Append-only JSONL file ExternalSink for audit-framework — the reference sink plugin.
Project description
audit-framework-jsonl
An append-only JSON-Lines file sink for
audit-framework — and the reference implementation
every other ExternalSink (Splunk HEC, Elasticsearch, syslog, …) can be copied
from.
It implements the ExternalSink port: one compact JSON object per line,
appended to a file. Writes are serialised and offloaded off the event loop, with
optional rotation by date and/or size.
Install
pip install audit-framework-jsonl
Use
from audit_framework_jsonl.sink import JsonlFileSink
from audit_framework.core.middlewares.sink_fanout import SinkFanOutMiddleware
sink = JsonlFileSink("/var/log/audit/audit.jsonl", daily=True, max_bytes=50_000_000)
pipeline.use(SinkFanOutMiddleware([sink])) # fan events out to this sink
Or wire it by configuration through the registry — it advertises itself under
the audit_framework.plugins entry point as the file_jsonl external sink:
registry.discover_entrypoints() # finds file_jsonl
SinkClass = registry.get("external_sink", "file_jsonl")
sink = SinkClass("/var/log/audit/audit.jsonl")
Each emitted line is event.to_dict() serialised compactly, e.g.:
{"actor_id":"alice","action":"DELETE","resource_type":"contract","resource_id":"c-42",...}
Options
| Param | Effect |
|---|---|
name |
The sink_name used for per-policy sink filtering (default "file_jsonl"). |
daily |
Write to a date-stamped file audit-YYYY-MM-DD.jsonl (one per UTC day). |
max_bytes |
Roll the current file aside (audit.<timestamp>.jsonl) before it exceeds this size. Composes with daily. |
clock |
Injectable time source for rotation stamps (testing). |
Writing your own sink
sink.py is deliberately tiny — copy it and change four things:
- a stable
sink_name(matched againstAuditPolicy.sinks), async emit(event, context)— forwardevent.to_dict()to your platform (best-effort; raise on permanent failure so the pipeline records it),async health_check()— report reachability,- a
register(registry)that callsregistry.register("external_sink", "<name>", YourSink)(+ anaudit_framework.pluginsentry point inpyproject.toml).
Development
pip install -e ".[dev]"
pytest # 9 stdlib-only tests (tmp files; no infrastructure)
License
MIT
For AI agents & coding assistants
This package ships its agent guide — AGENTS.md — inside the
wheel (installed at <site-packages>/audit_framework_jsonl/AGENTS.md). Read it offline, with no
docs site and no network, even from an airgapped Nexus PyPI mirror:
python -m audit_framework_jsonl
python -c "import audit_framework_jsonl; print(audit_framework_jsonl.overview())"
AGENTS.md is the single source of truth: mental model, one runnable quickstart,
and the exact public API. audit_framework_jsonl.overview() returns it, and tests/guide_test.py
compiles its examples so the guide can't drift from the code.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file audit_framework_jsonl-0.1.1.tar.gz.
File metadata
- Download URL: audit_framework_jsonl-0.1.1.tar.gz
- Upload date:
- Size: 8.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0d1bdb456058957bccde9b36c81b6a6b2e127ed2794d7191cb2e303b128128b8
|
|
| MD5 |
de7a193a12d66d0009087b58cb862271
|
|
| BLAKE2b-256 |
71f39f67803c59ecc310aeefe51d5aaa9b98db673e861dc4a526971cd4848319
|
Provenance
The following attestation bundles were made for audit_framework_jsonl-0.1.1.tar.gz:
Publisher:
release.yml on vanmarkic/audit-logger
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
audit_framework_jsonl-0.1.1.tar.gz -
Subject digest:
0d1bdb456058957bccde9b36c81b6a6b2e127ed2794d7191cb2e303b128128b8 - Sigstore transparency entry: 2060482905
- Sigstore integration time:
-
Permalink:
vanmarkic/audit-logger@3ac6823128c64ab93b2487aac60a0315824964f9 -
Branch / Tag:
refs/tags/audit-framework-jsonl-v0.1.1 - Owner: https://github.com/vanmarkic
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@3ac6823128c64ab93b2487aac60a0315824964f9 -
Trigger Event:
push
-
Statement type:
File details
Details for the file audit_framework_jsonl-0.1.1-py3-none-any.whl.
File metadata
- Download URL: audit_framework_jsonl-0.1.1-py3-none-any.whl
- Upload date:
- Size: 9.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e9b43fa0e71c2b5ab7418d7bcefa14e2889c764fb58f0eb405621c1ce8b21214
|
|
| MD5 |
713855b043e049c3f09ebbdb7a84707f
|
|
| BLAKE2b-256 |
638bf7364b32f43609f1b13ddf1da01664405782bdbfde06e30c9513c53afe29
|
Provenance
The following attestation bundles were made for audit_framework_jsonl-0.1.1-py3-none-any.whl:
Publisher:
release.yml on vanmarkic/audit-logger
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
audit_framework_jsonl-0.1.1-py3-none-any.whl -
Subject digest:
e9b43fa0e71c2b5ab7418d7bcefa14e2889c764fb58f0eb405621c1ce8b21214 - Sigstore transparency entry: 2060483245
- Sigstore integration time:
-
Permalink:
vanmarkic/audit-logger@3ac6823128c64ab93b2487aac60a0315824964f9 -
Branch / Tag:
refs/tags/audit-framework-jsonl-v0.1.1 - Owner: https://github.com/vanmarkic
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@3ac6823128c64ab93b2487aac60a0315824964f9 -
Trigger Event:
push
-
Statement type: