Audit logs are a useful feature used to keep track of all your network’s administrative functions and know what happened on your server. It was introduced in Graylog 3.0 as part of the enterprise feature set.
How it works
Just open the Enterprise menu in the navbar, and then click on Audit Logs to open the Overview interface and see what happened. Here you will find a list of everything that happened recently, such as the creation of new dashboards and widgets or the indexes being rotated in the node.
The Configuration Panel
If you click on the Configuration tab, you will see a new window that is split into two different sides. In our example, on the left side, we can see a MongoDB server that is used as default. Graylog will take any administrative action from it and archive it as soon as it is completed. On the right side there’s a Log4j that can be configured as well – you should input that configuration into a text file. If you want to find more about configuring these two, you can find more info on the Graylog Enterprise documentation.
MongoDB and Log4j
If you want to configure the MongoDB side correctly, you'll see that there are different parameters you can set. For example, you can determine how long do you want to retain those logs (one year by default), and how often you want to do a cleanup to purge the old logs, such as every hour. To configure the Log4j you should edit the XML file, give it a logger name and a marker name, and then set it to do the appending. Both the MongoDB server and the Log4j can be set as enabled(default) or disabled. If you configure Log4j on one node, all nodes have to have that same configuration applied.