Audit users activity on graylog


(Tafsir) #1

Hi All

In my infrastructure, more than 20 users using graylog and all having admin access. Is it possible to track users activity. Is there any location where audit logs are stored.

I want to track activities like:

  1. Who created the dashboard and when.
  2. Who created streams and when.
  3. Who added the extractors and did changes in input.

Graylog version - 2.4.6
Elasticsearch version - 5.6

Please help me with this.

Thanks


(Tess) #2

I believe I’ve seen that auditing is an option, but it is a paid-for Enterprise-level feature.

EDIT:
Confirmed… it’s an Enterprise feature.


#3

@jan shared another “solution” before.
You can set logging form the web server, so you can see in the requests, but it’s not a real audit log.
As I saw the web server logs you should phrase and analyze it.

This is free, but the better is the enterprise feature. You can use it for free under 5GB/day.


#4

I think you mean:
http://docs.graylog.org/en/2.4/pages/secure/sec_log_user_activity.html


(Tafsir) #5

Hi, Thanks for your reply @frantz .

No, it will show only logging user activity but will not show users activity. I want to track user activities like:

  1. Who created the dashboard and when.
  2. Who created streams and when.
  3. Who added the extractors and did changes in input.

Is this possible to track without having the Enterprise feature?

Thanks


#6

With the solution I provide you have all what you need.
Access log provide the date and the user who did the action.

For example:
2016-06-08 18:21:55,780 DEBUG: org.graylog2.rest.accesslog - 192.168.122.1 admin [-] "POST streams/abcdef" Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 200 -1
This log means user admin created the stream with id abcdef at 2016-06-08 18:21:55.

HTTP methods:

  • GET = read
  • POST = create
  • PUT = update
  • DELETE = delete

(Tafsir) #7

Where we can find the log @frantz ?

Log Location ?

Also I think this will not show the username. If 20 users having admin access then the logs always return username as admin.


#8

Did you read the doc ?
Because you can choose the filename in the XML.
By default it’s /var/log/graylog/restaccess.log.

It shows the real username, not the role.
If you have 2 users adminA and adminB with both admin rights, you will see adminA and adminB in the log.

Try this solution you’ll see by your own.


(Tafsir) #9

Ok will try and let you know @frantz

Thanks for the reply :slightly_smiling_face:


#10

Exactly, I thought for this.


(Tafsir) #11

Hey @frantz On which server I need to change log4j2.xml file? I mean on web-interface server or master node server or on data node server?

Quick response will be appreciated.

Thanks


(Tess) #12

taco

You could just keep all configuration files consistent. :slight_smile:


(Tafsir) #13

Also @frantz After configuring log4j2.xml on web-interface node I noticed the following changes.

  1. Not showing streams creation msg in the log.
  2. But if I delete the stream it prompt deletion msg. for example:
2018-12-03 02:33:00,826 DEBUG: org.graylog2.rest.accesslog - 192.168.212.209 tafsir [-] "DELETE api/streams/5c05062c0af282750eca0406" Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 204 -1

Also it shows stream ID not name. Please help me to sove this.

My log4j2.xml file configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <!-- Simple appender that writes access log to specified file -->
        <File name="RestAccessLog" fileName="/var/log/graylog-server/server.log" append="true">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
        </File>
    </Appenders>
    <Loggers>
        <!-- RestAccessLogFilter -->
        <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
                <AppenderRef ref="RestAccessLog" level="debug"/>
                <AppenderRef ref="STDOUT" level="info"/>
        </Logger>
    </Loggers>
</Configuration>

@Totally_Not_A_Robot ^^

Thanks


#14

check the api-browser
DELETE is just an HTTP method. You won’t see “CREATE”. You should check after POST events.

As I mentioned before, It’s NOT an audit log. It’s logging the http traffic, where you can find the logs what you need.


(Tafsir) #15

@macko003 Can we customize log4j2.xml on the basis of our requirement?


#16

Don’t confuse web server logs, and audit logs.
I don’t familiar with java logging, so I don’t know. But I’m sure, you can’t filter for eg. stream create.
As I mentioned, you need to analyle the logs eg with graylog.


(Jan Doberstein) #17

basis of our requirement

To be honest - your requirements are fullfilled with the audit plugin in Graylog Enterprise.


(system) closed #18

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.