Skip to content

Audit log receiver #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hilmarf wants to merge 22 commits into
base: main
Choose a base branch
from
Open

Audit log receiver #2

hilmarf wants to merge 22 commits into from

Conversation

@hilmarf
Copy link
Member

@hilmarf hilmarf commented Sep 18, 2025
edited
Loading

Audit Log Receiver

Overview

This PR introduces the Audit Log Receiver for the OpenTelemetry Collector. The receiver accepts audit log data via HTTP, persists it using the storage extension, and processes logs asynchronously in the background.

Key Features

  • HTTP Endpoint: Accepts POST requests at /v1/logs (supports JSON and OTLP protobuf).
  • Immediate Response: Returns HTTP 202 Accepted after storing the log.
  • Persistence: Uses the OpenTelemetry storage extension (file, SQL, Redis, etc.) for durability.
  • Asynchronous Processing: Background goroutine processes and exports stored logs based on configurable intervals and age thresholds.
  • Configurable: Supports custom endpoints, storage backends, processing intervals, and age thresholds.
  • High Throughput: Designed for bursty workloads and scalable ingestion.

Architecture

  • Receiver: Handles HTTP requests, generates UUIDs/timestamps, and stores logs.
  • Storage: Persists logs as key-value pairs with user-defined backend.
  • Background Processor: Periodically processes and exports logs older than a configured threshold.
  • Retry Logic: Failed logs remain in storage for future processing attempts.

Architecture Diagram

Example Configuration

extensions:
  file_storage:
    directory: ./storage
    create_directory: true

receivers:
  auditlogreceiver:
    endpoint: 0.0.0.0:4310
    storage: file_storage
    process_interval: 30s
    process_age_threshold: 30s

exporters:
  logging:
    loglevel: debug

service:
  extensions: [file_storage]
  pipelines:
    logs:
      receivers: [auditlogreceiver]
      exporters: [logging]

Testing

  • Includes test scripts for both Windows and Linux.
  • Manual and automated tests for log ingestion and processing.
  • Example test configuration and main program for standalone testing.

Benefits

  • Immediate HTTP response for high-throughput scenarios.
  • Asynchronous, reliable log processing.
  • Flexible storage and configuration.
  • Scalable and robust for audit log workloads.

TODO

  • Implement circuit breaker for retry operations.
  • Improve logging of processed logs (count only valid ones).
  • Analyze persistence queue impact in exporters.

@hilmarf hilmarf mentioned this pull request Sep 17, 2025
Open
@MJarmo MJarmo force-pushed the AuditLogReceiver branch 2 times, most recently from 99bfa37 to 197ca46 Compare September 29, 2025 10:03
@hilmarf hilmarf mentioned this pull request Sep 29, 2025
Open
@hilmarf hilmarf moved this to In progress in OTel-Audit-Logging Oct 14, 2025
Michał Jarmolkiewicz and others added 16 commits October 17, 2025 16:48
add audit log reciver with per mem
a37699f 
Signed-off-by: MJarmo <[email protected]>
persistance storage
1be780e 
Signed-off-by: MJarmo <[email protected]>
add auditlog flow diagram
c09cf53 
Signed-off-by: MJarmo <[email protected]>
add flow jpeg
0fa6de3 
Signed-off-by: MJarmo <[email protected]>
update readme
5325bb6 
Signed-off-by: MJarmo <[email protected]>
add circutbreaker
6b0c0e6 
Signed-off-by: MJarmo <[email protected]>
add flow for GA to build POC image
99a49be 
Signed-off-by: MJarmo <[email protected]>
Fix: Remove empty main.go file that was causing build error
59a6f23 
Signed-off-by: MJarmo <[email protected]>
Update README with Docker instructions and merge content from README-…
05d5448 
…auditlog

Signed-off-by: MJarmo <[email protected]>
Remove duplicate README-auditlog.md after merging content
a1fd930 
Signed-off-by: MJarmo <[email protected]>
handle otlp, add obs logs, test request for otlp, test for otlp
2e7c2e9 
Signed-off-by: MJarmo <[email protected]>
fix json otlp
10bad24 
Signed-off-by: MJarmo <[email protected]>
cover ciructBreaker with flag, add mutex for storage operations
8cf857e 
Signed-off-by: MJarmo <[email protected]>
update config with reddis and circutbreaker off
4c0d785 
Signed-off-by: MJarmo <[email protected]>
add mutex to save in db
d9d04f4 
Signed-off-by: MJarmo <[email protected]>
add makefiles to fix build
be02200 
Signed-off-by: MJarmo <[email protected]>
add license comment
2663ff0 
Signed-off-by: MJarmo <[email protected]>
mend
74a756b 
Signed-off-by: MJarmo <[email protected]>
more fixes
f5efa37 
Signed-off-by: MJarmo <[email protected]>
MJarmo and others added 2 commits October 23, 2025 12:25
clean up
fe2630b 
Signed-off-by: MJarmo <[email protected]>
@hilmarf
Merge branch 'main' into AuditLogReceiver
8d7f459 
Signed-off-by: Hilmar Falkenberg <[email protected]>
@hilmarf hilmarf marked this pull request as ready for review November 21, 2025 14:12
@hilmarf hilmarf moved this from In progress to In review in OTel-Audit-Logging Nov 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

DO-NOT-MERGE

Projects

OTel-Audit-Logging
Status: In review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hilmarf