Alerting With Audit Logs
If you have a logging aggregator in place, you can leverage Audit Logs and the data they provide to get notifications or alerts for certain Audit Events.
Alerting and Logging Aggregators
We will use DataDog to exemplify how to use Audit Logs to receive alerts for certain actions. There are many Logging Aggregator tools that can help you with this in similar ways.
Note
This isn't a detailed tutorial on logging aggregators or how to use DataDog. The main focus of this document is showing how the data provided by Audit Events can help you set up alerts for events of interest.
Setting Up Logs Collection
Assume that we have a pre-existing Audit Logs configuration in Connect:
[Logging]
AuditLog = "/var/log/connect-audit.log"
AuditLogFormat = "JSON"
With DataDog logging enabled, the following setting will configure the DataDog agent to collect audit logging entries:
logs:
  - type: file
    path: /var/log/connect-audit.log
    service: rstudio-connect
    source: rstudio-connect
Warning
It is very likely that you will need to adjust permissions so that your logging aggregator can tail the audit log file, e.g.: sudo chmod 0644 /var/log/connect-audit.log
Setting Up The Monitor
Now, let's see how to set up a monitor in DataDog to trigger alerts.
To begin, create a New monitor and click the Logs option.
Define The Search Query
Let's say we are interested in being notified when a user is granted the administrator role.
The edit_user event provides a data field named new_user_role, which is present when a user's role is updated and indicates the new role assigned. We'll make use of this information by setting @new_user_role:administrator as the search query.
The new monitor will consider any new audit log entries that contain the "new_user_role": "administrator" field.
Note
In DataDog, the @ syntax indicates that we want to access an attribute from the log record.
Set Alert Conditions
For this alert we'll say we want it to trigger every time a user is granted the administrator role. That will be an "Alert threshold" of "above or equal to" "1".
Craft The Alert Message
The edit_user event provides many useful data fields. For this example we'll make use of user_guid, actor_description and actor_guid to craft a simple message that includes the unique identifiers for both the new administrator user and the user who made the change.
To use the audit log record data in the DataDog message template we have to prefix the log field with log.attributes.
For the message subject we'll set User granted with administrator role, and for the message body we'll use the following template, referencing the log.attributes of interest:
The user ({{log.attributes.user_guid}}) was granted an administrator role by {{log.attributes.actor_description}} ({{log.attributes.actor_guid}})
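As an added example, not part of the Connect documentation or of DataDog's tooling, the following Python script applies the same rule offline to a few constructed JSON audit log lines: it parses one record per line, keeps only the records matching @new_user_role:administrator, applies the threshold, and renders the same message template. The exact record layout, including an action field named event, is an assumption made for this illustration; only the field names the text mentions are taken from the page.

```python
import json
from typing import Iterable, Iterator

# Constructed sample lines (not real Connect output). The "event" field name and the
# overall layout are assumptions; user_guid, actor_guid, actor_description and
# new_user_role are the fields the documentation names.
SAMPLE_AUDIT_LINES = [
    '{"event": "edit_user", "user_guid": "u-1111", "actor_guid": "a-9999", '
    '"actor_description": "Alice Admin", "new_user_role": "administrator"}',
    '{"event": "edit_user", "user_guid": "u-2222", "actor_guid": "a-9999", '
    '"actor_description": "Alice Admin", "new_user_role": "viewer"}',
    '{"event": "create_user", "user_guid": "u-3333", "actor_guid": "a-9999", '
    '"actor_description": "Alice Admin"}',
    "not json at all",  # a truncated or corrupt line must not break the monitor
    '{"event": "edit_user", "user_guid": "u-4444", "actor_guid": "a-8888", '
    '"actor_description": "Bob Ops", "new_user_role": "administrator"}',
]

# Same wording as the DataDog message body, with log.attributes.* replaced by plain keys.
MESSAGE_TEMPLATE = (
    "The user ({user_guid}) was granted an administrator role by "
    "{actor_description} ({actor_guid})"
)
MESSAGE_FIELDS = ("user_guid", "actor_description", "actor_guid")


def parse_audit_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per JSON audit record, skipping lines that are not JSON objects."""
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def admin_grants(lines: Iterable[str]) -> list[dict]:
    """Offline equivalent of the @new_user_role:administrator search query."""
    return [r for r in parse_audit_lines(lines) if r.get("new_user_role") == "administrator"]


def render_alerts(lines: Iterable[str], threshold: int = 1) -> list[str]:
    """Fire one rendered message per match once the match count reaches the threshold."""
    matches = admin_grants(lines)
    if len(matches) < threshold:
        return []
    return [MESSAGE_TEMPLATE.format(**{k: r.get(k, "unknown") for k in MESSAGE_FIELDS})
            for r in matches]


if __name__ == "__main__":
    for alert in render_alerts(SAMPLE_AUDIT_LINES):
        print(alert)
```

Pointing parse_audit_lines at the lines of /var/log/connect-audit.log, in place of the constructed list, lets you check which existing records the monitor would have matched before enabling it.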
Define Monitor Permissions
To finish creating the monitor, define who can modify it and who to notify when a modification happens. We'll leave this with the defaults and click Save.
The New Monitor in Action
With DataDog collecting our Audit Logs and with the new monitor ready and saved, the next time a user is updated with an administrator role, we'll get an alert in our email and the monitor in DataDog will register the event.
[Figure: The New Monitor Dashboard]
[Figure: Email Alert]