From 39b99b2e059ea2505128fa30ff89c3290bec3014 Mon Sep 17 00:00:00 2001
From: Peter Wilson <peter.wilson@hashicorp.com>
Date: Fri, 19 Jul 2024 11:12:51 +0100
Subject: [PATCH] Audit: log 'warnings' from eventlogger even if audit is
 deemed a success (#27809)

* make sure we still log underyling pipeline errors even if audit is deemed a success

* changelog
---
 audit/broker.go     | 12 ++++++++++++
 changelog/27809.txt |  3 +++
 2 files changed, 15 insertions(+)
 create mode 100644 changelog/27809.txt

diff --git a/audit/broker.go b/audit/broker.go
index 96cd1405f3d1..9f582bec048c 100644
--- a/audit/broker.go
+++ b/audit/broker.go
@@ -315,6 +315,12 @@ func (b *Broker) LogRequest(ctx context.Context, in *logical.LogInput) (ret erro
 
 	// Audit event ended up in at least 1 sink.
 	if len(status.CompleteSinks()) > 0 {
+		// We should log warnings to the operational logs regardless of whether
+		// we consider the overall auditing attempt to be successful.
+		if len(status.Warnings) > 0 {
+			b.logger.Error("log request underlying pipeline error(s)", "error", &multierror.Error{Errors: status.Warnings})
+		}
+
 		return retErr.ErrorOrNil()
 	}
 
@@ -397,6 +403,12 @@ func (b *Broker) LogResponse(ctx context.Context, in *logical.LogInput) (ret err
 
 	// Audit event ended up in at least 1 sink.
 	if len(status.CompleteSinks()) > 0 {
+		// We should log warnings to the operational logs regardless of whether
+		// we consider the overall auditing attempt to be successful.
+		if len(status.Warnings) > 0 {
+			b.logger.Error("log response underlying pipeline error(s)", "error", &multierror.Error{Errors: status.Warnings})
+		}
+
 		return retErr.ErrorOrNil()
 	}
 
diff --git a/changelog/27809.txt b/changelog/27809.txt
new file mode 100644
index 000000000000..332c9155d95a
--- /dev/null
+++ b/changelog/27809.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+audit: Ensure that any underyling errors from audit devices are logged even if we consider auditing to be a success.
+```
\ No newline at end of file