Audit log: log arbitrary data about request and response bodies

[david-crespo]

Followup to #7339. Related to #8811.

This is an odd one and kind of painful. With #8820, there are all kinds of auditable events like "update firewall rule" Where what you want to know is what change was actually made — just knowing that it was made is almost useless.

By far the simplest way to handle this would be to log the entire request body (at least when it's JSON), so it's worth considering that and only getting elaborate once it's ruled out. The obvious problem there is that requests and response bodies are arbitrarily large, and it would probably be a bad idea to just log them in the database in their entirety, especially before we have #8818 to limit the size of the table. Even then it's still not great because even within the retention window, somebody could spam so many requests that it fills up the database.