# Audit Log

# Preamble

This guide explains how to configure audit logging. All interactions of clients with the server produce a corresponding log entry. Each log entry will contain the ip, the resource accessed, whether it was successful or not, the hostname that was accessed and a more or less descriptive description of the event.

An example of such a log can be seen here:

2020-05-24T07:55:37.720973 logger=restapi.views.info, user_ip=10.10.10.145, req_method=GET, req_url=/info/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_INFO_SUCCESS
2020-05-24T07:55:40.190189 logger=restapi.views.login, user_ip=10.10.10.145, req_method=POST, req_url=/authentication/login/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LOGIN_STARTED_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:40.927078 logger=restapi.views.activate_token, user_ip=10.10.10.145, req_method=POST, req_url=/authentication/activate-token/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LOGIN_ACTIVATE_TOKEN_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20, kwarg_token_id=a1398962-05a7-433d-a8f3-999df3e157b8
2020-05-24T07:55:41.027323 logger=restapi.views.status, user_ip=10.10.10.145, req_method=GET, req_url=/user/status/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_STATUS_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:41.416086 logger=restapi.views.datastore, user_ip=10.10.10.145, req_method=GET, req_url=/datastore/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LIST_ALL_DATASTORES_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:41.473771 logger=restapi.views.datastore, user_ip=10.10.10.145, req_method=GET, req_url=/datastore/bed4572d-6a28-4c00-94c2-dd45322de1d0/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LIST_DATASTORE_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20, kwarg_datastore_id=bed4572d-6a28-4c00-94c2-dd45322de1d0
2020-05-24T07:55:41.936556 logger=restapi.views.share_right, user_ip=10.10.10.145, req_method=GET, req_url=/share/right/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_GROUP_SHARE_RIGHTS_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:42.002075 logger=restapi.views.share, user_ip=10.10.10.145, req_method=GET, req_url=/share/de10070a-e836-4fb7-838c-89a85486c7c5/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_SHARE_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20, kwarg_share_id=de10070a-e836-4fb7-838c-89a85486c7c5
2020-05-24T07:57:11.970816 logger=restapi.views.health_check, user_ip=127.0.0.1, req_method=GET, req_url=/healthcheck/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=CHECK_HEALTH_SUCCESS

These logs should be sent to your logging aggregator with appropriate retention periods and access control. All logging solutions (ELK, Splunk, ...) are supported and can be used visualize the log nicely.

TIP

This feature is only available in the Enterprise Edition.

# Server (settings.yaml)

Create logging folder

Psono will store the audit.log in this logging folder.
```
mkdir -p /var/log/psono_ee
```

Adjust docker run command

You were starting the Psono server with this command:

docker run --name psono-combo-enterprise \
    --sysctl net.core.somaxconn=65535 \
    -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
    -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/config.json \
    -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/portal/config.json \
    -v /path/to/log/folder:/var/log/psono \
    -d --restart=unless-stopped -p 10200:80 psono/psono-combo-enterprise:latest

Adjust this to include:

...
    -v /var/log/psono_ee:/var/log/psono \
...

Restart the server afterwards

Adjust the setting.yml as shown below

During the installation of the server you have created a settings.yaml that needs to be adjusted now.
```
LOGGING_AUDIT: True
```
Restart the server afterwards

# Other Configuration

# Whitelisting events

By default Psono will log all events. If you discover that you only want to have specific events you can filter them with the following entry in your settings.yml:

LOGGING_AUDIT_WHITELIST: ['FIRST_EVENT_CODE', 'SECOND_EVENT_CODE']

# Blacklisting events

An alternative to whitelisting events is blacklisting events. This can be useful if you want to exclude some events. You can achieve this with the following entry in your settings.yml:

LOGGING_AUDIT_BLACKLIST: ['FIRST_EVENT_CODE', 'SECOND_EVENT_CODE']

← Install Fileserver (optional) Audit Log with Splunk →