Gate data proxy audit logging behind audit_logging server setting

conf/defaults.ini

@@ -47,6 +47,9 @@ root_url = %(protocol)s://%(domain)s:%(http_port)s/
 # Log web requests
 router_logging = false
 
+# This enables query request audit logging, output at warn level, default is false
+audit_logging = false
+
 # the path relative working path
 static_root_path = public
 

conf/sample.ini

@@ -49,6 +49,9 @@
 # Log web requests
 ;router_logging = false
 
+# This enables query request audit logging, output at warn level, default is false
+audit_logging = false
+
 # the path relative working path
 ;static_root_path = public
 

docs/sources/http_api/admin.md

@@ -143,6 +143,7 @@ with Grafana admin permission.
         "protocol":"http",
         "root_url":"%(protocol)s://%(domain)s:%(http_port)s/",
         "router_logging":"true",
+        "audit_logging":"true",
         "static_root_path":"public"
       },
       "session":{

pkg/api/dataproxy.go

@@ -118,8 +118,6 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 		}
 	}
 
-	outputToAuditLog(ds.Type, c)
-
 	proxy := NewReverseProxy(ds, proxyPath, targetUrl)
 	proxy.Transport, err = ds.GetHttpTransport()
 	if err != nil {
@@ -127,19 +125,23 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 		return
 	}
 
+	auditLog(ds.Type, c)
+
 	proxy.ServeHTTP(c.Resp, c.Req.Request)
 	c.Resp.Header().Del("Set-Cookie")
 }
 
-func outputToAuditLog(dataSourceType string, c *middleware.Context) {
-	auditLogger := log.New("data-proxy-audit", "userid", c.UserId, "orgid", c.OrgId, "username", c.Login)
+func auditLog(dataSourceType string, c *middleware.Context) {
+	if setting.AuditLogging {
+		auditLogger := log.New("data-proxy-audit", "userid", c.UserId, "orgid", c.OrgId, "username", c.Login)
 
-	var body string
-	if c.Req.Request.Body != nil {
-		buffer, _ := ioutil.ReadAll(c.Req.Request.Body)
-		c.Req.Request.Body = ioutil.NopCloser(bytes.NewBuffer(buffer))
-		body = string(buffer)
-	}
+		var body string
+		if c.Req.Request.Body != nil {
+			buffer, _ := ioutil.ReadAll(c.Req.Request.Body)
+			c.Req.Request.Body = ioutil.NopCloser(bytes.NewBuffer(buffer))
+			body = string(buffer)
+		}
 
-	auditLogger.Info("Proxying incoming request", "datasource", dataSourceType, "uri", c.Req.RequestURI, "method", c.Req.Request.Method, "body", body)
+		auditLogger.Warn("Proxying incoming request", "datasource", dataSourceType, "uri", c.Req.RequestURI, "method", c.Req.Request.Method, "body", body)
+	}
 }

pkg/setting/setting.go

@@ -65,6 +65,7 @@ var (
 	SshPort            int
 	CertFile, KeyFile  string
 	RouterLogging      bool
+	AuditLogging       bool
 	StaticRootPath     string
 	EnableGzip         bool
 	EnforceDomain      bool
@@ -490,6 +491,7 @@ func NewConfigContext(args *CommandLineArgs) error {
 	HttpAddr = server.Key("http_addr").MustString(DEFAULT_HTTP_ADDR)
 	HttpPort = server.Key("http_port").MustString("3000")
 	RouterLogging = server.Key("router_logging").MustBool(false)
+	AuditLogging = server.Key("audit_logging").MustBool(false)
 	EnableGzip = server.Key("enable_gzip").MustBool(false)
 	EnforceDomain = server.Key("enforce_domain").MustBool(false)
 	StaticRootPath = makeAbsolute(server.Key("static_root_path").String(), HomePath)