Audit Event Collection
Overview
The System Audit Service collects events from YuChat's internal services. It integrates with SIEM systems over syslog and can persist events to a database (MongoDB). For the full event catalog, see System Audit Service data structures.
Configuring the Producer
This applies to services that emit events (backend, admin-dashboard).
In application.yaml for backend:

```yaml
rabbitmq:
  servers:
    system-audit:
      uri: ${AUDIT_RABBITMQ_URI}             # Host for accessing RMQ for audit events (can use the same host)
      username: ${AUDIT_RABBITMQ_USERNAME}   # Username for accessing RMQ for audit events
      password: ${AUDIT_RABBITMQ_PASSWORD}   # Password for accessing RMQ for audit events
      virtual-host: ${AUDIT_RABBITMQ_VHOST}  # Vhost for accessing RMQ for audit events
client:
  sas:
    host: ${CLIENT_SAS_HOST}                 # Host for accessing the System Audit storage service
micronaut:
  executors:
    system-audit:                            # configuration of the event producer thread pool
      type: fixed
      nThreads: 2
```
In application.yaml for admin-dashboard:

```yaml
system:
  audit:
    rmq:
      uri: ${AUDIT_RABBITMQ_URI}             # Host for accessing RMQ for audit events (can use the same host)
      username: ${AUDIT_RABBITMQ_USERNAME}   # Username for accessing RMQ for audit events
      password: ${AUDIT_RABBITMQ_PASSWORD}   # Password for accessing RMQ for audit events
client:
  sas:
    host: ${CLIENT_SAS_HOST}                 # Host for accessing the System Audit storage service
```
Configuring system-audit-service
In application.yaml for system-audit-store:

```yaml
spring:
  rabbitmq:
    addresses: ${AUDIT_RABBITMQ_URI}         # Host for accessing RMQ for audit events (can use the same host)
    username: ${AUDIT_RABBITMQ_USERNAME}     # Username for accessing RMQ for audit events
    password: ${AUDIT_RABBITMQ_PASSWORD}     # Password for accessing RMQ for audit events
    virtual-host: ${AUDIT_RABBITMQ_VHOST}
system:
  audit:
    config:
      systemAuditEnabled: true
      loggingMode: BODY
```
Log4j configuration:

```yaml
Configuration:
  status: "debug"
  monitorInterval: 300
  appenders:
    Console:
      - name: ConsoleAppender
        target: SYSTEM_OUT
        GelfLayout:
          compressionType: "OFF"
          includeNewLineDelimiter: true
    Syslog:
      name: SyslogAppender
      host: ${SYSLOG_HOST}
      port: ${SYSLOG_PORT}
      protocol: UDP
      facility: LOCAL0
      format: RFC5424
      appName: system-audit
      mdcId: mdc
      includeMDC: true
      PatternLayout:
        pattern: "%m"
      connectTimeoutMillis: 30000
      reconnectionDelayMillis: 5000
  Loggers:
    Root:
      level: debug
      AppenderRef:
        - ref: ConsoleAppender
    Logger:
      - name: ru.yuchat.system.audit.service.LoggingStorageService
        level: info
        additivity: false
        AppenderRef:
          - ref: SyslogAppender
```
In deployment.yaml, confirm that spec.template.spec.containers.args includes -Dlogging.config=$(LOG4J_CONFIG_FILE).
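A quick way to confirm the syslog audit path after following the steps above is to lint the Log4j and deployment configuration for the settings that, if wrong, silently stop events from reaching the SIEM: a missing or non-RFC5424 Syslog appender, an audit logger that does not reference it or still has additivity on, and a container started without `-Dlogging.config`. This is an added example, not YuChat project code; the inputs are constructed dicts mirroring the YAML on this page (in practice, load the real files with `yaml.safe_load`).

```python
"""Lint the audit logging path: LoggingStorageService -> SyslogAppender -> SIEM.

Added example, not part of the YuChat project. Inputs are constructed
dicts mirroring this page's YAML; load real files with yaml.safe_load.
Each check returns a list of findings; an empty list means the path is intact.
"""
AUDIT_LOGGER = "ru.yuchat.system.audit.service.LoggingStorageService"


def check_log4j(cfg: dict) -> list[str]:
    """The audit logger must route only to an RFC5424 Syslog appender."""
    findings = []
    conf = cfg.get("Configuration", {})
    syslog = conf.get("appenders", {}).get("Syslog") or {}
    if not syslog:
        findings.append("no Syslog appender defined")
    elif syslog.get("format") != "RFC5424":
        findings.append("Syslog appender format is not RFC5424")
    loggers = conf.get("Loggers", {}).get("Logger", [])
    target = next((l for l in loggers if l.get("name") == AUDIT_LOGGER), None)
    if target is None:
        return findings + [f"no logger configured for {AUDIT_LOGGER}"]
    # additivity=true would also propagate audit events up to Root (console)
    if target.get("additivity") is not False:
        findings.append("audit logger additivity must be false")
    refs = {r.get("ref") for r in target.get("AppenderRef", [])}
    if syslog and syslog.get("name") not in refs:
        findings.append("audit logger does not reference the Syslog appender")
    return findings


def check_deployment(deploy: dict) -> list[str]:
    """Every container must be started with a -Dlogging.config=... argument."""
    containers = deploy["spec"]["template"]["spec"]["containers"]
    return [f"container {c.get('name')} lacks -Dlogging.config"
            for c in containers
            if not any(a.startswith("-Dlogging.config=") for a in c.get("args", []))]


# Constructed inputs mirroring the configuration shown on this page
LOG4J_OK = {"Configuration": {
    "appenders": {"Syslog": {"name": "SyslogAppender", "format": "RFC5424"}},
    "Loggers": {"Logger": [{"name": AUDIT_LOGGER, "additivity": False,
                            "AppenderRef": [{"ref": "SyslogAppender"}]}]}}}
DEPLOY_OK = {"spec": {"template": {"spec": {"containers": [
    {"name": "system-audit-store", "args": ["-Dlogging.config=$(LOG4J_CONFIG_FILE)"]}]}}}}
```

Run both checks in a deploy pipeline and fail the rollout on any non-empty result.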