Decision Logs Configuration

Styra Load has expanded the OPA decision logger, with support for:

Multiple sinks, including native external integrations such as Splunk.
Configurable log write buffering behavior.

Common Configuration

Enhanced decision logs are provided by a plugin called load_decision_logger.

note

The Styra Load decision logger cannot be used together with the default decision log support that is also included for OPA compatibility.

If both decision logger plugins are configured simultaneously, Styra Load will error and exit.

plugins:
  load_decision_logger:
    drop_decision: /system/log/drop
    mask_decision: /system/log/mask
    buffer:
      type: disk # one of "memory" (default), "disk" and "unbuffered"
      path: /var/tmp/dl.db
    output:
    - type: console
    # any number of further outputs, see individual sink configurations

Drop and Mask Policies

drop_decision and mask_decision are OPA-compatible meaning you can use your existing drop and mask policies. Please refer to the OPA docs for details.

Field	Type	Required	Default	Description
`drop_decision`	`string`	No	`/system/log/drop`	The name of the drop rule used.
`mask_decision`	`string`	No	`/system/log/mask`	The name of the mask rule used.

Buffering

Field	Type	Required	Default	Description
`buffer.type`	`string`	No	`memory`	One of `memory`, `disk`, or `unbuffered`

`memory`

Field	Type	Required	Default	Description
`buffer.max_bytes`	`int`	Yes	524288000 (i.e. 500M)	Maximum buffer size (in bytes) to allow before applying backpressure upstream.

One of the following must also be configured.

Field	Type	Required	Default	Description
`buffer.flush_at_count`	`int`	No	0	Number of messages at which the batch should be flushed. If 0 disables count based batching.
`buffer.flush_at_bytes`	`int`	No	0	Amount of bytes at which the batch should be flushed. If 0 disables size based batching.
`buffer.flush_at_period`	`string`	No		Period in which an incomplete batch should be flushed regardless of its size (e.g. 1s).

The memory buffer behaves in much the same way as OPA's decision logging, except that drop and mask decisions are applied asynchronously. This allows for faster API responses even with decision logging enabled.

`disk`

Field	Type	Required	Description
`buffer.path`	`string`	Yes	The location of the buffer on disk

Disk is an on-disk buffer. It is slower than memory buffering, but is generally more robust, and safe across service restarts.

`unbuffered`

When using an unbuffered decision log, no API response will be sent until the decision has successfully been written to every configured sink. This is the slowest option, but guarantees that decision logs have been written. This can be useful in systems with strict auditability requirements.

Common Output Configuration

Several decision log outputs share common configuration options.

TLS

Field	Type	Required	Default	Description
`output.tls.cert`	`string`	Yes		Path to public certificate that matches the private key.
`output.tls.private_key`	`string`	Yes		Path to private key used to decrypt messages.
`output.tls.ca_cert`	`string`	Yes		Path to public certificate of the certificate authority.
`output.tls.skip_cert_verify`	`bool`	No	false	Skip certificate verification.

Batching

Field	Type	Required	Default	Description
`output.batching.array`	`bool`	No	false	Send batches as arrays of JSON blobs.
`output.batching.compress`	`bool`	No	false	Compress output with gzip.

One of the following must also be configured.

Field	Type	Required	Default	Description
`output.batching.at_count`	`int`	No	0	Number of messages at which the batch should be flushed. If 0 disables count based batching.
`output.batching.at_bytes`	`int`	No	0	Amount of bytes at which the batch should be flushed. If 0 disables size based batching.
`output.batching.at_period`	`string`	No		Period in which an incomplete batch should be flushed regardless of its size (e.g. 1s).

Common Configuration​

Drop and Mask Policies​

Buffering​

memory​

disk​

unbuffered​

Common Output Configuration​

TLS​

Batching​