audit_logging: Remove debug log header and JSON Authentication: prefix

Feedback from real-world users is that they really want raw JSON
strings in the log.

We can not easily remove the leading "  " but the other strings above
and before the JSON are really annoying to strip back off

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry-picked from edab1318f9138c0d87de7cc7cfa5da8e29c906f8 and modified
for v4-9 by Gary Lockyer)

auth/auth_log.c

@@ -78,11 +78,10 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui);
 static void log_json(struct imessaging_context *msg_ctx,
 		     struct loadparm_context *lp_ctx,
 		     struct json_object *object,
-		     const char *type,
 		     int debug_class,
 		     int debug_level)
 {
-	audit_log_json(type, object, debug_class, debug_level);
+	audit_log_json(object, debug_class, debug_level);
 	if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
 		audit_message_send(msg_ctx,
 				   AUTH_EVENT_NAME,
@@ -102,9 +101,8 @@ static void log_json(struct imessaging_context *msg_ctx,
  *  To process the resulting log lines from the commend line use jq to
  *  parse the json.
  *
- *  grep "JSON Authentication" log file |
- *  sed 's;^[^{]*;;' |
- * jq -rc  '"\(.timestamp)\t\(.Authentication.status)\t
+ *  grep "^  {" log file |
+ *  jq -rc '"\(.timestamp)\t\(.Authentication.status)\t
  *           \(.Authentication.clientDomain)\t
  *           \(.Authentication.clientAccount)
  *           \t\(.Authentication.workstation)
@@ -272,7 +270,6 @@ static void log_authentication_event_json(
 	log_json(msg_ctx,
 		 lp_ctx,
 		 &wrapper,
-		 AUTH_JSON_TYPE,
 		 DBGC_AUTH_AUDIT_JSON,
 		 debug_level);
 	json_free(&wrapper);
@@ -300,8 +297,7 @@ failure:
  *  To process the resulting log lines from the commend line use jq to
  *  parse the json.
  *
- *  grep "JSON Authentication" log_file |\
- *  sed "s;^[^{]*;;" |\
+ *  grep "^  {" log_file |\
  *  jq -rc '"\(.timestamp)\t
  *           \(.Authorization.domain)\t
  *           \(.Authorization.account)\t
@@ -409,7 +405,6 @@ static void log_successful_authz_event_json(
 	log_json(msg_ctx,
 		 lp_ctx,
 		 &wrapper,
-		 AUTHZ_JSON_TYPE,
 		 DBGC_AUTH_AUDIT_JSON,
 		 debug_level);
 	json_free(&wrapper);

lib/audit_logging/audit_logging.c

@@ -105,13 +105,11 @@ const struct json_object json_empty_object = {.valid = false, .root = NULL};
  *
  * Write the json object to the audit logs as a formatted string
  *
- * @param prefix Text to be printed at the start of the log line
  * @param message The content of the log line.
  * @param debub_class The debug class to log the message with.
  * @param debug_level The debug level to log the message with.
  */
-void audit_log_json(const char* prefix,
-		    struct json_object* message,
+void audit_log_json(struct json_object* message,
 		    int debug_class,
 		    int debug_level)
 {
@@ -126,13 +124,20 @@ void audit_log_json(const char* prefix,
 	ctx = talloc_new(NULL);
 	s = json_to_string(ctx, message);
 	if (s == NULL) {
-		DBG_ERR("json_to_string for (%s) returned NULL, "
-			"JSON audit message could not written\n",
-			prefix);
+		DBG_ERR("json_to_string returned NULL, "
+			"JSON audit message could not written\n");
 		TALLOC_FREE(ctx);
 		return;
 	}
-	DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", prefix, s));
+	/*
+	 * This is very strange, but we call this routine to get a log
+	 * output without the header.  JSON logs all have timestamps
+	 * so this only makes parsing harder.
+	 *
+	 * We push out the raw JSON blob without a prefix, consumers
+	 * can find such lines by the leading {
+	 */
+	DEBUGADDC(debug_class, debug_level, ("%s\n", s));
 	TALLOC_FREE(ctx);
 }
 

lib/audit_logging/audit_logging.h

@@ -42,8 +42,7 @@ extern const struct json_object json_empty_object;
 
 #define JSON_ERROR -1
 
-void audit_log_json(const char *prefix,
-		    struct json_object *message,
+void audit_log_json(struct json_object *message,
 		    int debug_class,
 		    int debug_level);
 void audit_message_send(struct imessaging_context *msg_ctx,

source4/dsdb/samdb/ldb_modules/audit_log.c

@@ -1139,7 +1139,6 @@ static void log_standard_operation(
 		struct json_object json;
 		json = operation_json(module, request, reply);
 		audit_log_json(
-			OPERATION_JSON_TYPE,
 			&json,
 			DBGC_DSDB_AUDIT_JSON,
 			OPERATION_LOG_LVL);
@@ -1160,7 +1159,6 @@ static void log_standard_operation(
 			struct json_object json;
 			json = password_change_json(module, request, reply);
 			audit_log_json(
-				PASSWORD_JSON_TYPE,
 				&json,
 				DBGC_DSDB_PWD_AUDIT_JSON,
 				PASSWORD_LOG_LVL);
@@ -1221,7 +1219,6 @@ static void log_replicated_operation(
 		struct json_object json;
 		json = replicated_update_json(module, request, reply);
 		audit_log_json(
-			REPLICATION_JSON_TYPE,
 			&json,
 			DBGC_DSDB_AUDIT_JSON,
 			REPLICATION_LOG_LVL);
@@ -1311,7 +1308,6 @@ static void log_transaction(
 			&audit_private->transaction_guid,
 			duration);
 		audit_log_json(
-			TRANSACTION_JSON_TYPE,
 			&json,
 			DBGC_DSDB_TXN_AUDIT_JSON,
 			log_level);
@@ -1384,7 +1380,6 @@ static void log_commit_failure(
 			reason,
 			&audit_private->transaction_guid);
 		audit_log_json(
-			TRANSACTION_JSON_TYPE,
 			&json,
 			DBGC_DSDB_TXN_AUDIT_JSON,
 			log_level);

source4/dsdb/samdb/ldb_modules/group_audit.c

@@ -507,7 +507,6 @@ static void log_primary_group_change(
 			group,
 			status);
 		audit_log_json(
-			AUDIT_JSON_TYPE,
 			&json,
 			DBGC_DSDB_GROUP_AUDIT_JSON,
 			GROUP_LOG_LVL);
@@ -582,7 +581,6 @@ static void log_membership_change(
 			group,
 			status);
 		audit_log_json(
-			AUDIT_JSON_TYPE,
 			&json,
 			DBGC_DSDB_GROUP_AUDIT_JSON,
 			GROUP_LOG_LVL);

source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c

@@ -752,19 +752,16 @@ static void test_get_primary_group_dn(void **state)
 /*
  * Mocking for audit_log_json to capture the called parameters
  */
-const char *audit_log_json_prefix = NULL;
 struct json_object *audit_log_json_message = NULL;
 int audit_log_json_debug_class = 0;
 int audit_log_json_debug_level = 0;
 
 
 void audit_log_json(
-	const char* prefix,
 	struct json_object* message,
 	int debug_class,
 	int debug_level)
 {
-	audit_log_json_prefix = prefix;
 	audit_log_json_message = message;
 	audit_log_json_debug_class = debug_class;
 	audit_log_json_debug_level = debug_level;