Logging

Table of Contents


Graphlytic logging

Graphlytic uses slf4j and logback binding.

Configuration

Logging levels, loggers, appenders, and general log turning on/off is configured in the <GRAPHLYTIC_HOME>/conf/logback.xml file.

The location of log directory with all produced logs is configured in the <GRAPHLYTIC_HOME>/conf/graphlytic.conf file.


Logs

Common log

file: graphlytic.log

Contains all logs.

Audit log

Backend Audit log

File: graphlytic-audit.log

Contains backend audit logs (a subset of the common log):

  • when a user was successfully logged into Graphlytic (time, name of the user)

  • information about unsuccessful authentication (time, name of the user)

  • information about data changing operations for nodes and relationships (create, update, delete) (time, name of the user, name of the operation).


Format of the log record (row in the log file)

<timestamp> INFO AUDIT_LOGGER:<loggerInstanceId> - AUDIT <action> <actionData>
  • timestamp - system time

  • loggerInstanceId - internal Java logger id, not usable for audit reporting

  • action - action code, like CSV_EXPORT_NODE or VIS_ACCESS

  • actionData - here are key:value pairs with data specific to the <action>. Every action can have different actionData stored


Implemented events

Action

Custom Data

Note

LOGIN_SUCCESS


prior to Graphlytic 3.0.0 logged as "USER auth success"

LOGIN_FAILURE


prior to Graphlytic 3.0.0 logged as "USER auth fail"

LOGOUT_SUCCESS



CSV_EXPORT_NODES

numOfRecords

numOfRecords - number of exported rows with data

CSV_EXPORT_RELS

numOfRecords

numOfRecords - number of exported rows with data

PNG_EXPORT



VIS_CREATE

visId

visId - The ID of the created visualization

VIS_ACCESS

visId

visId -The ID of the accessed visualization

VIS_SHARE_USERS

addedUsers, removedUsers

images/s/w0k7xq/8703/51k4y0/_/images/icons/emoticons/warning.svg Note: the VIS_SHARE_USERS and VIS_SHARE_GROUPS are always as double record log (two log rows for one action) because with one frontend action of vis sharing there are two backend calls (one call is for change in user sharing list and one is for change in group sharing list)

VIS_SHARE_GROUPS

addedGroups, removedGroups

CREATE_NODE



UPDATE_NODE



UPDATE_NODES

updatedNodes

updatedNodes - number of updated nodes

DELETE_NODE



CREATE_RELATIONSHIP



UPDATE_RELATIONSHIP



DELETE_NODE_RELATIONSHIP



CREATE_USER

createdUser

If the user was created with the SSO workflow then the 'user' is set to the actually created user.

UPDATE_USER

updatedUser


DELETE_USER

deletedUser


UNDELETE_USER

undeletedUser


ENABLE_USER

enabledUser


DISABLE_USER

disabledUser


CHANGE_PASSWORD

passwordChangedForUser

If the password was changed with email password self-service or SSO workflows then the 'user' is set to the same value as 'passwordChangedForUser'.

CREATE_GROUP

createdGroup, permissions

Permissions is a comma-separated list of all granted permissions, e.g. 'PERM_DATA_MGMT,PERM_SETTINGS'.

UPDATE_GROUP

updatedGroup, permissions

Permissions is a comma-separated list of all granted permissions, e.g. 'PERM_DATA_MGMT,PERM_SETTINGS'.

DELETE_GROUP

deletedGroup


ADD_USER_TO_GROUP

group, users

The 'users' attribute is a multivalued one with values separated by comma.

REMOVE_USER_FROM_GROUP

group, users

The 'users' attribute is a multivalued one with values separated by comma.

UPDATE_GROUP_PERMISSION

group, permissions

Permissions is a comma-separated list of all granted permissions, e.g. 'PERM_DATA_MGMT,PERM_SETTINGS'.

UPDATE_GROUP_DATA_SECURITY

group


UPDATE_SETTINGS

setting


CREATE_JOB

job


UPDATE_JOB

job


DELETE_JOB

job


RUN_JOB

job



Examples

Examples
20.01.16 10:09:13.198 INFO AUDIT_LOGGER:30 - AUDIT LOGIN_SUCCESS user:'admin'
20.01.16 10:09:24.502 INFO AUDIT_LOGGER:964 - AUDIT CSV_EXPORT_NODES user:'admin' numOfRecords:16
20.01.16 10:09:55.815 INFO AUDIT_LOGGER:1118 - AUDIT CSV_EXPORT_RELS user:'admin' numOfRecords:2217
20.01.16 10:10:00.266 INFO AUDIT_LOGGER:111 - AUDIT PNG_EXPORT user:'admin'
20.01.16 10:12:13.479 INFO AUDIT_LOGGER:99 - AUDIT VIS_ACCESS user:'admin' visId:2
20.01.16 10:12:25.981 INFO AUDIT_LOGGER:148 - AUDIT CSV_EXPORT_WIDGET user:'admin' numOfRecords:2656
20.01.16 10:13:55.033 INFO AUDIT_LOGGER:43 - AUDIT LOGIN_FAILURE user:'admin' exception:'Bad credentials'
20.01.16 10:14:04.059 INFO AUDIT_LOGGER:43 - AUDIT LOGIN_FAILURE user:'someLoginFail' exception:'Bad credentials'
20.01.16 10:14:16.990 INFO AUDIT_LOGGER:30 - AUDIT LOGIN_SUCCESS user:'admin'
20.01.16 10:14:20.662 INFO AUDIT_LOGGER:99 - AUDIT VIS_ACCESS user:'admin' visId:2
20.01.16 10:24:26.603 INFO AUDIT_LOGGER:411 - AUDIT VIS_SHARE_USERS user:'admin' visId:2 addedUsers:0 removedUsers:0
20.01.16 10:24:26.604 INFO AUDIT_LOGGER:449 - AUDIT VIS_SHARE_GROUPS user:'admin' visId:2 addedGroups:1 removedGroups:0

Frontend Audit log

File: graphlytic-frontend.log

Contains audit logs (a subset of the common log) of the Graphlytic frontend application with richer context information, e.g. about exploring.


Format of the log record (row in the log file)

graphlytic-frontend.log
{"serverTimestamp":"2020-02-13T16:44:29.342+01:00","userLogin":"admin","ipAddress":"0:0:0:0:0:0:0:1","eventType":"EXPLORING","urlPath":"/visualization","exploringMode":"FINAL_DATA","exploredNodeIds":["2","5"]}


Implemented events

Action

Custom Data

EXPLORING

  • exploringMode: "FINAL_DATA" (without opening of the explore filter), "USER_FILTER" (with opened explore filter)

  • exploredNodeIds: Graph DB IDs of explored nodes

  • exploredNodeUids: UID values of explored nodes (present only when the UUID functionality is turned on)

  • noFilter: flag. True if no filtering options were used. False if nodes or edges filtering was used.

SEARCH

  • searchType:

    • "QUERY": when a custom query (cypher or gremlin) was used.

    • "TEMPLATE": when a query template was used.

    • "FULLTEXT": usage of the fulltext search.

  • numOfNodes: num of nodes found based on the search action.

  • numOfRelationships: num of relationships found based on the search action.

  • searchTerm: search term used in the "FULLTEXT" searchType.

  • query: query that was executed in the "TEMPLATE" or "QUERY" searchType.

  • title: title of the executed query template in the "TEMPLATE" searchType or saved query in the "QUERY" searchType.



Audit Log REST API

GET /audit/data

Service GET /audit/data can be used to read normalized audit log data.

Every record (a parsed line from an audit log file) consists of these attributes:

Record attribute

Data type

Description

logger

String

Logger identification. Values are "BE" (backend logger) or "FE" (frontend logger)

dateTime

Number

Epoch time of the logged event

username

String

Username of the user who created the event.

action

String

Audit event action. Values: see the chapter below.

json

null or Object

Additional data for the event. The structure is dependent on the "action" value.

Example of response
[
{
"logger": "BE",
"dateTime": 1581155429371,
"action": "LOGIN_SUCCESS",
"username": "admin",
"json": null
},
{
"logger": "BE",
"dateTime": 1581193189302,
"action": "UPDATE_NODE",
"username": "admin",
"json": null
},
{
"logger": "FE",
"dateTime": 1583488172967,
"action": "EXPLORING",
"username": "admin",
"json":{
"serverTimestamp": "2020-03-06T10:49:32.967+01:00",
"userLogin": "admin",
"ipAddress": "0:0:0:0:0:0:0:1",
"eventType": "EXPLORING",
"urlPath": "/visualization",
"exploringMode": "FINAL_DATA",
"exploredNodeIds":["46152", "46153", "46154", "46155"]
}
}
]

POST /audit/data/frontend

Graphlytic REST API service for frontend events collecting. Can be used in custom widgets to log specific user behavior.

Request example
{
"eventType" : "some event type",
"urlPath" : "...",
"userTimestamp" : "...",
...other event data entered as key:value pairs...
}