Provide data enrichment capability using pipeline for ROR audit logs

:bulb: Provide data enrichment capability using pipeline feature for ROR audit logs

Currently ROR provides the ability to capture audit logs either with the standard audit log serializers that come out of the box or by writing custom serializers in Scala or Java. Though these options give full control, they require additional coding and depend on non-ES skills. Instead, ROR should provide an option to name an ingest pipeline to be applied on the ROR audit log indexing action, so that the corresponding pipeline can be defined either to capture additional information as part of the audit logs or to parse the incoming audit log with different pipeline processors. This would allow the existing out-of-the-box serializers to be extended without building separate custom serializers.

With the enrich pipeline feature of version 7.5.0, this would even allow additional attributes to be pulled in from another ES index, thereby enriching the audit logs with further information without needing to set up a separate Logstash enrichment process for them.

:eyes: Example

The new option should be made available at both the global level and the ACL block level. When the parameter is set at both levels, the block-level pipeline always wins.

audit_pipeline: add_userinfo

Another example could be parsing the query content and storing it as JSON instead of a string.
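To make both examples concrete, here is the body of a `PUT _ingest/pipeline/add_userinfo` request that the proposed `audit_pipeline: add_userinfo` setting would reference. This is an added illustration, not code from the ROR project: it assumes the default serializer writes the requesting user into `user` and the raw request body into `content`, and that an enrich policy named `users-policy` (keyed on a `username` field in a separate user-directory index) has already been created and executed; the policy and target field names are assumptions.

```json
{
  "description": "Added example (not ROR project code). Assumes audit fields 'user' and 'content' from the default serializer and an executed enrich policy 'users-policy' keyed on 'username'.",
  "processors": [
    {
      "json": {
        "tag": "parse_query_content",
        "if": "ctx.content != null && ctx.content != ''",
        "field": "content",
        "target_field": "content_json",
        "on_failure": [
          {
            "set": {
              "field": "content_parse_error",
              "value": "{{ _ingest.on_failure_message }}"
            }
          }
        ]
      }
    },
    {
      "enrich": {
        "tag": "add_userinfo",
        "policy_name": "users-policy",
        "field": "user",
        "target_field": "user_info",
        "ignore_missing": true
      }
    },
    {
      "set": {
        "field": "audit_pipeline",
        "value": "add_userinfo"
      }
    }
  ]
}
```

The `if` guard and `on_failure` handler keep non-JSON or empty request bodies (for example, a plain `GET`) from failing the whole audit document, and `ignore_missing` lets requests without an authenticated user pass through unenriched. Because `content_json` receives arbitrary user-supplied query structure, the audit index mapping for that field should be locked down (for example `"dynamic": false`) so that unexpected keys cannot cause mapping conflicts or a mapping explosion.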

:rocket: Let’s do this?
