
Feature Request: audit log for activity in Graylog2

Open dmelamedcl opened this issue 11 years ago • 6 comments

In order to use Graylog in enterprise with Graylog storing sensitive log messages, one of the things I am missing is the ability to get an audit log for activities inside Graylog (i.e. who saw log messages and which ones).

dmelamedcl avatar May 02 '14 05:05 dmelamedcl

+1

henrikjohansen avatar May 02 '14 20:05 henrikjohansen

Can you give a bit more information about where the audit logs should be stored? Is writing that to a local file (like an access log) enough? Is writing it to Graylog2 fine, too? Does it have to be stored in some secure place?

I could need some advice on how people are using this in practice. :) Thanks!

lennartkoopmann avatar May 05 '14 01:05 lennartkoopmann

Wasn't @kroepke playing with something for the API logs a while back, directly feeding them into graylog2?

I would prefer to have the audit log searchable from within graylog2 - once message signing is implemented it should provide enough confidence against possible manipulation.

henrikjohansen avatar May 05 '14 13:05 henrikjohansen

The web interface can send its access log to graylog2, yes. I would need to review which fields are already exposed, not sure the user is in there yet. If so, then we would have most of what is necessary already, yes.


kroepke avatar May 23 '14 12:05 kroepke

Greetings, is this issue still active? We would like to log when an admin permits a user to access a stream and when a user accesses a stream. Is this audited in some logfile? R/Daniel

tubesenf avatar Apr 28 '15 14:04 tubesenf

Couple notes:

  • RestAccessLogFilter already implements audit logging for REST API
  • RestAccessLogFilter is typically called by web interface, not the user. Logged IP is that of the web interface.
  • RestAccessLogFilter is not able to handle X-Forwarded-For semantics at this moment.
  • The semantics of the web interface and the REST API are not guaranteed to map 1:1 to each other. For example, it is possible to show logs to the user in the web interface without causing a call to the REST API.

Also, this might interest someone: https://github.com/mikkolehtisalo/mod_gllog

mikkolehtisalo avatar Jan 17 '16 18:01 mikkolehtisalo
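
The X-Forwarded-For point in the comment above, as an added example that is not part of the thread and is not Graylog code: an audit record should take the client address from the header only when the direct peer is a known proxy such as the web interface, and should read the header right to left. The function name, the trusted subnet and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: subnet where the web interface and a fronting proxy live.
TRUSTED_PROXIES = ["10.0.0.0/24"]


def resolve_audit_client(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, header_ok) to record in an audit entry.

    peer_ip    -- address of the TCP peer that called the REST API
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an unknown peer is caller-controlled: ignore it.
    if not xff_header or not is_trusted(peer):
        return str(peer), True

    client = peer
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            # Malformed entry: keep the last verified address, flag the record.
            return str(client), False
        client = addr
        if not is_trusted(addr):
            break
    return str(client), True
```

Recording `header_ok` alongside the address lets a reviewer spot audit entries where the forwarding header was malformed.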