Group discussion: Logging

INDIGO IAM Technical Hackathon

10 February 2025

Sharing Audit Logs with VO Admins

  • This is the last feature that existed in VOMS-Admin but is still missing from IAM
  • It has been requested by all 4 of the big LHC VO admins
  • Audit logs were shared on a dashboard page on VOMS-Admin
  • It was previously agreed that, instead of doing the same on IAM, it would be more effective to just separate the audit logs from the rest of the logs to allow audit logs to be exported separately to a logging tool (e.g. OpenSearch)
    • Better filtering, easier search, easier history handling, easier to control access, easy to integrate with any logging tool...
    • At CERN, we can use separate index patterns (or tenants) for each VO on OpenSearch so that each VO admin can only see their VO’s logs

Issues

Issues that are blocking us from implementing this:

  • VOMS-AA: There are no logs at INFO level; logs exist only at DEBUG level (GitHub Issue)
    • DEBUG logging produces 50+ log lines for each proxy creation, which is far too many unnecessary lines to store
    • DEBUG logs include the proxy itself, which is not good security practice

  • IAM + VOMS-AA: Audit logs should be saved to a separate file from the rest of the logs (GitHub Issue)
    • So that we only share the related logs with the VO Admins

Discussion

  • Would everyone agree that exporting the logs to a logging tool is a better approach than having them as a dashboard page in IAM?
  • What information should the VOMS-AA audit logs include?
    • account id, name, certificate CN, created/failed, reason if failed (?)
  • Any other discussion about logging?
  • Maybe we can find time during the following days of the Hackathon to fix these issues?
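
A sketch of the two blocking issues and the proposed fields taken together, as an added example in Python and not IAM or VOMS-AA code: audit events go through a dedicated, non-propagating logger at INFO level, one JSON line each, built from an allow-list of the fields listed above so that the proxy cannot end up in them. The logger names, the JSON schema and the `iam-audit-<vo>` index naming are assumptions.

```python
import json
import logging

# Fields proposed in the discussion above; the exact schema is an assumption.
AUDIT_FIELDS = ("vo", "account_id", "name", "certificate_cn", "outcome", "reason")


class AuditJsonFormatter(logging.Formatter):
    """One JSON object per event; only allow-listed fields are written."""

    def format(self, record):
        fields = getattr(record, "audit", {})
        event = {"timestamp": self.formatTime(record), "event": record.getMessage()}
        event.update({key: fields.get(key) for key in AUDIT_FIELDS})
        return json.dumps(event, sort_keys=True)


def build_loggers(app_stream, audit_stream):
    """Return (app, audit) loggers writing to two separate destinations."""
    app = logging.getLogger("voms_aa_example")  # hypothetical logger name
    app.setLevel(logging.DEBUG)
    app.handlers = [logging.StreamHandler(app_stream)]
    app.propagate = False

    audit_handler = logging.StreamHandler(audit_stream)
    audit_handler.setFormatter(AuditJsonFormatter())
    audit = logging.getLogger("voms_aa_example.audit")
    audit.setLevel(logging.INFO)
    audit.handlers = [audit_handler]
    audit.propagate = False  # keep audit events out of the general log
    return app, audit


def audit_proxy_request(audit, vo, account_id, name, certificate_cn, error=None):
    """Record one proxy-creation outcome at INFO level."""
    audit.info("proxy_creation", extra={"audit": {
        "vo": vo, "account_id": account_id, "name": name,
        "certificate_cn": certificate_cn,
        "outcome": "failed" if error else "created", "reason": error,
    }})


def index_for(event_line, prefix="iam-audit"):
    """Per-VO index name for export (hypothetical naming scheme)."""
    return f"{prefix}-{json.loads(event_line)['vo'].lower()}"
```

In a deployed service the two streams would be separate files or log shippers, and `index_for` would run in the export step that feeds the logging tool.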