We are using Graylog 5.2.3. I want to view the successful and unsuccessful logins of the users logging into the Web GUI interface. Normally I can only see the unsuccessful logins in “/var/log/graylog-server/server.log” (I was viewing this manually with vim on Linux). When I did some more research, I created an “Internal Logs” input and I was able to view the failed logs because of the Web GUI. But my main need is how can I view the successful logs?
NOTE: this is provided as is and is not necessarily “supported”, meaning it works today but may not work in the future. The Audit Log feature in Graylog is a licensed feature and is meant to be used to solve this problem.
With that said:
I took a quick look and it seems it's possible to have some log entries created if you enable the logger for org.graylog.security.authservice.
It's enabled using Graylog’s API via a curl (or wget) command:
curl -I -X PUT https://user:passwords@graylogserver/api/system/loggers/org.graylog.security.authservice/level/DEBUG \
-H 'X-Requested-By: graylog-api-user'
Output in log looks something like:
DEBUG [MongoDBAuthServiceBackend] Trying to load user <username> from database
DEBUG [MongoDBAuthServiceBackend] Successfully validated password for user <username>
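Added example (not part of the original posts and not Graylog's own code): a small parser that pulls successful web logins out of the two DEBUG messages quoted above. The timestamp prefix, the usernames in the sample and the function name `parse_auth_events` are assumptions; a lookup with no matching success line is reported only as unconfirmed, since the page does not show what a failed login looks like.

```python
import re
from collections import Counter

# Constructed sample lines. The two DEBUG messages are the ones quoted above;
# the timestamp prefix and the usernames are assumptions for illustration.
SAMPLE_LOG = """\
2024-01-15T09:00:01.120Z DEBUG [MongoDBAuthServiceBackend] Trying to load user <alice> from database
2024-01-15T09:00:01.245Z DEBUG [MongoDBAuthServiceBackend] Successfully validated password for user <alice>
2024-01-15T09:02:10.003Z DEBUG [MongoDBAuthServiceBackend] Trying to load user <bob> from database
2024-01-15T09:03:30.500Z INFO  [SomeOtherComponent] unrelated line
2024-01-15T09:05:42.900Z DEBUG [MongoDBAuthServiceBackend] Trying to load user alice from database
2024-01-15T09:05:43.010Z DEBUG [MongoDBAuthServiceBackend] Successfully validated password for user alice
"""

# Optional leading timestamp, then the backend tag and one of the two messages.
# The username is accepted with or without surrounding angle brackets.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?DEBUG\s+\[MongoDBAuthServiceBackend\]\s+"
    r"(?:(?P<lookup>Trying to load user)"
    r"|(?P<ok>Successfully validated password for user))"
    r"\s+<?(?P<user>[^\s<>]+)>?"
)


def parse_auth_events(text):
    """Return (successes, unconfirmed).

    successes   -- list of (timestamp or None, username), in log order
    unconfirmed -- {username: count} of lookups never followed by a success line
    """
    successes = []
    pending = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of the two auth-service messages
        user = m.group("user")
        if m.group("lookup"):
            pending[user] += 1
        else:
            successes.append((m.group("ts"), user))
            if pending[user] > 0:
                pending[user] -= 1  # this lookup ended in a valid password
    unconfirmed = {u: n for u, n in pending.items() if n > 0}
    return successes, unconfirmed


if __name__ == "__main__":
    print(parse_auth_events(SAMPLE_LOG))
```
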