Audit Logging

Moogsoft Enterprise provides logging of the following information:

You can also view changes in the severity of Situations.

Audit log entry details

Audit log entries contain the following markers:

  • CONFIG_AUDIT: Configuration changes including creating and updating system configuration properties, and updating user properties.

  • SESSION_AUDIT: User sessions and authentication.

  • PERMISSIONS_AUDIT: Creating and updating users, changing roles and teams.

User sessions and authentication

Moogsoft Enterprise logs all of the following for user sessions and for all uses of authentication subsystems, regardless of whether authentication is successful, whether acting as a client or a server, or of the underlying protocol.

These log entries contain the SESSION_AUDIT marker:

  • User (DB/SAML/Graze) session creation.

  • User (DB/SAML/Graze) session expiry.

  • User logging out from UI.

  • User login failure.

Access session log information using Graze and MoogDb v2

You can use the following Graze endpoints or MoogDb v2 methods to access session audit log information:


Graze Endpoint

MoogDb V2 Method

Return session information for users over a period of time.



Return session information for an individual user.



Authorization changes

Moogsoft Enterprise logs all of the following authorization changes with the PERMISSIONS_AUDIT marker:

  • Creating or deleting principals, including usernames, teams, and roles.

  • Modifying privileges, team assignments, or other "marks of authority" associated with principals.

  • Creating or deleting teams, roles, or other names for authorisation categories.

  • Modifying privileges or access associated with teams, roles, or users.

Configuration changes by administrators

Moogsoft Enterprise logs all of the following administrative changes with the CONFIG_AUDIT marker:

  • Creating a new user and updating a user.

  • Creating a new team and updating a team.

  • Adding and editing a Cookbook.

  • Adding, deleting, and editing a Recipe.

  • Toggling/editing Tempus.

  • Toggling and retraining Probable Root Cause.

  • Adding, deleting, and updating merge groups.

  • Creating, editing and deleting link definitions.

  • Adding, editing, and disabling Situation and alert columns.

  • Creating, editing, and deleting the Workflow Engine.

  • Customization changes.

  • Online help and support changes.

  • Changes to Hotkeys.

  • Changes to Chatops.

  • Adding, editing, and deleting action states.

  • Creating, editing, and deleting Situation client tools, Situation server tools, alert client tools, alert server tools, and generic server tools.

  • Updating the system config file.

  • Restarting Moogfarmd

Enable audit logging

Audit logging is disabled by default. To enable it, follow these steps:

  1. Locate the log file of the component for which you want to add audit logging. See Configure Logging for details.Configure Logging

  2. Add a RollingFile section to the configuration.appenders section of the file. For example:

    "RollingFile": {
        "name": "AUDIT",
        "fileName": "/tmp/audit.log",
        "filePattern": "audit.log-%d{MM-dd-yy}-%i.gz",
        "PatternLayout": {
            "pattern": "%-5level: [%thread][%date{yyyMMdd HH:mm:ss.SSS Z}] [%file:%line] +|%message|+%n"
            "Policies": {
                "SizeBasedTriggeringPolicy": {
                    "size": "500M"
            "DefaultRolloverStrategy": {
                "max": "40"
        "filters": {
            "MarkerFilter": {
                "marker": "AUDIT",
                "onMatch": "ACCEPT",
                "onMismatch": "DENY"
  3. Replace the original loggers block in the same log file:

            "name": "com.moogsoft",
            "additivity": false,
            "AppenderRef": [
                "ref": "STDOUT"
            "level": "info"

    with the following:

        "Logger": [
            "name": "com.moogsoft",
            "additivity": false,
            "AppenderRef": [
                "ref": "STDOUT"
            "level": "info"
            "name": "com.moogsoft",
            "additivity": false,
            "AppenderRef": [
                "ref": "AUDIT"
            "level": "trace"

Situation severity changes

You can use the Graze endpoint getSituationSeverityChanges to return the changes in severity for a Situation. The highest severity of any of the alerts in a Situation determines the severity of the Situation. This endpoint returns increases in severity and a change to a severity of 0 (Clear).

If a Situation has closed, this endpoint returns a severity of 0 (Clear) and the timestamp when the Situation was closed. The endpoint does not return any further changes in severity after it has returned to 0 (Clear).

See getSituationSeverityChanges for more information.


Example log file entries with the CONFIG_AUDIT marker:

DEBUG: [http-apr-8085-exec-1][20191004 11:40:44.703 +0100] [] +|Admin request: [createUser] called by [admin]|+
DEBUG: [http-apr-8085-exec-11][20191004 11:44:21.078 +0100] [] +|Admin request: [createSystemConfig] called by [admin]|+
DEBUG: [http-apr-8085-exec-3][20191004 11:44:28.721 +0100] [] +|Admin request: [deleteSystemConfig] called by [admin]|+
DEBUG: [http-apr-8085-exec-8][20191004 11:44:39.936 +0100] [] +|Admin request: [updateSystemConfig] called by [admin]|+
DEBUG: [http-apr-8085-exec-7][20191004 11:54:49.054 +0100] [] +|Admin request: [manageAlertColumns] called by [admin]|+
DEBUG: [http-apr-8085-exec-8][20191004 11:56:05.710 +0100] [] +|Admin request: [getTempus] called by [admin]|+
DEBUG: [http-apr-8085-exec-7][20191004 12:08:31.005 +0100] [] +|Admin request: [updateSystemConfig] called by [admin]|+
WARN : [http-apr-8085-exec-11][20191004 12:09:34.142 +0100] [] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-3][20191004 12:09:46.173 +0100] [] +|Create session: started [username: [admin]; session: [...6f40ab08]]|+
DEBUG: [http-apr-8085-exec-1][20191004 12:11:16.243 +0100] [] +|Admin request: [setFeatureToggleState] called by [admin]|+

Example log file entries with the SESSION_AUDIT marker:

WARN : [http-apr-8085-exec-4][20191001 15:12:15.399 +0100] [] +|User [aa] account unknown|+
WARN : [http-apr-8085-exec-9][20191001 15:12:24.018 +0100] [] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-9][20191001 15:23:23.666 +0100] [] +|Create session: started [username: [ava]; session: [...141fe68b]]|+
DEBUG: [0:AdapterHandler][20191001 15:25:06.983 +0100] [] +|Seession [username: [ava]; session: [...141fe68b]] expired.|+
WARN : [http-apr-8085-exec-6][20191001 15:25:21.720 +0100] [] +|User [admin] login failed|+
DEBUG: [http-apr-8085-exec-3][20191001 15:26:58.446 +0100] [] +|Create session: started [username: [isaac]; session: [...e22b6fa0]]|+
DEBUG: [http-apr-8085-exec-4][20191001 15:29:10.686 +0100] [] +|Session username: [isaac]; session: [...e22b6fa0] was closed - user logged out.|+
WARN : [http-apr-8085-exec-7][20191001 15:29:34.546 +0100] [] +|User [aloo] login failed|+
DEBUG: [http-apr-8085-exec-8][20191001 15:35:16.658 +0100] [] +|Create session: started [username: [admin]; session: [...1f8a886f]]|+
DEBUG: [http-apr-8085-exec-1][20191001 15:35:21.893 +0100] [] +|Session username: [admin]; session: [...1f8a886f] was closed - user logged out.|+
WARN : [http-apr-8085-exec-7][20191001 15:35:28.212 +0100] [] +|User [admin] login failed|+

Example log file entries with the PERMISSIONS_AUDIT marker:

DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.525 +0100] [] +|Admin request: [createUser] called by [admin]|+
DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.755 +0100] [] +|User with Id: [5] and name: [newuser] roles changed, new roles are: [[4]].|+
DEBUG: [http-apr-8085-exec-8][20200512 17:19:42.758 +0100] [] +|Created user [newuser]|+
DEBUG: [http-apr-8085-exec-9][20200512 17:20:12.953 +0100] [] +|Admin request: [createTeam] called by [admin]|+
DEBUG: [http-apr-8085-exec-9][20200512 17:20:12.997 +0100] [] +|Team [my new team 123] created with ID [2]|+
DEBUG: [http-apr-8085-exec-10][20200512 17:20:35.153 +0100] [] +|Admin request: [updateRole] called by [admin]|+
DEBUG: [http-apr-8085-exec-10][20200512 17:20:35.156 +0100] [] +|Updated role: ID: [4], name: [Operator], permissions: [[sig_visualize, sig_modify, sig_resolve, thread_create, add_media, alert_assign, alert_modify, alert_close, filters, prc_feedback, all_data, manage_maint, moolet_informs, view_summary, collect_insights, collab_write, collab_read]].|+