Enterprise Audit Setup?

Using Graylog 3.0.2. Just got Enterprise for my company and am trying to set up Audit logs, but the instructions here aren’t clear to me. I understand I should edit the server.conf AND log4j2.xml, but I do not see what specifically in the server.conf needs to be edited. auditlog_log4j_enabled, auditlog_log4j_logger_name, auditlog_log4j_marker_name are not fields that exist in server.conf, do I append them?

If you want to have the audit logs just in the database, that is done automatically.

If you want to have a separate file, you would need to adjust the log4j configuration and ADD the fields to the server.conf.

As this is an additional plugin the server.conf does not hold the settings.

I tried that, but graylog failed to start when I added them. Is this the proper way?

# Whether the log4j2 appender is enabled or not
auditlog_log4j_enabled = true

# Log4j2 logger name
auditlog_log4j_logger_name = graylog-auditlog

# Log4j2 marker name
auditlog_log4j_marker_name = AUDIT_LOG

What does your log4j configuration look like?

<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>

        <!-- Simple appender that writes access log to specified file, this was an attempt to turn on internal auditing
        <File name="RestAccessLog" fileName="/var/log/graylog-server/restaccess.log" append="true">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
        </File>
        -->

        <!-- Audit log appender; the AppenderRef in the "graylog-auditlog" logger below refers to this name -->
        <RollingFile name="AUDITLOG" fileName="/var/log/graylog-server/audit.log" filePattern="/var/log/graylog-server/audit-%d{yyyy-MM-dd}.log.gz">
            <PatternLayout>
                <Pattern>%d - %m - %X%n</Pattern>
            </PatternLayout>
            <Policies>
                <TimeBasedTriggeringPolicy />
            </Policies>
        </RollingFile>

        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>

    <Loggers>
        <!-- Graylog Audit Log.  The logger name has to match the "auditlog_log4j_logger_name" setting in the Graylog configuration file -->
        <Logger name="graylog-auditlog" level="info" additivity="false">
            <AppenderRef ref="AUDITLOG"/>
        </Logger>

        <!-- RestAccessLogFilter
        <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
            <AppenderRef ref="RestAccessLog" level="debug"/>
            <AppenderRef ref="STDOUT" level="info"/>
        </Logger>
        -->
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- This emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
        <Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>
Is your graylog-server.log written "normally" with this log4j configuration?

I’m not following. What do you mean by normal?

Do you have a graylog server.log in /var/log/graylog/ that contains log information from your Graylog server?

Yes, the files are all in default locations for Ubuntu.
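A quick way to catch the two failure modes this thread circles around (a log4j2.xml that is not well-formed XML, and a logger name in log4j2.xml that does not match `auditlog_log4j_logger_name` in server.conf) is to check the pair before restarting the server. The script below is an added example and is not part of this thread or of Graylog itself; the three `auditlog_log4j_*` setting names come from the thread, the sample server.conf and log4j2.xml fragments are constructed inline, and the rule that the named logger must exist and that each of its `AppenderRef`s must point at a defined appender is the check the `log4j2.xml` comment above describes.

```python
"""Consistency check between Graylog's server.conf audit settings and log4j2.xml.

Added example, not Graylog's own tooling. It confirms that log4j2.xml is
well-formed XML, that auditlog_log4j_enabled is true, that the logger named by
auditlog_log4j_logger_name exists, and that every AppenderRef under that logger
refers to an appender defined under <Appenders>.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.conf fragment (the three settings from the thread).
SERVER_CONF = """\
# Whether the log4j2 appender is enabled or not
auditlog_log4j_enabled = true
# Log4j2 logger name
auditlog_log4j_logger_name = graylog-auditlog
# Log4j2 marker name
auditlog_log4j_marker_name = AUDIT_LOG
"""

# Constructed minimal log4j2.xml with only the audit appender and logger.
LOG4J2_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <RollingFile name="AUDITLOG" fileName="/var/log/graylog-server/audit.log"
                     filePattern="/var/log/graylog-server/audit-%d{yyyy-MM-dd}.log.gz">
            <PatternLayout><Pattern>%d - %m - %X%n</Pattern></PatternLayout>
            <Policies><TimeBasedTriggeringPolicy /></Policies>
        </RollingFile>
    </Appenders>
    <Loggers>
        <Logger name="graylog-auditlog" level="info" additivity="false">
            <AppenderRef ref="AUDITLOG"/>
        </Logger>
        <Root level="warn"/>
    </Loggers>
</Configuration>
"""


def parse_server_conf(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_audit_config(server_conf_text, log4j2_text):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    settings = parse_server_conf(server_conf_text)

    if settings.get("auditlog_log4j_enabled", "false").lower() != "true":
        problems.append("auditlog_log4j_enabled is not true; no file audit log will be written")

    logger_name = settings.get("auditlog_log4j_logger_name")
    if not logger_name:
        problems.append("auditlog_log4j_logger_name missing from server.conf")
        return problems

    # A missing closing tag (easy to lose when editing by hand) fails here,
    # which is the same condition that stops the server from starting.
    try:
        root = ET.fromstring(log4j2_text.encode("utf-8"))
    except ET.ParseError as exc:
        problems.append(f"log4j2.xml is not well-formed XML: {exc}")
        return problems

    appenders_el = root.find("Appenders")
    appenders = {a.get("name") for a in appenders_el} if appenders_el is not None else set()

    loggers_el = root.find("Loggers")
    logger = None
    if loggers_el is not None:
        for candidate in loggers_el.findall("Logger"):
            if candidate.get("name") == logger_name:
                logger = candidate
                break
    if logger is None:
        problems.append(f'no <Logger name="{logger_name}"> in log4j2.xml')
        return problems

    refs = [r.get("ref") for r in logger.findall("AppenderRef")]
    if not refs:
        problems.append(f"logger {logger_name} has no AppenderRef, so audit events go nowhere")
    for ref in refs:
        if ref not in appenders:
            problems.append(f"logger {logger_name} references undefined appender {ref}")
    return problems


if __name__ == "__main__":
    for line in check_audit_config(SERVER_CONF, LOG4J2_XML) or ["OK: server.conf and log4j2.xml agree"]:
        print(line)
```

Run it against the real files by reading `/etc/graylog/server/server.conf` and `/etc/graylog/server/log4j2.xml` into the two arguments; an empty result means the logger name, appender reference and XML structure line up, which is the minimum the server needs before the audit file will appear.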
