This is an Ash resource extension which generates the default audit log resource.
The audit log resource is used to store user interactions with the authentication system in order to derive extra security behaviour from this information.
Storage
The information stored in this resource is essentially time-series, and should be stored in a resilient data-layer such as postgres.
Usage
There is no need to define any attributes or actions (thought you can if you want). The extension will wire up everything that's needed for the audit log to function.
defmodule MyApp.Accounts.AuditLog do
use Ash.Resource,
data_layer: AshPostgres.DataLayer,
extensions: [AshAuthentication.AuditLogResource],
domain: MyApp.Accounts
postgres do
table "account_audit_log"
repo MyApp.Repo
end
endWhilst it is possible to have multiple audit log resources, there is no need to do so.
Batched writes
In order to reduce the write load on the database writes to the audit log (via the AuditLogResource.log_activity/2 function) will be buffered in a GenServer and written in batches.
Batching can be disabled entirely by setting audit_log.write_batching.enabled? to false.
By default it write a batch every 100 records or every 10 seconds, whichever happens first. This can also be controlled by options in the audit_log.write_batching DSL.
Removing old records
When the log_lifetime DSL option is set to a positive integer then log entries will be automatically removed after that many days. To disable this behaviour, or to manage it manually set it to :infinity. Defaults to 90 days.
audit_log
Configuration options for this audit log resource
Nested DSLs
Options
| Name | Type | Default | Docs |
|---|---|---|---|
domain | module | The Ash domain to use to access this resource. | |
log_lifetime | pos_integer | :infinity | 90 | How long to keep event logs before removing them in days. |
expunge_interval | pos_integer | 12 | How often (in hours) to scan this resource for records which have expired and thus can be removed. |
audit_log.write_action
Configuration applied for the write action
Options
| Name | Type | Default | Docs |
|---|---|---|---|
name | atom | :log_activity | The name of the generated write action. |
audit_log.destroy_action
Configuration applied for the expunge action
Options
| Name | Type | Default | Docs |
|---|---|---|---|
name | atom | :expunge_logs | The name of the generated expunge action. |
audit_log.read_expired_action
Configuration applied for the read action used to find records for removal
Options
| Name | Type | Default | Docs |
|---|---|---|---|
name | atom | :read_expired | The name of the generated read action. |
audit_log.attributes
Attribute renaming configuration
Options
| Name | Type | Default | Docs |
|---|---|---|---|
id | atom | :id | The name of the primary key attribute |
subject | atom | :subject | The attribute within which to store the user's authentication subject (if available). |
identity | atom | :identity | The attribute within which to store the identity field value submitted to the action (e.g. the email or username), if known. |
client_ip | atom | :client_ip | The attribute within which to store the client IP address of the request, if known. The stored value is subject to the ip_privacy_mode configured on the audit log add-on. |
strategy | atom | :strategy | The attribute within which to store the authentication strategy's name. |
audit_log | atom | :audit_log | The attribute within which to store the audit log add-on's name. |
logged_at | atom | :logged_at | The attribute within which to store the time that the event occurred. |
action_name | atom | :action_name | The attribute within which to store the triggering action. |
status | atom | :status | The attribute within which to store the status of the event as defined by the authentication strategy. |
extra_data | atom | :extra_data | The attribute within which to store any additional information about the event. |
resource | atom | :resource | The attribute within which to store the name of the affected resource. |
audit_log.write_batching
Configuration of event log write batching
Options
| Name | Type | Default | Docs |
|---|---|---|---|
enabled? | boolean | true | Whether or not write batching should be enabled. When set to false every event will be written to the log in it's own transaction. |
timeout | timeout | 10000 | Maximum time to wait between writing batches in milliseconds. |
max_size | pos_integer | 100 | Maximum number of events that can be written in a single batch. |