Using EF Core’s Coolest Feature to Audit in .NET

Why do we need this KeyedScoped? AuditInterceptor is already scoped as it was created inside scoped DbContext. It can just store this list as part of its internal state.

Would love a follow up about what to use to store the audit.

I don't know if it was mentioned in this video, but this won't work with the new ExecuteUpdate method from EF Core, you have to use different kind of interceptor and do quite a bit of expressions manipulation.

It's a good video for starters, but don't forget that proper auditing is often quite complex as each business' requirements are typically different. Using a messaging service to store your audits may be a good route, but the argument shouldn't be to preserve database resources; transactional messaging would require use of the outbox pattern (or similar), which takes up resources as well. Aside from that, an interesting take on a common requirement, and I highly recommend EF developers to learn more about the change tracking APIs.

Great video, would love a separate topic on sanitizing/anonymizing data in EF, that would be sweat! Maybe how to create test data based on production data using EF core, in a safe and compliant way?

This is on point. I have learned something new today. Thanks, Nick

That Database window and Sessions (when you connect to a db) in Rider is amazeballs. From my experience so far, its Intellisense blows SSMS and PGAdmin (for Postgres) out of the water. If they could get multiple result sets showing on the same tab/screen (or get a Dump like LINQPad's), it would be legendary.

I had worked with something like this entirely setup using DB triggers (it was an Oracle DB, and the triggers written in its PL/SQL). For affected tables, on any operation changing a row, a new version of the row would be copied to another table (plus some metadata, timestamp etc).
This creates a timeline of changes for those tables, and you can easily query their state at it was at any point in time (changing table schema becomes a bit tricky though).
I found this ability to look back in time *across multiple tables* extremely useful.

It usually works out to perform better to use Update/Insert Triggers in the database for this sort of tracking when writing your audit to SQL as well. Where it is useful, is when your audit entries are going elsewhere, like log files or a NoSQL database etc. Sending an entirely new transaction to SQL with the same data it already has access to in the trigger is silly.

7:14 Couldn't you inject the interceptor in the DbContext constructor and pass that in the OnConfiguring method? That way you avoid injecting dependencies to the DbContext that it won't actually use

I’ve been waiting for this topic in your channel.

Great video, Nick! Would love to see a follow up to this showing your recommendation on how/where to store the data.

What about history tables, (temporal) whose support was added in Ef6

Temporal tables support is way better than manual things to manage. It's nice that it is also supported in EF Core.

Absolutely helpful!
Many thanks @Nick.

It's okay based on the options and different ways to do things. However, use your database audit and CDC features to keep your application agnostic of data and not compromise the performance with extra db transactions due to manual audits.

I've actually implemented something like this for myself. I even added blockchain hashing so I can always validate the audit trail per tenant basis. But my implementation does not work as interceptor, which is really cool idea. I'll have to try if I can bake my process inside SavingChanges method.

I implemented an interceptor a while back to set some strange db credentials to insert or update certain tables (it was in a PCI environment and even then this was strange and unnecessary). For that to work properly, I had to set and unset them every time EF inserted or updated anything in the database. I had to learn what SavingChanges and SavedChanges did the hard way but once I got it working it worked exceptionally well.

Thanks for breaking down EF Core interceptors for auditing! Curious if you've considered using Kafka instead of SNS/SQS for even more scalable event-driven auditing, especially in high-throughput systems.

Using a compiler feature which I personally say has a library level or source generator use sounds like a workaround hacking. Also how it is used is sooooo much more complicated than should be done for the developer.
EF Core is a bigger package should make it by themselves

Great topic! Thanks.

DB audit is better be done on server side instead of client as data may be changed not only by this particular application

Hello,
I assumed I could find the source code link as you mentioned in the comment, but it’s not there. I also subscribed to your Patreon to access the code, but I couldn't find it there either.

Is there a way to use change tracker to figure out what was changed on each entity? E.g. you change customer name, but keep other properties the same - is there a way to figure that fact out using change tracker? Or can I only see the fact customer was updated and that's that?

It is possible to add a user and do not have an audit record, because the application may fail in/before savedChangesAsync, am I right?

where is the github link you said its free please?

Would love to see your thoughts on capturing audit logs in something that is highly performant and can be reported on well.

I don't get the point for why using Keyedscopedscervice for the audit list, could you please explain it ? :)

Let’s say the application is living on premise without the access to any cloud. What would be the best target (storage) to save audits? Could it be a separate DB just for that?

ExecuteUpdate/ExecuteDelete/raw sql make this approach questionable. You are locking yourself in using only EF DbContext for modifying data. If you really need audit, just do it explicitly.
The better use-case for interceptors is adding hints to queries. For example you can use built-in EF TagWith for something like TagWith("FOR UPDATE") and add the interceptor to handle it. The interceptor can look for "-- FOR UPDATE" comment in the sql and modify the sql accordingly.

Good and simple approach. But there should be some advanced way to handle audit logs in transactions or get DB generated values.

Can these interceptors work per each set? I mean, for what I'm seeing I assume this interceptor will work globally, but I'm wondering if I can configure interceptors to have customized behavior for each set that I have, it maybe just for few that I care to intercept

Is there a better way to do handle it and consume it from the PG level? 😊 because I’m using ExecuteDelete/Update a lot.

I work in healthcare and my organization needs to get a certification for our product. One key aspect is the auditing of read access for some sensible information. Would it be possible to use a different kind of interceptor to do the job?

how would this work with the bulk update? idk but i would imagine that the change tracker doesnt do much when that's executed kind of like executing raw sql. but it would be cool. i need to test that!

24:10 this PK looks more like a Primary Key than a Partition Key, since it's the table's PK

if dbcontext is scoped, wouldn't be enough to make interceptor scoped too and just add field with the list of changes?
Edit: oh, now i see that you registered interceptor with AddInterceptor(new AuditInterceptor...), would it be possible to register it with factory from ID?

this was very interesting

Great video!

Great video. Would like to see a follow up on the error handling tho. I would say if you have audit logging in your APP it is mandatory. What happens if you cannot publish the audit log? Rollback? Retry till success (not a guarante)? Etc

Where would be the right place to save those audits? S3 files?

A Microsoft MVP sponsored by AWS alright. You'd have expected this to go the Azure route otherwise.
Still, nothing wrong with showing a bit of the competition.
As for the dumping ground for this, I guess considering the amount of data to be expected logging this granular you'd likely choose data lake for those logs rather than the RDBMS.
Maybe a data warehouse if you want the queryability. Though if you're using Azure anyway, I think Log Analytics would fit the bill just fine for this sort of logging (though since that's got limited data retention, you'd likely need archiving still).

But should not AuditEntries.Clear() also delete other users Audits stored savestates?

Hi Nick,
You mentioned that I could access the code for this video for free, but I can't seem to find the link.
Is it necessary to be a Patreon member to access the code, or perhaps the link was accidentally omitted from the description?
Thanks for clarifying!

Ok it is sponsored by AWS. But sending a message for every save to the cloud and the receive it and write it back to the DB is not the cheapest solution. Why not simply have a background worker that you trigger and that does the saving in an async way (certainly some audit changes could get lost if this crashes).

no link?

Just use temporal table with author instead. You get all the history / snapshot features for free!

outbox pattern yes?

Began with a simple task and ended up tackling SQS Queues.

And that's it!... X 20.. lol

What IDE do you use?

coolest feature vs 26 minutes long neverending video :)

in our company we use nhibernate, so we are stuck with envers wich is not bad but the docs for it are so old and not updated at all :(

We usually solve this by adding triggers on the DB level. Application shouldn't be aware that there is any auditing going on other than to return audit entries when needed.

Roses are red, violets are blue, C# is easy, you can learn too

Typical .NET!!! Convoluted AF!!!