Auditing
Enable auditing logs in Pritunl
Auditing can be enabled in the settings by setting Auditing to All. Once enabled, auditing can only be disabled by running sudo pritunl unset app.auditing on a Pritunl host. Gaining access to the web console will not allow auditing to be disabled or cleared. Once enabled, the two auditing outputs below will be active.
Administrator and User Audit
The administrator and user audit is stored in the database. It can be viewed from any host by clicking the audit icon on the right side of a user in the web console. This audit shows actions performed by the user but does not include VPN connections. This audit log never expires and is never removed from the database.
Journal Audit
The audit journal stores detailed events in the file /var/log/pritunl_journal.log. This file rotates five times, starting with /var/log/pritunl_journal.log.1 and ending at /var/log/pritunl_journal.log.5. Each line contains one audit event formatted as JSON.
Each event has an id that is unique to that event; parsing systems can use it to identify each event (for example to avoid counting the same event twice when a rotated file is read again). The timestamp is the epoch time in seconds. The event is the event type; the types can be found at Journal Events. The reason and reason_long describe why the event occurred. The values user_name and remote_address are included in most events and reference the client's user name and the client's IP address.
{
"id": "5c75cfc15285f54158d75a36",
"timestamp": 1551224769.767757,
"event": "admin_auth_failure",
"reason": "invalid_username",
"reason_long": "Invalid username",
"host_id": "fbcf3dcc59874186a92065879e408627",
"host_name": "pritunl0",
"host_local_address": "8.8.8.8",
"host_public_address": "8.8.8.8",
"user_name": "testuser",
"remote_address": "8.8.4.4"
}
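As an added example (not part of the Pritunl documentation or code base), the following Python reads journal lines in the format described above, deduplicates events by id, tolerates malformed lines and events that lack remote_address, and flags any remote address with repeated admin_auth_failure events inside a sliding time window. The sample journal lines, the short ids, the 203.0.113.9 address and the event type constructed_other_event are constructed for the example; the window and threshold values are assumptions to tune for your environment.

```python
import json
from collections import defaultdict

# Constructed sample journal lines (one JSON event per line). The e2 line
# appears twice to mimic re-reading a rotated file; one line is deliberately
# not JSON; the last event uses a made-up type and has no remote_address.
SAMPLE_JOURNAL = [
    '{"id": "e1", "timestamp": 1551224769.7, "event": "admin_auth_failure", "reason": "invalid_username", "user_name": "testuser", "remote_address": "8.8.4.4"}',
    '{"id": "e2", "timestamp": 1551224780.1, "event": "admin_auth_failure", "reason": "invalid_username", "user_name": "admin", "remote_address": "8.8.4.4"}',
    '{"id": "e2", "timestamp": 1551224780.1, "event": "admin_auth_failure", "reason": "invalid_username", "user_name": "admin", "remote_address": "8.8.4.4"}',
    '{"id": "e3", "timestamp": 1551224795.3, "event": "admin_auth_failure", "reason": "invalid_username", "user_name": "root", "remote_address": "8.8.4.4"}',
    '{"id": "e4", "timestamp": 1551224800.0, "event": "admin_auth_failure", "reason": "invalid_username", "user_name": "testuser", "remote_address": "203.0.113.9"}',
    'this line is not JSON',
    '{"id": "e5", "timestamp": 1551224810.0, "event": "constructed_other_event", "host_name": "pritunl0"}',
]


def journal_paths(base="/var/log/pritunl_journal.log", rotations=5):
    """Journal files oldest first: base.5 ... base.1, then the live file."""
    return [f"{base}.{n}" for n in range(rotations, 0, -1)] + [base]


def parse_journal(lines):
    """Parse JSON journal lines; skip malformed lines and repeated ids."""
    seen, events = set(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or garbled line, e.g. mid-rotation
        event_id = event.get("id")
        if event_id is None or event_id in seen:
            continue
        seen.add(event_id)
        events.append(event)
    return events


def auth_failures_by_address(events, window_seconds=300, threshold=3):
    """Map remote_address -> peak count of admin_auth_failure events seen
    within any window_seconds span, for addresses reaching threshold."""
    per_addr = defaultdict(list)
    for ev in events:
        if ev.get("event") == "admin_auth_failure" and "remote_address" in ev:
            per_addr[ev["remote_address"]].append(float(ev["timestamp"]))
    flagged = {}
    for addr, times in per_addr.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[addr] = max(flagged.get(addr, 0), end - start + 1)
    return flagged
```

To run it over real files, open each path from journal_paths() in order and pass the concatenated lines to parse_journal; the id check keeps overlapping reads from double counting.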