Add audit logging for S3 and Web handlers (#6571)

This PR brings an additional logger implementation called AuditLog which logs to http targets The intention is to use AuditLog to log all incoming requests, this is used as a mechanism by external log collection entities for processing Minio requests.
2025-11-20 01:50:24 -05:00 · 2018-10-12 12:25:59 -07:00
parent 143e7fe300
commit b0c9ae7490
17 changed files with 232 additions and 17 deletions
--- a/cmd/logger/logger.go
+++ b/cmd/logger/logger.go
@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"go/build"
+	"net/http"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -341,6 +342,55 @@ func logIf(ctx context.Context, err error) {
 	}
 }

+type auditEntry struct {
+	DeploymentID string            `json:"deploymentid,omitempty"`
+	Time         string            `json:"time"`
+	API          *api              `json:"api,omitempty"`
+	RemoteHost   string            `json:"remotehost,omitempty"`
+	RequestID    string            `json:"requestID,omitempty"`
+	UserAgent    string            `json:"userAgent,omitempty"`
+	Metadata     map[string]string `json:"metadata,omitempty"`
+}
+
+// AuditLog - logs audit logs to all targets.
+func AuditLog(ctx context.Context, r *http.Request) {
+	if Disable {
+		return
+	}
+
+	req := GetReqInfo(ctx)
+	if req == nil {
+		req = &ReqInfo{API: "SYSTEM"}
+	}
+
+	API := "SYSTEM"
+	if req.API != "" {
+		API = req.API
+	}
+
+	tags := make(map[string]string)
+	for _, entry := range req.GetTags() {
+		tags[entry.Key] = entry.Val
+	}
+
+	entry := auditEntry{
+		DeploymentID: deploymentID,
+		RemoteHost:   req.RemoteHost,
+		RequestID:    req.RequestID,
+		UserAgent:    req.UserAgent,
+		Time:         time.Now().UTC().Format(time.RFC3339Nano),
+		API:          &api{Name: API, Args: &args{Bucket: req.BucketName, Object: req.ObjectName}},
+		Metadata:     tags,
+	}
+
+	// Send audit logs only to http targets.
+	for _, t := range Targets {
+		if _, ok := t.(*HTTPTarget); ok {
+			t.send(entry)
+		}
+	}
+}
+
 // ErrCritical is the value panic'd whenever CriticalIf is called.
 var ErrCritical struct{}

@@ -450,10 +500,9 @@ func (f fatalMsg) pretty(msg string, args ...interface{}) {
 	os.Exit(1)
 }

-var info infoMsg
+type infoMsg struct{}

-type infoMsg struct {
-}
+var info infoMsg

 func (i infoMsg) json(msg string, args ...interface{}) {
 	logJSON, err := json.Marshal(&logEntry{