Using Graylog 3.0.2. Just got Enterprise for my company and am trying to set up Audit logs, but the instructions here aren’t clear to me. I understand I should edit the server.conf AND log4j2.xml, but I do not see what specifically in the server.conf needs to be edited. auditlog_log4j_enabled, auditlog_log4j_logger_name, auditlog_log4j_marker_name are not fields that exist in server.conf, do I append them?
If you want to have the audit logs just in the database, that is done automatically.
If you want to have a separate file, you would need to adjust the log4j configuration and ADD the fields to the server.conf.
As this is an additional plugin, the server.conf does not hold the settings.
I tried that, but graylog failed to start when I added them. Is this the proper way?
# Whether the log4j2 appender is enabled or not
auditlog_log4j_enabled = true
# Log4j2 logger name
auditlog_log4j_logger_name = graylog-auditlog
# Log4j2 marker name
auditlog_log4j_marker_name = AUDIT_LOG
What does your log4j configuration look like?
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>

        <!-- Simple appender that writes access log to specified file, this was an attempt to turn on internal auditing
        <File name="RestAccessLog" fileName="/var/log/graylog-server/restaccess.log" append="true">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
        </File>
        -->

        <!-- Audit log appender: one file per day, rolled over and gzipped. -->
        <RollingFile name="AUDITLOG" fileName="/var/log/graylog-server/audit.log" filePattern="/var/log/graylog-server/audit-%d{yyyy-MM-dd}.log.gz">
            <PatternLayout>
                <Pattern>%d - %m - %X%n</Pattern>
            </PatternLayout>
            <Policies>
                <TimeBasedTriggeringPolicy />
            </Policies>
        </RollingFile>

        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>
    <Loggers>
        <!-- Graylog Audit Log. The logger name has to match the "auditlog_log4j_logger_name" setting in the Graylog configuration file -->
        <Logger name="graylog-auditlog" level="info" additivity="false">
            <AppenderRef ref="AUDITLOG"/>
        </Logger>

        <!-- RestAccessLogFilter, commented out. An XML comment must not contain a double hyphen;
             the opener of this block previously ended in one, which makes the whole file unparseable
             and Log4j2 falls back to its default configuration.
        <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
            <AppenderRef ref="RestAccessLog" level="debug"/>
            <AppenderRef ref="STDOUT" level="info"/>
        </Logger>
        -->

        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- This emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
        <Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>
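An added consistency check for the two-file setup described in this thread (my own example, not code from the thread or from Graylog): it reads the three audit settings from server.conf, verifies that log4j2.xml has a Logger whose name matches auditlog_log4j_logger_name and whose AppenderRef resolves to a declared appender, and reports a malformed log4j2.xml, which is what a stray double hyphen inside an XML comment produces. The server.conf and log4j2.xml inputs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not the poster's files): the three audit settings for
# server.conf and a minimal log4j2.xml that wires the audit logger to a file.
SERVER_CONF = """\
auditlog_log4j_enabled = true
auditlog_log4j_logger_name = graylog-auditlog
auditlog_log4j_marker_name = AUDIT_LOG
"""
LOG4J2_XML = """\
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
  <Appenders>
    <RollingFile name="AUDITLOG" fileName="/var/log/graylog-server/audit.log" filePattern="/var/log/graylog-server/audit-%d{yyyy-MM-dd}.log.gz">
      <PatternLayout><Pattern>%d - %m - %X%n</Pattern></PatternLayout>
      <Policies><TimeBasedTriggeringPolicy/></Policies>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Logger name="graylog-auditlog" level="info" additivity="false"><AppenderRef ref="AUDITLOG"/></Logger>
  </Loggers>
</Configuration>
"""

def parse_server_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_audit_wiring(server_conf, log4j2_xml):
    """Return a list of problems; an empty list means the two files agree."""
    settings, problems = parse_server_conf(server_conf), []
    if settings.get("auditlog_log4j_enabled", "").lower() != "true":
        problems.append("auditlog_log4j_enabled is not 'true' in server.conf")
    logger_name = settings.get("auditlog_log4j_logger_name", "")
    try:
        root = ET.fromstring(log4j2_xml)
    except ET.ParseError as exc:  # e.g. a stray double hyphen inside an XML comment
        return problems + ["log4j2.xml is not well-formed: %s" % exc]
    appenders = {a.get("name") for a in root.findall("Appenders/*")}
    loggers = {l.get("name"): l for l in root.findall("Loggers/Logger")}
    if logger_name not in loggers:
        return problems + ["no <Logger name=%r> in log4j2.xml" % logger_name]
    for ref in loggers[logger_name].findall("AppenderRef"):
        if ref.get("ref") not in appenders:
            problems.append("AppenderRef %r has no appender" % ref.get("ref"))
    return problems
```

Run it against the real files with `check_audit_wiring(open("/etc/graylog/server/server.conf").read(), open("/etc/graylog/server/log4j2.xml").read())` before restarting the server.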
Is your graylog-server.log written “normal” with this log4j configuration?
I’m not following. What do you mean by normal?
Do you have a Graylog server.log in /var/log/graylog/ that contains log information from your Graylog server?
Yes, the files are all in default locations for Ubuntu.