You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: projects/audit-logging.md
+39-1Lines changed: 39 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -68,4 +68,42 @@ TODO: add link
68
68
69
69
## SIG Meetings and Other Info
70
70
71
-
TODO: add information
71
+
TODO: add information
72
+
73
+
## Appendix
74
+
75
+
### Appendix A: Guarantee of Delivery
76
+
77
+
In the context of this document, guarantee of delivery describes the ability of delivering audit logs from source to destination through OTel means while ensuring that all such signals arrive at the destination and/or providing the source with a means to handle failed delivery.
78
+
79
+
Messaging protocols that support different levels of delivery guarantees may refer to this behavior as _at least once_ or _exactly once_, as opposed to _at most once_.
80
+
81
+
We assume that every component that is involved in the delivery of audit logs from source to destination must support guarantee of delivery individually, rather than assuming that this ability can be provided by e.g. only the collector or SDK.
82
+
83
+
The implications of guarantee of delivery can be illustrated with an example consisting of a workload, an OTel collector, and a durable storage. The workload acts as the source and produces audit logs via the OTel SDK/API. It writes the data via OTLP to the OTel collector. The OTel collector is configured to export audit logs to a durable storage that acts as the destination such as an S3 bucket.
84
+
85
+
The following implications would apply:
86
+
87
+
- workload produces an audit-relevant event:
88
+
89
+
The workload emits the event via the OTel SDK/API. It may wait for acknowledgement of receipt from the collector before proceeding. If the event is rejected or receipt is not acknowledged in time, the workload or SDK may act accordingly, e.g. retry, rollback a database transaction, inform the user, etc.
90
+
91
+
- OTel collector receives the event:
92
+
93
+
To ensure that the event is not lost even if the collector process is terminated or crashes, the collector may need to persist the event before acknowledging receipt to the workload or SDK. If the event cannot be persisted, receipt must be rejected.
94
+
95
+
- OTel collector exports the event:
96
+
97
+
Once the event is exported and the target (i.e. S3) acknowledges receipt, the event can dropped from the collector's persistence.
98
+
99
+
- S3 receives the event:
100
+
101
+
Acknowledges receipt after persisting the event.
102
+
103
+
Note that this is outside the scope of the OTel. More general, when using OTel for audit logging purposes, it's the users (e.g. Ops) responsibility to configure a suitable export target.
104
+
105
+
Note that this example may contain implementation details for illustration purposes. The actual implementation may differ as long as the requirements are met.
106
+
107
+
The example is kept simple for illustration purposes. Many edge cases need to be discussed by the SIG, such as batch-sending of signals or handling of multiple export targets.
108
+
109
+
It may turn out that all OTel receivers, processors, or exporters can be made compatible with guarantee of delivery for audit logging purposes.
0 commit comments