Alerting With Audit Logs

If you have a logging aggregator in place, you can leverage Audit Logs and the data they provide to get notifications or alerts for certain Audit Events.

This isn’t a detailed tutorial on logging aggregators or how to use Datadog. The goal of this document is to show how the data provided by Audit Events can help you setup alerts for events of interest.

Alerting and Logging Aggregators

The following section uses Datadog to exemplify using Audit Logs to receive alerts for certain actions. There are many Logging Aggregator tools that can help you with this in similar ways.

Setting Up Logs Collection

Assume that we have a pre-existing Audit Logs configuration in Connect:

etc/rstudio-connect/rstudio-connect.gcfg
[Logging]
AuditLog = "/var/log/connect-audit.log"
AuditLogFormat = "JSON"

With Datadog logging enabled, the following setting configures the Datadog agent to collect audit logging entries:

/etc/datadog-agent/conf.d/rstudio-connect.d/conf.yaml
logs:
  - type: file
    path: /var/log/connect-audit.log
    service: rstudio-connect
    source: rstudio-connect
Warning

It is very likely that you will need to adjust permissions so that your logging aggregator can tail the audit logs file. E.g: sudo chmod 0644 /var/log/connect-audit.log

Setting Up The Monitor

To setup a monitor in Datadog to trigger alerts, first create a New monitor. Then click the Logs option.

Create new monitor in Datadog

Use logs for new monitor in Datadog

Define The Search Query

You can track when user roles change. For example, when a user is granted the administrator role. The edit_user event provides a data field named new_user_role which fires when there are updates to a user role and indicates the new role assigned. You can make use of this information by setting @new_user_role:administrator as the search query. The new monitor considers any new audit log entries that contain the "new_user_role": "administrator" field.

Note

In Datadog, the @ syntax indicates that you want to access an attribute from the log record.

Use new Connect user role as search query

Set Alert Conditions

For this alert, you can specify it to trigger every time a user is granted the administrator role. That means an "Alert threshold" of "above or equal to" "1".

Connect role admin Datadog monitor conditions

Craft The Alert Message

The edit_user event provides many useful data fields. This example makes use of user_guid, actor_description and actor_guid to craft a simple message that includes the unique identifiers for both the new administrator user and the user who made the change.

To use the audit log record data in the Datadog message template, we have to prefix the log field with log.attributes.

For the message subject, configure User granted with administrator role, and for the message body use the following template and set the log.attributes of our interest.

Message Body
{% raw %}
The user ({{ "{{log.attributes.user_guid}}" }}) was granted an administrator role by {{ "{{log.attributes.actor_description}}" }}
({{ "{{log.attributes.actor_guid}}" }})
{% endraw %}

Connect Datadog alerting message template

Define Monitor Permissions

To finish creating the monitor, define who can modify it and who to notify when a modification happens. For this example, leave the defaults and click Save.

Connect Datadog save user role monitor

The New Monitor in Action

With Datadog collecting your Audit Logs and with the new monitor ready and saved, the next time a user is updated with an administrator role, an email alert is sent and the monitor in Datadog registers the event.

The New Monitor Dashboard Connect Datadog admin role given monitor

Email Alert Connect Datadog admin role email alert