Documentation
Index ¶
- Constants
- Variables
- type AuditLog
- type AuditLogManager
- func CreateAuditLogManager(backend *gorm.DB, service string, enabled bool) (*AuditLogManager, error)
- func (m *AuditLogManager) CarveAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) ConfAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) Create(logLine *AuditLog) error
- func (m *AuditLogManager) CreateNew(username, line, ip string, logType, severity, envID uint) error
- func (m *AuditLogManager) Denied(username, path, ip, reason string, logType, envID uint)
- func (m *AuditLogManager) EnvAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) FailedEnroll(ip, envName, reason string, envID uint)
- func (m *AuditLogManager) FailedLogin(username, ip, reason string)
- func (m *AuditLogManager) GetAll() ([]AuditLog, error)
- func (m *AuditLogManager) GetByEnv(envID uint) ([]AuditLog, error)
- func (m *AuditLogManager) GetBySeverityEnv(severity, envID uint) ([]AuditLog, error)
- func (m *AuditLogManager) GetByTypeEnv(logType, envID uint) ([]AuditLog, error)
- func (m *AuditLogManager) GetEnvActivityBucketed(envID uint, since time.Time, bucketSeconds int) ([]EnvActivityBucketRow, error)
- func (m *AuditLogManager) GetEnvSince(envID uint, since time.Time) ([]AuditLog, error)
- func (m *AuditLogManager) GetPaged(f PageFilter) ([]AuditLog, int64, error)
- func (m *AuditLogManager) LogTypeToString(logType uint) string
- func (m *AuditLogManager) New(username, line, ip string, logType, severity, envID uint) (AuditLog, error)
- func (m *AuditLogManager) NewCarve(username, path, ip string, envID uint)
- func (m *AuditLogManager) NewLogin(username, ip string)
- func (m *AuditLogManager) NewLogout(username, ip string)
- func (m *AuditLogManager) NewQuery(username, query, ip string, envID uint)
- func (m *AuditLogManager) NewToken(username, ip string)
- func (m *AuditLogManager) NodeAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) Permissions(username, action, ip string, envID uint)
- func (m *AuditLogManager) QueryAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) SavedQueryAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) SettingsAction(username, action, ip string)
- func (m *AuditLogManager) SeverityToString(severity uint) string
- func (m *AuditLogManager) TagAction(username, action, ip string, envID uint)
- func (m *AuditLogManager) UserAction(username, action, ip string)
- func (m *AuditLogManager) Visit(username, path, ip string, envID uint)
- type EnvActivityBucketRow
- type PageFilter
Constants ¶
const (
	// Log types
	LogTypeLogin       = 1
	LogTypeLogout      = 2
	LogTypeNode        = 3
	LogTypeQuery       = 4
	LogTypeCarve       = 5
	LogTypeTag         = 6
	LogTypeEnvironment = 7
	LogTypeSetting     = 8
	LogTypeVisit       = 9
	LogTypeUser        = 10
	// Severities
	SeverityInfo    = 1
	SeverityWarning = 2
	SeverityError   = 3
	// No environment action
	NoEnvironment = 0
)
const (
	// Log type strings
	LogTypeLoginStr   = "Login"
	LogTypeLogoutStr  = "Logout"
	LogTypeNodeStr    = "Node"
	LogTypeQueryStr   = "Query"
	LogTypeCarveStr   = "Carve"
	LogTypeTagStr     = "Tag"
	LogTypeEnvStr     = "Environment"
	LogTypeSettingStr = "Setting"
	LogTypeVisitStr   = "Visit"
	LogTypeUserStr    = "User"
	LogTypeUnknown    = "Unknown"
	// Severity strings
	SeverityInfoStr    = "Info"
	SeverityWarningStr = "Warning"
	SeverityErrorStr   = "Error"
	SeverityUnknownStr = "Unknown"
)
Variables ¶
var LogTypes = map[uint]struct{}{
LogTypeLogin: {},
LogTypeLogout: {},
LogTypeNode: {},
LogTypeQuery: {},
LogTypeCarve: {},
LogTypeTag: {},
LogTypeEnvironment: {},
LogTypeSetting: {},
LogTypeVisit: {},
LogTypeUser: {},
}
LogTypes - allowlist of valid log_type filter values. Used by the paginated filter to reject arbitrary integers (defense in depth — the underlying column is uint so junk values just match nothing, but we surface a 400 to the SPA instead of an empty response).
Functions ¶
This section is empty.
Types ¶
type AuditLog ¶
type AuditLog struct {
gorm.Model
Service string
Username string
Line string
LogType uint
Severity uint
SourceIP string
EnvironmentID uint
}
AuditLog to store all audit logs
type AuditLogManager ¶
AuditLogManager for audit logs
func CreateAuditLogManager ¶
func CreateAuditLogManager(backend *gorm.DB, service string, enabled bool) (*AuditLogManager, error)
CreateAuditLogManager to initialize the audit log struct and tables
func (*AuditLogManager) CarveAction ¶
func (m *AuditLogManager) CarveAction(username, action, ip string, envID uint)
CarveAction - create new carve action audit log entry
func (*AuditLogManager) ConfAction ¶
func (m *AuditLogManager) ConfAction(username, action, ip string, envID uint)
ConfAction - create new configuration action audit log entry
func (*AuditLogManager) Create ¶
func (m *AuditLogManager) Create(logLine *AuditLog) error
Create new audit log entry
func (*AuditLogManager) CreateNew ¶
func (m *AuditLogManager) CreateNew(username, line, ip string, logType, severity, envID uint) error
CreateNew - create new audit log entry
func (*AuditLogManager) Denied ¶ added in v0.5.2
func (m *AuditLogManager) Denied(username, path, ip, reason string, logType, envID uint)
Denied records a 403/forbidden access attempt at SeverityWarning so SOC dashboards can surface cross-tenant probes. logType pins the resource class (LogTypeEnvironment for env handlers, LogTypeNode for node handlers, and so on). envID is the env the resource lives in, or NoEnvironment when the deny happened before env resolution. reason is short free text; never echo the offered credential back into it.
func (*AuditLogManager) EnvAction ¶
func (m *AuditLogManager) EnvAction(username, action, ip string, envID uint)
EnvAction - create new environment action audit log entry
func (*AuditLogManager) FailedEnroll ¶ added in v0.5.2
func (m *AuditLogManager) FailedEnroll(ip, envName, reason string, envID uint)
FailedEnroll records a failed osquery-node enrollment attempt (invalid env secret, denied env, malformed payload) at SeverityWarning, scoped to the env named in the request path. envID is NoEnvironment (0) when the env itself was the reason for the failure.
func (*AuditLogManager) FailedLogin ¶ added in v0.5.2
func (m *AuditLogManager) FailedLogin(username, ip, reason string)
FailedLogin records a failed login attempt: invalid credentials, missing permission, or any other reason the login flow refused to mint a token. reason is a short free-text string suitable for SOC alerting and MUST NOT contain the offered password. Recorded at SeverityWarning so it stands out next to the successful-login firehose.
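The rule that reason must never carry the offered password is easiest to keep when the login flow can only hand FailedLogin a fixed vocabulary of reasons. The following is an added example, not code from the package documented here: it drives the three failure paths FailedLogin names (unknown user, bad password, missing permission) through an in-memory sink that exposes the same FailedLogin / NewLogin signatures as AuditLogManager. The MemoryAudit sink, the account directory, the SHA-256 stand-in for a real password hash and the ReasonX strings are all assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Log type and severity values copied from the package constants.
const (
	LogTypeLogin    uint = 1
	SeverityInfo    uint = 1
	SeverityWarning uint = 2
)

// Fixed vocabulary for the reason field. Every failure maps onto one of these,
// so the audit line can never carry the offered password.
const (
	ReasonUnknownUser  = "unknown user"
	ReasonBadPassword  = "invalid password"
	ReasonNoPermission = "missing admin permission"
)

// ErrLoginRefused is the single error returned for every failure; the HTTP
// response stays generic and the specific reason goes to the audit log only.
var ErrLoginRefused = errors.New("login refused")

// AuditEntry is a local stand-in for the package's AuditLog row.
type AuditEntry struct {
	Username string
	Line     string
	LogType  uint
	Severity uint
	SourceIP string
}

// MemoryAudit is a hypothetical in-memory sink with the same FailedLogin and
// NewLogin signatures as AuditLogManager, so the flow runs without a database.
type MemoryAudit struct{ Entries []AuditEntry }

func (m *MemoryAudit) FailedLogin(username, ip, reason string) {
	m.Entries = append(m.Entries, AuditEntry{username, "Failed login: " + reason, LogTypeLogin, SeverityWarning, ip})
}

func (m *MemoryAudit) NewLogin(username, ip string) {
	m.Entries = append(m.Entries, AuditEntry{username, "Successful login", LogTypeLogin, SeverityInfo, ip})
}

type account struct {
	hash  [32]byte
	admin bool
}

// users is a constructed sample directory. SHA-256 stands in for the slow
// password hash (bcrypt/argon2) a real login flow would use.
var users = map[string]account{
	"alice": {sha256.Sum256([]byte("correct horse")), true},
	"bob":   {sha256.Sum256([]byte("hunter2")), false},
}

// dummyHash is compared against for unknown users so that path costs the same
// as a real comparison and does not leak which usernames exist.
var dummyHash = sha256.Sum256([]byte("no such user"))

// Login authenticates an admin-UI user and writes exactly one audit entry per
// attempt. It returns the reason it recorded ("" on success) so a test can
// check that the password never reaches the audit line.
func Login(sink *MemoryAudit, username, password, ip string) (string, error) {
	offered := sha256.Sum256([]byte(password))
	acct, known := users[username]
	expected := dummyHash
	if known {
		expected = acct.hash
	}
	match := subtle.ConstantTimeCompare(expected[:], offered[:]) == 1
	reason := ""
	switch {
	case !known:
		reason = ReasonUnknownUser
	case !match:
		reason = ReasonBadPassword
	case !acct.admin:
		reason = ReasonNoPermission
	}
	if reason != "" {
		sink.FailedLogin(username, ip, reason)
		return reason, ErrLoginRefused
	}
	sink.NewLogin(username, ip)
	return "", nil
}

func main() {
	sink := &MemoryAudit{}
	for _, try := range [][2]string{{"alice", "wrong password"}, {"mallory", "x"}, {"bob", "hunter2"}, {"alice", "correct horse"}} {
		Login(sink, try[0], try[1], "203.0.113.7")
	}
	for _, e := range sink.Entries {
		fmt.Printf("sev=%d user=%s ip=%s line=%q\n", e.Severity, e.Username, e.SourceIP, e.Line)
	}
}
```

Two design points carry over to a real handler: the caller gets one opaque ErrLoginRefused for every path, so the distinction between "unknown user" and "bad password" lives only in the privileged audit log, and the comparison runs against a dummy hash for unknown users so timing does not reveal which accounts exist. The username itself is still attacker-supplied input (people paste passwords into the wrong field), so a production sink should cap its length before storing it.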
func (*AuditLogManager) GetAll ¶
func (m *AuditLogManager) GetAll() ([]AuditLog, error)
GetAll - get all audit logs
func (*AuditLogManager) GetByEnv ¶
func (m *AuditLogManager) GetByEnv(envID uint) ([]AuditLog, error)
GetByEnv - get audit logs by environment
func (*AuditLogManager) GetBySeverityEnv ¶
func (m *AuditLogManager) GetBySeverityEnv(severity, envID uint) ([]AuditLog, error)
GetBySeverityEnv - get audit logs by severity and environment
func (*AuditLogManager) GetByTypeEnv ¶
func (m *AuditLogManager) GetByTypeEnv(logType, envID uint) ([]AuditLog, error)
GetByTypeEnv - get audit logs by type and environment
func (*AuditLogManager) GetEnvActivityBucketed ¶ added in v0.5.2
func (m *AuditLogManager) GetEnvActivityBucketed(envID uint, since time.Time, bucketSeconds int) ([]EnvActivityBucketRow, error)
GetEnvActivityBucketed — returns audit-log counts grouped by bucket and log_type for one env, pushing the binning into SQL. Replaces the in-process histogram over GetEnvSince.
func (*AuditLogManager) GetEnvSince ¶ added in v0.5.2
func (m *AuditLogManager) GetEnvSince(envID uint, since time.Time) ([]AuditLog, error)
GetEnvSince returns every audit row for the env since the given cutoff, with only log_type and created_at populated (Pluck-style). Used by the activity heatmap so the dashboard can render a 24-hour fleet-activity strip without scanning the full audit_logs table. It selects fewer columns than GetByEnv to keep the payload small: 24 hours of a busy env is still small enough to ship to the SPA, and trimming to two columns keeps the SQL fast.
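To make the bucketing concrete, here is an added example (not the package's code) that computes the same (bucket_start, log_type, cnt) rows GetEnvActivityBucketed returns, but in-process over rows of the shape GetEnvSince yields, i.e. the histogram the SQL version replaced. bucket_start is the Unix second of the bucket's left edge, created_at truncated down to a multiple of bucketSeconds. The constructed sample rows, the Postgres-flavoured BucketQuery string and the rejection of a non-positive width are assumptions of the example; the page does not say what the package does with a zero bucketSeconds or which SQL dialect it targets.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Log type values copied from the package constants.
const (
	LogTypeLogin uint = 1
	LogTypeQuery uint = 4
	LogTypeVisit uint = 9
)

// EnvActivityBucketRow mirrors the package struct (gorm tags omitted).
type EnvActivityBucketRow struct {
	BucketStart int64
	LogType     uint
	Cnt         int64
}

// row is the two-column projection GetEnvSince returns, plus the env it
// belongs to so the filter can be shown as well.
type row struct {
	EnvID     uint
	LogType   uint
	CreatedAt time.Time
}

// ErrBadBucket rejects a non-positive width before it reaches any arithmetic;
// in SQL a zero width would be a division by zero.
var ErrBadBucket = errors.New("bucketSeconds must be positive")

// BucketQuery is the Postgres-flavoured statement this example assumes for the
// SQL-side version. The width is bound twice as a parameter, never
// interpolated into the string; deleted_at IS NULL honours gorm.Model's soft delete.
const BucketQuery = `SELECT (FLOOR(EXTRACT(EPOCH FROM created_at) / ?) * ?)::bigint AS bucket_start,
       log_type, COUNT(*) AS cnt
  FROM audit_logs
 WHERE environment_id = ? AND created_at >= ? AND deleted_at IS NULL
 GROUP BY bucket_start, log_type
 ORDER BY bucket_start, log_type`

// BucketActivity is the in-process histogram: the same rows the SQL produces,
// computed over rows already fetched. Output is sorted by bucket then log type.
func BucketActivity(rows []row, envID uint, since time.Time, bucketSeconds int) ([]EnvActivityBucketRow, error) {
	if bucketSeconds <= 0 {
		return nil, ErrBadBucket
	}
	w := int64(bucketSeconds)
	type key struct {
		bucket  int64
		logType uint
	}
	counts := map[key]int64{}
	for _, r := range rows {
		if r.EnvID != envID || r.CreatedAt.Before(since) {
			continue
		}
		ts := r.CreatedAt.Unix()
		counts[key{ts - ts%w, r.LogType}]++ // truncate down to the bucket's left edge
	}
	out := make([]EnvActivityBucketRow, 0, len(counts))
	for k, n := range counts {
		out = append(out, EnvActivityBucketRow{k.bucket, k.logType, n})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].BucketStart != out[j].BucketStart {
			return out[i].BucketStart < out[j].BucketStart
		}
		return out[i].LogType < out[j].LogType
	})
	return out, nil
}

// sampleRows is a constructed morning of activity for env 1, plus one row from
// env 2 and one from before the cutoff, to show both get excluded.
func sampleRows() []row {
	base := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	return []row{
		{1, LogTypeLogin, base.Add(5 * time.Minute)},
		{1, LogTypeVisit, base.Add(7 * time.Minute)},
		{1, LogTypeVisit, base.Add(59 * time.Minute)},
		{1, LogTypeQuery, base.Add(61 * time.Minute)},
		{1, LogTypeQuery, base.Add(3 * time.Hour)},
		{2, LogTypeQuery, base.Add(3 * time.Hour)},
		{1, LogTypeLogin, base.Add(-1 * time.Hour)},
	}
}

func main() {
	base := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	rows, err := BucketActivity(sampleRows(), 1, base, 3600)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%s type=%d cnt=%d\n", time.Unix(r.BucketStart, 0).UTC().Format(time.RFC3339), r.LogType, r.Cnt)
	}
}
```

With hourly buckets the sample collapses to four rows (login and two visits in the first hour, one query in the second, one in the fourth); with a 900-second width the 00:59 visit moves into its own bucket. Whichever side does the binning, validate bucketSeconds before it is bound, and bind it rather than formatting it into the SQL text.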
func (*AuditLogManager) GetPaged ¶ added in v0.5.2
func (m *AuditLogManager) GetPaged(f PageFilter) ([]AuditLog, int64, error)
GetPaged returns audit logs filtered + paginated. Ordering is fixed at created_at DESC so the SPA always shows newest first.
Returns (rows, totalItems, error). totalItems is computed with the same WHERE clause as the page itself, which costs one extra COUNT round-trip.
func (*AuditLogManager) LogTypeToString ¶
func (m *AuditLogManager) LogTypeToString(logType uint) string
LogTypeToString to convert log type to string
func (*AuditLogManager) New ¶
func (m *AuditLogManager) New(username, line, ip string, logType, severity, envID uint) (AuditLog, error)
New audit log entry
func (*AuditLogManager) NewCarve ¶
func (m *AuditLogManager) NewCarve(username, path, ip string, envID uint)
NewCarve - create new carve audit log entry
func (*AuditLogManager) NewLogin ¶
func (m *AuditLogManager) NewLogin(username, ip string)
NewLogin - create new login audit log entry
func (*AuditLogManager) NewLogout ¶
func (m *AuditLogManager) NewLogout(username, ip string)
NewLogout - create new logout audit log entry
func (*AuditLogManager) NewQuery ¶
func (m *AuditLogManager) NewQuery(username, query, ip string, envID uint)
NewQuery - create new query audit log entry
func (*AuditLogManager) NewToken ¶
func (m *AuditLogManager) NewToken(username, ip string)
NewToken - create new token audit log entry
func (*AuditLogManager) NodeAction ¶
func (m *AuditLogManager) NodeAction(username, action, ip string, envID uint)
NodeAction - create new node action audit log entry
func (*AuditLogManager) Permissions ¶
func (m *AuditLogManager) Permissions(username, action, ip string, envID uint)
Permissions - create new permissions action audit log entry
func (*AuditLogManager) QueryAction ¶
func (m *AuditLogManager) QueryAction(username, action, ip string, envID uint)
QueryAction - create new query action audit log entry
func (*AuditLogManager) SavedQueryAction ¶ added in v0.5.2
func (m *AuditLogManager) SavedQueryAction(username, action, ip string, envID uint)
SavedQueryAction - create new saved-query action audit log entry (create / update / delete operations on the saved_queries table).
func (*AuditLogManager) SettingsAction ¶
func (m *AuditLogManager) SettingsAction(username, action, ip string)
SettingsAction - create new settings action audit log entry
func (*AuditLogManager) SeverityToString ¶
func (m *AuditLogManager) SeverityToString(severity uint) string
SeverityToString to convert severity to string
func (*AuditLogManager) TagAction ¶
func (m *AuditLogManager) TagAction(username, action, ip string, envID uint)
TagAction - create new tag action audit log entry
func (*AuditLogManager) UserAction ¶
func (m *AuditLogManager) UserAction(username, action, ip string)
UserAction - create new user action audit log entry
func (*AuditLogManager) Visit ¶
func (m *AuditLogManager) Visit(username, path, ip string, envID uint)
Visit - create new visit audit log entry
type EnvActivityBucketRow ¶ added in v0.5.2
type EnvActivityBucketRow struct {
BucketStart int64 `gorm:"column:bucket_start"`
LogType uint `gorm:"column:log_type"`
Cnt int64 `gorm:"column:cnt"`
}
EnvActivityBucketRow is one (bucket_start, log_type, count) row returned from the bucketed env-activity query.
type PageFilter ¶ added in v0.5.2
type PageFilter struct {
Service string
Username string
LogType uint
EnvID uint
Since time.Time
Until time.Time
Page int
PageSize int
}
PageFilter describes the inputs accepted by GetPaged.
All string fields are case-insensitive partial matches except Service, which is an exact match (services are a tiny fixed set: tls / admin / osctrl-api). EnvID == 0 means "no env filter", not "only the NoEnvironment rows"; if that query is ever needed it will need a dedicated convention. LogType == 0 means "no type filter". Since / Until are parsed from RFC3339 timestamps; either may be the zero value to mean unset.
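The LogTypes allowlist note under Variables and the PageFilter conventions above together describe the validation that should run before GetPaged does. As an added example (not the package's code), the block below parses the SPA's query string into a PageFilter under those rules, rejecting unknown log types, unknown services, malformed RFC3339 times and out-of-range paging with one error the HTTP layer can map to a 400, and builds the username LIKE pattern with the wildcard characters escaped so a caller cannot widen a "partial match" into a full-table match. The query parameter names, the paging bounds, the ID ceiling and the LIKE escape character are assumptions of the example; the documented facts it relies on are the 0-means-unset convention, RFC3339 times, exact-match Service and the LogTypes allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// LogTypes is the package's allowlist, copied verbatim (1..10 = Login, Logout,
// Node, Query, Carve, Tag, Environment, Setting, Visit, User).
var LogTypes = map[uint]struct{}{1: {}, 2: {}, 3: {}, 4: {}, 5: {}, 6: {}, 7: {}, 8: {}, 9: {}, 10: {}}

// PageFilter mirrors the package struct.
type PageFilter struct {
	Service, Username string
	LogType, EnvID    uint
	Since, Until      time.Time
	Page, PageSize    int
}

// Paging bounds and the ID ceiling are assumptions of this example; the
// service set is the one the package documents as exact-match.
const defaultPageSize, maxPageSize, maxID = 50, 500, 1<<31 - 1

var services = map[string]bool{"tls": true, "admin": true, "osctrl-api": true}

// ErrBadFilter is the error the HTTP layer maps to a 400.
var ErrBadFilter = errors.New("invalid audit log filter")

// ParsePageFilter validates query parameters into a PageFilter. Every rejected
// parameter produces an error wrapping ErrBadFilter; the first one wins.
func ParsePageFilter(q url.Values) (PageFilter, error) {
	var err error
	fail := func(key, v string) {
		if err == nil {
			err = fmt.Errorf("%w: %s %q", ErrBadFilter, key, v)
		}
	}
	// num reads an optional integer parameter within [lo, hi]; absent means def.
	num := func(key string, def, lo, hi int) int {
		v := q.Get(key)
		if v == "" {
			return def
		}
		if n, e := strconv.Atoi(v); e == nil && n >= lo && n <= hi {
			return n
		}
		fail(key, v)
		return def
	}
	// when treats "" as unset (zero time) and anything else as RFC3339.
	when := func(key string) time.Time {
		v := q.Get(key)
		if v == "" {
			return time.Time{}
		}
		t, e := time.Parse(time.RFC3339, v)
		if e != nil {
			fail(key, v)
		}
		return t
	}
	f := PageFilter{
		Service:  q.Get("service"),
		Username: q.Get("username"),
		LogType:  uint(num("log_type", 0, 0, maxID)),
		EnvID:    uint(num("env_id", 0, 0, maxID)),
		Since:    when("since"),
		Until:    when("until"),
		Page:     num("page", 1, 1, maxID),
		PageSize: num("page_size", defaultPageSize, 1, maxPageSize),
	}
	if f.Service != "" && !services[f.Service] {
		fail("service", f.Service)
	}
	if _, ok := LogTypes[f.LogType]; f.LogType != 0 && !ok { // 0 keeps the "no type filter" meaning
		fail("log_type", strconv.Itoa(int(f.LogType)))
	}
	if !f.Since.IsZero() && !f.Until.IsZero() && f.Until.Before(f.Since) {
		fail("until", "precedes since")
	}
	return f, err
}

// UsernameLike is the clause for the case-insensitive partial match. '!' is the
// escape character, chosen because a literal backslash is quoted differently
// across SQL dialects.
const UsernameLike = "LOWER(username) LIKE ? ESCAPE '!'"

// UsernamePattern lower-cases the input and escapes LIKE metacharacters, so a
// user-supplied "%" or "_" matches itself instead of widening the search.
func UsernamePattern(username string) string {
	return "%" + strings.NewReplacer("!", "!!", "%", "!%", "_", "!_").Replace(strings.ToLower(username)) + "%"
}

func main() {
	q, _ := url.ParseQuery("service=admin&username=Ali%25&log_type=1&page_size=20")
	f, err := ParsePageFilter(q)
	fmt.Printf("%+v err=%v pattern=%q\n", f, err, UsernamePattern(f.Username))
}
```

The filter is bound with gorm's usual Where(clause, args...) style, e.g. Where(UsernameLike, UsernamePattern(f.Username)) only when f.Username is non-empty, and log_type = ? / environment_id = ? only when the value is non-zero, which is exactly the documented "0 means no filter" rule. Because LOWER() is applied to the column, this is a full scan on large audit_logs tables; if the SPA's username search becomes hot, store a lower-cased copy or use a dialect-specific case-insensitive index.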