From 3145dae212c82b9e766e2ab406115b56cc3cd879 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 13 Dec 2018 13:53:08 +1300 Subject: [PATCH] audit_logging: Remove debug log header and JSON Authentication: prefix Feedback from real-world users is that they really want raw JSON strings in the log. We can not easily remove the leading " " but the other strings above and before the JSON are really annoying to strip back off BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714 Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer (cherry-picked from edab1318f9138c0d87de7cc7cfa5da8e29c906f8 and modified for v4-9 by Gary Lockyer) --- auth/auth_log.c | 13 ++++--------- lib/audit_logging/audit_logging.c | 19 ++++++++++++------- lib/audit_logging/audit_logging.h | 3 +-- source4/dsdb/samdb/ldb_modules/audit_log.c | 5 ----- source4/dsdb/samdb/ldb_modules/group_audit.c | 2 -- .../dsdb/samdb/ldb_modules/tests/test_group_audit.c | 3 --- 6 files changed, 17 insertions(+), 28 deletions(-) diff --git a/auth/auth_log.c b/auth/auth_log.c index 3e81730ef14..1df112d9a8b 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -78,11 +78,10 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui); static void log_json(struct imessaging_context *msg_ctx, struct loadparm_context *lp_ctx, struct json_object *object, - const char *type, int debug_class, int debug_level) { - audit_log_json(type, object, debug_class, debug_level); + audit_log_json(object, debug_class, debug_level); if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) { audit_message_send(msg_ctx, AUTH_EVENT_NAME, 
@@ -102,9 +101,8 @@ static void log_json(struct imessaging_context *msg_ctx, * To process the resulting log lines from the commend line use jq to * parse the json. * - * grep "JSON Authentication" log file | - * sed 's;^[^{]*;;' | - * jq -rc '"\(.timestamp)\t\(.Authentication.status)\t + * grep "^ {" log file | + * jq -rc '"\(.timestamp)\t\(.Authentication.status)\t * \(.Authentication.clientDomain)\t * \(.Authentication.clientAccount) * \t\(.Authentication.workstation) @@ -272,7 +270,6 @@ static void log_authentication_event_json( log_json(msg_ctx, lp_ctx, &wrapper, - AUTH_JSON_TYPE, DBGC_AUTH_AUDIT_JSON, debug_level); json_free(&wrapper); @@ -300,8 +297,7 @@ failure: * To process the resulting log lines from the commend line use jq to * parse the json. * - * grep "JSON Authentication" log_file |\ - * sed "s;^[^{]*;;" |\ + * grep "^ {" log_file |\ * jq -rc '"\(.timestamp)\t * \(.Authorization.domain)\t * \(.Authorization.account)\t @@ -409,7 +405,6 @@ static void log_successful_authz_event_json( log_json(msg_ctx, lp_ctx, &wrapper, - AUTHZ_JSON_TYPE, DBGC_AUTH_AUDIT_JSON, debug_level); json_free(&wrapper); diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c index ac08863129a..4ae18fb773b 100644 --- a/lib/audit_logging/audit_logging.c +++ b/lib/audit_logging/audit_logging.c @@ -105,13 +105,11 @@ const struct json_object json_empty_object = {.valid = false, .root = NULL}; * * Write the json object to the audit logs as a formatted string * - * @param prefix Text to be printed at the start of the log line * @param message The content of the log line. * @param debub_class The debug class to log the message with. * @param debug_level The debug level to log the message with. */ -void audit_log_json(const char* prefix, - struct json_object* message, +void audit_log_json(struct json_object* message, int debug_class, int debug_level) { 
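Review bot: The replacement pipeline in this comment, `grep "^ {" log file | jq -rc ...`, no longer selects authentication records; it matches every header-less JSON line. After this commit the dsdb operation, password, group and transaction audit calls emit lines of the same shape. If those classes are written to the same log file, the jq expression would print null columns for the non-Authentication records, which misleads anyone building reporting or detection from this example. I would filter on the wrapper key the expression already uses, e.g. `jq -rc 'select(.Authentication != null) | "\(.timestamp)\t..."'`. The same applies to the Authorization example in the `@@ -300` hunk, with `select(.Authorization != null)`.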
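Review bot: The doc comment above audit_log_json drops `@param prefix` but does not record the new output contract: the line is now written without the debug header and without any type label. Log consumers depend on that, so I would add a sentence such as ` * The line is written without the debug header, so a record is identifiable only by its own JSON content.` The remaining `@param debub_class` is misspelled and should read `debug_class`. The function body lies outside this hunk.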
@@ -126,13 +124,20 @@ void audit_log_json(const char* prefix, ctx = talloc_new(NULL); s = json_to_string(ctx, message); if (s == NULL) { - DBG_ERR("json_to_string for (%s) returned NULL, " - "JSON audit message could not written\n", - prefix); + DBG_ERR("json_to_string returned NULL, " + "JSON audit message could not written\n"); TALLOC_FREE(ctx); return; } - DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", prefix, s)); + /* + * This is very strange, but we call this routine to get a log + * output without the header. JSON logs all have timestamps + * so this only makes parsing harder. + * + * We push out the raw JSON blob without a prefix, consumers + * can find such lines by the leading { + */ + DEBUGADDC(debug_class, debug_level, ("%s\n", s)); TALLOC_FREE(ctx); } diff --git a/lib/audit_logging/audit_logging.h b/lib/audit_logging/audit_logging.h index 84738d2bb93..f91efc39478 100644 --- a/lib/audit_logging/audit_logging.h +++ b/lib/audit_logging/audit_logging.h @@ -42,8 +42,7 @@ extern const struct json_object json_empty_object; #define JSON_ERROR -1 -void audit_log_json(const char *prefix, - struct json_object *message, +void audit_log_json(struct json_object *message, int debug_class, int debug_level); void audit_message_send(struct imessaging_context *msg_ctx, diff --git a/source4/dsdb/samdb/ldb_modules/audit_log.c b/source4/dsdb/samdb/ldb_modules/audit_log.c index dd714bca4e1..16acf146194 100644 --- a/source4/dsdb/samdb/ldb_modules/audit_log.c +++ b/source4/dsdb/samdb/ldb_modules/audit_log.c @@ -1139,7 +1139,6 @@ static void log_standard_operation( struct json_object json; json = operation_json(module, request, reply); audit_log_json( - OPERATION_JSON_TYPE, &json, DBGC_DSDB_AUDIT_JSON, OPERATION_LOG_LVL); @@ -1160,7 +1159,6 @@ static void log_standard_operation( struct json_object json; json = password_change_json(module, request, reply); audit_log_json( - PASSWORD_JSON_TYPE, &json, DBGC_DSDB_PWD_AUDIT_JSON, PASSWORD_LOG_LVL); 
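Review bot: The failure path in audit_log_json now logs only `json_to_string returned NULL`, with nothing that identifies the dropped record. A gap in the audit trail can therefore no longer be attributed to an event class from the error line alone. The debug class is still in scope and could be reported, e.g. `DBG_ERR("json_to_string returned NULL for debug class %d, JSON audit message could not be written\n", debug_class);`, which also fixes the "could not written" wording. Separately, the new block comment says consumers find these lines by the leading `{`, while the examples in auth/auth_log.c grep for `^ {`; the comment should mention the leading whitespace. The start of the function is outside this hunk.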
@@ -1221,7 +1219,6 @@ static void log_replicated_operation( struct json_object json; json = replicated_update_json(module, request, reply); audit_log_json( - REPLICATION_JSON_TYPE, &json, DBGC_DSDB_AUDIT_JSON, REPLICATION_LOG_LVL); @@ -1311,7 +1308,6 @@ static void log_transaction( &audit_private->transaction_guid, duration); audit_log_json( - TRANSACTION_JSON_TYPE, &json, DBGC_DSDB_TXN_AUDIT_JSON, log_level); @@ -1384,7 +1380,6 @@ static void log_commit_failure( reason, &audit_private->transaction_guid); audit_log_json( - TRANSACTION_JSON_TYPE, &json, DBGC_DSDB_TXN_AUDIT_JSON, log_level); diff --git a/source4/dsdb/samdb/ldb_modules/group_audit.c b/source4/dsdb/samdb/ldb_modules/group_audit.c index d5c9bbdaa1e..2a6c1163c86 100644 --- a/source4/dsdb/samdb/ldb_modules/group_audit.c +++ b/source4/dsdb/samdb/ldb_modules/group_audit.c @@ -507,7 +507,6 @@ static void log_primary_group_change( group, status); audit_log_json( - AUDIT_JSON_TYPE, &json, DBGC_DSDB_GROUP_AUDIT_JSON, GROUP_LOG_LVL); @@ -582,7 +581,6 @@ static void log_membership_change( group, status); audit_log_json( - AUDIT_JSON_TYPE, &json, DBGC_DSDB_GROUP_AUDIT_JSON, GROUP_LOG_LVL); diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c index de3785463ec..2d868699b14 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c +++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c 
@@ -752,19 +752,16 @@ static void test_get_primary_group_dn(void **state) /* * Mocking for audit_log_json to capture the called parameters */ -const char *audit_log_json_prefix = NULL; struct json_object *audit_log_json_message = NULL; int audit_log_json_debug_class = 0; int audit_log_json_debug_level = 0; void audit_log_json( - const char* prefix, struct json_object* message, int debug_class, int debug_level) { - audit_log_json_prefix = prefix; audit_log_json_message = message; audit_log_json_debug_class = debug_class; audit_log_json_debug_level = debug_level; -- 2.11.4.GIT