Hi All
In my infrastructure, more than 20 users using graylog and all having admin access. Is it possible to track users activity. Is there any location where audit logs are stored.
I want to track activities like:
Graylog version - 2.4.6
Elasticsearch version - 5.6
Please help me with this.
Thanks
I believe I’ve seen that auditing is an option, but it is a paid-for Enterprise-level feature.
EDIT:
Confirmed… it’s an Enterprise feature.
@jan shared another “solution” before.
You can set logging form the web server, so you can see in the requests, but it’s not a real audit log.
As I saw the web server logs you should phrase and analyze it.
This is free, but the better is the enterprise feature. You can use it for free under 5GB/day.
Hi, Thanks for your reply @frantz .
No, it will show only logging user activity but will not show users activity. I want to track user activities like:
Is this possible to track without having the Enterprise feature?
Thanks
With the solution I provide you have all what you need.
Access log provide the date and the user who did the action.
For example:
2016-06-08 18:21:55,780 DEBUG: org.graylog2.rest.accesslog - 192.168.122.1 admin [-] "POST streams/abcdef" Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 200 -1
This log means user admin created the stream with id abcdef at 2016-06-08 18:21:55.
HTTP methods:
Where we can find the log @frantz ?
Log Location ?
Also I think this will not show the username. If 20 users having admin access then the logs always return username as admin.
Did you read the doc ?
Because you can choose the filename in the XML.
By default it’s /var/log/graylog/restaccess.log.
It shows the real username, not the role.
If you have 2 users adminA and adminB with both admin rights, you will see adminA and adminB in the log.
Try this solution you’ll see by your own.
Exactly, I thought for this.
Hey @frantz On which server I need to change log4j2.xml file? I mean on web-interface server or master node server or on data node server?
Quick response will be appreciated.
Thanks
You could just keep all configuration files consistent. 
Also @frantz After configuring log4j2.xml on web-interface node I noticed the following changes.
2018-12-03 02:33:00,826 DEBUG: org.graylog2.rest.accesslog - 192.168.212.209 tafsir [-] "DELETE api/streams/5c05062c0af282750eca0406" Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 204 -1
Also it shows stream ID not name. Please help me to sove this.
My log4j2.xml file configuration is:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
<Appenders>
<!-- Simple appender that writes access log to specified file -->
<File name="RestAccessLog" fileName="/var/log/graylog-server/server.log" append="true">
<PatternLayout pattern="%d %-5p: %c - %m%n"/>
</File>
</Appenders>
<Loggers>
<!-- RestAccessLogFilter -->
<Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
<AppenderRef ref="RestAccessLog" level="debug"/>
<AppenderRef ref="STDOUT" level="info"/>
</Logger>
</Loggers>
</Configuration>
Thanks
check the api-browser
DELETE is just an HTTP method. You won’t see “CREATE”. You should check after POST events.
As I mentioned before, It’s NOT an audit log. It’s logging the http traffic, where you can find the logs what you need.
Don’t confuse web server logs, and audit logs.
I don’t familiar with java logging, so I don’t know. But I’m sure, you can’t filter for eg. stream create.
As I mentioned, you need to analyle the logs eg with graylog.
basis of our requirement
To be honest - your requirements are fullfilled with the audit plugin in Graylog Enterprise.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.