dcm4chee-arc-light: audit logs kibana help


Michael Andersen

Jan 29, 2021, 5:04:55 PM
to dcm4che
Hi,

I had a dcm4chee-arc-light instance running with keycloak via this setup: https://github.com/dcm4che/dcm4chee-arc-light/wiki/Run-secured-archive-services-on-a-single-host

I realized I wanted audit log functionality so I followed this setup to extend what was currently working for me: https://github.com/dcm4che/dcm4chee-arc-light/wiki/Run-secured-archive-services-and-Elastic-Stack-on-a-single-host

Everything from my previous instance continued to work and I could access the elasticsearch/kibana pages through: https://<docker-host>:8643, however I don't see any index patterns or sources besides: logstash-wildfly-2021.01.29

I was expecting to see something like what was described here: https://github.com/dcm4che/dcm4chee-arc-light/wiki/View-Audit-Messages-in-Kibana

Being new to dcm4chee-arc-light, audit logs, kibana, etc. I'm a bit at a loss for what I'm missing. Any help would be appreciated! Thanks!

vrinda...@j4care.com

Jan 31, 2021, 2:01:03 PM
to dcm4che
In Kibana, by default it considers only last 15 mins. Can you expand the time range and check (as a first step) if there are at least any raw audit messages that you see? (See the 3rd screenshot in View audit messages in Kibana wiki)

By default, audit logging is enabled in the archive. An alternative way to check if your archive is indeed sending out audit messages (in case you have not disabled audit logging) is to use the syslogd tool, which prints out the audit message in XML format. Also, do you see the following info in your Wildfly server.log? (host/port depends upon your config)
[org.dcm4che3.net.audit.AuditLogger] (EE-ManagedScheduledExecutorService-default-Thread-1) Send audit message to localhost/127.0.0.1:6514
[org.dcm4chee.arc.audit.AuditScheduler] (EE-ManagedScheduledExecutorService-default-Thread-10) finished AuditScheduler.execute()
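The server.log check suggested above can be automated. The script below is an added example, not code from the dcm4chee-arc-light project: it scans Wildfly log lines for the AuditLogger "Send audit message to host/ip:port" entries and compares the destination actually used against the host and port the deployment expects (for instance the SYSLOG_HOST/SYSLOG_PORT values set in docker-compose). The sample log lines are constructed for the example; only the two message texts quoted in this thread are taken from the real logger, the timestamps and thread numbers are made up.

```python
import re
from collections import Counter

# The dcm4che AuditLogger logs the resolved target as "host/ip:port", e.g.
# "Send audit message to localhost/127.0.0.1:6514" (quoted in this thread).
SEND_RE = re.compile(
    r"\[org\.dcm4che3\.net\.audit\.AuditLogger\].*?"
    r"Send audit message to (?P<host>[^/\s]+)/(?P<ip>[\d.]+):(?P<port>\d+)"
)

# Constructed sample of a Wildfly server.log: the archive is sending to port 514
# although the deployment expected 8514 (the situation reported later in this thread).
SAMPLE_LOG = """\
2021-01-29 16:55:02,114 INFO  [org.dcm4che3.net.audit.AuditLogger] (EE-ManagedScheduledExecutorService-default-Thread-1) Send audit message to logstash/172.18.0.5:514
2021-01-29 16:55:02,120 INFO  [org.dcm4chee.arc.audit.AuditScheduler] (EE-ManagedScheduledExecutorService-default-Thread-10) finished AuditScheduler.execute()
2021-01-29 17:05:02,118 INFO  [org.dcm4che3.net.audit.AuditLogger] (EE-ManagedScheduledExecutorService-default-Thread-3) Send audit message to logstash/172.18.0.5:514
""".splitlines()


def audit_destinations(log_lines):
    """Count every (host, ip, port) the AuditLogger reported sending to."""
    counts = Counter()
    for line in log_lines:
        m = SEND_RE.search(line)
        if m:
            counts[(m["host"], m["ip"], int(m["port"]))] += 1
    return counts


def check_destination(log_lines, expected_host, expected_port):
    """Compare the destinations seen in the log with the expected logstash endpoint.

    'seen' is the number of audit sends found; zero means the archive never sent
    anything in this log window (audit logging disabled, or no auditable event).
    'mismatches' lists destinations whose host or port differs from what the
    deployment was configured with, e.g. 514 in the log versus 8514 in the env.
    """
    seen = audit_destinations(log_lines)
    mismatches = [
        {"host": host, "ip": ip, "port": port, "count": n}
        for (host, ip, port), n in seen.items()
        if host != expected_host or port != expected_port
    ]
    return {
        "seen": sum(seen.values()),
        "ok": bool(seen) and not mismatches,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    # Hypothetical expected values; in practice take them from the env file.
    print(check_destination(SAMPLE_LOG, "logstash", 8514))
```

Run it against the real file with `check_destination(open("server.log").readlines(), host, port)`. A non-empty `mismatches` list means the archive is using a different destination than the container environment says, which (as the next reply explains) points at the device configuration in LDAP rather than at the environment variables.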
Message has been deleted

Gunter Zeilinger

Feb 2, 2021, 10:28:07 AM
to dcm...@googlegroups.com
Don't know why your postings to the forum get deleted - I reported the issue to Google...

The archive application uses the host/port configured for the logstash device in LDAP, which are initialized according to the corresponding environment parameters of the LDAP container on first start up - which may differ from the environment parameters of your current archive container.
You may verify and adjust its values using the UI Configuration page. Be aware that the
Protocol of the Network Connection (SYSLOG_TLS or SYSLOG_UDP) must match the Protocol of the Network Connection used by the configured Audit Logger of the Archive (and Keycloak) device.



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 1st, 2021 at 6:25 PM, Michael Andersen <mjpan...@gmail.com> wrote:

[I've posted this response several times but it keeps being deleted?]

Thanks for the response, the only logs on Elastic Search are related to Keycloak events with the source logstash-wildfly.

The wildfly server.log shows audit messages being sent to port 514 instead of port 8514. I've checked the dcm4chee_arc container and the SYSLOG_PORT environment variable is 8514 as I set it in the docker-compose files. I am a bit confused that the setup in the docker guide specifies using 8514 and TLS but it seems 6514 is the default TLS port for the logstash container. I can try playing around with that (though it still doesn't explain why 514 is being used).

Michael Andersen

Feb 3, 2021, 10:39:43 AM
to dcm4che

Thank you for the response. If this reply is also deleted I will repost in the other forum.

I am now seeing audit logs in elasticsearch show up around once a day for a one hour period (same time each day). They all have the tag "_grokparsefailure". By playing with the network configuration and viewing the wildfly logs (which do show up in elasticsearch regularly) I know that the audit logger is regularly running and sending, but it doesn't result in anything viewable in elasticsearch.
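A "_grokparsefailure" tag means Logstash received an event whose text did not match its grok pattern, so the next thing to look at is the raw frame the archive emits (what the syslogd tool prints). The following is an added example, not code from dcm4che or from the wiki: it parses one RFC 5424 syslog frame, strips the optional UTF-8 BOM in front of the message part, and then pulls the event, participant and source fields out of the DICOM/ATNA AuditMessage XML carried in it, so that the shape of a real frame can be compared with what the grok pattern expects. The sample frame is constructed for the example (the PRI, MSGID, timestamps, user name and addresses are invented); the XML element and attribute names follow the DICOM audit message schema, with a fallback to the older `code` attribute where newer messages use `csd-code`.

```python
import re
import xml.etree.ElementTree as ET

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed sample frame: a user-authentication audit event as an archive might emit
# it; header values are invented, only the XML structure follows the DICOM schema.
SAMPLE_FRAME = (
    "<85>1 2021-02-03T09:12:45.123Z dcm4chee-arc dcm4chee-arc 1 DICOM+RFC3881 - "
    "\ufeff<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
    "<AuditMessage>"
    "<EventIdentification EventActionCode=\"E\" EventDateTime=\"2021-02-03T09:12:45.120Z\""
    " EventOutcomeIndicator=\"0\">"
    "<EventID csd-code=\"110114\" codeSystemName=\"DCM\" originalText=\"User Authentication\"/>"
    "<EventTypeCode csd-code=\"110122\" codeSystemName=\"DCM\" originalText=\"Login\"/>"
    "</EventIdentification>"
    "<ActiveParticipant UserID=\"admin\" UserIsRequestor=\"true\""
    " NetworkAccessPointID=\"192.168.1.20\" NetworkAccessPointTypeCode=\"2\"/>"
    "<AuditSourceIdentification AuditSourceID=\"dcm4chee-arc\">"
    "<AuditSourceTypeCode csd-code=\"4\"/></AuditSourceIdentification>"
    "</AuditMessage>"
)


def parse_syslog_frame(frame):
    """Split an RFC 5424 frame into its header fields and the message part."""
    m = HEADER_RE.match(frame)
    if not m:
        raise ValueError("not an RFC 5424 frame")
    d = m.groupdict()
    # PRI encodes facility*8 + severity.
    d["facility"], d["severity"] = divmod(int(d["pri"]), 8)
    # RFC 5424 allows a UTF-8 BOM before MSG; the XML parser must not see it.
    d["msg"] = (d["msg"] or "").lstrip("\ufeff")
    return d


def parse_audit_message(xml_text):
    """Extract the fields that matter for triage from a DICOM AuditMessage document."""
    root = ET.fromstring(xml_text)
    if root.tag != "AuditMessage":
        raise ValueError(f"unexpected root element: {root.tag}")
    ev = root.find("EventIdentification")
    eid = ev.find("EventID")
    source = root.find("AuditSourceIdentification")
    return {
        "event_id": eid.get("csd-code") or eid.get("code"),
        "event_name": eid.get("originalText"),
        "action": ev.get("EventActionCode"),
        "outcome": ev.get("EventOutcomeIndicator"),
        "time": ev.get("EventDateTime"),
        "participants": [
            {
                "user_id": p.get("UserID"),
                "requestor": p.get("UserIsRequestor") == "true",
                "net": p.get("NetworkAccessPointID"),
            }
            for p in root.findall("ActiveParticipant")
        ],
        "source": source.get("AuditSourceID") if source is not None else None,
    }


def summarize_frame(frame):
    """Header plus decoded audit fields for one received frame."""
    hdr = parse_syslog_frame(frame)
    audit = parse_audit_message(hdr["msg"])
    return {"hostname": hdr["hostname"], "msgid": hdr["msgid"],
            "facility": hdr["facility"], "severity": hdr["severity"], "audit": audit}


if __name__ == "__main__":
    print(summarize_frame(SAMPLE_FRAME))
```

Feed the frames captured by the syslogd tool into `summarize_frame`; if `parse_syslog_frame` raises, the header itself is not what the pipeline's pattern assumes, and if it succeeds but Logstash still tags the event, the pattern and the real MSGID/APP-NAME/BOM layout should be compared field by field.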