Over the past three months, I have been mentoring two Outreachy interns, David and Latha, with my co-mentor, Jeff Thompson. Our project was to introduce a standardized way for creating an audit log of Jenkins and plugins using Apache Log4j Audit. While this type of feature is addressed by other existing plugins, there is no unifying way for plugins to contribute their own actions. This project provided ample opportunities for each of our interns to experience the community processes for starting a new Jenkins plugin, contributing changes to Jenkins itself in order to support more audit event types, using CICD principles, and developing a Jenkins Enhancement Proposal to begin the standardization process of audit logging throughout the ecosystem.

During this internship, David and Latha contributed several aspects of the project, much of which lays the foundation for easily instrumenting more subsystems and plugins with audit logs. A template log4j2.xml file is used for allowing more complex logging output configurations with a configuration UI.

Audit log configuration UI

New APIs have been introduced in Jenkins to allow for more authentication-related events to be audited by the plugin. Audit events have been defined for a few authorization scenarios and some build events. For example, here is a snippet of audit log output for a build execution in the JSON layout:

{
  "thread" : "Executor #0 for master : executing test #1",
  "level" : "OFF",
  "loggerName" : "AuditLogger",
  "marker" : {
    "name" : "Audit",
    "parents" : [ {
      "name" : "EVENT"
    } ]
  },
  "message" : "Audit [buildStart buildNumber=\"1\" cause=\"[Started by user anonymous]\" projectName=\"test\" timestamp=\"Mon Mar 25 13:48:09 CDT 2019\" userId=\"SYSTEM\"]",
  "endOfBatch" : false,
  "loggerFqcn" : "org.apache.logging.log4j.audit.AuditLogger",
  "instant" : {
    "epochSecond" : 1553539689,
    "nanoOfSecond" : 810000000
  },
  "contextMap" : { },
  "threadId" : 54,
  "threadPriority" : 5
}
{
  "thread" : "Executor #0 for master : executing test #1",
  "level" : "OFF",
  "loggerName" : "AuditLogger",
  "marker" : {
    "name" : "Audit",
    "parents" : [ {
      "name" : "EVENT"
    } ]
  },
  "message" : "Audit [buildFinish buildNumber=\"1\" cause=\"[Started by user anonymous]\" projectName=\"test\" timestamp=\"Mon Mar 25 13:48:10 CDT 2019\" userId=\"SYSTEM\"]",
  "endOfBatch" : false,
  "loggerFqcn" : "org.apache.logging.log4j.audit.AuditLogger",
  "instant" : {
    "epochSecond" : 1553539690,
    "nanoOfSecond" : 155000000
  },
  "contextMap" : { },
  "threadId" : 54,
  "threadPriority" : 5
}

Best of all, this project has helped instill important software engineering values such as automated testing and continuous delivery.

As we conclude this round, we look forward to participating in the next Outreachy internship to continue this project and grow the community. For more information about the next round, check out the Outreachy website.

About the Author
Matt Sicker

Mathematician, software engineer, and free software evangelist. Works for CloudBees on the Jenkins Security Team along with other Jenkins community work since 2018. PMC Chair of the Apache Logging Services project and Secretary for the Apache Software Foundation.