audit: support a configurable prefix string to write before each message (#2359)

A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs.
2025-11-01 19:17:58 +00:00 · 2017-02-10 19:56:28 -05:00
parent a18f77e69c
commit 57aac16cd2
10 changed files with 130 additions and 13 deletions
--- a/audit/format_json.go
+++ b/audit/format_json.go
@@ -8,13 +8,22 @@ import (

 // JSONFormatWriter is an AuditFormatWriter implementation that structures data into
 // a JSON format.
-type JSONFormatWriter struct{}
+type JSONFormatWriter struct {
+	Prefix string
+}

 func (f *JSONFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error {
 	if req == nil {
 		return fmt.Errorf("request entry was nil, cannot encode")
 	}

+	if len(f.Prefix) > 0 {
+		_, err := w.Write([]byte(f.Prefix))
+		if err != nil {
+			return err
+		}
+	}
+
 	enc := json.NewEncoder(w)
 	return enc.Encode(req)
 }
@@ -24,6 +33,13 @@ func (f *JSONFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry)
 		return fmt.Errorf("response entry was nil, cannot encode")
 	}

+	if len(f.Prefix) > 0 {
+		_, err := w.Write([]byte(f.Prefix))
+		if err != nil {
+			return err
+		}
+	}
+
 	enc := json.NewEncoder(w)
 	return enc.Encode(resp)
 }