Audit logging restaccess.log not created

Hi there,

As per the post "Rest access log reformatting", I am trying to achieve a similar outcome, although the restaccess.log is not being created under the directory /var/log/graylog/server.

namei -l /var/log/graylog/server/

dr-xr-xr-x root    root    /
drwxr-xr-x root    root    var
drwxr-xr-x root    root    log
drwxr-xrw- graylog graylog graylog
drwxr-xrw- graylog graylog server

Below is the contents of the log4j2.xml file.
This is the default contents of the file with the addition of the code under http://docs.graylog.org/en/2.4/pages/secure/sec_log_user_activity.html.

I understand, as noted in the linked post, that this is not a completed file, although I will modify this further once the output is written to the restaccess.log.

Graylog version 2.4.6

<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>
        <!-- Simple appender that writes access log to specified file -->
        <File name="RestAccessLog" fileName="/var/log/graylog/server/restaccess.log" append="true">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
        </File>
        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>
    <Loggers>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- This emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
        <Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Suppress crazy byte array dump of Drools -->
        <Logger name="org.drools.compiler.kie.builder.impl.KieRepositoryImpl" level="warn"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <!-- RestAccessLogFilter -->
        <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
             <AppenderRef ref="RestAccessLog" level="debug"/>
             <AppenderRef ref="STDOUT" level="info"/>
        </Logger>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>

Any help would be appreciated.

Thank you

This may answer my question.

Do you need the enterprise license (free or paid) in order to install and access the org.graylog2.rest.accesslog REST API?

Your goal is possible with just a slight modification of your log configuration.

I guess you have already checked the forum search to see if that can help you?

Hi Jan,

I was missing the plugin.

Everything works as intended.

Thank you
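
An added example, not part of the original thread and not Graylog's own code: a small Python lint for a log4j2.xml shaped like the one posted above. It checks that the file is well-formed, that every AppenderRef names a defined appender, and that each fileName directory is writable. The function name lint_log4j2 and the sample configuration are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the shape of the configuration posted above.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
  <Appenders>
    <File name="RestAccessLog" fileName="/var/log/graylog/server/restaccess.log" append="true"/>
    <Memory name="graylog-internal-logs" bufferSize="500"/>
  </Appenders>
  <Loggers>
    <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
      <AppenderRef ref="RestAccessLog" level="debug"/>
      <AppenderRef ref="STDOUT" level="info"/>
    </Logger>
    <Root level="warn"><AppenderRef ref="graylog-internal-logs"/></Root>
  </Loggers>
</Configuration>
"""

def lint_log4j2(xml_text, dir_writable=lambda d: os.access(d, os.W_OK | os.X_OK)):
    """Return findings for a log4j2 XML config (hypothetical helper, not part of Graylog)."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # e.g. an unclosed <Logger> element: log4j2 cannot parse such a file
        return [f"not well-formed: {exc}"]
    findings = []
    appenders = {}
    for app in root.findall("./Appenders/*"):
        appenders[app.get("name")] = app
        path = app.get("fileName")
        # The default check runs as the current user; run it as the service account.
        if path and not dir_writable(os.path.dirname(path)):
            findings.append(f"appender {app.get('name')}: directory "
                            f"{os.path.dirname(path)} is missing or not writable")
    for logger in root.findall("./Loggers/*"):
        name = logger.get("name", "Root")
        for ref in logger.findall("AppenderRef"):
            if ref.get("ref") not in appenders:
                findings.append(f"logger {name}: AppenderRef '{ref.get('ref')}' "
                                "has no matching appender")
    return findings

if __name__ == "__main__":
    for finding in lint_log4j2(SAMPLE):
        print(finding)
```
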
