence of "$ES_PATH_CONF/config/log4j2.properties"
in details/audit.md with "$ES_PATH_CONF/log4j2.properties" and keep the
surrounding guidance about matching the logger name to the logger_name value
(default readonlyrest_audit) intact so references remain consistent with
elasticsearch.md and the debug logging docs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b6cb9bf-403f-43d8-8dfc-41fd875af9a9

📥 Commits

Reviewing files that changed from the base of the PR and between 9a86134 and 6518c59.

📒 Files selected for processing (1)
  • details/audit.md

Comment thread details/audit.md

#### Custom logging settings via log4j2

For advanced log configuration — custom patterns, external syslog appenders, etc. — configure the logger in `$ES_PATH_CONF/config/log4j2.properties`. The logger name must match the `logger_name` value in the output config (or the default `readonlyrest_audit`):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for references to log4j2.properties path in documentation
rg -n "log4j2\.properties" -g "*.md" -C2

Repository: beshu-tech/readonlyrest-docs

Length of output: 2315


🏁 Script executed:

#!/bin/bash
# List all occurrences of both path variants and print tight context
rg -n "\$ES_PATH_CONF/(config/)?log4j2\.properties" -g "*.md" -C2

Repository: beshu-tech/readonlyrest-docs

Length of output: 54


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== occurrences of \$ES_PATH_CONF/config/log4j2.properties =="
rg -n "\$ES_PATH_CONF/config/log4j2\.properties" -g "*.md" -C2 || true

echo
echo "== occurrences of \$ES_PATH_CONF/log4j2.properties =="
rg -n "\$ES_PATH_CONF/log4j2\.properties" -g "*.md" -C2 || true

Repository: beshu-tech/readonlyrest-docs

Length of output: 186


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== occurrences of config/log4j2.properties (no $ prefix) =="
rg -n "config/log4j2\.properties" -g "*.md" -C2 || true

echo
echo "== occurrences of log4j2.properties (no config/) =="
rg -n "(^|[^/])log4j2\.properties" -g "*.md" -C2 || true

echo
echo "== show details/audit.md around line ~450-470 =="
nl -ba details/audit.md | sed -n '445,470p'
echo
echo "== show elasticsearch.md around line ~3000-3135 =="
nl -ba elasticsearch.md | sed -n '2985,3150p'

Repository: beshu-tech/readonlyrest-docs

Length of output: 2138


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== details/audit.md around line 461 =="
awk 'NR>=452 && NR<=468 {printf "%d:%s\n", NR, $0}' details/audit.md

echo
echo "== elasticsearch.md around line 3010-3020 =="
awk 'NR>=3008 && NR<=3020 {printf "%d:%s\n", NR, $0}' elasticsearch.md

echo
echo "== elasticsearch.md around line 3110-3120 =="
awk 'NR>=3110 && NR<=3120 {printf "%d:%s\n", NR, $0}' elasticsearch.md

echo
echo "== elasticsearch.md around line 3122-3140 =="
awk 'NR>=3122 && NR<=3140 {printf "%d:%s\n", NR, $0}' elasticsearch.md

Repository: beshu-tech/readonlyrest-docs

Length of output: 2922


Align log4j2.properties path in audit docs

  • details/audit.md points to $ES_PATH_CONF/config/log4j2.properties, but elsewhere in the docs (elasticsearch.md, debug logging) the path is $ES_PATH_CONF/log4j2.properties. Update details/audit.md to use the same documented path.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@details/audit.md` at line 461, Update the audit docs to use the same
log4j2.properties path as other docs: replace the occurrence of
"$ES_PATH_CONF/config/log4j2.properties" in details/audit.md with
"$ES_PATH_CONF/log4j2.properties" and keep the surrounding guidance about
matching the logger name to the logger_name value (default readonlyrest_audit)
intact so references remain consistent with elasticsearch.md and the debug
logging docs.

Comment thread details/audit.md

You can configure multiple outputs for audit events. When the audit is enabled, at least one output has to be defined.
If you omit `outputs` definition, the default `index` output will be used.
**Note**: Even when `audit.enabled` is `false` or not set, the built-in ACL log is a special case — it writes a human-readable decision line to Elasticsearch logs for every request by default. See [The default ACL log](#the-default-acl-log) below.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe when we talk about defaults, we could show what the explicitly defined equivalent would look like?

Comment thread details/audit.md Outdated
| Setting | Default | Description |
|---|---|---|
| `enabled` | `false` | Master switch for the audit subsystem |
| `default_acl_log_enabled` | `true` | Controls the built-in ACL log sink (see below) |

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use "output" and "sink" words. Is this required or/and interntionl? Or maybe we can just use "output" in every place?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to output everywhere

Comment thread details/audit.md Outdated
- name: Admin users
auth_key: admin:admin
audit:
# keep both sinks active (default behaviour)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we miss sth here? I see "audit:" and the comment only

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I meant an empty audit section, but that is not a very useful example, so now without audit: and with better comment.

Comment thread details/audit.md
name: custom-acl-log
logger_name: my.custom.acl.logger
serializer:
type: acl # reproduces the built-in ACL log format

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, but it would be nice to tell users about the format. Because I assume the format stays the same here.
And what bout the logger_name. What's this? Users may not know.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added explanation what logger_name does and that acl serializer produces the same format as the built-in acl log

Comment thread details/audit.md

`enabled_audit_sinks` and `disabled_audit_sinks` are mutually exclusive — you cannot specify both on the same block.

**⚠️IMPORTANT**: When `audit.enabled: false` for a specific block, there will be no audit events at all when that block is matched — this suppresses both custom outputs and the default ACL log. **This is a change in behaviour from previous versions**, where block-level `audit: {enabled: false}` only suppressed the ES audit sinks while the ACL log continued to write.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But what about verbosity? I didn't check it yet, but I assume we have backward compatibility, so if someone declares verbosity: info explicitly, it should be treated as enabled ACL log with log_allowed_events: true` right?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Yes, verbosity: info maps to Block.Audit.Enabled(logAllowedEvents = true) with all sinks active, so the ACL log continues to work exactly as before
  2. The IMPORTANT note applies only when audit: {enabled: false} is set explicitly in a block, which maps to Block.Audit.Disabled and suppresses everything

Blocks using verbosity settings are unaffected - never mapped to Disabled.

Comment thread details/audit.md
default_acl_log_enabled: true
outputs:
- type: index
name: my-index-sink

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we describe what this is? Is this required? If not, when users need it

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added explanation

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
details/audit.md (1)

475-475: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Fix unresolved log4j2.properties path from previous review.

Line 475 still documents $ES_PATH_CONF/config/log4j2.properties, but the previous review explicitly identified that other documentation (elasticsearch.md, debug logging docs) uses $ES_PATH_CONF/log4j2.properties without the /config/ segment. This inconsistency will confuse users who copy the path. Update to $ES_PATH_CONF/log4j2.properties.

📝 Proposed fix
-For advanced log configuration — custom patterns, external syslog appenders, etc. — configure the logger in `$ES_PATH_CONF/config/log4j2.properties`. The logger name must match the `logger_name` value in the output config (or the default `readonlyrest_audit`):
+For advanced log configuration — custom patterns, external syslog appenders, etc. — configure the logger in `$ES_PATH_CONF/log4j2.properties`. The logger name must match the `logger_name` value in the output config (or the default `readonlyrest_audit`):
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@details/audit.md` at line 475, The audit logging documentation still
references the wrong log4j2.properties location, causing an inconsistency with
the other docs. Update the path in the audit configuration guidance to use
$ES_PATH_CONF/log4j2.properties instead of
$ES_PATH_CONF/config/log4j2.properties, and keep the surrounding text about the
logger name and readonlyrest_audit behavior unchanged.
🧹 Nitpick comments (3)
details/audit.md (3)

73-73: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Clarify "sinks" vs "outputs" terminology in prose.

The prose still uses "sinks" in multiple places (e.g., line 73 "per-block sink routing", line 80 "sinks", line 141-142 "sink names") despite the past review resolution to use "output" everywhere. Since the YAML keys remain *_audit_sinks, consider standardizing prose to "output" while parenthetically noting the configuration key names, or add a brief note early in the document that "sink" refers to the configuration key *_audit_sinks while "output" refers to the conceptual destination. This will reduce reader confusion.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@details/audit.md` at line 73, The audit docs prose still mixes “sinks” and
“outputs,” which conflicts with the preferred terminology. Update the wording in
the documentation sections around outputs, block-level routing, and sink names
so the conceptual term is consistently “output,” and only mention
`*_audit_sinks` parenthetically when referring to the YAML keys. If needed, add
a short note near the top of the document clarifying that “output” is the
conceptual destination and `*_audit_sinks` is the configuration key used for
routing.

141-142: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use "output" instead of "sink" in table descriptions.

The table descriptions for enabled_audit_sinks and disabled_audit_sinks use "sink names" but should use "output names" for consistency with the resolution to standardize on "output" terminology. The YAML key names in the left column already make the configuration key clear.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@details/audit.md` around lines 141 - 142, Update the table descriptions for
enabled_audit_sinks and disabled_audit_sinks in audit.md to use “output names”
instead of “sink names” for consistency with the standardized terminology. Keep
the configuration keys unchanged, and adjust the wording in those two rows so
the descriptions refer to audit.outputs and default_acl_log as output names
rather than sinks.

500-500: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use "output" instead of "sink" for consistency.

"custom log sink" should be "custom log output" to align with the resolution to standardize on "output" terminology throughout the document.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@details/audit.md` at line 500, The wording in the audit document uses
inconsistent terminology for the logging destination; update the phrase in the
affected section to use “output” instead of “sink” so it matches the
standardized terminology used elsewhere. Look for the “custom log sink” wording
in the audit content and replace it with “custom log output” without changing
the surrounding meaning.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@details/audit.md`:
- Line 475: The audit logging documentation still references the wrong
log4j2.properties location, causing an inconsistency with the other docs. Update
the path in the audit configuration guidance to use
$ES_PATH_CONF/log4j2.properties instead of
$ES_PATH_CONF/config/log4j2.properties, and keep the surrounding text about the
logger name and readonlyrest_audit behavior unchanged.

---

Nitpick comments:
In `@details/audit.md`:
- Line 73: The audit docs prose still mixes “sinks” and “outputs,” which
conflicts with the preferred terminology. Update the wording in the
documentation sections around outputs, block-level routing, and sink names so
the conceptual term is consistently “output,” and only mention `*_audit_sinks`
parenthetically when referring to the YAML keys. If needed, add a short note
near the top of the document clarifying that “output” is the conceptual
destination and `*_audit_sinks` is the configuration key used for routing.
- Around line 141-142: Update the table descriptions for enabled_audit_sinks and
disabled_audit_sinks in audit.md to use “output names” instead of “sink names”
for consistency with the standardized terminology. Keep the configuration keys
unchanged, and adjust the wording in those two rows so the descriptions refer to
audit.outputs and default_acl_log as output names rather than sinks.
- Line 500: The wording in the audit document uses inconsistent terminology for
the logging destination; update the phrase in the affected section to use
“output” instead of “sink” so it matches the standardized terminology used
elsewhere. Look for the “custom log sink” wording in the audit content and
replace it with “custom log output” without changing the surrounding meaning.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ff7af288-de00-432f-b0f7-dcca1dccd0b8

📥 Commits

Reviewing files that changed from the base of the PR and between 6518c59 and bb71f72.

📒 Files selected for processing (1)
  • details/audit.md

@mgoworko mgoworko requested a review from coutoPL July 1, 2026 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants