[I] As a user, I want audit logs for the APISIX Admin API, so that all configuration changes are transparent and traceable [apisix]

Sat, 27 Sep 2025 08:08:27 -0700 


mdnfiras opened a new issue, #12640:
URL: https://github.com/apache/apisix/issues/12640

   ### Description
   
   As a user, I would like the APISIX Admin API to provide audit logs that 
record all configuration changes (e.g., route creation, updates, deletions, 
plugin configurations), along with details such as who made the change, when it 
was made, and what was changed.
   
   Motivation:
   * Transparency and accountability: making sure all changes are visible and 
traceable to specific users or automation processes.
   * Troubleshooting and debugging: quickly identifying when and why a 
misconfiguration was introduced.
   * Compliance and security: many organisations must comply with standards 
(like ISO 27001, etc.), which require detailed audit trails for system changes.
   * Forensics and incident response: having audit logs helps reconstruct the 
sequence of events that led to a security incident or system outage.
   
   Proposed criteria:
   * Admin API operations (create, update, delete) are logged.
   * Logs include: timestamp, user/actor identity, request details, and result 
(success/failure).
   * Logs storage:
     * Storage format: logs are stored in a structured and queryable format 
(e.g., JSON).
     * Storage backend: configurable backends for audit log storage: e.g., 
file, database, external logging system, perhaps existing logging plugins can 
be reused?
   * Dashboard integration:
     * A dedicated audit logs viewer is available in the APISIX Dashboard where 
logs can be filtered and searched by actor, resource, action type, or time 
range.
     * UI displays change diffs where applicable (e.g., before/after for route 
changes).
     * export functionality (e.g., download as JSON or CSV) for compliance 
audits.
   
   Example usage:
   * The user would have to enable this in the APISIX config file. And if the 
implementation reuses existing logging plugins, then the user would have to 
choose a logging plugin and configure it for audit logging
   ```yaml
   apisix:
     admin_audit_logs:
       enabled: true
       logging_plugin_name: elasticsearch-logger
       logging_plugin_config:
         # configure the chosen plugin here
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to