
Audit Logging in Jenkins: An Outreachy Project

Matt Sicker
May 22, 2019

The Audit Log Plugin for Jenkins is an in-development project to integrate standardized audit logging trails into various core actions in Jenkins. This project integrates the recently released Apache Log4j Audit library to allow for a vast array of possible audit logging destinations and configurations. We began this plugin not long after Log4j Audit 1.0.0 was released last year by partnering with Outreachy, where we mentored two interns who laid the foundations of the project. This year, we applied to Outreachy again to continue the project, and we were able to accept two more Outreachy interns: Aarthi Rajaraman and Gayathri Rajendar. Both have already been adding new features and improving the plugin over the past couple of months, and the internship officially began on 20 May.

This round has ambitious goals for the features and documentation we wish to create. Having added audit log support for several built-in event listeners in Jenkins around the lifecycle of projects, builds, nodes, and authentication during both the previous internship and the applications to this one, we would like to accomplish the following:

  • Make a 1.0 release of the plugin for the Jenkins Update Center. #34

  • Add documentation on supported audit log types and configuration options. #40

  • Add audit logs for credential usage and lifecycle events. #35, #36

  • Add audit logs for user property lifecycle events. #37

  • Define or document an API for other plugins to use to define and log their own audit events. #30

  • Ensure audit log events use consistent vocabulary with the Jenkins UI. #33

  • Add an audit log event recorder/viewer comparable to the Jenkins logger recorder administrative UI. #32

  • Add support for configuring a syslog-compatible log server for writing audit logs. #29

  • Add support for configuring a relational database such as PostgreSQL for writing audit logs. #31

  • Improve unit test coverage and pay down technical debt. #38

  • Begin discovery on alternative ways to manage the underlying Log4j Core configuration such as via the upcoming integration with Spring Cloud Configuration. #39

In the future, we hope to participate with more projects and mentors. Running concurrently with Outreachy right now is Google Summer of Code 2019, where we are mentoring several more projects and students. Please extend a warm welcome to all our new contributors and community members from Outreachy and GSoC!

About the author

Matt Sicker

Mathematician, software engineer, and free software evangelist. Works for CloudBees on the Jenkins Security Team along with other Jenkins community work since 2018. PMC Chair of the Apache Logging Services project and Secretary for the Apache Software Foundation.