Revert [v18] Update Audit page to use server side search/pagination

api/client/client.go

@@ -2796,7 +2796,7 @@ func (c *Client) UploadEncryptedRecording(ctx context.Context, sessionID string,
 }
 
 // SearchEvents allows searching for events with a full pagination support.
-func (c *Client) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string, search string) ([]events.AuditEvent, string, error) {
+func (c *Client) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]events.AuditEvent, string, error) {
 	request := &proto.GetEventsRequest{
 		Namespace:  namespace,
 		StartDate:  fromUTC,
@@ -2805,7 +2805,6 @@ func (c *Client) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, nam
 		Limit:      int32(limit),
 		StartKey:   startKey,
 		Order:      proto.Order(order),
-		Search:     search,
 	}
 
 	response, err := c.grpc.GetEvents(ctx, request)

integrations/event-handler/helpers.go

@@ -38,7 +38,7 @@ import (
 type TeleportSearchEventsClient interface {
 	export.Client
 	// SearchEvents searches for events in the audit log and returns them using their protobuf representation.
-	SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string, search string) ([]events.AuditEvent, string, error)
+	SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]events.AuditEvent, string, error)
 	// StreamSessionEvents returns session events stream for a given session ID using their protobuf representation.
 	StreamSessionEvents(ctx context.Context, sessionID string, startIndex int64) (chan events.AuditEvent, chan error)
 	// SearchUnstructuredEvents searches for events in the audit log and returns them using an unstructured representation (structpb.Struct).

integrations/event-handler/legacy_events_watcher_test.go

@@ -59,7 +59,7 @@ func (c *mockTeleportEventWatcher) setSearchEventsError(err error) {
 	c.mockSearchErr = err
 }
 
-func (c *mockTeleportEventWatcher) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string, search string) ([]events.AuditEvent, string, error) {
+func (c *mockTeleportEventWatcher) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]events.AuditEvent, string, error) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
@@ -105,7 +105,7 @@ func (c *mockTeleportEventWatcher) StreamSessionEvents(ctx context.Context, sess
 }
 
 func (c *mockTeleportEventWatcher) SearchUnstructuredEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]*auditlogpb.EventUnstructured, string, error) {
-	events, lastKey, err := c.SearchEvents(ctx, fromUTC, toUTC, namespace, eventTypes, limit, order, startKey, "")
+	events, lastKey, err := c.SearchEvents(ctx, fromUTC, toUTC, namespace, eventTypes, limit, order, startKey)
 	if err != nil {
 		return nil, "", trace.Wrap(err)
 	}

integrations/lib/testing/integration/client.go

@@ -109,7 +109,6 @@ func (api *Client) SearchAccessRequestEvents(ctx context.Context, reqID string)
 		100,
 		types.EventOrderAscending,
 		"",
-		"",
 	)
 	result := make([]*events.AccessRequestCreate, 0, len(auditEvents))
 	for _, event := range auditEvents {

lib/auth/authclient/clt.go

@@ -342,7 +342,7 @@ func (c *Client) StreamSessionEvents(ctx context.Context, sessionID session.ID,
 
 // SearchEvents allows searching for audit events with pagination support.
 func (c *Client) SearchEvents(ctx context.Context, req events.SearchEventsRequest) ([]apievents.AuditEvent, string, error) {
-	events, lastKey, err := c.APIClient.SearchEvents(ctx, req.From, req.To, apidefaults.Namespace, req.EventTypes, req.Limit, req.Order, req.StartKey, req.Search)
+	events, lastKey, err := c.APIClient.SearchEvents(ctx, req.From, req.To, apidefaults.Namespace, req.EventTypes, req.Limit, req.Order, req.StartKey)
 	if err != nil {
 		return nil, "", trace.Wrap(err)
 	}

lib/auth/grpcserver.go

@@ -3929,7 +3929,6 @@ func (g *GRPCServer) GetEvents(ctx context.Context, req *authpb.GetEventsRequest
 		Limit:      int(req.Limit),
 		Order:      types.EventOrder(req.Order),
 		StartKey:   req.StartKey,
-		Search:     req.Search,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/events/api.go

@@ -1188,8 +1188,6 @@ type SearchEventsRequest struct {
 	// If the previous response had LastKey set then this should be
 	// set to its value. Otherwise leave empty.
 	StartKey string
-	// Search is an optional search query to filter events.
-	Search string
 }
 
 type SearchSessionEventsRequest struct {

lib/events/filelog.go

@@ -195,7 +195,7 @@ func (l *FileLog) trimSizeAndMarshal(event apievents.AuditEvent) ([]byte, error)
 // This function may never return more than 1 MiB of event data.
 func (l *FileLog) SearchEvents(ctx context.Context, req SearchEventsRequest) ([]apievents.AuditEvent, string, error) {
 	l.logger.DebugContext(ctx, "SearchEvents", "from", req.From, "to", req.To, "event_type", req.EventTypes, "limit", req.Limit)
-	return l.searchEventsWithFilter(req.From, req.To, req.Limit, req.Order, req.StartKey, searchEventsFilter{eventTypes: req.EventTypes, search: req.Search})
+	return l.searchEventsWithFilter(req.From, req.To, req.Limit, req.Order, req.StartKey, searchEventsFilter{eventTypes: req.EventTypes})
 }
 
 func (l *FileLog) searchEventsWithFilter(fromUTC, toUTC time.Time, limit int, order types.EventOrder, startAfter string, filter searchEventsFilter) ([]apievents.AuditEvent, string, error) {
@@ -373,7 +373,6 @@ func (l *FileLog) GetEventExportChunks(ctx context.Context, req *auditlogpb.GetE
 type searchEventsFilter struct {
 	eventTypes []string
 	condition  utils.FieldsCondition
-	search     string
 }
 
 // Close closes the audit log, which includes closing all file handles and
@@ -579,21 +578,6 @@ func (l *FileLog) findInFile(path string, filter searchEventsFilter) ([]EventFie
 		if filter.condition != nil {
 			accepted = accepted && filter.condition(utils.Fields(ef))
 		}
-		// Check if search filter matches.
-		if accepted && filter.search != "" {
-			eventJSON := strings.ToLower(string(scanner.Bytes()))
-			searchTerms := strings.Fields(strings.ToLower(filter.search))
-
-			matchedAll := true
-			for _, term := range searchTerms {
-				if !strings.Contains(eventJSON, term) {
-					matchedAll = false
-					break
-				}
-			}
-
-			accepted = matchedAll
-		}
 
 		if accepted {
 			retval = append(retval, ef)
@@ -621,11 +605,9 @@ type eventFile struct {
 // byDate implements sort.Interface.
 type byDate []eventFile
 
-func (f byDate) Len() int { return len(f) }
-
+func (f byDate) Len() int           { return len(f) }
 func (f byDate) Less(i, j int) bool { return f[i].ModTime().Before(f[j].ModTime()) }
-
-func (f byDate) Swap(i, j int) { f[i], f[j] = f[j], f[i] }
+func (f byDate) Swap(i, j int)      { f[i], f[j] = f[j], f[i] }
 
 // ByTimeAndIndex sorts events by time extracting timestamp from JSON field
 // and if there are several session events with the same session

lib/web/apiserver.go

@@ -872,16 +872,7 @@ func (h *Handler) bindDefaultEndpoints() {
 	h.GET("/webapi/sites/:site/db/exec/ws", h.WithClusterAuthWebSocket(h.dbConnect))
 
 	// Audit events handlers.
-	// TODO (avatus): delete in v21
-	// Deprecated: Use the v2 endpoint instead.
-	//
-	// clusterSearchEvents handles audit event retrieval for a given site.
-	// This legacy endpoint returns event listings without advanced search capabilities.
-	// Prefer using /v2/webapi/sites/:site/events/search for full query-based filtering.
-	h.GET("/webapi/sites/:site/events/search", h.WithClusterAuth(h.clusterSearchEvents)) // search site events
-	// clusterSearchEventsV2 handles audit event retrieval for a given site with support for
-	// advanced search filters and query parameters.
-	h.GET("/v2/webapi/sites/:site/events/search", h.WithClusterAuth(h.clusterSearchEventsV2))            // search site events
+	h.GET("/webapi/sites/:site/events/search", h.WithClusterAuth(h.clusterSearchEvents))                 // search site events
 	h.GET("/webapi/sites/:site/events/search/sessions", h.WithClusterAuth(h.clusterSearchSessionEvents)) // search site session events
 
 	h.GET("/webapi/sites/:site/ttyplayback/:sid", h.WithClusterAuth(h.ttyPlaybackHandle))
@@ -4417,47 +4408,6 @@ func toFieldsSlice(rawEvents []apievents.AuditEvent) ([]events.EventFields, erro
 	return el, nil
 }
 
-// clusterSearchEventsV2 returns all audit log events matching the provided criteria
-//
-// GET /v2/webapi/sites/:site/events/search
-//
-// Query parameters:
-//
-//	"from"    : date range from, encoded as RFC3339
-//	"to"      : date range to, encoded as RFC3339
-//	"limit"   : optional maximum number of events to return on each fetch
-//	"startKey": resume events search from the last event received,
-//	            empty string means start search from beginning
-//	"include" : optional comma-separated list of event names to return e.g.
-//	            include=session.start,session.end, all are returned if empty
-//	"order":    optional ordering of events. Can be either "asc" or "desc"
-//	            for ascending and descending respectively.
-//	            If no order is provided it defaults to descending.
-//	"search":   optional search term to filter events by (case-insensitive substring match)
-func (h *Handler) clusterSearchEventsV2(w http.ResponseWriter, r *http.Request, p httprouter.Params, sctx *SessionContext, cluster reversetunnelclient.Cluster) (any, error) {
-	values := r.URL.Query()
-
-	var eventTypes []string
-	if include := values.Get("include"); include != "" {
-		eventTypes = strings.Split(include, ",")
-	}
-
-	search := values.Get("search")
-
-	searchEvents := func(clt authclient.ClientI, from, to time.Time, limit int, order types.EventOrder, startKey string) ([]apievents.AuditEvent, string, error) {
-		return clt.SearchEvents(r.Context(), events.SearchEventsRequest{
-			From:       from,
-			To:         to,
-			EventTypes: eventTypes,
-			Limit:      limit,
-			Order:      order,
-			StartKey:   startKey,
-			Search:     search,
-		})
-	}
-	return clusterEventsList(r.Context(), sctx, cluster, r.URL.Query(), searchEvents)
-}
-
 // clusterSearchEvents returns all audit log events matching the provided criteria
 //
 // GET /v1/webapi/sites/:site/events/search
@@ -4616,7 +4566,7 @@ func QueryLimitAsInt32(query url.Values, name string, def int32) (int32, error)
 // queryOrder returns the order parameter with the specified name from the
 // query string or a default if the parameter is not provided.
 func queryOrder(query url.Values, name string, def types.EventOrder) (types.EventOrder, error) {
-	value := strings.ToLower(query.Get(name))
+	value := query.Get(name)
 	switch value {
 	case "desc":
 		return types.EventOrderDescending, nil

web/packages/teleport/src/Audit/Audit.story.tsx

@@ -67,10 +67,9 @@ export const Failed = () => {
 export const AllPossibleEvents = () => (
   <EventList
     events={events}
-    search=""
-    setSearch={() => null}
-    setSort={() => null}
-    sort={{ dir: 'ASC', fieldName: 'created' }}
+    fetchMore={() => null}
+    fetchStatus={''}
+    pageSize={1000}
   />
 );