Maybe I can help answer your question.
For tracking users activities, The Enterprise version might be able to handle this.Unfortunately, I do not use Enterprise version so I’m not completely sure.
In my environment I had to do a work around for user activities as follow.
I’m using Graylog 4.0.6 with NXlog shipper.
I had to configure NXLog to read restaccess.log file.
Once that was done, I create an extractor Graylog Input called “graylog_gui” and then created a widget from that field.
Graylog Version 3.3.x displays the full name of the users, Example I’ll use my name as shown in bold print.
2021-04-09 22:23:44,520 DEBUG: org.graylog2.rest.accesslog – 10.10.10.10 greg.smith [-] “GET api/system/cluster/nodes” Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 200 -1
As of Graylog version 4.0.6 users are displayed as a GUID as shown in bold print.
2021-04-09 22:23:44,520 DEBUG: org.graylog2.rest.accesslog – 10.10.10.10 5e224e7683d72eff75055199 [-] “GET api/system/cluster/nodes” Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 200 -1
I had to create a pipeline to turn the sting 5e224e7683d72eff75055199 → greg.smith as shown below.
rule "Graylog Web Access Greg"
has_field("graylog_gui") AND contains(to_string($message.graylog_gui), "5e224e7683d72eff75055199")
I havent doent that before, maybe someone else has.
Hope this helps