
Audit log receiver #2

Open

hilmarf wants to merge 22 commits into main from AuditLogReceiver

@hilmarf hilmarf commented Sep 18, 2025

Audit Log Receiver

Overview

This PR introduces the Audit Log Receiver for the OpenTelemetry Collector. The receiver accepts audit log data via HTTP, persists it using the storage extension, and processes logs asynchronously in the background.

Key Features

  • HTTP Endpoint: Accepts POST requests at /v1/logs (supports JSON and OTLP protobuf).
  • Immediate Response: Returns HTTP 202 Accepted after storing the log.
  • Persistence: Uses the OpenTelemetry storage extension (file, SQL, Redis, etc.) for durability.
  • Asynchronous Processing: Background goroutine processes and exports stored logs based on configurable intervals and age thresholds.
  • Configurable: Supports custom endpoints, storage backends, processing intervals, and age thresholds.
  • High Throughput: Designed for bursty workloads and scalable ingestion.

Architecture

  • Receiver: Handles HTTP requests, generates UUIDs/timestamps, and stores logs.
  • Storage: Persists logs as key-value pairs with a user-defined backend.
  • Background Processor: Periodically processes and exports logs older than a configured threshold.
  • Retry Logic: Failed logs remain in storage for future processing attempts.

Architecture Diagram

Example Configuration

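```yaml
extensions:
  file_storage:
    directory: ./storage
    create_directory: true

receivers:
  auditlogreceiver:
    endpoint: 0.0.0.0:4310        # HTTP listener; 0.0.0.0 binds all interfaces
    storage: file_storage         # ID of the storage extension used for persistence
    process_interval: 30s         # how often the background processor runs
    process_age_threshold: 30s    # only logs older than this are processed

exporters:
  logging:
    loglevel: debug

service:
  extensions: [file_storage]
  pipelines:
    logs:
      receivers: [auditlogreceiver]
      exporters: [logging]
```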

Testing

  • Includes test scripts for both Windows and Linux.
  • Manual and automated tests for log ingestion and processing.
  • Example test configuration and main program for standalone testing.

Benefits

  • Immediate HTTP response for high-throughput scenarios.
  • Asynchronous, reliable log processing.
  • Flexible storage and configuration.
  • Scalable and robust for audit log workloads.

TODO

  • Implement circuit breaker for retry operations.
  • Improve logging of processed logs (count only valid ones).
  • Analyze persistence queue impact in exporters.

Michał Jarmolkiewicz and others added 16 commits October 17, 2025 16:48
Signed-off-by: MJarmo <michal.jarmolkiewicz@sap.com>
…auditlog

MJarmo and others added 2 commits October 23, 2025 12:25
Signed-off-by: MJarmo <michal.jarmolkiewicz@sap.com>
Signed-off-by: Hilmar Falkenberg <hilmar.falkenberg@sap.com>
@hilmarf hilmarf marked this pull request as ready for review November 21, 2025 14:12
@hilmarf hilmarf moved this from In progress to In review in OTel-Audit-Logging Nov 21, 2025
hilmarf pushed a commit that referenced this pull request Feb 24, 2026
#### Description
Add `Base64Encode` OTTL converter function to encode strings into base64
format with support for multiple variants (`base64`, `base64-raw`,
`base64-url`, `base64-raw-url`). This function addresses the need to
handle characters not allowed by certain exporters like NATS Core.
#### Link to tracking issue
Fixes open-telemetry#46071

#### Testing
Tested manually and added unit and e2e tests.
Test config:
```yaml
processors:
  transform:
    log_statements:
      - context: log
        statements:
          - set(attributes["encoded_default"], Base64Encode(attributes["plain_text"]))
          
          - set(attributes["encoded_base64_raw"], Base64Encode(attributes["plain_text"], "base64-raw"))
          
          - set(attributes["encoded_base64_url"], Base64Encode(attributes["plain_text"], "base64-url"))
          
          - set(attributes["encoded_base64_raw_url"], Base64Encode(attributes["plain_text"], "base64-raw-url"))
```
Test input:
```json
{"plain_text": "test string"}
{"plain_text": "hello world"}
{"plain_text": "special chars: @#$%"}
{"plain_text": "URL encoding test: https://example.com?param=value&other=123"}
```
Test result:
```
LogRecord #0
Body: Str({"plain_text": "test string"})
Attributes:
     -> log.file.name: Str(test_data.log)
     -> plain_text: Str(test string)
     -> encoded_default: Str(dGVzdCBzdHJpbmc=)
     -> encoded_base64_raw: Str(dGVzdCBzdHJpbmc)
     -> encoded_base64_url: Str(dGVzdCBzdHJpbmc=)
     -> encoded_base64_raw_url: Str(dGVzdCBzdHJpbmc)
LogRecord #1
Body: Str({"plain_text": "hello world"})
Attributes:
     -> log.file.name: Str(test_data.log)
     -> plain_text: Str(hello world)
     -> encoded_default: Str(aGVsbG8gd29ybGQ=)
     -> encoded_base64_raw: Str(aGVsbG8gd29ybGQ)
     -> encoded_base64_url: Str(aGVsbG8gd29ybGQ=)
     -> encoded_base64_raw_url: Str(aGVsbG8gd29ybGQ)
LogRecord #2
Body: Str({"plain_text": "special chars: @#$%"})
Attributes:
     -> log.file.name: Str(test_data.log)
     -> plain_text: Str(special chars: @#$%)
     -> encoded_default: Str(c3BlY2lhbCBjaGFyczogQCMkJQ==)
     -> encoded_base64_raw: Str(c3BlY2lhbCBjaGFyczogQCMkJQ)
     -> encoded_base64_url: Str(c3BlY2lhbCBjaGFyczogQCMkJQ==)
     -> encoded_base64_raw_url: Str(c3BlY2lhbCBjaGFyczogQCMkJQ)
LogRecord #3
Body: Str({"plain_text": "URL encoding test: https://example.com?param=value&other=123"})
Attributes:
     -> log.file.name: Str(test_data.log)
     -> plain_text: Str(URL encoding test: https://example.com?param=value&other=123)
     -> encoded_default: Str(VVJMIGVuY29kaW5nIHRlc3Q6IGh0dHBzOi8vZXhhbXBsZS5jb20/cGFyYW09dmFsdWUmb3RoZXI9MTIz)
     -> encoded_base64_raw: Str(VVJMIGVuY29kaW5nIHRlc3Q6IGh0dHBzOi8vZXhhbXBsZS5jb20/cGFyYW09dmFsdWUmb3RoZXI9MTIz)
     -> encoded_base64_url: Str(VVJMIGVuY29kaW5nIHRlc3Q6IGh0dHBzOi8vZXhhbXBsZS5jb20_cGFyYW09dmFsdWUmb3RoZXI9MTIz)
     -> encoded_base64_raw_url: Str(VVJMIGVuY29kaW5nIHRlc3Q6IGh0dHBzOi8vZXhhbXBsZS5jb20_cGFyYW09dmFsdWUmb3RoZXI9MTIz)
```
#### Documentation
Updated `README.md` with function documentation, usage examples, and
supported variants.

---------

Co-authored-by: Edmo Vamerlatti Costa <11836452+edmocosta@users.noreply.github.com>