XML

Word

Printable

Type: Story
Resolution: Done
Priority: Major
Fix Version/s: Logging 5.8.0
Affects Version/s: None
Component/s: Log Collection
Labels:
- groomed
- hypershift-audit

Story Points:
5
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
api-audit-policy
Docs QE Status:
NEW
Feature Link:
OBSDA-344 - Audit log forwarding produces excessive data, configuration for prefiltering is needed
QE Status:
NEW
Intelligence Requested:
Market:

Sprint:
Log Collection - Sprint 236, Log Collection - Sprint 237, Log Collection - Sprint 238, Log Collection - Sprint 239, Log Collection - Sprint 240, Log Collection - Sprint 241, Log Collection - Sprint 242

SFDC Cases Links:
SFDC Cases Counter:

Implementation

The policy fliter is based on the existing executable filter: https://gitlab.cee.redhat.com/gsleeman/splunk-audit-exporter

The CLO filter will use a VRL transform so it can integrate smoothly with other vector-based sources, filters, transforms and sinks.

The VRL transform will be "compiled" from the policy document to implement that specific policy

It will be important to test for equivalence of output between CLO and splunk-audit-exporter across a wide range of log data.

links to

Implementation pull request

Assignee:: Alan Conway

Reporter:: Alan Conway

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/04/20 8:30 PM

Updated:: 2023/12/21 6:03 PM

Resolved:: 2023/09/26 8:29 PM