We’re overhauling Dgraph’s docs to make them clearer and more approachable. If
you notice any issues during this transition or have suggestions, please
let us know.
- Endpoint
- Logged-in User Name
- Server host address
- Client Host address
- Request Body (truncated at 4KB)
- Timestamp
- Namespace
- Query Parameters (if provided)
- Response status
Audit log scope
Most queries and mutations sent to Dgraph Alpha and Dgraph Zero are logged. Specifically, the following are logged:- HTTP requests sent over Dgraph Zero’s 6080 port and Dgraph Alpha’s 8080 port (except as noted below)
- gRPC requests sent over Dgraph Zero’s 5080 port and Dgraph Alpha’s 9080 port (except the Raft, health and Dgraph Zero stream endpoints noted below)
- Responses to queries and mutations
- HTTP requests to
/health
,/state
and/jemalloc
endpoints - gRPC requests to Raft endpoints (see Raft)
- gRPC requests to health endpoints (
Check
andWatch
) - gRPC requests to Dgraph Zero stream endpoints (
StreamMembership
,UpdateMembership
,Oracle
,Timestamps
,ShouldServe
andConnect
)
Audit log files
All audit logs are in JSON format. Dgraph has a “rolling-file” policy for audit logs, where the current log file is used until it reaches a configurable size (default: 100 MB), and then is replaced by another current audit log file. Older audit log files are retained for a configurable number of days (default: 10 days). For example, by sending this query:Enable audit logging
You can enable audit logging on a Dgraph Alpha or Dgraph Zero node by using the--audit
flag to specify semicolon-separated options for audit logging. When
you enable audit logging, a few options are available for you to configure:
compress=true
tells Dgraph to use compression on older audit log filesdays=20
tells Dgraph to retain older audit logs for 20 days, rather than the default of 10 daysoutput=/path/to/audit/logs
tells Dgraph which path to use for storing audit logsencrypt-file=/encryption/key/path
tells Dgraph to encrypt older log files with the specified keysize=200
tells Dgraph to store audit logs in 200 MB files, rather than the default of 100 MB files
Example commands
The commands in this section show you how to enable and configure audit logging.Enable audit logging
In the simplest scenario, you can enable audit logging by simply specifying the directory to store audit logs on a Dgraph Alpha node:Enable audit logging with compression
In many cases you want to compress older audit logs to save storage space. You can do this with a command like the following:Enable audit logging with encryption
You can also enable encryption of audit logs to protect sensitive information that might exist in logged requests. You can do this, along with compression, with a command like the following:Decrypt audit logs
To decrypt encrypted audit logs, you can use thedgraph audit decrypt
command,
as follows: