From 2d4acce3da0d42d2ff63e1d28365f7e2c02e2c3c Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Wed, 24 Aug 2022 16:31:49 +0200
Subject: [PATCH] docs: Update upgrade guide to reflect enterprise changes
 introduced in nomad-enterprise (#14212)

This PR documents a change made in the enterprise version of nomad that addresses the following issue:

When a user tries to filter audit logs, they do so with a stanza that looks like the following:

audit {
  enabled = true

  filter "remove deletes" {
    type = "HTTPEvent"
    endpoints  = ["*"]
    stages = ["OperationComplete"]
    operations = ["DELETE"]
  }
}

When specifying both an "endpoint" and a "stage", the events with both matching a "endpoint" AND a matching "stage" will be filtered.

When specifying both an "endpoint" and an "operation" the events with both matching a "endpoint" AND a matching "operation" will be filtered.

When specifying both a "stage" and an "operation" the events with a matching a "stage" OR a matching "operation" will be filtered.

The "OR" logic with stages and operations is unexpected and doesn't allow customers to get specific on which events they want to filter. For instance the following use-case is impossible to achieve: "I want to filter out all OperationReceived events that have the DELETE verb".
---
 .changelog/14212.txt                              | 3 +++
 website/content/docs/upgrade/upgrade-specific.mdx | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 .changelog/14212.txt

diff --git a/.changelog/14212.txt b/.changelog/14212.txt
new file mode 100644
index 000000000..4e5a4bb63
--- /dev/null
+++ b/.changelog/14212.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+audit (Enterprise): fixed inconsistency in event filter logic
+```
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index 86b249b20..2dfc26c12 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -23,6 +23,13 @@ to version 3, and in Nomad 1.4.0 Nomad requires the use of raft protocol version
 3. If [`raft_protocol`] version is explicitly set, it must now be set to `3`.
 For more information see the [Upgrading to Raft Protocol 3] guide.
 
+#### Audit logs filtering logic changed
+
+Audit Log filtering in previous versions of Nomad handled `stages` and
+`operations` filters as `OR` filters. If _either_ condition was met, the logs
+would be filtered. As of 1.4.0, `stages` and `operations` are treated as `AND
+filters`. Logs will only be filtered if all filter conditions match.
+
 ## Nomad 1.3.3
 
 Environments that don't support the use of [`uid`][template_uid] and