
Audit Event Collection

Description of Event Audit System in YuChat

The system audit service collects events from internal YuChat services and can be integrated with SIEM systems over the syslog protocol. If required, events can also be stored persistently in a MongoDB database. Event types are described in the documentation: system audit service data structures

Configuration of system-audit-service producer

Relevant for services that emit events (backend, admin-dashboard). The broker credentials are read from environment variables; give the audit producer its own RabbitMQ user and vhost with only the permissions it needs rather than reusing the application's broker credentials, so that a compromised application component cannot read or purge the audit queue.

In the backend application.yaml:

rabbitmq:
  servers:
    system-audit:
      uri: ${AUDIT_RABBITMQ_URI}            # Host for accessing RMQ for audit events (can use the same host)
      username: ${AUDIT_RABBITMQ_USERNAME}  # Username for accessing RMQ for audit events
      password: ${AUDIT_RABBITMQ_PASSWORD}  # Password for accessing RMQ for audit events
      virtual-host: ${AUDIT_RABBITMQ_VHOST} # Vhost for accessing RMQ for audit events
client:
  sas:
    host: ${CLIENT_SAS_HOST}                # Host for accessing System audit storage service
micronaut:
  executors:
    system-audit:                           # configuration of the event producer thread pool
      type: fixed
      nThreads: 2

In the admin-dashboard application.yaml:

system:
  audit:
    rmq:
      uri: ${AUDIT_RABBITMQ_URI}            # Host for accessing RMQ for audit events (can use the same host)
      username: ${AUDIT_RABBITMQ_USERNAME}  # Username for accessing RMQ for audit events
      password: ${AUDIT_RABBITMQ_PASSWORD}  # Password for accessing RMQ for audit events
client:
  sas:
    host: ${CLIENT_SAS_HOST}                # Host for accessing System audit storage service

Configuration of system-audit-service

In the system-audit-store application.yaml:

spring:
  rabbitmq:
    addresses: ${AUDIT_RABBITMQ_URI}        # Host for accessing RMQ for audit events (can use the same host)
    username: ${AUDIT_RABBITMQ_USERNAME}    # Username for accessing RMQ for audit events
    password: ${AUDIT_RABBITMQ_PASSWORD}    # Password for accessing RMQ for audit events
    virtual-host: ${AUDIT_RABBITMQ_VHOST}   # Vhost for accessing RMQ for audit events
system:
  audit:
    config:
      systemAuditEnabled: true
      loggingMode: BODY

Log4j configuration of system-audit-store (the audit logger is routed to the syslog appender only, with additivity disabled so events are not duplicated on the console):

Configuration:
  status: "debug"
  monitorInterval: 300
  appenders:
    Console:
      - name: ConsoleAppender
        target: SYSTEM_OUT
        GelfLayout:
          compressionType: "OFF"
          includeNewLineDelimiter: true
    Syslog:
      name: SyslogAppender
      host: ${SYSLOG_HOST}
      port: ${SYSLOG_PORT}
      protocol: UDP
      facility: LOCAL0
      format: RFC5424
      appName: system-audit
      mdcId: mdc
      includeMDC: true
      PatternLayout:
        pattern: "%m"
      connectTimeoutMillis: 30000
      reconnectionDelayMillis: 5000
  Loggers:
    Root:
      level: debug
      AppenderRef:
        - ref: ConsoleAppender
    Logger:
      - name: ru.yuchat.system.audit.service.LoggingStorageService
        level: info
        additivity: false
        AppenderRef:
          - ref: SyslogAppender

In deployment.yaml, check that spec.template.spec.containers[].args contains the JVM argument -Dlogging.config=$(LOG4J_CONFIG_FILE); without it the service starts with its default logging configuration and nothing reaches the SIEM.

Two caveats on the syslog appender above. Log4j uses an explicitly configured layout in place of the one implied by format, so with the PatternLayout "%m" each datagram carries only the event body; drop the PatternLayout block if the SIEM expects full RFC 5424 records (app name, facility, MDC fields). And protocol: UDP neither authenticates the sender nor guarantees delivery: dropped datagrams leave silent gaps in the audit trail, and any host that can reach the collector can inject records. Where the SIEM supports it, use protocol: TCP, or SSL with an Ssl element (trust and key stores) so that the link is encrypted and the collector can require a client certificate; connectTimeoutMillis and reconnectionDelayMillis apply to those connection-oriented protocols, not to UDP.
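As an added example (not YuChat code), the following is a SIEM-side receiver that parses what the appender above sends, in both framings (a full RFC 5424 record, or a bare event body when the PatternLayout is left in), and flags records that do not match the configured facility and app name. It assumes the event body is a JSON object with a type field, that MDC fields arrive as the SD-ELEMENT mdc@18060 (Log4j's default enterprise number), and it uses constructed sample records; the event field names are illustrative.

```python
"""Parser and origin check for YuChat audit events received over syslog (SIEM side).

Added example, not YuChat project code. Assumptions: the event body is a JSON
object with a "type" field, MDC fields arrive as the SD-ELEMENT "mdc@18060",
and the sample records below are constructed, not captured.
"""
import json
import re
import socket

LOCAL0 = 16                     # facility LOCAL0 from the Log4j config above
EXPECTED_APP = "system-audit"   # appName from the Log4j config above
MDC_SD_ID = "mdc@18060"         # mdcId "mdc" + Log4j default enterprise number (assumption)

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and optional MSG
HEADER_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo the three escapes RFC 5424 requires inside a PARAM-VALUE."""
    return value.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")


def _take_sd(rest):
    """Consume STRUCTURED-DATA; return ({sd_id: {param: value}}, remainder)."""
    if rest.startswith("-"):
        return {}, rest[1:]
    sd = {}
    while rest.startswith("["):
        i = 1
        while i < len(rest) and rest[i] != "]":
            i += 2 if rest[i] == "\\" else 1   # skip escaped characters
        if i >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        sd_id, _, params = rest[1:i].partition(" ")
        sd[sd_id] = {k: _unescape(v) for k, v in PARAM_RE.findall(params)}
        rest = rest[i + 1:]
    return sd, rest


def parse_line(line):
    """Parse one record: a full RFC 5424 frame, or a bare JSON body (PatternLayout "%m")."""
    line = line.rstrip("\r\n")
    if line.startswith("{"):
        return {"framing": "raw", "facility": None, "severity": None,
                "app": None, "mdc": {}, "event": json.loads(line)}
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not RFC 5424: {line[:40]!r}")
    pri = int(m.group(1))
    sd, rest = _take_sd(line[m.end():])
    msg = rest[1:] if rest.startswith(" ") else rest   # one SP separates SD from MSG
    try:
        event = json.loads(msg)
    except json.JSONDecodeError:
        event = None
    return {"framing": "rfc5424", "facility": pri // 8, "severity": pri % 8,
            "app": m.group(4), "mdc": sd.get(MDC_SD_ID, {}), "event": event}


def reject_reason(parsed):
    """Return None if the record matches what the appender is configured to send, else why not.

    Plain UDP syslog is unauthenticated, so these header checks only catch
    misrouted or carelessly forged records; real origin assurance needs TCP/TLS.
    """
    if not isinstance(parsed["event"], dict) or "type" not in parsed["event"]:
        return "body is not an audit event object"
    if parsed["framing"] == "rfc5424":
        if parsed["facility"] != LOCAL0:
            return f"unexpected facility {parsed['facility']}"
        if parsed["app"] != EXPECTED_APP:
            return f"unexpected app-name {parsed['app']!r}"
    return None


def receive(port, count):
    """Bind the UDP port the appender points at and yield `count` parsed datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, _addr = sock.recvfrom(65535)
            yield parse_line(data.decode("utf-8", errors="replace"))


# Constructed sample records (not captured from a real deployment).
SAMPLE_RFC5424 = ('<134>1 2024-05-06T10:15:30.123Z yuchat-backend-0 system-audit 1 - '
                  '[mdc@18060 traceId="c0ffee" userId="42"] '
                  '{"type":"USER_LOGIN","actorId":"42","result":"SUCCESS"}')
SAMPLE_RAW = '{"type":"USER_LOGIN","actorId":"42","result":"SUCCESS"}'
SAMPLE_FORGED = ('<14>1 2024-05-06T10:15:31Z attacker-host syslog-ng 1 - - '
                 '{"type":"USER_LOGIN","actorId":"1","result":"SUCCESS"}')

if __name__ == "__main__":
    for record in (SAMPLE_RFC5424, SAMPLE_RAW, SAMPLE_FORGED):
        parsed = parse_line(record)
        print(parsed["framing"], parsed["app"], parsed["mdc"], reject_reason(parsed))
```

Run it against a live appender with receive(int(SYSLOG_PORT), n) on the collector host to confirm which framing actually arrives and that facility and app name match before wiring the SIEM rules; the forged sample shows why the header check alone is not an origin guarantee over UDP.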