-
Notifications
You must be signed in to change notification settings - Fork 16
Event Sinks
NOTE: Previously, this was known simply as "Notification Providers". Since event firing has been generalized for the sake of improving interoperability with SIEM/SOAR systems, it is now referred to as "Event Sinks", acknowledging that external log facilities are valid targets to receive notifications of system events.
Event Sinks are used by the entire AuthJanitor Automation system to communicate with administrator users and/or log-consuming services. Every major event in the system fires a message to the EventDispatcherService, which then propagates the event through all registered Event Sinks. This means you can load multiple Event Sinks which can receive disparate sets of events; for example, registering a remote syslog server to receive all events, but also sending any "Anomalous" category events immediately to an administrator via an e-mail notification.
The following System Event categories are sent by various components throughout the system:
public enum AuthJanitorSystemEvents
{
/// <summary>
/// Unknown System Event
/// </summary>
Unknown,
/// <summary>
/// Fired when a Resource is created
/// </summary>
ResourceCreated,
/// <summary>
/// Fired when a Resource is updated
/// </summary>
ResourceUpdated,
/// <summary>
/// Fired when a Resource is deleted
/// </summary>
ResourceDeleted,
// -----
/// <summary>
/// Fired when a Policy is created
/// </summary>
PolicyCreated,
/// <summary>
/// Fired when a Policy is updated
/// </summary>
PolicyUpdated,
/// <summary>
/// Fired when a Policy is deleted
/// </summary>
PolicyDeleted,
// -----
/// <summary>
/// Fired when a Secret is created
/// </summary>
SecretCreated,
/// <summary>
/// Fired when a Secret is updated
/// </summary>
SecretUpdated,
/// <summary>
/// Fired when a Secret is deleted
/// </summary>
SecretDeleted,
// -----
/// <summary>
/// Fired when a RotationTask is completed automatically (not by an administrator)
/// </summary>
RotationTaskCompletedAutomatically,
/// <summary>
/// Fired when a RotationTask is completed manually (by an administrator)
/// </summary>
RotationTaskCompletedManually,
/// <summary>
/// Fired when a RotationTask is attempted and failed
/// </summary>
RotationTaskAttemptFailed,
/// <summary>
/// Fired when a RotationTask expires without being completed
/// </summary>
RotationTaskExpired,
/// <summary>
/// Fired when a RotationTask is deleted (not approved)
/// </summary>
RotationTaskDeleted,
/// <summary>
/// Fired when a new RotationTask is created, if the Task requires manual approval
/// </summary>
RotationTaskCreatedForApproval,
/// <summary>
/// Fired when a new RotationTask is created, if the Task uses a managed identity/service principal
/// </summary>
RotationTaskCreatedForAutomation,
/// <summary>
/// Fired when a RotationTask is approved; this is fired prior to either "Completed" event
/// </summary>
RotationTaskApproved,
// -----
/// <summary>
/// Fired when the AuthJanitor Agent is started
/// </summary>
AgentServiceStarted,
/// <summary>
/// Fired when the AuthJanitor Agent is stopped
/// </summary>
AgentServiceStopped,
/// <summary>
/// Fired when the AuthJanitor Administrator tool is started
/// </summary>
AdminServiceStarted,
/// <summary>
/// Fired when the AuthJanitor Administrator tool is stopped
/// </summary>
AdminServiceStopped,
// -----
/// <summary>
/// Fired when a ManagedSecret enters the lead time interval prior to its expiry
/// </summary>
SecretAboutToExpire,
/// <summary>
/// Fired when a ManagedSecret expires without being rotated
/// </summary>
SecretExpired,
/// <summary>
/// Fired when a ManagedSecret is successfully rotated by a fully automatic process
/// </summary>
SecretRotatedAutomatically,
/// <summary>
/// Fired when a ManagedSecret is successfully rotated by a manual process
/// </summary>
SecretRotatedManually,
// -----
/// <summary>
/// Fired if an anomalous event occurred. This is fired if no other event fits the log message and something strange has occurred.
/// </summary>
AnomalousEventOccurred
}
New Event Sinks must inherit from IEventSink
:
public class MyNewEventSink : IEventSink
{
public Task LogEvent(LogLevel logLevel, string source, string eventMessage)
{ /* ... do things based on ILogger's LogLevel ... */ }
public Task LogEvent(AuthJanitorSystemEvents systemEvent, string source, string details);
{ /* ... do things based on a generalized event which provides a detail string ... */ }
public Task LogEvent<T>(AuthJanitorSystemEvents systemEvent, string source, T detailObject);
{ /* ... do things based on a generalized event which provides a detailed system object, like "Resource" or "ManagedSecret" ... */ }
}