User authentication log for ACAS #941
-
@bffrost I suggested @jmcneil86043 here for issues like this where there could be some shared discussion. My initial thought is that I think we are already doing the correct thing with logging inside the acas containers, which is to log to stdout/stderr. We can and should format logs to be parsable and searchable, but how the logs are stored and mined feels like a separate issue which is solvable by the deployment/client. I.e. the default Docker log driver just writes the logs to a JSON file, which you are then parsing in your cron. However, you could have used the awslogs driver to push those logs to AWS CloudWatch. From there you could use the CloudWatch Logs Insights query syntax to do what you have done in the cron. https://devcenter.heroku.com/articles/writing-best-practices-for-application-logs
-
I have a client who wants to audit users with ACAS accounts every quarter to verify that authorized users are actually using and logging into the system. This is a requirement of good cloud management, for example ISO27001 and GxP.
It is possible to scrape the ACAS NodeJS log and get successful user logins (see below). However, it would be nice if we had a configuration option to set a file path where both successful and unsuccessful logins are stored. I'd want the success/fail status, the timestamp, and the username.
It would be cooler if it somehow could be configured to push log records off the system so that kubernetes configurations would be easier to manage.
I think this will be cleaner if we modify the NodeJS service instead of scanning current logs. If we agree on a feature and approach, I will be happy to make the change.
FWIW, here is a cron that will scrape the log of a dockerized ACAS and record a CSV of successful logins
```
# sort -o lets sort read logs/userLog.txt fully before writing it; a shell '>' redirect
# to the same file would truncate it before sort runs and drop the earlier records
0 1,5,9,13,17,21 * * * cd /vol/acas/acas_custom && ~/.local/bin/docker-compose logs | grep 'User logged in succesfully' | sed 's/acas_1.*ACAS] //' | sed 's/info.*user://' | sed 's/\s//g' | sed 's/"//' | sed 's/Z/Z,/' | sort -u -o logs/userLog.txt - logs/userLog.txt || true
```
The file logs/userLog.txt must exist so it can be appended to. This is so that records aren't lost when Docker restarts.
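As an added example (not from this thread or the ACAS project), the same extraction the cron does, written in Python so it captures both successful and failed logins as (status, timestamp, user) records, merges them into the existing CSV without truncating it, and runs the quarterly check of which authorized accounts never logged in. The log line shape and user names are constructed assumptions; the real ACAS message format may differ.

```python
import csv
import io
import re

# Constructed sample of docker-compose log output; the ACAS line layout
# (container prefix, ISO-8601 UTC timestamp, level, message, user) is assumed.
SAMPLE_LOG = """\
acas_1  | 2024-03-04T08:15:02.123Z [ACAS] info: User logged in succesfully user: "alice"
acas_1  | 2024-03-04T09:40:11.456Z [ACAS] warn: User login failed user: "mallory"
acas_1  | 2024-03-05T10:02:33.789Z [ACAS] info: User logged in succesfully user: "bob"
acas_1  | 2024-03-05T10:02:33.789Z [ACAS] info: User logged in succesfully user: "bob"
roo_1   | 2024-03-05T10:03:00.000Z something unrelated
"""

# Anchored regex instead of chained sed: unrelated lines never leak into the audit file.
LINE_RE = re.compile(
    r'^\S+\s+\|\s+(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+\[ACAS\]\s+\w+:\s+'
    r'(?P<msg>User logged in succesfully|User login failed)\s+user:\s+"(?P<user>[^"]+)"$'
)


def parse_login_events(text):
    """Return sorted, de-duplicated (status, timestamp, user) tuples from log text."""
    events = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status = "success" if "succesfully" in m.group("msg") else "fail"
            events.add((status, m.group("ts"), m.group("user")))
    return sorted(events, key=lambda e: (e[1], e[0], e[2]))


def merge_csv(existing_csv, new_events):
    """Union earlier CSV rows with new events so a re-run or container restart loses nothing."""
    rows = {tuple(r) for r in csv.reader(io.StringIO(existing_csv)) if r}
    rows.update(new_events)
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(sorted(rows, key=lambda e: (e[1], e[0], e[2])))
    return out.getvalue()


def inactive_users(authorized, events, start, end):
    """Authorized accounts with no successful login in [start, end), the quarterly audit.

    Timestamps are fixed-format UTC ISO-8601, so plain string comparison orders them."""
    seen = {user for status, ts, user in events if status == "success" and start <= ts < end}
    return sorted(set(authorized) - seen)
```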