Overview of how service and audit logging works in Convier
Updated for version: 0.2511.35
Convier produces two different types of logs: Service logs and Audit logs.
The service logs contain a mix of access log entries and other internal service-related log entries. They are produced using log4j. An excerpt from an access log:
2024-12-18T07:29:11: [INFO] INFO - 123.123.123.123 - [email protected] [18/Dec/2024:07:29:11 +0000] "PUT /convier/api/read/aml_platform_develop/main/count HTTP/1.1" 200 53 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)"
2024-12-18T07:29:11: [INFO] INFO - Post-filtering 157 found links
2024-12-18T07:29:11: [INFO] INFO - 123.123.123.123 - [email protected] [18/Dec/2024:07:29:11 +0000] "POST /convier/api/async-read/aml_platform_develop/main/request HTTP/1.1" 200 18406 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)"
The access log format may be modified using the LOG_FORMAT environment setting. See the Undertow documentation for more information.
The audit log is written to Azure Log Service or a SQL database of your choice, but it must be enabled. To prevent traces of misuse from being removed, it is recommended that users of Convier do not have access to this database themselves.
Use the configuration settings:

- INTERNAL_AUDIT_LOG_JDBC_CONNECTION_STRING (mandatory, Convier will not start if not set)
- INTERNAL_AUDIT_LOG_JDBC_USERNAME
- INTERNAL_AUDIT_LOG_JDBC_PASSWORD

Tables and fields in the audit logging database are created automatically.

- https://$endpointName.$region.ingest.monitor.azure.com)
- convier_audit_log
- { "oidc_client_id":"guid", "BRANCH":"main", "USER_ID":"[email protected]", "PAYLOAD":"{}", "TOPIC":"SEARCH", "RESPONSE":"{\"status\":\"OK\"}", "PROJECT_ID":"prod" }
- dcr-...)
- Custom-$name_CL)
- https://$endpointName.$region.ingest.monitor.azure.com/dataCollectionRules/$dcrImmutableId/streams/$tableName?api-version=2023-01-01
- AZURE_AUDIT_LOG_WORKSPACE_URL to the full URL
- Monitoring Metrics Publisher on the Data Collection Rule
- Log Analytics Reader to users who should be able to query the audit log
- Workspace ID and set as environment variable AZURE_AUDIT_LOG_WORKSPACE_ID in Convier
- AZURE_AUDIT_LOG_WORKSPACE_URL. It defaults to https://{workspaceId}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
- Agents, then Linux and copy the Primary Key value. Set as environment variable AZURE_AUDIT_LOG_SHARED_KEY in Convier
- CONVIER_AUDIT_LOG_CL is created automatically. The name can be overridden by setting the environment variable AZURE_AUDIT_LOG_TABLE_NAME (_CL is added automatically). Make sure to adjust retention settings per your needs (default is 30 days)
- GOOGLE_PROJECT_ID and GOOGLE_LOG_SINK_ID and restart service
- GOOGLE_LOG_SINK_ID_PROJECT_ID if a separate project is used for logging

An audit log entry contains the following fields:
We currently do not include raw response payloads in the audit log, as they may be quite large. Audit log entries are written to the database immediately; they are not written in batches.
These are the topics being logged:

- connect_to_source
- search
- browse_data
- load_object
- get_linked_objects
- count
- compute_analytics
- load_report_data
- report_save
- report_other_action

An example log entry on the search topic:
| field | value |
|---|---|
| project_id | aml |
| branch | main |
| timestamp | 2024-12-10T10:00:00Z |
| user_id | [email protected] |
| topic | search |
| payload | {"query":"test","fields":["CUSTOMER_NAME"],"sourceIds":["dwh"]} |
| response | {"status": "OK", "primary_related_object_ids": []} |
The field primary_related_object_ids contains references to loaded objects, if any. As of version 0.2601.7 it is populated for the topics:

- load_object: loaded objects
- load_report_data: the report object and all “connected objects” (e.g. customer associated with a task)

It is not populated for the topics search and compute_analytics, as they are covered by previous or subsequent load_object audit entries.
To find user actions in the logs that correspond to opening a data view on a particular object:
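One way to run this lookup over exported audit entries, as an added example (not Convier's own code). It assumes entries are available as dictionaries with the fields from the table above; the function names, object ids and users are constructed for illustration.

```python
import json

# Topics for which the page says primary_related_object_ids is populated.
OBJECT_TOPICS = {"load_object", "load_report_data"}

def related_ids(row):
    """Object ids referenced by one normalised audit row, or [] if none."""
    if str(row.get("topic", "")).lower() not in OBJECT_TOPICS:
        return []
    response = row.get("response")
    try:
        # The response field holds JSON text; accept an already-decoded dict too.
        body = response if isinstance(response, dict) else json.loads(response)
    except (TypeError, ValueError):
        return []  # missing or unparsable response: nothing to match on
    ids = body.get("primary_related_object_ids") if isinstance(body, dict) else None
    return [str(i) for i in ids] if isinstance(ids, list) else []

def who_opened(entries, object_id):
    """Return (timestamp, user_id, topic) for every entry that loaded object_id."""
    hits = []
    for entry in entries:
        # Field-name case differs between the examples on the page, so lower it.
        row = {k.lower(): v for k, v in entry.items()}
        if object_id in related_ids(row):
            hits.append((row.get("timestamp"), row.get("user_id"),
                         str(row["topic"]).lower()))
    return sorted(hits, key=lambda h: str(h[0]))

def _entry(ts, user, topic, ids):
    # Constructed sample row using the field names from the table above.
    return {"project_id": "aml", "branch": "main", "timestamp": ts, "user_id": user,
            "topic": topic, "payload": "{}",
            "response": json.dumps({"status": "OK", "primary_related_object_ids": ids})}

# Constructed entries; object ids and users are made up for illustration.
SAMPLE = [
    _entry("2024-12-10T10:02:00Z", "analyst2@example.test", "load_report_data", ["task-7", "cust-1001"]),
    _entry("2024-12-10T10:00:00Z", "analyst1@example.test", "search", []),
    _entry("2024-12-10T10:01:00Z", "analyst1@example.test", "load_object", ["cust-1001"]),
    _entry("2024-12-10T10:03:00Z", "analyst3@example.test", "load_object", ["cust-2002"]),
    {"TIMESTAMP": "2024-12-10T10:04:00Z", "USER_ID": "analyst4@example.test",
     "TOPIC": "LOAD_OBJECT", "RESPONSE": '{"primary_related_object_ids": ["cust-1001"]}'},
    {"TOPIC": "LOAD_OBJECT", "USER_ID": "analyst5@example.test", "RESPONSE": "not json"},
]

if __name__ == "__main__":
    for hit in who_opened(SAMPLE, "cust-1001"):
        print(*hit)
```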