Not able to change Logger Output Path #76

Open
gluehbirnenkopf opened this issue Nov 3, 2020 · 5 comments
Labels
enhancement New feature or request

Comments

@gluehbirnenkopf

gluehbirnenkopf commented Nov 3, 2020

Hi,

As written in the official Release announcement:
https://www.jenkins.io/blog/2019/09/23/outreachy-audit-log-release/

"The other major feature of this plugin is configuring where to output these audit logs. By default, audit logs will be written in HTML files (rotated once per day) to $JENKINS_HOME/logs/html/audit.html which are viewable through the "Audit Logs" root action link. In the system settings, a section for audit logging is added where the main audit log output can be configured. This can initially be configured to output via either a JSON log file in $JENKINS_HOME/logs/audit.log by default or to a syslog server using RFC5424 encoding."

Is it correct that logging to STDOUT is not supported? After checking the Plugin configuration options in my Jenkins Instance, it seems not to be configurable.

Thanks!

@jvz
Member

jvz commented Nov 3, 2020

Logging to STDOUT is not supported directly from the UI, no. Typical audit logging should be done to an external append-only data store to prevent tampering with existing audit logs. Please feel free to file an issue (i.e., just update this one to request it as a feature) to add an option to output audit logs to the console (or even more configurable use cases; I'm not super imaginative when it comes to unknown unknowns and am happy to hear some).

@jvz added the enhancement label Nov 3, 2020
@gluehbirnenkopf
Author

gluehbirnenkopf commented Nov 4, 2020

In many environments, e.g. Kubernetes/container-based environments or public cloud, log streaming via STDOUT is a standard. Thanks for your quick answer @jvz!

According to this file there should be configurable logs already, but I can't even see that:
https://github.com/jenkinsci/audit-log-plugin/blob/master/src/main/resources/io/jenkins/plugins/audit/config/AuditLogConfiguration/help-logDestination.html

@jvz
Member

jvz commented Nov 4, 2020

The log destination is only used for the JSON layout at the moment (which I now think should probably be reverted to using the syslog layout for compactness; the JSON layout is far too verbose to keep a long audit log, as discovered in #71). While I don't think it would be too complicated to add support for outputting the log to the console, from a security point of view, I'm not a big fan of encouraging it. Perhaps there's a more K8s-native way we should integrate here? See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ for example.

@gluehbirnenkopf
Author

@jvz what about running this plugin with an instance of Jenkins which is not running on K8s?
The plugin should be generic, right? Independent of the underlying container runtime. There are enough people who even run Jenkins without a container.

@jvz
Member

jvz commented Nov 9, 2020

Right, that's why we focused on the syslog socket configuration first as running a syslog daemon has been a standard way to collect logs for decades. Note that I can probably be convinced to include this option, but I'd like to know how we can make it apparent to users that secure audit logs require append-only log stores. When we offload that to stdout, it would be important to warn users to store those logs properly.
