Where can I set up audit logging in Graylog? What I mean is a log of searches and message contents that a Graylog user makes. To me it seems the Enterprise version audit plugin tracks changes to Graylog, not regular user actions, like searches and viewing actual messages. Can the user actions be recorded with that, or should we switch to “trace” in the subsystem indexer in the logging configuration?
The Audit Log of Graylog Enterprise only records actions which modify the state of Graylog. It doesn’t record every action of every user.
If you want something like that, you’ll probably have to create a plugin for that yourself.
While probably not exactly what you’re looking for, you can also utilize the Graylog access logs for this purpose: http://docs.graylog.org/en/2.2/pages/securing.html#logging-user-activity
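One way to turn those access logs into a per-user record of searches and message views, as an added example that is not from this thread or from Graylog itself. It assumes the REST access log is enabled as the linked page describes, that each line follows the layout noted in the first comment, and that search and message requests use the `search/` and `messages/` path prefixes; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumed layout of one REST access log line (not taken from the thread):
# <date> <time> DEBUG: org.graylog2.rest.accesslog - <ip> <user> [-] "<METHOD> <path>[?query]" <agent> <status> <length>
LINE = re.compile(
    r'^(?P<ts>\S+ \S+) \w+: org\.graylog2\.rest\.accesslog - '
    r'(?P<ip>\S+) (?P<user>\S+) \[-\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"]*)" '
    r'(?P<agent>.*) (?P<status>\d{3}) (?P<length>-?\d+)$'
)

# Assumed REST path prefixes for searches and single-message views.
KINDS = (("search/", "search"), ("messages/", "message_view"))

# Constructed sample lines, not real log data.
SAMPLE = """\
2017-03-01 10:15:02,101 DEBUG: org.graylog2.rest.accesslog - 10.0.0.5 alice [-] "GET search/universal/relative?query=source%3Adb01+AND+password&range=300" Mozilla/5.0 (X11; Linux x86_64) 200 -1
2017-03-01 10:15:09,440 DEBUG: org.graylog2.rest.accesslog - 10.0.0.5 alice [-] "GET streams" Mozilla/5.0 (X11; Linux x86_64) 200 -1
2017-03-01 10:15:20,918 DEBUG: org.graylog2.rest.accesslog - 10.0.0.5 alice [-] "GET messages/graylog_0/constructed-id-0001" Mozilla/5.0 (X11; Linux x86_64) 200 -1
2017-03-01 10:16:30,007 DEBUG: org.graylog2.rest.accesslog - 10.0.0.9 bob [-] "GET search/universal/absolute?query=%2A&from=2017-03-01T00%3A00%3A00.000Z&to=2017-03-01T10%3A00%3A00.000Z" curl/7.50.1 200 -1
"""

def audit_events(lines):
    """Return one record per search or message view, skipping other API calls."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an access log line
        path, _, raw_query = m["target"].partition("?")
        path = path.lstrip("/")
        kind = next((k for prefix, k in KINDS if path.startswith(prefix)), None)
        if kind is None:
            continue  # some other REST call, e.g. listing streams
        # parse_qs URL-decodes the value, so the record holds the query as typed.
        query = parse_qs(raw_query, keep_blank_values=True).get("query", [""])[0]
        events.append({"time": m["ts"], "user": m["user"], "ip": m["ip"],
                       "kind": kind, "path": path, "query": query,
                       "status": int(m["status"])})
    return events

if __name__ == "__main__":
    for e in audit_events(SAMPLE.splitlines()):
        print(e["time"], e["user"], e["ip"], e["kind"], e["status"], e["query"] or e["path"])
```

The access log shows which request a user made, not the messages the search returned, so it answers "who searched for what" rather than "who saw which content".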
Thank you for the reply. It is very helpful.