AuditEvent in REST api

I create a web plugin with REST api.
Everything work fine, but when I start graylog I get a warning.
"WARN [AuditEventModelProcessor] REST endpoint not included in audit trail: POST "
It’s look like I have to add the tag @AuditEvent, and create a AuditEventType.

How is the best way to do this?
Wat is the purpose of Audit Event?

Thank you

Hey @toma,

I cannot help you with your question, since I did not make a REST-API-Plugin myself yet, but I can explain this:

Graylog Enterprise includes a fully fledged Audit functionality for itself. So a system admin is able to see what changes were made to Graylog and from whom. And the warning you got simply states that Gralog noticed a API-endpoint that is not monitored by the audit system. It is a warning, since this is not a critical issue but it should be resolved since your plugin might change some config that is relevant for proper auditing :slight_smile:


Hey toma,

sorry for the inconvenience, we are lacking a bit of documentation there and will update it accordingly.

Philipp already explained perfectly well what the audit system is. To get rid of the warning, you need to use one of two annotations for every method you are exposing as REST method. These are:

  • @NoAuditEvent - If this method is not triggering any actions which should be contained in the audit trail
  • @AuditEvent - If this action should be contained in the audit trail. It requires the type parameter which expects a string of the format: <namespace>:<entity>:<action>. So, if you are e.g. developing a plugin for single sign-on, a possible type could be sso:session:create.

If you are introducing custom types, you need to define them in a subclass of PluginAuditEventTypes (see AuditEventTypes as an example) which needs to be registered with the binder by using addAuditEventTypes() in your plugin’s module.

I hope this helps, if you have any further questions or get stuck, feel free to ask.

Kind regards,

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.