
Alerting With Audit Logs

If you have a logging aggregator in place, you can leverage Audit Logs and the data they provide to get notifications or alerts for certain Audit Events.

Alerting and Logging Aggregators

We will use DataDog to exemplify how to use Audit Logs to receive alerts for certain actions. There are many Logging Aggregator tools that can help you with this in similar ways.

Note

This isn't a detailed tutorial on logging aggregators or on how to use DataDog. The main focus of this document is showing how the data provided by Audit Events can help you set up alerts for events of interest.

Setting Up Logs Collection

Assume that we have a pre-existing Audit Logs configuration in Connect:

/etc/rstudio-connect/rstudio-connect.gcfg
[Logging]
AuditLog = "/var/log/connect-audit.log"
AuditLogFormat = "JSON"

With DataDog logging enabled, the following setting will configure the DataDog agent to collect audit logging entries:

/etc/datadog-agent/conf.d/rstudio-connect.d/conf.yaml
logs:
  - type: file
    path: /var/log/connect-audit.log
    service: rstudio-connect
    source: rstudio-connect

Warning

It is very likely that you will need to adjust permissions so that your logging aggregator can tail the audit log file, e.g. sudo chmod 0644 /var/log/connect-audit.log. Because audit entries identify users and the actions they took, prefer granting read access only to the group the agent runs as (mode 0640) over making the file world-readable, and make sure any log rotation preserves those permissions so collection does not silently stop after the first rotation.

Setting Up The Monitor

Now, let's see how to set up a monitor in DataDog to trigger alerts.

To begin, create a New monitor and click the Logs option.

Create new monitor in DataDog

Use logs for new monitor in DataDog

Define The Search Query

Let's say we are interested in being notified when a user is granted the administrator role. The edit_user event is recorded whenever a user is updated, and when the update changes the user's role it carries a data field named new_user_role that indicates the role just assigned. We'll make use of this information by setting @new_user_role:administrator as the search query. The new monitor will consider any new audit log entry that contains the "new_user_role": "administrator" field, regardless of which role the user held before.

Note

In DataDog, the @ syntax indicates that we want to access an attribute from the log record.

Use new Connect user role as search query

Set Alert Conditions

For this alert we'll say we want it to trigger every time a user is granted the administrator role. That will be an "Alert threshold" of "above or equal to" "1".

Connect role admin DataDog monitor conditions

Craft The Alert Message

The edit_user event provides many useful data fields. For this example we'll make use of user_guid, actor_description and actor_guid to craft a simple message that includes the unique identifiers for both the new administrator user and the user who made the change.

To use the audit log record data in the DataDog message template we have to prefix the log field with log.attributes.

For the message subject we'll set User granted with administrator role, and for the message body we'll use the following template and set the log.attributes of our interest.

Message Body
The user ({{log.attributes.user_guid}}) was granted an administrator role by {{log.attributes.actor_description}} ({{log.attributes.actor_guid}})

Connect DataDog alerting message template
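The same detection can be checked locally against the JSON audit log before (or instead of) wiring it into DataDog. The following Python script is an added example, not code from this page or from Connect itself: it reads JSON audit lines, applies the equivalent of the @new_user_role:administrator query, and renders the same message body as the monitor above. The field names user_guid, actor_guid, actor_description and new_user_role are the ones this page documents for the edit_user event; the "action" key, the GUID values and the sample lines themselves are constructed for the example and are assumptions about the record layout.

```python
import json

# Constructed sample of JSON audit log lines (not real Connect output).
# user_guid, actor_guid, actor_description and new_user_role are the
# documented edit_user fields; the "action" key and all GUIDs are assumed.
SAMPLE_AUDIT_LINES = [
    '{"action": "edit_user", "actor_guid": "11111111-1111-4111-8111-111111111111", '
    '"actor_description": "Alice Admin", '
    '"user_guid": "22222222-2222-4222-8222-222222222222", '
    '"new_user_role": "administrator"}',
    '{"action": "edit_user", "actor_guid": "11111111-1111-4111-8111-111111111111", '
    '"actor_description": "Alice Admin", '
    '"user_guid": "33333333-3333-4333-8333-333333333333", '
    '"new_user_role": "publisher"}',
    '{"action": "user_login", "actor_guid": "44444444-4444-4444-8444-444444444444", '
    '"actor_description": "Bob Viewer"}',
    'this line is not JSON and must not break the monitor',
    '{"action": "edit_user", "actor_guid": "44444444-4444-4444-8444-444444444444", '
    '"actor_description": "Bob Viewer", '
    '"user_guid": "55555555-5555-4555-8555-555555555555", '
    '"new_user_role": "administrator"}',
]

ROLE_OF_INTEREST = "administrator"

# Same wording as the DataDog message body; {{log.attributes.x}} becomes {x}.
MESSAGE_TEMPLATE = (
    "The user ({user_guid}) was granted an administrator role by "
    "{actor_description} ({actor_guid})"
)


def parse_audit_lines(lines):
    """Yield one dict per well-formed JSON line, skipping blank or malformed ones.

    A partially written line (e.g. during rotation) must not stop processing
    of the lines that follow it.
    """
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def is_admin_grant(record):
    """Local equivalent of the DataDog search query @new_user_role:administrator."""
    return record.get("new_user_role") == ROLE_OF_INTEREST


def build_alert(record):
    """Render the alert message for one matching record.

    Missing attributes are rendered as placeholders rather than raising, so a
    record with an unexpected shape still produces an alert.
    """
    return MESSAGE_TEMPLATE.format(
        user_guid=record.get("user_guid", "<unknown user_guid>"),
        actor_description=record.get("actor_description", "<unknown actor>"),
        actor_guid=record.get("actor_guid", "<unknown actor_guid>"),
    )


def find_admin_grants(lines):
    """Return one alert message per audit entry that grants the administrator role."""
    return [build_alert(r) for r in parse_audit_lines(lines) if is_admin_grant(r)]


if __name__ == "__main__":
    for alert in find_admin_grants(SAMPLE_AUDIT_LINES):
        print(alert)
```

Running it against the sample prints two alerts: the publisher change and the login are filtered out by the role check, and the malformed line is skipped rather than aborting the run. Pointing `find_admin_grants` at the lines of /var/log/connect-audit.log gives a quick way to confirm the query and the template produce what you expect before saving the monitor.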

Define Monitor Permissions

To finish creating the monitor, define who can modify it and who to notify when a modification happens. We'll leave this with the defaults and click Save.

Connect DataDog save user role monitor

The New Monitor in Action

With DataDog collecting our Audit Logs and with the new monitor ready and saved, the next time a user is updated with an administrator role, we'll get an alert in our email and the monitor in DataDog will register the event.

The New Monitor Dashboard (screenshot: Connect DataDog admin role given monitor)

Email Alert (screenshot: Connect DataDog admin role email alert)