Auditing

Auditing can be enabled in the settings by setting Auditing to All. Once enabled auditing can only be disabled by running sudo pritunl unset app.auditing on a Pritunl host. Gaining access to the web console will not allow auditing to be disabled or cleared. Once enabled the two auditing outputs below will be enabled.

Administrator and User Audit

The administrator and user audit is stored in the database. This can be viewed from any host by clicking the audit icon on the right side of a user in the web console. This audit shows actions performed by the user but does not include VPN connections. This audit log is never expires and is never removed from the database.

Journal Audit

The audit journal stores detailed events in the file /var/log/pritunl_journal.log. This file rotates five times starting with /var/log/pritunl_journal.log.1 and ending at /var/log/pritunl_journal.log.5. Each line will contain an audit even formatted as JSON.

Each event has a id that is unique to each event. This can be used by parsing systems to identify each event. The timestamp is the epoch time in seconds. The event is the event type, the types can be found at Journal Events. The reason and reason_long describe why the event occurred. The values user_name and remote_address are included in most events and reference the clients IP address and the clients user name.

{
  "id": "5c75cfc15285f54158d75a36",
  "timestamp": 1551224769.767757,
  "event": "admin_auth_failure",
  "reason": "invalid_username",
  "reason_long": "Invalid username",
  "host_id": "fbcf3dcc59874186a92065879e408627",
  "host_name": "pritunl0",
  "host_local_address": "8.8.8.8",
  "host_public_address": "8.8.8.8",
  "user_name": "testuser",
  "remote_address": "8.8.4.4",
}