# Audit Log

# Preamble

This guide explains how to configure audit logging. Every interaction of a client with the server produces a corresponding log entry. Each entry contains the client IP, the resource accessed, whether the request was successful, the hostname that was accessed, and a more or less descriptive name for the event.

An example of such a log can be seen here:

2020-05-24T07:55:37.720973 logger=restapi.views.info, user_ip=10.10.10.145, req_method=GET, req_url=/info/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_INFO_SUCCESS
2020-05-24T07:55:40.190189 logger=restapi.views.login, user_ip=10.10.10.145, req_method=POST, req_url=/authentication/login/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LOGIN_STARTED_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:40.927078 logger=restapi.views.activate_token, user_ip=10.10.10.145, req_method=POST, req_url=/authentication/activate-token/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LOGIN_ACTIVATE_TOKEN_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20, kwarg_token_id=a1398962-05a7-433d-a8f3-999df3e157b8
2020-05-24T07:55:41.027323 logger=restapi.views.status, user_ip=10.10.10.145, req_method=GET, req_url=/user/status/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_STATUS_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:41.416086 logger=restapi.views.datastore, user_ip=10.10.10.145, req_method=GET, req_url=/datastore/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LIST_ALL_DATASTORES_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:41.473771 logger=restapi.views.datastore, user_ip=10.10.10.145, req_method=GET, req_url=/datastore/bed4572d-6a28-4c00-94c2-dd45322de1d0/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=LIST_DATASTORE_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20, kwarg_datastore_id=bed4572d-6a28-4c00-94c2-dd45322de1d0
2020-05-24T07:55:41.936556 logger=restapi.views.share_right, user_ip=10.10.10.145, req_method=GET, req_url=/share/right/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_GROUP_SHARE_RIGHTS_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20
2020-05-24T07:55:42.002075 logger=restapi.views.share, user_ip=10.10.10.145, req_method=GET, req_url=/share/de10070a-e836-4fb7-838c-89a85486c7c5/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=READ_SHARE_SUCCESS, user=demo2@example.com, user_id=ba504938-9a23-4162-867f-6840c301bc20, kwarg_share_id=de10070a-e836-4fb7-838c-89a85486c7c5
2020-05-24T07:57:11.970816 logger=restapi.views.health_check, user_ip=127.0.0.1, req_method=GET, req_url=/healthcheck/, success=True, hostname=0a5048185933, status=HTTP_200_OK, event=CHECK_HEALTH_SUCCESS

These logs should be sent to your logging aggregator with appropriate retention periods and access control. All logging solutions (ELK, Splunk, ...) are supported and can be used to visualize the logs.
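As an added example (not part of Psono or its documentation), the following Python code parses lines in the format shown above and flags client IPs that produce repeated `LOGIN_*_ERROR` events within a short window. The sample lines, the `success=False` and `HTTP_400_BAD_REQUEST` values, the threshold, the window and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the page's format (not real log data).
FMT = ("2020-05-24T{t}.000000 logger=restapi.views.activate_token, user_ip={ip}, "
       "req_method=POST, req_url=/authentication/activate-token/, success={ok}, "
       "hostname=0a5048185933, status={st}, event=LOGIN_ACTIVATE_TOKEN_{res}")
BAD = dict(ok="False", st="HTTP_400_BAD_REQUEST", res="ERROR")
OK = dict(ok="True", st="HTTP_200_OK", res="SUCCESS")
SAMPLE_LINES = [
    FMT.format(t="08:00:01", ip="10.10.10.200", **BAD),
    FMT.format(t="08:00:03", ip="10.10.10.145", **BAD),
    FMT.format(t="08:00:05", ip="10.10.10.200", **BAD),
    FMT.format(t="08:00:09", ip="10.10.10.200", **BAD),
    FMT.format(t="08:00:12", ip="10.10.10.200", **OK),
    FMT.format(t="08:05:00", ip="10.10.10.145", **BAD),
]

def parse_line(line):
    """Split one audit line into (timestamp, dict of key=value fields)."""
    stamp, _, rest = line.strip().partition(" ")
    fields, last = {}, None
    for part in rest.split(", "):
        key, sep, value = part.partition("=")  # first '=' only: URLs may contain '='
        if sep and key.isidentifier():
            fields[key] = value
            last = key
        elif last is not None:
            fields[last] += ", " + part  # a value contained ", ": glue it back
    return datetime.fromisoformat(stamp), fields

def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=1)):
    """Map IP -> most LOGIN_*_ERROR events inside one window, if >= threshold."""
    per_ip = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, f = parse_line(line)
        event = f.get("event", "")
        if event.startswith("LOGIN_") and event.endswith("_ERROR"):
            per_ip[f.get("user_ip", "unknown")].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

In production the same rule is usually expressed as a query in the log aggregator; the parser is mainly useful for ad-hoc review of an exported `audit.log`.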

TIP

This feature is only available in the Enterprise Edition.

# Server (settings.yaml)

  1. Create logging folder

    Psono will store the audit.log in this logging folder.

    mkdir -p /var/log/psono_ee
    
  2. Adjust docker run command

    Until now you have started the Psono server with a command like this:

    docker run --name psono-combo-enterprise \
        --sysctl net.core.somaxconn=65535 \
        -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
        -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/config.json \
        -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/portal/config.json \
        -v /path/to/log/folder:/var/log/psono \
        -d --restart=unless-stopped -p 10200:80 psono/psono-combo-enterprise:latest
    

    Adjust this to include:

    ...
        -v /var/log/psono_ee:/var/log/psono \
    ...
    

    Restart the server afterward.

  3. Adjust the settings.yaml as shown below

    During the installation of the server you created a settings.yaml that now needs to be adjusted.

    LOGGING_AUDIT: True
    

    Restart the server afterward.

# Other Configuration

# Whitelisting events

By default Psono logs all events. If you only want specific events to be logged, you can filter them with the following entry in your settings.yaml:

LOGGING_AUDIT_WHITELIST: ['FIRST_EVENT_CODE', 'SECOND_EVENT_CODE']

# Blacklisting events

An alternative to whitelisting events is blacklisting events. This is useful if you want to exclude only some events. You can achieve this with the following entry in your settings.yaml:

LOGGING_AUDIT_BLACKLIST: ['FIRST_EVENT_CODE', 'SECOND_EVENT_CODE']

# List of events

ACCEPT_FILE_REPOSITORY_RIGHT_ERROR
ACCEPT_MEMBERSHIP_ERROR
ACCEPT_MEMBERSHIP_SUCCESS
ACCEPT_SHARE_RIGHT_ERROR
ACCEPT_SHARE_RIGHT_SUCCESS
ACTIVATE_EMERGENCY_CODE_ERROR
ADD_SECRET_TO_API_KEY_ERROR
ADD_SECRET_TO_API_KEY_SUCCESS
ADMIN_CREATE_GROUP_ERROR
ADMIN_CREATE_GROUP_SUCCESS
ADMIN_CREATE_LDAP_GROUP_MAP_ERROR
ADMIN_CREATE_LDAP_GROUP_MAP_SUCCESS
ADMIN_CREATE_OIDC_GROUP_MAP_ERROR
ADMIN_CREATE_OIDC_GROUP_MAP_SUCCESS
ADMIN_CREATE_POLICY_GROUP_MAP_ERROR
ADMIN_CREATE_POLICY_GROUP_MAP_SUCCESS
ADMIN_CREATE_SAML_GROUP_MAP_ERROR
ADMIN_CREATE_SAML_GROUP_MAP_SUCCESS
ADMIN_CREATE_SCIM_GROUP_MAP_ERROR
ADMIN_CREATE_SCIM_GROUP_MAP_SUCCESS
ADMIN_CREATE_USER_ERROR
ADMIN_CREATE_USER_SUCCESS
ADMIN_DELETE_DUOS_ERROR
ADMIN_DELETE_DUOS_SUCCESS
ADMIN_DELETE_EMERGENCY_CODE_ERROR
ADMIN_DELETE_EMERGENCY_CODE_SUCCESS
ADMIN_DELETE_GOOGLE_AUTHENTICATORS_ERROR
ADMIN_DELETE_GOOGLE_AUTHENTICATORS_SUCCESS
ADMIN_DELETE_GROUP_ERROR
ADMIN_DELETE_GROUP_SHARE_RIGHT_ERROR
ADMIN_DELETE_GROUP_SHARE_RIGHT_SUCCESS
ADMIN_DELETE_GROUPS_ERROR
ADMIN_DELETE_GROUPS_SUCCESS
ADMIN_DELETE_IVALT_ERROR
ADMIN_DELETE_IVALT_SUCCESS
ADMIN_DELETE_LDAP_GROUP_MAP_ERROR
ADMIN_DELETE_LDAP_GROUP_MAP_SUCCESS
ADMIN_DELETE_LINK_SHARE_ERROR
ADMIN_DELETE_LINK_SHARE_SUCCESS
ADMIN_DELETE_MEMBERSHIP_ERROR
ADMIN_DELETE_MEMBERSHIPS_ERROR
ADMIN_DELETE_MEMBERSHIPS_SUCCESS
ADMIN_DELETE_OIDC_GROUP_ERROR
ADMIN_DELETE_OIDC_GROUP_MAP_ERROR
ADMIN_DELETE_OIDC_GROUP_MAP_SUCCESS
ADMIN_DELETE_POLICY_GROUP_MAP_ERROR
ADMIN_DELETE_POLICY_GROUP_MAP_SUCCESS
ADMIN_DELETE_RECOVERY_CODES_ERROR
ADMIN_DELETE_RECOVERY_CODES_SUCCESS
ADMIN_DELETE_SCIM_GROUP_MAP_ERROR
ADMIN_DELETE_SCIM_GROUP_MAP_SUCCESS
ADMIN_DELETE_SESSIONS_ERROR
ADMIN_DELETE_SESSIONS_SUCCESS
ADMIN_DELETE_USERS_ERROR
ADMIN_DELETE_USERS_SUCCESS
ADMIN_DELETE_WEBAUTHNS_ERROR
ADMIN_DELETE_WEBAUTHNS_SUCCESS
ADMIN_DELETE_YUBIKEYS_ERROR
ADMIN_DELETE_YUBIKEYS_SUCCESS
ADMIN_READ_ALL_GROUPS_SUCCESS
ADMIN_READ_EMERGENCY_CODES_SUCCESS
ADMIN_READ_GROUP_ERROR
ADMIN_READ_GROUPS_SUCCESS
ADMIN_READ_INFO_SUCCESS
ADMIN_READ_LDAP_GROUPS_SUCCESS
ADMIN_READ_LDAP_USERS_SUCCESS
ADMIN_READ_MEMBERSHIPS_SUCCESS
ADMIN_READ_POLICIES_ERROR
ADMIN_READ_POLICIES_SUCCESS
ADMIN_READ_RECOVERY_CODES_SUCCESS
ADMIN_READ_SCIM_GROUPS_SUCCESS
ADMIN_READ_SECURITY_REPORT_SUCCESS
ADMIN_READ_SECURITY_REPORTS_SUCCESS
ADMIN_READ_SESSION_ERROR
ADMIN_READ_SESSIONS_SUCCESS
ADMIN_READ_STATS_BROWSER_SUCCESS
ADMIN_READ_STATS_DEVICE_SUCCESS
ADMIN_READ_STATS_OS_SUCCESS
ADMIN_READ_STATS_TWO_FACTOR_SUCCESS
ADMIN_READ_USER_SUCCESS
ADMIN_READ_USERS_SUCCESS
ADMIN_SYNC_LDAP_GROUPS_ERROR
ADMIN_SYNC_LDAP_GROUPS_SUCCESS
ADMIN_SYNC_SAML_GROUPS_ERROR
ADMIN_SYNC_SAML_GROUPS_SUCCESS
ADMIN_UPDATE_GROUP_SHARE_RIGHT_ERROR
ADMIN_UPDATE_GROUP_SHARE_RIGHT_SUCCESS
ADMIN_UPDATE_LDAP_GROUP_MAP_ERROR
ADMIN_UPDATE_LDAP_GROUP_MAP_SUCCESS
ADMIN_UPDATE_MEMBERSHIP_ERROR
ADMIN_UPDATE_OIDC_GROUP_MAP_ERROR
ADMIN_UPDATE_OIDC_GROUP_MAP_SUCCESS
ADMIN_UPDATE_SAML_GROUP_MAP_ERROR
ADMIN_UPDATE_SAML_GROUP_MAP_SUCCESS
ADMIN_UPDATE_SCIM_GROUP_MAP_ERROR
ADMIN_UPDATE_SCIM_GROUP_MAP_SUCCESS
ADMIN_UPDATE_USERS_ERROR
ADMIN_UPDATE_USERS_SUCCESS
API_KEY_INSPECT_ERROR
API_KEY_LOGIN_ERROR
API_KEY_SECRET_READ_ERROR
API_KEY_SECRET_UPDATE_ERROR
ARM_EMERGENCY_CODE_ERROR
CREATE_API_KEY_ERROR
CREATE_AVATAR_ERROR
CREATE_AVATAR_SUCCESS
CREATE_BULK_SECRET_ERROR
CREATE_BULK_SECRET_SUCCESS
CREATE_DATASTORE_REQUEST_ERROR
CREATE_DOWNLOAD_FILE_TRANSFER_ERROR
CREATE_DUO_ERROR
CREATE_EMERGENCY_CODE_ERROR
CREATE_FILE_REPOSITORY_ERROR
CREATE_FILE_REPOSITORY_RIGHT_ERROR
CREATE_GA_ERROR
CREATE_GROUP_ERROR
CREATE_GROUP_FILE_REPOSITORY_RIGHT_ERROR
CREATE_GROUP_FILE_REPOSITORY_RIGHT_SUCCESS
CREATE_IVALT_ERROR
CREATE_LINK_SHARE_ERROR
CREATE_LINK_SHARE_SUCCESS
CREATE_MEMBERSHIP_ERROR
CREATE_POLICY_ERROR
CREATE_PRELOGIN_ERROR
CREATE_PRELOGIN_SUCCESS
CREATE_RECOVERY_CODE_ERROR
CREATE_SECRET_LINK_ERROR
CREATE_SECURITY_REPORT_ERROR
CREATE_SERVER_SECRET_ERROR
CREATE_SERVER_SECRET_SUCCESS
CREATE_SHARE_ERROR
CREATE_SHARE_LINK_ERROR
CREATE_SHARE_LINK_SUCCESS
CREATE_SHARE_RIGHT_ERROR
CREATE_SAML_GROUP_ERROR
CREATE_SAML_GROUP_MAP_ERROR
CREATE_SAML_GROUP_MAP_SUCCESS
CREATE_SCIM_GROUP_MAP_ERROR
CREATE_SCIM_GROUP_MAP_SUCCESS
CREATE_SECRET_ERROR
CREATE_UPLOAD_FILE_TRANSFER_ERROR
CREATE_USER_ERROR
CREATE_WEBAUTHN_ERROR
CREATE_YUBIKEY_OTP_ERROR
DECLINE_FILE_REPOSITORY_RIGHT_ERROR
DECLINE_MEMBERSHIP_ERROR
DECLINE_MEMBERSHIP_SUCCESS
DECLINE_SHARE_RIGHT_ERROR
DECLINE_SHARE_RIGHT_SUCCESS
DELETE_AVATAR_ERROR
DELETE_AVATAR_SUCCESS
DELETE_DATASTORE_ERROR
DELETE_DUO_ERROR
DELETE_FILE_REPOSITORY_ERROR
DELETE_FILE_REPOSITORY_RIGHT_ERROR
DELETE_GROUP_FILE_REPOSITORY_RIGHT_ERROR
DELETE_IVALT_ERROR
DELETE_LDAP_GROUP_ERROR
DELETE_LINK_SHARE_ERROR
DELETE_MEMBERSHIP_ERROR
DELETE_MEMBERSHIPS_SUCCESS
DELETE_OIDC_GROUP_ERROR
DELETE_POLICY_ERROR
DELETE_RECOVERY_CODES_ERROR
DELETE_SCIM_GROUP_ERROR
DELETE_SECRET_FROM_API_KEY_ERROR
DELETE_SECRET_FROM_API_KEY_SUCCESS
DELETE_SECRET_LINK_ERROR
DELETE_SERVER_SECRET_ERROR
DELETE_SAML_GROUP_ERROR
DELETE_SESSION_ERROR
DELETE_SHARE_ERROR
DELETE_USER_ERROR
DELETE_USERS_ERROR
DELETE_WEBAUTHNS_ERROR
DELETE_YUBIKEYS_ERROR
DELETE_YUBIKEYS_SUCCESS
EXECUTE_MANAGEMENT_COMMAND_ERROR
FILESERVER_ALIVE_ERROR
FILESERVER_AUTHORIZE_DOWNLOAD_CHUNK_ERROR
FILESERVER_AUTHORIZE_UPLOAD_CHUNK_ERROR
FILESERVER_CLEANUP_CONFIRM_DELETION_ERROR
FILESERVER_REVOKE_DOWNLOAD_CHUNK_ERROR
FILE_LINK_DELETE_ERROR
FILE_LINK_MOVE_ERROR
FILE_REPOSITORY_DOWNLOAD_ERROR
FILE_REPOSITORY_UPLOAD_ERROR
INVALID_REQUEST
LIST_ALL_DATASTORES_SUCCESS
LOGIN_ACTIVATE_TOKEN_ERROR
LOGIN_DUO_VERIFY_ERROR
LOGIN_GA_VERIFY_ERROR
LOGIN_IVALT_VERIFY_ERROR
LOGIN_STARTED_SUCCESS
LOGIN_VERIFY_EMAIL_ERROR
LOGIN_VERIFY_EMAIL_SUCCESS
LOGIN_WEBAUTHN_INIT_VERIFY_ERROR
LOGIN_WEBAUTHN_VERIFY_ERROR
LOGIN_YUBIKEY_OTP_VERIFY_ERROR
LOGOUT_ERROR
MOVE_SECRET_LINK_ERROR
OIDC_BACKCHANNEL_LOGOUT_CONFIGURATION_DOES_NOT_EXIST_ERROR
OIDC_BACKCHANNEL_LOGOUT_CONFIGURATION_ID_NOT_SPECIFIED_ERROR
OIDC_BACKCHANNEL_LOGOUT_CONFIGURATION_IS_NOT_VALID_ERROR
OIDC_BACKCHANNEL_LOGOUT_MISSING_LOGOUT_TOKEN_PARAMETER_ERROR
OIDC_BACKCHANNEL_LOGOUT_PAYLOAD_EMPTY_SUCCESS
OIDC_BACKCHANNEL_LOGOUT_PAYLOAD_SUB_MISSING_ERROR
OIDC_BACKCHANNEL_LOGOUT_SUCCESS
OIDC_BACKCHANNEL_LOGOUT_USER_NOT_FOUND_SUCCESS
OIDC_CALLBACK_CONFIGURATION_DOES_NOT_EXIST_ERROR
OIDC_CALLBACK_CONFIGURATION_ID_NOT_SPECIFIED_ERROR
OIDC_CALLBACK_CONFIGURATION_IS_NOT_VALID_ERROR
OIDC_CALLBACK_EMAIL_ATTRIBUTE_NOT_PROVIDED_ERROR
OIDC_CALLBACK_INVALID_STATE_ERROR
OIDC_CALLBACK_MISSING_CODE_PARAMETER_ERROR
OIDC_CALLBACK_MISSING_STATE_PARAMETER_ERROR
OIDC_CALLBACK_PAYLOAD_EMPTY_ERROR
OIDC_CALLBACK_PAYLOAD_SUB_MISSING_ERROR
OIDC_CALLBACK_SUCCESS
OIDC_CALLBACK_USERNAME_ATTRIBUTE_NOT_PROVIDED_ERROR
OIDC_INITIATE_LOGIN_ERROR
OIDC_INITIATE_LOGIN_STARTED_SUCCESS
OIDC_PROXY_REDIRECT_INVALID_STATE_TOKEN_ID_ERROR
OIDC_PROXY_REDIRECT_OIDC_STATE_TOKEN_ID_NOT_SPECIFIED_ERROR
OIDC_PROXY_REDIRECT_SUCCESS
READ_ALL_AVATAR_SUCCESS
READ_ALL_GROUPS_SUCCESS
READ_ALL_LINK_SHARES_SUCCESS
READ_ALL_SHARES_SUCCESS
READ_AVATAR_ERROR
READ_AVATAR_IMAGE_ERROR
READ_AVATAR_IMAGE_SUCCESS
READ_EMERGENCY_CODES_SUCCESS
READ_FILE_REPOSITORY_ERROR
READ_GROUP_ERROR
READ_GROUP_NO_PERMISSION_ERROR
READ_GROUP_RIGHTS_ERROR
READ_GROUP_SUCCESS
READ_HISTORY_ERROR
READ_INFO_SUCCESS
READ_LINK_SHARE_ACCESS_ERROR
READ_LINK_SHARE_ACCESS_SUCCESS
READ_LINK_SHARE_ERROR
READ_LINK_SHARE_SUCCESS
READ_MEMBERSHIP_ERROR
READ_MEMBERSHIP_SUCCESS
READ_METADATA_DATASTORE_REQUEST_ERROR
READ_METADATA_SHARE_REQUEST_ERROR
READ_POLICIES_ERROR
READ_POLICIES_SUCCESS
READ_SCIM_GROUPS_SUCCESS
READ_SECRET_ERROR
READ_SECRET_HISTORY_ERROR
READ_SESSION_ERROR
READ_SHARD_ERROR
READ_SHARD_SUCCESS
READ_SHARE_ERROR
READ_SHARE_RIGHTS_ERROR
READ_SHARE_SHARE_NOT_EXIST_ERROR
READ_SAML_GROUP_ERROR
READ_SAML_GROUPS_SUCCESS
READ_STATS_BROWSER_SUCCESS
READ_STATS_DEVICE_SUCCESS
READ_STATS_OS_SUCCESS
READ_STATS_TWO_FACTOR_SUCCESS
READ_USER_ERROR
READ_USER_SUCCESS
READ_USERS_ERROR
READ_USERS_SUCCESS
RECOVERY_CODE_INITIATE_ERROR
RECOVERY_CODE_SET_PASSWORD_ERROR
REGISTRATION_ERROR
REGISTRATION_LICENSE_EXPIRED_ERROR
REGISTRATION_LICENSE_USER_LIMIT_ERROR
REGISTRATION_REGISTRATION_DISABLED_ERROR
REGISTRATION_USERNAME_ALREADY_EXISTS_ERROR
REGISTRATION_USERNAME_EMAIL_MISMATCH_ERROR
SAML_INITIATE_LOGIN_ERROR
SAML_INITIATE_LOGIN_STARTED_SUCCESS
SAML_LOGIN_ERROR
SAML_LOGIN_SUCCESS
SAML_METADATA_ERROR
SCIM_CREATE_GROUP_ERROR
SCIM_CREATE_GROUP_SUCCESS
SCIM_CREATE_USER_ERROR
SCIM_CREATE_USER_SUCCESS
SCIM_DELETE_GROUP_ERROR
SCIM_DELETE_USER_ERROR
SCIM_DELETE_USER_SUCCESS
SCIM_READ_GROUP_ERROR
SCIM_READ_USER_ERROR
SCIM_READ_USER_SUCCESS
SCIM_READ_SCHEMA_SUCCESS
SCIM_UPDATE_USER_ERROR
SCIM_UPDATE_USER_SUCCESS
UPDATE_API_KEY_ERROR
UPDATE_AVATAR_ERROR
UPDATE_AVATAR_SUCCESS
UPDATE_DATASTORE_REQUEST_ERROR
UPDATE_FILE_REPOSITORY_ERROR
UPDATE_FILE_REPOSITORY_RIGHT_ERROR
UPDATE_FILE_REPOSITORY_RIGHT_SUCCESS
UPDATE_GROUP_ERROR
UPDATE_GROUP_FILE_REPOSITORY_RIGHT_ERROR
UPDATE_GROUP_FILE_REPOSITORY_RIGHT_SUCCESS
UPDATE_LINK_SHARE_ACCESS_ERROR
UPDATE_LINK_SHARE_ACCESS_SUCCESS
UPDATE_LINK_SHARE_ERROR
UPDATE_LINK_SHARE_SUCCESS
UPDATE_MEMBERSHIP_ERROR
UPDATE_POLICY_ERROR
UPDATE_SCIM_GROUP_MAP_ERROR
UPDATE_SCIM_GROUP_MAP_SUCCESS
UPDATE_SECRET_ERROR
UPDATE_SHARE_RIGHT_ERROR
UPDATE_SHARE_RIGHT_SUCCESS
USER_DELETE_ERROR
USER_SEARCH_ERROR
USER_UPDATE_DETAILS_ERROR
VALIDATE_DUO_ERROR
VALIDATE_GA_ERROR
VALIDATE_IVALT_ERROR
VALIDATE_WEBAUTHN_ERROR
VALIDATE_YUBIKEY_OTP_ERROR