Tags: spring, cloud-foundry, audit-trail, audit-logging

Business audit events on Cloud Foundry


I have some Spring Boot micro-services deployed on Cloud Foundry and I have to implement propagating and storing (in a repository) the business audit events they emit.

I can do it in several ways, e.g.:

  1. Publish audit events to a Source (Spring Cloud Stream / RabbitMQ) and consume them with a Sink service that writes the events to the repository.
  2. Publish audit events as a custom application log and consume them with a log-consuming service that filters them and writes the events to the repository.
  3. Publish audit events using CF's internal mechanism as a new custom log type or a custom audit event - I think this option isn't a good idea, but I could be wrong...

Is there any recommended approach/pattern for solving this on the Cloud Foundry platform?


EDIT

All the approaches meet (in my opinion) the 12-factor rules, but each has its advantages and disadvantages:

  • (1) Spring Cloud Stream
    • + ensures delivery (events will not be lost)
    • + allows routing (RabbitMQ)
    • - requires a connection to a message broker (not as easy as a logger)
  • (2) log-consuming service
    • + is easy
    • - logs can be lost
    • - audit business info is propagated too widely - GDPR
  • (3) new CF log type
    • - probably forces changes in CF

Solution

  • I'm going to answer your question with a question. What exactly are your "business audit logs"? Would there be a problem if you lost some of them?

    If the answer is yes and it's unacceptable to lose even a single log, then I would make the case that they're not really logs, but business records (that perhaps just look like logs). In this case, store the records in a database or other service where storage is guaranteed. It's extra work, but you need to make sure these records are properly stored, so the extra effort is warranted.

    If the answer is no and it's acceptable to lose some or even all (plan for the worst case) of these logs, then I would suggest just writing them to STDOUT. Cloud Foundry will handle the routing of these logs for you, so it's super easy. You can bind a syslog drain if you want to send them to a log-consuming service, or you could implement a Loggregator Nozzle and read the logs directly from CF. From the app's perspective it doesn't really matter, and you could even change your mind later without needing to update your app.

    Hope that helps!
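The following is an added example, not code from the question or the answer, showing how the answer's two paths can coexist in one Spring Boot component: events that must not be lost are stored synchronously through Spring Boot Actuator's `AuditEventRepository` (the app is assumed to provide a durable, e.g. JDBC-backed, implementation of that interface as a bean; the package name `example.audit`, the class name and the `record(...)` method are hypothetical), and every event is additionally written to STDOUT as one JSON line so that Cloud Foundry's Loggregator can route it to a syslog drain or nozzle. The log line deliberately carries only the event type, principal and timestamp, so the detailed business payload that raised the GDPR concern in the question never enters the shared log stream. Jackson (`com.fasterxml.jackson.databind`) is assumed to be on the classpath, which it is with `spring-boot-starter-web` or `spring-boot-starter-actuator`.

```java
// Added example (hypothetical package and class names), not part of the original post.
package example.audit;

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.AuditEventRepository;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

@Component
public class BusinessAuditPublisher {

    private static final ObjectMapper JSON = new ObjectMapper();

    // Assumption: the application defines a durable AuditEventRepository bean
    // (for example one backed by JDBC). Actuator's default InMemoryAuditEventRepository
    // would NOT satisfy the "must not lose a single record" requirement.
    private final AuditEventRepository repository;

    public BusinessAuditPublisher(AuditEventRepository repository) {
        this.repository = repository;
    }

    /**
     * Called from business code, e.g.
     * record("alice", "ORDER_APPROVED", Map.of("orderId", "42", "amount", "99.90")).
     *
     * The repository write is synchronous and its exception is propagated, so a
     * storage failure surfaces to the caller instead of silently dropping the record.
     */
    public void record(String principal, String type, Map<String, Object> details) {
        AuditEvent event = new AuditEvent(principal, type, details);

        // Durable path (the answer's "business records" case).
        repository.add(event);

        // Best-effort path: one JSON line on STDOUT, routed by Cloud Foundry.
        System.out.println(toLogLine(event));
    }

    /** Builds the minimal STDOUT representation; the details map is intentionally omitted. */
    static String toLogLine(AuditEvent event) {
        Map<String, Object> line = new LinkedHashMap<>();
        line.put("audit", true);                       // lets a log consumer filter these lines
        line.put("ts", event.getTimestamp().toString());
        line.put("type", event.getType());
        line.put("principal", event.getPrincipal());
        try {
            return JSON.writeValueAsString(line);
        } catch (JsonProcessingException e) {
            // Never let log serialisation break the business call; fall back to a plain line.
            return "audit type=" + event.getType() + " principal=" + event.getPrincipal();
        }
    }
}
```

One thing to watch: if you also publish an `AuditApplicationEvent` through the `ApplicationEventPublisher`, Actuator's auto-configured `AuditListener` will store it in the same repository, so you would end up with duplicate records; this example therefore writes to the repository directly and does not publish the Spring event. A downstream log-consuming service only needs to keep lines whose JSON contains `"audit":true` and can look up the full record by `ts`, `type` and `principal` in the durable store when it needs the details.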