Hi,
I have Graylog 3.3.11 Enterprise running and have been trying to set up the Log4j 2 audit log that comes with Graylog Enterprise. I have followed the steps laid out here: Setup — Graylog 3.3.8 documentation
I added the lines to the server.conf file and the appropriate lines to log4j2.xml, but the web console states: “No appender configuration available. Please ensure graylog-auditlog is correctly configured in the Log4j configuration file.”
Any help would be appreciated. Thanks.
Status
Enabled
Message signing status
Disabled
Log4j logger name
graylog-auditlog
Log4j marker name
AUDIT_LOG
Log4j appender configuration
No appender configuration available. Please ensure graylog-auditlog
is correctly configured in the Log4j configuration file.
log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Log4j 2 configuration for graylog-server, extended with a dedicated file
  appender and logger for the Graylog Enterprise audit log.
-->
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
  <Appenders>
    <!-- Main server log: rolls when the file reaches 50MB into numbered gzip archives. -->
    <RollingFile name="rolling-file"
                 fileName="/var/log/graylog-server/server.log"
                 filePattern="/var/log/graylog-server/server.log.%i.gz">
      <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="50MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10" fileIndex="min"/>
    </RollingFile>

    <!--
      Audit log appender (Graylog Enterprise). The yyyy-MM-dd date in filePattern
      together with TimeBasedTriggeringPolicy rotates the file once per day.
      No rollover strategy or delete action is declared for this appender, so
      nothing in this file removes old audit archives; retention presumably has
      to be handled outside Log4j (confirm against your retention policy).
      NOTE(review): this file is the audit trail. Keep it readable and writable
      only by the account running graylog-server and by administrators, and
      consider forwarding a copy off the host so it survives tampering on this box.
    -->
    <RollingFile name="AUDITLOG"
                 fileName="/var/log/graylog-server/audit.log"
                 filePattern="/var/log/graylog-server/audit-%d{yyyy-MM-dd}.log.gz">
      <!--
        Layout: timestamp, message, then the full thread context map (%X with no key).
        NOTE(review): confirm the context map never carries secrets or tokens.
        NOTE(review): %m is written unencoded. If an audit message can contain
        user-supplied text with line breaks, one event may show up as several
        lines. Log4j 2 provides %enc{%m}{CRLF} for this; verify that the Log4j
        version shipped with this Graylog release supports it before changing.
      -->
      <PatternLayout>
        <Pattern>%d - %m - %X%n</Pattern>
      </PatternLayout>
      <Policies>
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>

    <!-- Graylog's in-memory appender; it makes internal log messages available via REST calls. Please do not disable. -->
    <Memory name="graylog-internal-logs" bufferSize="500"/>
  </Appenders>

  <Loggers>
    <!-- Application loggers -->
    <Logger name="org.graylog2" level="info"/>
    <Logger name="com.github.joschi.jadconfig" level="warn"/>
    <!-- ActiveDirectory binds emit a harmless warning every time; there is no workaround, so only errors are kept. -->
    <Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
    <!-- Suppress the DEBUG message about Lucene Expressions not being found. -->
    <Logger name="org.elasticsearch.script" level="warn"/>
    <!-- Version check messages are switched off. -->
    <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
    <!-- Quieten the natty parser. -->
    <Logger name="com.joestelmach.natty.Parser" level="warn"/>
    <!-- Quieten Kafka log chatter. -->
    <Logger name="kafka.log.Log" level="warn"/>
    <Logger name="kafka.log.OffsetIndex" level="warn"/>
    <!-- Quieten session validation messages. -->
    <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>

    <!--
      Graylog audit log logger. The name has to match the
      "auditlog_log4j_logger_name" setting in the Graylog configuration file.
      additivity="false" stops audit events from also reaching the Root
      appenders, so they are written only to AUDITLOG and stay out of
      server.log and out of the in-memory buffer that is served over REST.
      NOTE(review): if the web console still reports that no appender
      configuration is available, check that the running server actually loads
      this file (the path given by the log4j.configurationFile system property,
      if one is set) and that it was restarted after the edit. This is a
      possible cause only; it is not confirmed here.
    -->
    <Logger name="graylog-auditlog" level="info" additivity="false">
      <AppenderRef ref="AUDITLOG"/>
    </Logger>

    <!-- Everything else: warnings and above go to server.log and the in-memory buffer. -->
    <Root level="warn">
      <AppenderRef ref="rolling-file"/>
      <AppenderRef ref="graylog-internal-logs"/>
    </Root>
  </Loggers>
</Configuration>
server.conf lines
# AuditLog Log4j2 Configurations for Graylog Enterprise
#
# These three settings switch on the Log4j 2 audit log output and name the
# logger and marker it uses. The matching <Logger> and its appender must be
# defined in the log4j2.xml that the server loads.
# NOTE(review): the web console status shown with this configuration reports
# message signing as Disabled. Without signing, the integrity of the audit file
# rests on file permissions and off-host copies; consult the Graylog audit log
# documentation for the signing option if tamper evidence is required.
#
# auditlog_log4j_enabled
# The log4j2 audit log appender is disabled by default and can be enabled by setting this option to true.
# The default value for this is false.
auditlog_log4j_enabled = true
# auditlog_log4j_logger_name
# This configures the log4j2 logger name of the audit log.
# It has to be identical to the name attribute of the audit <Logger> in log4j2.xml
# (graylog-auditlog in the configuration shown with this file).
# The default value for this is gl-org.graylog.plugins.auditlog.
auditlog_log4j_logger_name = graylog-auditlog
# auditlog_log4j_marker_name
# This configures the log4j2 marker name for the audit log.
# The default value for this is AUDIT_LOG.
auditlog_log4j_marker_name = AUDIT_LOG