log

Function Description

log is a build.security built-in function that adds log statement(s) to the decision log upon evaluation.
It's important to note that the log statements appear only in the decision log when HTTP authz requests are made to the PDP server, and not, for example, in the Rego playground.

Function format

log(statement)
Parameters:
    statement - the string to add to the decision log.

Function Usage Example

1
log("A simple log statement")
2
3
# Log Rego values by converting them to string
4
log(sprintf("Logging some values: %v %v", [x, y]))
Copied!
Usage in production
Most Rego rules are cached upon evaluation, but adding certain functions such as log inside rules prevents them from getting cached.
This not only affects performance, it also means that if there is a evaluation containing log inside a Rego loop, the decision log will end up being large.
As such, using log is encouraged only for development and debugging.

An alternative approach

The recommended way to record useful information in production is by restructuring policy: move statements out from inside rules to new rules in the global scope. This way, their evaluation will be recorded in the result.
Example, change the following rule:
1
rule_with_multiple_checks {
2
...check_1...
3
...check_2...
4
...check_3...
5
}
Copied!
by making new rules in the global scope:
1
check_1 {
2
...
3
}
4
5
check_2 {
6
...
7
}
8
9
check_3 {
10
...
11
}
12
13
final_rule {
14
check_1
15
check_2
16
check_3
17
}
Copied!
The evaluation output of check_1, check_2 and check_3 will now be accessible on your build.security console's playground.
Last modified 3mo ago
Copy link