The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.
Once you install the Graylog Operations plugin, Graylog automatically writes audit log entries into the database.
View Audit Log Entries
Graylog Audit Log adds a new page to the web interface, which can be reached via “Enterprise/Audit Log.” You can now view and export existing audit log entries in the database, and search and filter for audit events you are interested in with a simple search form.
Expand Event Details
Every row in the audit event entry table is clickable and reveals the details of the audit event when clicked.
All audit events have static fields, like actor, object, etc. In addition, every event has event-specific fields.
In the details view, the fields on the left side are the static fields shared by every event. The fields on the right side are the event-specific fields.
Search & Filter
To make it easier to get to the audit log entries you need, the audit log UI provides a simple query language to search and filter the audit log entries.
Search for text in the message
If you want to find specific text in the audit event message, enter the word you are looking for into the search bar.
Search for specific fields
You can also filter the entries for specific fields like the actor.
If you want to filter for all events triggered by the user jane, enter actor:jane into the search bar.
To filter for events for more than one actor, use actor:jane,john or actor:jane actor:john.
To exclude events, for example all events triggered by a given user, add a - in front of the field name to negate the condition. To show all events except those created by user jane, add -actor:jane to the search field.
Mix and match several field queries to find the entries you need. Here are more examples.
actor:jane,john -namespace:server: retrieve all events by users jane and john that are not in the server namespace.
index action:create: retrieve all events which have the word index in the event message and where the action is create.
message:index action:create: same as above but with an explicit field selector for the message field.
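To make the query semantics above concrete, the following Python snippet emulates them over a few constructed audit entries. It is an added illustration, not Graylog's own search implementation; the sample entries are invented, and it assumes (the page does not say) that fields other than the message are compared exactly and case-sensitively.

```python
"""Emulate the Audit Log search syntax over constructed sample entries.
Semantics as the documentation describes: bare words match the message,
field:v1,v2 and repeated field terms OR their values, distinct fields are
ANDed, a leading '-' negates. Assumption (not stated on the page): fields
other than 'message' are compared exactly and case-sensitively.
"""

# Constructed sample entries; field names follow the documentation
# (actor, namespace, action, message), values are invented.
ENTRIES = [
    {"actor": "jane", "namespace": "server", "action": "create",
     "message": "jane created index set default"},
    {"actor": "john", "namespace": "server", "action": "delete",
     "message": "john deleted stream"},
    {"actor": "jane", "namespace": "pipeline", "action": "update",
     "message": "jane updated pipeline rule"},
]


def parse(query: str) -> tuple:
    """Split a query into positive field terms, negated field terms and words."""
    positive, negative, words = {}, {}, []
    for term in query.split():
        negate = term.startswith("-")
        body = term[1:] if negate else term
        if ":" not in body:
            words.append((negate, body))
            continue
        field, raw = body.split(":", 1)
        bucket = negative if negate else positive
        bucket.setdefault(field, set()).update(v for v in raw.split(",") if v)
    return positive, negative, words


def field_hit(entry: dict, field: str, values: set) -> bool:
    """'message' uses substring matching; every other field compares exactly."""
    if field == "message":
        return any(v in entry.get("message", "") for v in values)
    return entry.get(field) in values


def search(query: str, entries: list = ENTRIES) -> list:
    """Return the entries that satisfy every part of the parsed query."""
    positive, negative, words = parse(query)
    return [
        e for e in entries
        if all(field_hit(e, f, v) for f, v in positive.items())
        and not any(field_hit(e, f, v) for f, v in negative.items())
        and all((w in e.get("message", "")) != neg for neg, w in words)
    ]
```

Running search("actor:jane,john -namespace:server") against the sample entries returns only jane's pipeline event, matching the first example above.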
Export Entries
You can also export the results of your query as JSON or CSV for further processing.
Use the Export Results button next to the search bar to export the current result set.
Export via REST API
If you want to back up the audit log entries or make them available to another system, use the REST API to export them.
Example:
# Export 20,000 audit log entries in JSON format
# (the URL is quoted so the shell does not treat '&' or '?' specially)
curl -u admin:<admin-password> 'http://127.0.0.1:9000/api/plugins/org.graylog.plugins.auditlog/entries/export/json?limit=20000'
# Export 5,000 audit log entries with actor "jane" in CSV format
curl -u admin:<admin-password> 'http://127.0.0.1:9000/api/plugins/org.graylog.plugins.auditlog/entries/export/csv?limit=5000&query=actor:jane'