Introduction to Audit Logs
Logging of the log management system itself is often required for compliance purposes. Audit logs keep track of every change made to the Graylog deployment by end users. Graylog records all state changes in the database, so audit log entries can be searched, filtered and exported.
In Graylog Enterprise version 3 and later, the audit log functionality can be enabled to write either to the database or to a log file for collection. Logging to the database is always enabled by default and cannot be disabled.
During audit log configuration, you select the number of days for which history is retained. This is fully adjustable to your audit requirements and is a per-node setting, so retention periods can be customized for each Graylog node.
How It Works
Graylog activates the MongoDB audit log feature when the Enterprise functionality is enabled and starts recording to the local database immediately. Every action taken by administrators is recorded and made available in a window for searching and exporting when needed.
You can also write the audit log to a file with the Log4j2 audit log appender, which outputs actions to a file on the system for collection or storage.
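As an added example (not taken from the original page or from Graylog's own documentation), a Log4j2 fragment of the kind described above that sends audit events to a dedicated, daily rotated file; the logger name, file paths and layout pattern are assumptions and must be matched to the names your Graylog node is actually configured with:

```xml
<!-- Added example: Log4j2 audit appender for a Graylog node.
     Merge these two elements into the node's existing log4j2.xml;
     logger name and paths are assumptions, not Graylog's documented values. -->
<Configuration>
  <Appenders>
    <!-- A separate file keeps audit entries out of the general server log,
         so it can be collected and permissioned independently. -->
    <RollingFile name="AUDITLOG"
                 fileName="/var/log/graylog-server/audit.log"
                 filePattern="/var/log/graylog-server/audit-%d{yyyy-MM-dd}.log.gz">
      <!-- ISO-8601 timestamp with offset, log level, Log4j2 marker, message -->
      <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%marker] %m%n"/>
      <Policies>
        <!-- Roll over once per day, matching the %d pattern above -->
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>
  </Appenders>
  <Loggers>
    <!-- additivity="false" stops audit events from also landing in the root log -->
    <Logger name="org.graylog.plugins.auditlog" level="info" additivity="false">
      <AppenderRef ref="AUDITLOG"/>
    </Logger>
  </Loggers>
</Configuration>
```

The file appender is in addition to the database: entries keep being written to MongoDB regardless of this configuration.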
Frequently Asked Questions
Can Audit Logs be disabled?
No. Once the Enterprise functionality has been enabled, logging to the database cannot be disabled.
Can Audit Logs be exported after searching and filtering?
Yes. Once you have searched or filtered the audit logs, you can export the resulting data set for delivery to auditors.