Alerting With Audit Logs
If you have a logging aggregator in place, you can leverage Audit Logs and the data they provide to get notifications or alerts for certain Audit Events.
Alerting and Logging Aggregators
The following section uses DataDog to show how Audit Logs can be used to receive alerts for certain actions. Many logging aggregator tools can do this in similar ways.
This isn't a detailed tutorial on logging aggregators or on how to use DataDog. The goal of this document is to show how the data provided by Audit Events can help you set up alerts for events of interest.
Setting Up Logs Collection
Assume that we have a pre-existing Audit Logs configuration in Connect:
/etc/rstudio-connect/rstudio-connect.gcfg
[Logging]
AuditLog = "/var/log/connect-audit.log"
AuditLogFormat = "JSON"
With DataDog logging enabled, the following setting configures the DataDog agent to collect audit logging entries:
/etc/datadog-agent/conf.d/rstudio-connect.d/conf.yaml
logs:
  - type: file
    path: /var/log/connect-audit.log
    service: rstudio-connect
    source: rstudio-connect
It is very likely that you will need to adjust permissions so that your logging aggregator can tail the audit log file, e.g. sudo chmod 0644 /var/log/connect-audit.log. Keep in mind that 0644 makes the file readable by every local user; because audit logs record who did what, granting read access only to the agent's group is the tighter option.
Setting Up The Monitor
Now, let's see how to set up a monitor in DataDog to trigger alerts.
To begin, create a New monitor and click the Logs option.
Define The Search Query
Let's say we are interested in being notified when a user is granted the administrator role. The edit_user event provides a data field named new_user_role, which is present when a user's role is updated and indicates the new role assigned. You can make use of this information by setting @new_user_role:administrator as the search query. The new monitor then considers any new audit log entry that contains the "new_user_role": "administrator" field.
In DataDog, the @ syntax indicates that we want to access an attribute from the log record.
Set Alert Conditions
For this alert, you can specify it to trigger every time a user is granted the administrator role. That means an "Alert threshold" of "above or equal to" "1".
Craft The Alert Message
The edit_user event provides many useful data fields. For this example we'll make use of user_guid, actor_description and actor_guid to craft a simple message that includes the unique identifiers for both the new administrator user and the user who made the change.
To use the audit log record data in the DataDog message template, we have to prefix the log field with log.attributes.
For the message subject, configure User granted with administrator role, and for the message body use the following template, referencing the log.attributes fields of interest.
Message Body
The user ({{log.attributes.user_guid}}) was granted an administrator role by {{log.attributes.actor_description}} ({{log.attributes.actor_guid}})
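The search query and message template above, reproduced as a small Python check that runs over raw JSON audit log lines. This is an added example, not code from Connect or DataDog; the field names new_user_role, user_guid, actor_description and actor_guid are the ones described on this page, while the sample entries, their "time" and "event" keys and the overall JSON layout are constructed assumptions rather than the real Connect record format.

```python
import json
from typing import Iterator, List, Optional

# Constructed sample entries. The field names new_user_role, user_guid,
# actor_description and actor_guid come from the page; the "event"/"time"
# keys and the overall JSON layout are assumptions, not the real Connect format.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-01-01T10:00:00Z","event":"edit_user","actor_guid":"a1","actor_description":"Alice (alice)","user_guid":"u7","new_user_role":"publisher"}
{"time":"2024-01-01T10:05:00Z","event":"edit_user","actor_guid":"a1","actor_description":"Alice (alice)","user_guid":"u7","new_user_role":"administrator"}
{"time":"2024-01-01T10:06:00Z","event":"user_login","actor_guid":"u7","actor_description":"Bob (bob)"}
not json at all
"""

# Plain-Python equivalent of the DataDog message body template above.
MESSAGE_TEMPLATE = (
    "The user ({user_guid}) was granted an administrator role "
    "by {actor_description} ({actor_guid})"
)


def parse_audit_lines(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # an aggregator drops unparseable lines and keeps tailing


def match_admin_grant(entry: dict) -> Optional[str]:
    """Return the alert message if the entry matches @new_user_role:administrator."""
    if entry.get("new_user_role") != "administrator":
        return None
    return MESSAGE_TEMPLATE.format(
        user_guid=entry.get("user_guid", "<unknown>"),
        actor_description=entry.get("actor_description", "<unknown>"),
        actor_guid=entry.get("actor_guid", "<unknown>"),
    )


def admin_grant_alerts(text: str) -> List[str]:
    """Run the monitor logic over raw audit log text and collect alert messages."""
    return [m for m in map(match_admin_grant, parse_audit_lines(text)) if m]
```

Calling admin_grant_alerts(SAMPLE_AUDIT_LOG) yields a single message, for the second sample line only: the earlier publisher grant and the login event do not match, and the malformed line is dropped.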
Define Monitor Permissions
To finish creating the monitor, define who can modify it and who to notify when a modification happens. For this example, leave the defaults and click Save.
The New Monitor in Action
With DataDog collecting your Audit Logs and with the new monitor ready and saved, the next time a user is updated with an administrator role you'll get an alert in your email and the monitor in DataDog will register the event.
The New Monitor Dashboard
Email Alert