Description
Describe the feature
CRYOSTAT_AUDIT_ENABLED environment variable needs to be configurable. This feature is disabled by default and must be explicitly enabled by setting this environment variable.
Cryostat's implementation of this has it as a new opt-in feature to ensure that it is not accidentally/inadvertently enabled. This could happen if a user has installed Cryostat via the Operator and performs an Operator upgrade keeping the same Cryostat CR instance. But this is quite a valuable feature and adds important new capabilities (and will probably be useful for more future capabilities), so I think there's a good case for making it enabled by default when users create a brand new Cryostat CR. This does mean that cryostat-db will need a larger PVC, and the user needs to be aware that the database will grow indefinitely over time as the Cryostat instance is used, so the user may need to expand the PVC periodically. If the user is sure that they will not need the historical information provided by the audit log, then they can opt out and keep a smaller PVC, which will reach some steady-state size given a steady-state number of discovered target applications, started recordings, created Automated Rules, etc.
In a Kubernetes/OpenShift context the audit log is probably quite valuable, as it enables Cryostat to retain information about lost Target JVMs as well as their k8s lineages (Target <- Pod <- ReplicaSet <- Deployment <- Namespace).
This also allows for clients to refer back to historical information about lost targets based on data signals like the cached automated analysis reports. In cases like unexpected Target JVM shutdown due to application crashes or OOMKill, it's clearly valuable for the user or other clients to be able to not only retrieve the archived recordings associated with that lost Target, but to get contextual information about what that Target was (perhaps to correlate it with other observability signals, like k8s Event logs).
cryostatio/cryostat-openshift-console-plugin#792
#1057
Any other information?
No response