Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
In many industries that are under strict regulatory oversight (such as financial or healthcare), it is required to provide a detailed audit trail of all changes made to an application. In some cases, it may also be desirable to store the actual serialized before and after object data in the audit log.
As such, this module should either provide natively or offer a means for other modules to provide audit tracking on at least the following items:
- Module enable/disable.
- Site configuration changes.
- System Configuration form submissions.
- Pageviews by authenticated users (in some cases, HIPAA requires that you be able to tell an auditor which content has been viewed by which users within a certain time frame)
- Changes to Media or other types of non-node entities.
Site administrators should be able to control which items to audit track based on the needs of their site.
Proposed resolution
There are several ways to approach this problem depending on whether we want these features to be included within the module itself or if we want to allow other modules to extend the audit_log module. Though there is a lot of overlap between both paths.
Allow other modules to extend audit_log
- Make API and Schema changes listed below.
- External modules would call \Drupal::service('audit_log.logger')->log() directly to report an auditable event. (alternatively, we could change the audit_log module so that we define an Event and EventSubscriber architecture where the external modules would raise an audit_log event (https://api.drupal.org/api/drupal/core!core.api.php/group/events/8.2.x)
- When building the administrative UI, provide hooks, events, or a plugin architecture for external modules to include their own configuration and display formatters.
Including this functionality within audit_log
- Make API and Schema changes listed below.
- Directly implement handlers for each of the above types of logging.
- Build administrative UI that allows selecting which actions and objects are logged.
User interface changes
TBD.
API changes
Modify the log() method of the service 'audit_log.logger' to take an AuditLogEventIterface object rather than an EntityInterface object as a parameter.
Modify the hook_entity_action() methods in audit_log.module to build an AuditLogEvent object and pass that to the audit_log.logger service rather than passing the raw entity. I would suggest modifying the AuditLogEvent object definition so that the class constructor takes a passed entity and action string rather than setting individual properties on the class.
Data model changes
We will need to make the names on some of the Event object properties more generic. For example:
- EntityID => ObjectID
- EntityType => SourceType
- Add properties for before/after data snapshots.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 2863831-3.patch | 2.25 KB | dagmar |
| |||
Comments
Comment #2
dagmarI've been doing some test. If we define a generic entity event subscriber. Like provided in this patch, we automatically get support for all entity types. We can always have a more specific subscriber if the priority is greater than -1.
Regarding tracking config changes, it seems there are a lot of config related events that this module could subscribe and log. There are two types of config. Those that are entities, and those that are not entities. Maybe we could create a new type of entity that implements EntityInterface for those configs that are not entities. And notify about changes on that fake entity to track the events.
This seems a bit out of the scope of this module. You have the history module for that.
Comment #3
dagmarHere is the patch I'm mentioning at #2
Comment #4
shawn_smiley CreditAttribution: shawn_smiley at Achieve Internet commentedI like the generic entity approach in your patch. I think that makes a lot of sense for tracking most of the changes on a site.
Let me play around a bit with the config events you mentioned to get a sense of the data that gets communicated.