- 25 May 2022
- 2 Minutes to read
- Updated on 25 May 2022
- 2 Minutes to read
Once you installed the Graylog Operations plugin, Graylog will automatically write audit log entries into the database.
View Audit Log Entries
Graylog Audit Log adds a new page to the web interface which can be reached via “Enterprise/Audit Log”. You can view and export existing audit log entries inthe database.
It also provides a simple search form to search and filter for audit events you are interested in.
Expand Event Details
Every row in the audit event entry table is clickable. Once clicked it will reveal the details of the audit event.
All audit events have static fields like actor , object and others. In addition to that, every event has some event specific fields.
The fields on the left side in the details are the static fields every even has and the fields on the right side are the event specific fields.
Search & Filter
To make it easier to get to the audit log entries you need, the audit log UI provides a simple query language to search and filter the audit log entries.
You can either enter one or more words into the search field or choose to look for some specific fields in the audit log entries.
Search for text in the message
If you just want to find some text in the audit event message, you can enter the word you are looking for into the search bar.
Search for specific fields
You can also filter the entries for specific fields like the
If you want to filter for all events triggered by the user jane you can enter
actor:janeinto the search bar.
Maybe you want to filter for events for more than one actor. That can be done by using either
Or you want to find all audit events which have not been triggered by auser. Add a
- in front of the field name to negate the condition. To show all events except those created by user jane you can add
-actor:janeto the search field.
You can mix and match several field queries to find the entries you need. Here are some more examples.
actor:jane,john -namespace:serverget all events by users jane and john which are not in the server namespace
index action:createget all events which have the word index in the event message and where the action is create
message:index action:createsame as above, just with an explicit field selector for the message field
If the simple entry viewer is not enough, you can also export the result of your query as JSON or CSV to further process it.
The “Export Results” button next to the search bar can be used to do that.
The export from the UI is currently limited to the newest 10,000 entries. Use the REST API if you need a bigger export.
Export via REST API
If you want to backup the audit log entries or make them available to another system, you can use the REST API to export them.
# Export 20,000 audit log entries in JSON format curl -u admin:<admin-password> http://127.0.0.1:9000/api/plugins/org.graylog.plugins.auditlog/entries/export/json?limit=20000 # Export 5,000 audit log entries with actor "jane" in CSV format curl -u admin:<admin-password> http://127.0.0.1:9000/api/plugins/org.graylog.plugins.auditlog/entries/export/csv?limit=5000&query=actor:jane
Make sure the
queryparameter is properly escaped if it contains whitespace.