Question on Rest.Accesslog

Using Graylog 3.3, I configured the log4j2.xml file to log user activity.
Using this:

The output looked like this

2020-12-01 23:10:15,169 DEBUG: org.graylog2.rest.accesslog - 11.111.1.11 SOME_USER [-] "GET api/views/fields" Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 200 -1

From that I was able to make a widget and configure an extractor to get the user name from the message. Now I don't get a user name; I get a string of numbers. Is this correct, or could I have done something wrong when upgrading to v4.0?

Now I get this:

2020-12-01 23:10:15,169 DEBUG: org.graylog2.rest.accesslog - 11.111.1.11 **5e224e7683d72eff75055199**  [-] "GET api/views/fields" Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 200 -1

My Graylog Environment

Graylog 4.0.0+9376305 on graylog.enseva-labs.net 1 (Red Hat, Inc. 1.8.0_272 on Linux 3.10.0-1160.6.1.el7.x86_64)
MongoDB "version": "4.4.1"
Elasticsearch "7.10"
CentOS Linux release 7.8.2003 (Core), 8 CPUs, 8 GB memory, 1TB HDD (Virtual Machine).

Any suggestion or advice would be appreciated, thanks in advance.

hey @gsmith

Usernames were not unique in Graylog; that is the reason that internal communication has changed to use the UUID of the user.

As this is used for authentication in the connection to Graylog itself, the logging does not know the username anymore and has only the UUID available to write into a log.

The only option would be to use the audit log that is available as part of Graylog Enterprise. The other option is that you build a lookup table that translates the UUID to a username and use that for enrichment.

2 Likes
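
The lookup-table enrichment suggested in the reply above, sketched as an added example (not code from the thread or from Graylog): it parses the access log lines quoted in the question and resolves the 24-character ID to a username, flagging IDs that have no entry. The lookup contents, the ID-to-name pairing and the function names are assumptions made for illustration.

```python
import csv
import io
import re

# Layout of org.graylog2.rest.accesslog lines as shown in the two samples above.
ACCESSLOG = re.compile(
    r'^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+: '
    r'org\.graylog2\.rest\.accesslog - (?P<client_ip>\S+)\s+(?P<user>\S+)\s+'
    r'\[[^\]]*\] "(?P<method>\S+) (?P<path>[^"]*)" '
    r'(?P<user_agent>.*) (?P<status>\d{3}) (?P<size>-?\d+)$'
)
USER_ID = re.compile(r'^[0-9a-f]{24}$')  # shape of the ID in the 4.0 sample line

# Constructed lookup data (ID -> username); the pairing is hypothetical.
LOOKUP_CSV = '"user_id","username"\n"5e224e7683d72eff75055199","SOME_USER"\n'

# Sample lines rebuilt from the 3.3 and 4.0 output quoted in the question.
HEAD = '2020-12-01 23:10:15,169 DEBUG: org.graylog2.rest.accesslog - 11.111.1.11 '
TAIL = (' [-] "GET api/views/fields" Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
        'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 200 -1')
SAMPLE_33 = HEAD + 'SOME_USER' + TAIL
SAMPLE_40 = HEAD + '5e224e7683d72eff75055199' + TAIL

def load_lookup(text):
    """Read a two-column CSV (user_id, username) into a dict keyed by ID."""
    return {row["user_id"]: row["username"] for row in csv.DictReader(io.StringIO(text))}

def enrich(line, lookup):
    """Parse one access log line and add user_id/username/resolved fields.

    Returns None for lines that are not access log entries."""
    match = ACCESSLOG.match(line.strip())
    if match is None:
        return None
    event = match.groupdict()
    user = event["user"]
    if USER_ID.match(user):
        # 4.0-style line: resolve the ID; an unknown ID stays visible and unresolved.
        event.update(user_id=user, username=lookup.get(user), resolved=user in lookup)
    else:
        # 3.3-style line: the field already holds the username.
        event.update(user_id=None, username=user, resolved=True)
    return event

if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for sample in (SAMPLE_33, SAMPLE_40):
        print(enrich(sample, table))
```

Events with `resolved` set to false are worth reviewing on their own, since they point to IDs missing from the table.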

@jan
Thank you for the reply,
This makes sense now, I thought I messed something up.

1 Like
