4.3.x and Setting the Default Session Timeout

After doing a good bit of searching, have yet to find anything that infers the ability to change the default session timeout (including for the admin account). Anyone happen to know where/how to change the default session timeout? The references in the documentation suggest it's a “per user”, however there’s nothing that speaks to adjusting the default value.

Thanks!

Hello @loggingone

It's located in the user settings.
Click the Edit button and you’ll see it on the left side.

Right, except it only ‘shows’ the value (read-only). It cannot be modified in the user profile. Where/how can you change the value, including for the ‘admin’ user? (eg: how do you make it “4 hours” as an example? or 24 hours?)

Hello,

Click on the user/s you want to modify, then click on Edit User.

Which will open it up, as shown below.

How does one modify the admin account? (“Edit User” doesn’t appear to be possible for the admin account) How does one set/change the default?

Thanks!

Two ways this can be done.
1. Reset the Admin user password and log in to the Web UI to modify settings. As shown here
2. A user has to have the admin role to modify the admin account

Whether attempting to modify the admin account (via the admin account) or via another account with admin permissions - the GUI does not offer the ability to change the “Sessions Timeout” value for the “admin” account. Suspect that this is either a bug or can only be changed via the addition of some parameter to the graylog.conf file (which does not appear to be documented).

Hello

Judging from your picture, you may have forgotten to click on the “Edit User” button.

After clicking on that button it should look like this.

I showed this before

Chances are that this is a configuration or permission issue.

That should help

Based on the below - doesn’t appear that this account (the system “admin” account) can be edited via the GUI. (Which is the account where the session timeout needs to be adjusted. Would also like to adjust the default session timeout for any/all new accounts). Accounts under “Users” can be modified in the way to which you refer. However the “System Administrator” account, evidently cannot be modified in that fashion.

Ohh… I see now, thanks for the better screenshot.

Correct…

My apologies, we don’t use the default Administrator account since we enabled AD DC. For security reasons we created a new user with an admin role.

Depending on how the new user is created, let’s say I created a user profile and I have the admin role.
You can set the session timeout from the beginning.

Next scenario

Let's say I have a user created already and I want to adjust the session time. Using my user with the admin role I can edit the user's session timeout.

EDIT: if this is something you want, try posting here for a feature request.

The other option would be to make a MongoDB query to set the session timeout for all existing users at once.

Ok @loggingone so your post made me curious about session timeouts and default settings for users created. I noticed that a user's session timeout default is an hour when that user is created. Only thing so far that I could find was in MongoDB.

Log into the Mongo shell:

> use graylog
switched to db graylog
> show collections;
// This shows all tables/collections for Graylog
// Example: this shows all users' settings.
> db.users.find().pretty();

Result

{
        "auth_service_uid" : null,
        "last_name" : "user",
        "account_status" : "enabled",
        "password" : "{bcrypt}$2a$10$./tbUmPMx3ZINNc3Wdo29uckV1fBiwcvT7MAPXiOc.lymohry5fN6{salt}$2a$10$./tbUmPMx3ZINNc3Wdo29u",
        "full_name" : "some user",
        "session_timeout_ms" : NumberLong(3600000),
        "permissions" : [ ],
        "external_user" : false,
        "first_name" : "some",
        "email" : "test_user@localhost.local",
        "username" : "some.user"
}

Or get one user and all the information as shown below.

> db.users.find({"username": "some.user"}).pretty();

Result:

{
        "_id" : ObjectId("62c78c77777f8d5ed96057f6"),
        "service_account" : false,
        "timezone" : null,
        "auth_service_id" : null,
        "roles" : [
                ObjectId("5a501e15ffe8b12d4302e5d2"),
                ObjectId("5fb32bab77924e5154c87736"),
                ObjectId("6193041d2bcd248ac7945273")
        ],
        "auth_service_uid" : null,
        "last_name" : "user",
        "account_status" : "enabled",
        "password" : "{bcrypt}$2a$10$./tbUmPMx3ZINNc3Wdo29uckV1fBiwcvT7MAPXiOc.lymohry5fN6{salt}$2a$10$./tbUmPMx3ZINNc3Wdo29u",
        "full_name" : "some user",
        "session_timeout_ms" : NumberLong(3600000),
        "permissions" : [ ],
        "external_user" : false,
        "first_name" : "some",
        "email" : "test_user@localhost.local",
        "username" : "some.user"
}
>

From there, if you know how to use MongoDB to modify a collection/table that would be your best bet.
I personally have not done it yet but I was curious where to find the users' info. Still haven’t found where these default settings exist.
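The bulk update discussed above, as an added example that is not part of the original posts and is not Graylog's own code. The `users` collection and `session_timeout_ms` field come from the output shown in the thread; the helper names, the one-minute floor and the 24-hour policy ceiling are assumptions.

```javascript
// Added example: helper names and policy limits below are assumptions.
const HOUR_MS = 60 * 60 * 1000;
const POLICY_MIN_MS = 60 * 1000;    // assumed floor: one minute
const POLICY_MAX_MS = 24 * HOUR_MS; // assumed ceiling: set to your own policy

// Keep the stored type a 64-bit integer like the existing NumberLong values.
// NumberLong exists in the mongo shell; elsewhere the plain number is used.
const toLong = (n) => (typeof NumberLong === "function" ? NumberLong(n) : n);

// Reject values that are not whole milliseconds or fall outside policy.
function validateTimeout(ms) {
  if (!Number.isInteger(ms) || ms < POLICY_MIN_MS) {
    throw new RangeError("timeout must be a whole number of ms, >= 1 minute");
  }
  if (ms > POLICY_MAX_MS) {
    throw new RangeError("timeout exceeds policy ceiling of " + POLICY_MAX_MS);
  }
  return ms;
}

// Match only users whose value differs, optionally limited to some usernames.
function buildUpdate(ms, usernames) {
  const filter = { session_timeout_ms: { $ne: toLong(ms) } };
  if (usernames && usernames.length) filter.username = { $in: usernames };
  return { filter, update: { $set: { session_timeout_ms: toLong(ms) } } };
}

// Dry run by default: report how many documents would change, write nothing.
function setSessionTimeout(users, ms, { usernames = [], dryRun = true } = {}) {
  const { filter, update } = buildUpdate(validateTimeout(ms), usernames);
  const wouldChange = users.countDocuments(filter);
  if (dryRun) return { dryRun: true, wouldChange, modified: 0 };
  const res = users.updateMany(filter, update);
  return { dryRun: false, wouldChange, modified: res.modifiedCount };
}

// In the mongo shell, after `use graylog`:
//   setSessionTimeout(db.users, 4 * HOUR_MS)                    // report only
//   setSessionTimeout(db.users, 4 * HOUR_MS, { dryRun: false }) // apply
```

Back up the `graylog` database before applying the change; this only touches documents in `users`, so accounts that are not stored there are unaffected.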

Interesting points.

From your data on MongoDB - looks like a simple update could change the value for any/all users. Not sure that it's “worthy” of a feature request - at least in this scenario. However, would think that folks may have already run into the common InfoSec policy(s) for session timeouts, idle timeouts, et al. Thus, would imagine that someone has already made the request to address their requirements in the context of users at scale.

Should one infer that the default “admin” account (the “system” account) cannot be changed in terms of the session timeout? (As there’s usually a local full admin account as a ‘fail safe’, whether the name is changed or not, is arguably immaterial - there would still need to be the ability to change the session timeout, no?)

Hello,

It depends on what you want to do. I personally do not use the default admin account. When users log on using Active Directory the session timeout is 8 hours by default; when creating a new user manually the default is 1 hour.

Our AD DC is set up for specific users who are able to log on to Graylog, so about 10 users max. Since there are not a lot of users I don’t have a problem with adjusting users' session timeouts manually. When I create a new user without AD DC I will adjust that session time during the configuration process if need be.

I don’t know how your environment is set up nor how many users you have but I guess if there are 100+ users this would be a pain. Having the option or the ability to adjust the default session timeout for any new users logging in would probably be a good idea and again this would depend on the environment.
