In my infrastructure, more than 20 users are using Graylog, and all have admin access. Is it possible to track user activity? Is there any location where audit logs are stored?
I want to track activities like:
Who created the dashboard and when.
Who created streams and when.
Who added the extractors and made changes to inputs.
Graylog version - 2.4.6
Elasticsearch version - 5.6
@jan shared another “solution” before.
You can set up logging from the web server, so you can see it in the requests, but it's not a real audit log.
As I saw, you should parse and analyze the web server logs.
This is free, but the enterprise feature is better. You can use it for free under 5GB/day.
With the solution I provided, you have all that you need.
The access log provides the date and the user who did the action.
For example: 2016-06-08 18:21:55,780 DEBUG: org.graylog2.rest.accesslog - 192.168.122.1 admin [-] "POST streams/abcdef" Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 200 -1
This log means user admin created the stream with id abcdef at 2016-06-08 18:21:55.
Don't confuse web server logs and audit logs.
I'm not familiar with Java logging, so I don't know. But I'm sure you can't filter for, e.g., stream create.
As I mentioned, you need to analyze the logs, e.g. with Graylog.
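Parsing the org.graylog2.rest.accesslog lines quoted above into "who did what, when" records, as the replies about parsing and analyzing the web server log suggest; this is an added example, not code from any poster or from Graylog. It assumes the line layout of the sample above, reads POST as "created" the way the reply does, and uses the Graylog 2.x REST paths for streams, dashboards, inputs and extractors; the sample lines after the thread's own are constructed.

```python
import re
from datetime import datetime

# org.graylog2.rest.accesslog line as quoted in the thread (only emitted while that logger is at DEBUG):
# <ts>,<ms> <LEVEL>: org.graylog2.rest.accesslog - <ip> <user> [<session>] "<METHOD> <path>" <agent> <status> <len>
ACCESS_LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+: org\.graylog2\.rest\.accesslog - '
    r'(?P<ip>\S+) (?P<user>\S+) \[(?P<session>[^\]]*)\] "(?P<method>[A-Z]+) (?P<path>[^"]*)" '
    r'(?P<agent>.*) (?P<status>\d{3}) (?P<length>-?\d+)$')

# Assumptions: POST is read as "created", as the thread reads its sample line, and the path
# prefixes are the Graylog 2.x REST resources the question asks about (most specific first).
WRITE_VERBS = {"POST": "created", "PUT": "updated", "DELETE": "deleted"}
RESOURCES = [(re.compile(r"^system/inputs/[^/]+/extractors"), "extractor"),
             (re.compile(r"^system/inputs"), "input"),
             (re.compile(r"^streams"), "stream"),
             (re.compile(r"^dashboards"), "dashboard")]

def parse_line(line):
    """Fields of one access-log line as a dict, or None when the line does not match."""
    m = ACCESS_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec

def audit_events(lines):
    """Who changed what, and when: successful (2xx) write requests to tracked resources."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_VERBS or not 200 <= rec["status"] < 300:
            continue  # unparseable, read-only (GET), or rejected (e.g. 403) request
        for pattern, resource in RESOURCES:
            if pattern.match(rec["path"]):
                events.append({"when": rec["ts"], "who": rec["user"], "ip": rec["ip"],
                               "action": f"{resource} {WRITE_VERBS[rec['method']]}", "path": rec["path"]})
                break
    return events

# Constructed sample: the thread's own line followed by invented ones (users, ids and IPs are made up).
SAMPLE_LINES = [
    '2016-06-08 18:21:55,780 DEBUG: org.graylog2.rest.accesslog - 192.168.122.1 admin [-] "POST streams/abcdef" Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 200 -1',
    '2016-06-08 18:22:10,001 DEBUG: org.graylog2.rest.accesslog - 192.168.122.1 admin [-] "GET streams" curl/7.51.0 200 -1',
    '2016-06-08 18:25:03,412 DEBUG: org.graylog2.rest.accesslog - 192.168.122.7 alice [-] "POST dashboards" Mozilla/5.0 201 -1',
    '2016-06-08 18:30:44,900 DEBUG: org.graylog2.rest.accesslog - 192.168.122.9 bob [-] "POST system/inputs/5f3a/extractors" curl/7.51.0 201 -1',
    '2016-06-08 18:31:00,100 DEBUG: org.graylog2.rest.accesslog - 192.168.122.9 bob [-] "PUT streams/abcdef" curl/7.51.0 403 -1',
]
```

Running `audit_events(SAMPLE_LINES)` keeps three events (admin's stream, alice's dashboard, bob's extractor) and drops the GET and the rejected PUT, which is the filtering a Graylog extractor or pipeline rule would need to reproduce to turn this log into an audit view.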