Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't include log messages with log level "AUDIT" in regular service log file #4538

Merged
merged 6 commits into from
Feb 7, 2019
Merged

Don't include log messages with log level "AUDIT" in regular service log file #4538

merged 6 commits into from
Feb 7, 2019

Conversation

Kami
Copy link
Member

@Kami Kami commented Feb 6, 2019
edited
Loading

This pull request resolves an issue with log messages with log level AUDIT ending up in regular service log file (<service>.log) in addition to the service audit log file (<service>.audit.log).

Background

We implemented AUDIT log level by adding a new log level constant which contains the highest log level number (CRITICAL + 10).

Default Python log level filtering works using "include log messages with log level and above" approach. This means messages with AUDIT log level will always be included in the logs because AUDIT is the highest level.

In most cases that's not desired. That's especially true for production deployment where default log level is INFO and we have dedicated log file with audit log messages. We don't want audit log messages to also end up in the regular service log file where they just cause noise.

Implementation wise, I needed to implement it using a log filter - we exclude log messages with level AUDIT if log level is set to INFO or higher, but not to AUDIT. I couldn't make a simpler change like setting AUDIT log level constant to lower than INFO, because then we would have the opposite problem (non AUDIT messages would also end up in the audit log file).

NOTE: To aid with the debugging, AUDIT log messages are also included in a regular service log file if log level is set to DEBUG of if system.debug config option is set to True. When debug is enabled there are many more log messages coming from other places so AUDIT should be the least of your concerns :)

Resolves #4502 (thanks to @nmaludy for reporting it).

TODO

  • Integration tests

@Kami Kami added this to the 2.10.2 milestone Feb 6, 2019
Kami added 3 commits February 6, 2019 11:15
@Kami
Update service_setup service entry / bootstrap code so we exclude log
70b8de5 
messages with log level "AUDIT" if log level is set to INFO or higher.

This way we avoid issues with duplicate AUDIT messages in production
deployments.

In production deployments default log level is set to INFO which means
that all service log files will also contain AUDIT log messages because
AUDIT level if the highest.

This is not desired, because we already log AUDIT log messages in a
dedicated AUDIT log file.

NOTE: Audit messages will still go in the service log file is log level
is set to DEBUG (that's desired during debugging).
@Kami
Add changelog entry.
5602508
@Kami
Update changelog entry.
09feb5d
@Kami Kami force-pushed the audit_logging_duplication_fix branch from b5ed972 to 09feb5d Compare February 6, 2019 10:16
@Kami Kami mentioned this pull request Feb 6, 2019
Closed
@Kami
Copy link
Member Author

Kami commented Feb 6, 2019

Added integration tests in 11111ff.

@Kami Kami merged commit 2f7ef92 into master Feb 7, 2019
@Kami Kami deleted the audit_logging_duplication_fix branch February 7, 2019 19:44
@Kami Kami mentioned this pull request Feb 18, 2019
Merged
@Kami
Copy link
Member Author

Kami commented Apr 8, 2019

Randomly found out just now while debugging some other things that this doesn't work correctly on production gunicorn deployments.

I believe issue is related to another change, I'm digging in.

Kami added a commit that referenced this pull request Apr 8, 2019
@Kami
Use correct gunicorn logging config with st2 packages.
ff2976b 
Not doing that means change / fix in #4538 won't work since regular
config which includes DEBUG and AUDIT will be used over gunicorn one.
@Kami Kami mentioned this pull request Apr 8, 2019
Merged
@Kami
Copy link
Member Author

Kami commented Apr 8, 2019

^Second time is the charm - #4621.

The code was correct, but we were using incorrect logging config for API services with packages so those log messages weren't filtered out by default.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LindsayHill LindsayHill LindsayHill approved these changes

Assignees
No one assigned
Labels
bug logging
Projects
None yet
Milestone
2.10.2
Development

Successfully merging this pull request may close these issues.

Ability to filter out AUDIT logs
2 participants
@Kami @LindsayHill