Not all Audit Events are being recorded
Summary
A customer discovered that a branch was unprotected but Audit Logs did not show the event. This made it difficult to debug how a branch became unprotected, even though we do support this event through the API and UI.
After reviewing our Kibana logs, I was able to discover an API call to the protected branches endpoint (/api/v4/projects/:id/protected_branches/:branch) that showed a User submitted a DELETE to remove a protected branch. This particular request should've been available in the Audit Events, but was not for whatever reason. This diminishes trust in audit events. We should determine why some events are not being recorded.
This is possibly related to https://gitlab.com/gitlab-org/gitlab/-/issues/354260
Steps to reproduce
Was unable to reproduce, as my requests in a test project always ended up in Audit Events.
Example Project
Please see ZD Ticket (Internal)
What is the current bug behavior?
A user can unprotect a branch via the API and it won't be recorded in the Audit Events.
What is the expected correct behavior?
Any event that protects or unprotects a branch should be recorded in Audit Events.
Relevant logs and/or screenshots
Please note that customer information was redacted for privacy; it's included in the internal-only ZD Ticket.
Notice how the entry for May 18th does not show up in Audit Events for the date range.
"json.time","json.meta.project","json.status","json.username","json.path","json.method"
"May 21, 2022 @ 07:02:53.018","path/to/project",404,"user","/api/v4/projects/:id/protected_branches/main",DELETE
"May 20, 2022 @ 07:01:54.449","path/to/project",204,"user","/api/v4/projects/:id/protected_branches/main",DELETE
"May 18, 2022 @ 07:02:19.213","path/to/project",204,"user","/api/v4/projects/:id/protected_branches/main",DELETE
Output of checks
This happens on GitLab.com 15.1.0-pre 0fff797d
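The comparison described in this report (successful DELETE calls in the API log versus what Audit Events shows) can be automated to find gaps. The following is an added example, not part of the original issue or GitLab's code: the audit records use a hypothetical simplified shape, and the audit entry for May 20 is a constructed sample value.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: the three rows of the Kibana export shown in the report.
API_LOG_CSV = '''"json.time","json.meta.project","json.status","json.username","json.path","json.method"
"May 21, 2022 @ 07:02:53.018","path/to/project",404,"user","/api/v4/projects/:id/protected_branches/main",DELETE
"May 20, 2022 @ 07:01:54.449","path/to/project",204,"user","/api/v4/projects/:id/protected_branches/main",DELETE
"May 18, 2022 @ 07:02:19.213","path/to/project",204,"user","/api/v4/projects/:id/protected_branches/main",DELETE
'''
# Constructed audit records in a hypothetical simplified shape (not GitLab's schema):
# (timestamp, project, branch); timestamps assumed to share the API log's timezone.
AUDIT_EVENTS = [(datetime(2022, 5, 20, 7, 1, 54), "path/to/project", "main")]
MARKER = "/protected_branches/"


def successful_unprotects(csv_text):
    """Yield (time, project, user, branch) for DELETE calls that returned 2xx."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["json.path"]
        if row["json.method"] != "DELETE" or MARKER not in path:
            continue
        if not 200 <= int(row["json.status"]) < 300:
            continue  # skip requests that did not succeed, such as the 404 row
        when = datetime.strptime(row["json.time"], "%b %d, %Y @ %H:%M:%S.%f")
        yield when, row["json.meta.project"], row["json.username"], path.split(MARKER, 1)[1]


def missing_audit_events(csv_text, audit_events, tolerance=timedelta(seconds=60)):
    """Return successful unprotect calls with no audit record within `tolerance`."""
    gaps = []
    for when, project, user, branch in successful_unprotects(csv_text):
        matched = any(
            a_project == project and a_branch == branch and abs(a_time - when) <= tolerance
            for a_time, a_project, a_branch in audit_events
        )
        if not matched:
            gaps.append((when, project, user, branch))
    return sorted(gaps)


if __name__ == "__main__":
    for when, project, user, branch in missing_audit_events(API_LOG_CSV, AUDIT_EVENTS):
        print(f"{when.isoformat()} {project} {branch} unprotected by {user}: no audit event")
```

Run on a schedule against fresh exports, a non-empty result is an alertable signal that audit coverage has a gap.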
