Rest Access Log Active Directory Users Query

I have modified the log4j2.xml file to enable the rest access logging and this is working as expected for local Graylog users. When I try and view the activity of an Active Directory authenticated user I see the UUID of the user in the rest access log. Is there any way to capture the sAMAccountName value for the AD user from the org.graylog2.rest.accesslog logger?

Hello and Welcome

Have a look at the link below to see if this helps you.

If that doesn't help, could you show a screenshot of what you're looking at and maybe the version/type of Graylog you're using?

Hello gsmith, thank you for your post. In answer to your question, I am using Graylog 4.0.6 in a five node cluster.

Everything is working as expected. My issue is that for audit purposes I need an audit log of all user access. All users access Graylog via AD authentication. I need a way to convert the UUIDs of the AD users in the audit log into the AD sAMAccountName or display name properties.

Using the Enterprise version of Graylog is not an option as the price was too high for the 120GB of logs per day that we are currently ingesting.

@simoncox You might need to check this link where you can use another option, i.e., a lookup table which translates the UUID to the user name.

Thanks for your update @makarands. I will look into building a lookup table. Where can I find the UUID for each user? I have checked the Graylog user details page and it does not include the UUID.

Hello,

To sum it up, I enabled Rest Access log from here.

Logging user activity

From the link @makarands posted I realized that the names were no longer visible, so I created pipeline rules to convert the UUID into a USER. Below, using my name.

Created an extractor for the UUID in my Graylog INPUT.

Then I created a rule for each user using a pipeline.

// One rule per user: match the user's UUID in the extracted field and replace it with the username
rule "Graylog Web Access Greg"
when
    has_field("graylog_gui") AND contains(to_string($message.graylog_gui), "5e224e7683d72eff75055199")
then
    set_field("graylog_gui", "greg.smith");
end

We have a couple of users that have access to Graylog. So I had these users log into the WEB UI so I could get the UUID and convert it into the correct user. I would imagine if you had 20+ users this would be a pain, but it can be done. The lookup table that @makarands suggested is definitely a good option, but I haven't tried that yet.

This is my widget from the above configuration.

Hope that helps.

I just want to mention - if you buy Graylog Enterprise you do not need to make all of the above mentioned, as the built-in Audit Logging does all of this plus even more in a nice way.
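The per-user pipeline rule above and the lookup table @makarands suggested both do the same job: map the 24-character user id that appears in the rest access log back to a username. As an added example (not code from the thread or from Graylog itself), the script below shows that mapping done once, table-driven, over constructed rest access log lines. The CSV text is in the key/value shape a Graylog CSV file lookup adapter would consume; the log line format, the second user id and the function names are assumptions, and only the first id (greg.smith's) comes from the thread. Unresolved ids are kept and flagged rather than dropped, so an audit record never silently loses the actor.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed mapping in the shape of a Graylog CSV file lookup table
# (key column "user_id", value column "username"). Only the first id is from
# the thread; the second is a made-up placeholder.
USER_MAP_CSV = """user_id,username
5e224e7683d72eff75055199,greg.smith
000000000000000000000001,jane.doe
"""

# Constructed rest access log lines (assumed layout: timestamp, level, logger,
# client ip, user id, request). Real org.graylog2.rest.accesslog output may differ.
SAMPLE_LOG_LINES = [
    '2021-05-10T09:12:44.123Z INFO [RestAccessLogFilter] 192.0.2.10 '
    '5e224e7683d72eff75055199 "GET /api/system/cluster/node" 200',
    '2021-05-10T09:13:01.456Z INFO [RestAccessLogFilter] 192.0.2.11 '
    '000000000000000000000001 "GET /api/search/universal/relative" 200',
    '2021-05-10T09:14:09.789Z INFO [RestAccessLogFilter] 192.0.2.12 '
    'ffffffffffffffffffffffff "DELETE /api/streams/abc" 403',
]

# Graylog user ids are 24 lowercase hex characters (MongoDB ObjectId style).
OBJECT_ID_RE = re.compile(r"\b[0-9a-f]{24}\b")


def load_user_map(csv_text: str) -> Dict[str, str]:
    """Parse the key/value CSV into a dict of user_id -> username."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["user_id"]: row["username"] for row in reader}


def find_user_id(line: str) -> Optional[str]:
    """Return the first 24-hex user id in a log line, or None if there is none."""
    match = OBJECT_ID_RE.search(line)
    return match.group(0) if match else None


def enrich_line(line: str, user_map: Dict[str, str]) -> dict:
    """Resolve the user id in one line; unknown ids are kept and flagged."""
    user_id = find_user_id(line)
    username = user_map.get(user_id) if user_id else None
    return {
        "user_id": user_id,
        "username": username if username else user_id,  # fall back to raw id
        "resolved": username is not None,
        "line": line,
    }


def enrich_all(lines: List[str], user_map: Dict[str, str]) -> List[dict]:
    """Apply the lookup to every line; the caller can alert on unresolved ones."""
    return [enrich_line(line, user_map) for line in lines]


def unresolved_ids(records: List[dict]) -> List[str]:
    """Ids that need adding to the lookup table (e.g. a newly created AD user)."""
    return [r["user_id"] for r in records if r["user_id"] and not r["resolved"]]


if __name__ == "__main__":
    table = load_user_map(USER_MAP_CSV)
    for rec in enrich_all(SAMPLE_LOG_LINES, table):
        flag = "" if rec["resolved"] else "  <-- not in lookup table"
        print(f'{rec["username"]:<26}{rec["line"]}{flag}')
```

The unresolved list is the operational hook: when a new AD account first appears, its id shows up there, which is the cue to add a row to the lookup table instead of writing another pipeline rule.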


Thanks @gsmith I will build something along the lines of the example you have provided. I will mark this as the solution and close the thread.

I am new to this community. Do I just leave the topic to close automatically?

Yes, after 14 days it will close.
