Skip to main content

Append-only JSONL file ExternalSink for audit-framework — the reference sink plugin.

Project description

audit-framework-jsonl

An append-only JSON-Lines file sink for audit-framework — and the reference implementation every other ExternalSink (Splunk HEC, Elasticsearch, syslog, …) can be copied from.

It implements the ExternalSink port: one compact JSON object per line, appended to a file. Writes are serialised and offloaded off the event loop, with optional rotation by date and/or size.

Install

pip install audit-framework-jsonl

Use

from audit_framework_jsonl.sink import JsonlFileSink
from audit_framework.core.middlewares.sink_fanout import SinkFanOutMiddleware

sink = JsonlFileSink("/var/log/audit/audit.jsonl", daily=True, max_bytes=50_000_000)
pipeline.use(SinkFanOutMiddleware([sink]))   # fan events out to this sink

Or wire it by configuration through the registry — it advertises itself under the audit_framework.plugins entry point as the file_jsonl external sink:

registry.discover_entrypoints()                 # finds file_jsonl
SinkClass = registry.get("external_sink", "file_jsonl")
sink = SinkClass("/var/log/audit/audit.jsonl")

Each emitted line is event.to_dict() serialised compactly, e.g.:

{"actor_id":"alice","action":"DELETE","resource_type":"contract","resource_id":"c-42",...}

Options

Param Effect
name The sink_name used for per-policy sink filtering (default "file_jsonl").
daily Write to a date-stamped file audit-YYYY-MM-DD.jsonl (one per UTC day).
max_bytes Roll the current file aside (audit.<timestamp>.jsonl) before it exceeds this size. Composes with daily.
clock Injectable time source for rotation stamps (testing).

Writing your own sink

sink.py is deliberately tiny — copy it and change four things:

  1. a stable sink_name (matched against AuditPolicy.sinks),
  2. async emit(event, context) — forward event.to_dict() to your platform (best-effort; raise on permanent failure so the pipeline records it),
  3. async health_check() — report reachability,
  4. a register(registry) that calls registry.register("external_sink", "<name>", YourSink) (+ an audit_framework.plugins entry point in pyproject.toml).

Development

pip install -e ".[dev]"
pytest        # 9 stdlib-only tests (tmp files; no infrastructure)

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

audit_framework_jsonl-0.1.0.tar.gz (5.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

audit_framework_jsonl-0.1.0-py3-none-any.whl (6.0 kB view details)

Uploaded Python 3

File details

Details for the file audit_framework_jsonl-0.1.0.tar.gz.

File metadata

  • Download URL: audit_framework_jsonl-0.1.0.tar.gz
  • Upload date:
  • Size: 5.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for audit_framework_jsonl-0.1.0.tar.gz
Algorithm Hash digest
SHA256 9efa2a63bdd76973d09c7c9723e36d761af1038f82cbc11c62daa40cda610e2d
MD5 0c4465c51c2beeaee9fefba13c6e2c93
BLAKE2b-256 0f64e8141303f06e5c3a29b789a34537dfc98139e313e4297cb48e1dd7de505b

See more details on using hashes here.

Provenance

The following attestation bundles were made for audit_framework_jsonl-0.1.0.tar.gz:

Publisher: release.yml on vanmarkic/audit-logger

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file audit_framework_jsonl-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for audit_framework_jsonl-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cbe6b84d04322bb175abd25919e8670d563b1dd62fb5b888cc7603694be4b7b0
MD5 d9ab0e5a3bc722941298e963452640af
BLAKE2b-256 9d33f1183a16ae1d75854747d9500218fa757d65a699b66afbcd615ad7d85469

See more details on using hashes here.

Provenance

The following attestation bundles were made for audit_framework_jsonl-0.1.0-py3-none-any.whl:

Publisher: release.yml on vanmarkic/audit-logger

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page