Graphlytic 5.1.3

Table of Contents

1. Graphlytic logging

Graphlytic uses SLF4J and Logback binding.

1.1. Configuration

Logging levels, loggers, appenders, and general log turning on/off are configured in the <GRAPHLYTIC_HOME>/conf/logback.xml file.

The location of the log directory with all produced logs is configured in the <GRAPHLYTIC_HOME>/conf/graphlytic.conf file.

Log file rollover

Currently, the logback.xml configuration keeps only logs that are less than 365 days old. To change this, update each <maxHistory> or comment it out to turn off deletion entirely.

Please note that a maximum of 32 files is removed. If the configuration is changed from 365 to a lower number, the old files must be removed manually.

2. Logs

2.1. Common log

file: graphlytic.log

Contains all logs.

2.2. Audit log

2.2.1. Backend Audit log

File: graphlytic-audit.log

Contains backend audit logs (a subset of the common log):

when a user was successfully logged into Graphlytic (time, name of the user)
information about unsuccessful authentication (time, name of the user)
information about data changing operations for nodes and relationships (create, update, delete) (time, name of the user, name of the operation).

Format of the log record (row in the log file)

<timestamp> INFO AUDIT_LOGGER:<loggerInstanceId> - AUDIT <action> <actionData>

timestamp - system time
loggerInstanceId - internal Java logger id, not usable for audit reporting
action - action code, like CSV_EXPORT_NODE or VIS_ACCESS
actionData - here are key:value pairs with data specific to the <action>. Every action can have different actionData stored

Implemented events

Action	Custom Data	Note
LOGIN_SUCCESS
LOGIN_FAILURE
LOGOUT_SUCCESS
CSV_EXPORT_NODES	numOfRecords	numOfRecords - number of exported rows with data
CSV_EXPORT_RELS	numOfRecords	numOfRecords - number of exported rows with data
PNG_EXPORT
VIS_CREATE	visId	visId - The ID of the created visualization
VIS_ACCESS	visId	visId -The ID of the accessed visualization
PUBLIC_VIS_ACCESS	visId	visId -The ID of the accessed visualization
VIS_SHARE_USERS	addedUsers, removedUsers	Note: the VIS_SHARE_USERS and VIS_SHARE_GROUPS are always as double record log (two log rows for one action) because with one frontend action of vis sharing, there are two backend calls (one call is for change in user sharing list and one is for change in group sharing list)
VIS_SHARE_GROUPS	addedGroups, removedGroups
CREATE_NODE
UPDATE_NODE
UPDATE_NODES	updatedNodes	updatedNodes - number of updated nodes
DELETE_NODE
CREATE_RELATIONSHIP
UPDATE_RELATIONSHIP
DELETE_NODE_RELATIONSHIP
CREATE_USER	createdUser	If the user was created with the SSO workflow, then the 'user' is set to the actually created user.
UPDATE_USER	updatedUser
DELETE_USER	deletedUser
UNDELETE_USER	undeletedUser
ENABLE_USER	enabledUser
DISABLE_USER	disabledUser
CHANGE_PASSWORD	passwordChangedForUser	If the password was changed with email password self-service or SSO workflows, then the 'user' is set to the same value as 'passwordChangedForUser'.
CREATE_GROUP	createdGroup, permissions	Permissions is a comma-separated list of all granted permissions, e.g., 'PERM_DATA_MGMT,PERM_SETTINGS'.
UPDATE_GROUP	updatedGroup, permissions	Permissions is a comma-separated list of all granted permissions, e.g., 'PERM_DATA_MGMT,PERM_SETTINGS'.
DELETE_GROUP	deletedGroup
ADD_USER_TO_GROUP	group, users	The 'users' attribute is a multivalued one with values separated by a comma.
REMOVE_USER_FROM_GROUP	group, users	The 'users' attribute is a multivalued one with values separated by a comma.
UPDATE_GROUP_PERMISSION	group, permissions	Permissions is a comma-separated list of all granted permissions, e.g., 'PERM_DATA_MGMT,PERM_SETTINGS'.
UPDATE_GROUP_DATA_SECURITY	group
UPDATE_SETTINGS	setting
CREATE_JOB	job
UPDATE_JOB	job
DELETE_JOB	job
RUN_JOB	job
LIBRARY_CREATE	libraryId	libraryId - the ID of the library created
LIBRARY_UPDATE	libraryId	libraryId - the ID of the library updated
LIBRARY_DELETE	libraryId	libraryId - the ID of the library deleted
FILE_IMPORT_STARTED
GREMLIN_QUERY

Examples

01.16 10:09:13.198  INFO AUDIT_LOGGER:30 - AUDIT LOGIN_SUCCESS user:'admin'
01.16 10:09:24.502  INFO AUDIT_LOGGER:964 - AUDIT CSV_EXPORT_NODES user:'admin' numOfRecords:16
01.16 10:09:55.815  INFO AUDIT_LOGGER:1118 - AUDIT CSV_EXPORT_RELS user:'admin' numOfRecords:2217
01.16 10:10:00.266  INFO AUDIT_LOGGER:111 - AUDIT PNG_EXPORT user:'admin'
01.16 10:12:13.479  INFO AUDIT_LOGGER:99 - AUDIT VIS_ACCESS user:'admin' visId:2
01.16 10:12:25.981  INFO AUDIT_LOGGER:148 - AUDIT CSV_EXPORT_WIDGET user:'admin' numOfRecords:2656
01.16 10:13:55.033  INFO AUDIT_LOGGER:43 - AUDIT LOGIN_FAILURE user:'admin' exception:'Bad credentials'
01.16 10:14:04.059  INFO AUDIT_LOGGER:43 - AUDIT LOGIN_FAILURE user:'someLoginFail' exception:'Bad credentials'
01.16 10:14:16.990  INFO AUDIT_LOGGER:30 - AUDIT LOGIN_SUCCESS user:'admin'
01.16 10:14:20.662  INFO AUDIT_LOGGER:99 - AUDIT VIS_ACCESS user:'admin' visId:2
01.16 10:24:26.603  INFO AUDIT_LOGGER:411 - AUDIT VIS_SHARE_USERS user:'admin' visId:2 addedUsers:0 removedUsers:0
01.16 10:24:26.604  INFO AUDIT_LOGGER:449 - AUDIT VIS_SHARE_GROUPS user:'admin' visId:2 addedGroups:1 removedGroups:0

2.2.2. Frontend Audit log

File: graphlytic-frontend.log

Contains audit logs (a subset of the common log) of the Graphlytic frontend application with richer context information, e.g., about exploring.

Format of the log record (row in the log file)

{"serverTimestamp":"2020-02-13T16:44:29.342+01:00","userLogin":"admin","ipAddress":"0:0:0:0:0:0:0:1","eventType":"EXPLORING","urlPath":"/visualization","exploringMode":"FINAL_DATA","exploredNodeIds":["2","5"]}

Implemented events

Action

Custom Data

EXPLORING

exploringMode: "FINAL_DATA" (without opening the explore filter), "USER_FILTER" (with opened explore filter)
exploredNodeIds: Graph DB IDs of explored nodes
exploredNodeUids: UID values of explored nodes (present only when the UUID functionality is turned on)
noFilter: flag. True if no filtering options were used. False if nodes or edges filtering was used.

SEARCH

searchType:
- "QUERY": when a custom query (Cypher or Gremlin) was used.
- "TEMPLATE": when a query template was used.
- "FULLTEXT": usage of the fulltext search.
numOfNodes: number of nodes found based on the search action.
numOfRelationships: number of relationships found based on the search action.
searchTerm: search term used in the "FULLTEXT" searchType.
query: query that was executed in the "TEMPLATE" or "QUERY" searchType.
title: title of the executed query template in the "TEMPLATE" searchType or saved query in the "QUERY" searchType.

3. Audit Log REST API

3.1. GET /audit/data

Service GET /audit/data can be used to read normalized audit log data.

Every record (a parsed line from an audit log file) consists of these attributes:

Record attribute	Data type	Description
logger	String	Logger identification. Values are "BE" (backend logger) or "FE" (frontend logger)
dateTime	Number	Epoch time of the logged event
username	null or String	Username of the user who created the event.
action	String	Audit event action. Values: see the chapter below.
json	null or Object	Additional data for the event. The structure is dependent on the "action" value.

Example of response

[
    {
        "logger": "BE",
        "dateTime": 1581155429371,
        "action": "LOGIN_SUCCESS",
        "username": "admin",
        "json": null
    },
    {
        "logger": "BE",
        "dateTime": 1581193189302,
        "action": "UPDATE_NODE",
        "username": "admin",
        "json": null
    },
    {
        "logger": "FE",
        "dateTime": 1583488172967,
        "action": "EXPLORING",
        "username": "admin",
        "json":{
            "serverTimestamp": "2020-03-06T10:49:32.967+01:00",
            "userLogin": "admin",
            "ipAddress": "0:0:0:0:0:0:0:1",
            "eventType": "EXPLORING",
            "urlPath": "/visualization",
            "exploringMode": "FINAL_DATA",
            "exploredNodeIds":["46152", "46153", "46154", "46155"]
        }
    }
]

3.2. POST /audit/data/frontend

Graphlytic REST API service for frontend events collecting. Can be used in custom widgets to log specific user behavior.

Request example

{
    "eventType" : "some event type",
    "urlPath" : "...",
    "userTimestamp" : "...",
    ...other event data entered as key:value pairs...
}