This article describes the options available for event logging in DRACOON and how to configure them.
Possibilities for event logging in DRACOON
All events that take place in a DRACOON environment are logged by DRACOON in real time in the so-called audit log. This makes it possible to trace all processes in a DRACOON environment at any time.
For example, the audit log can be used to determine at what times a certain user logged in, when this user was added to a certain group (and thus gained access to certain data rooms), which user deleted a certain file at what time, and so on. The audit log also records events that were not triggered by any of the users set up in DRACOON, such as anonymous downloads and uploads by external users via shares or file requests, as well as the automatic deletion of users, files, shares and file requests after a set expiration date has passed.
Under Settings > Logging you can define how many days the audit log should go back. You can also define whether the IP address of the respective user should be logged for each event.
For the evaluation of the audit log, powerful reports are available in DRACOON, which can be generated as PDF or CSV files.
In the DRACOON Premium product variant, an external syslog host (server) can also be connected if required, to which all events occurring in DRACOON are forwarded - in this way, all events from DRACOON can be logged in real time in a separate system and processed further from there.
Who is allowed to set the logging settings and view the audit log?
Only users with the Configuration manager role are allowed to change the logging settings. The evaluation of the audit log (e.g. via reports or the API) is only allowed for users with the Auditor role.
This division of roles can meet any necessary data protection requirements in companies by ensuring that system administrators (i.e. configuration managers) do not automatically have access to log entries that may disclose personal data of DRACOON users (e.g. file names and usage times) - this authorization can be delegated to a dedicated user with the Auditor role.
Set settings for the audit log
- In the left sidebar, click Settings and then Logging.
- In the Retention time in days field, specify how many days entries should be retained in the audit log (default: 90 days) until they are automatically deleted from the audit log.
- If you want to archive DRACOON log entries in the long term or evaluate them on a large scale, it is recommended to connect an external syslog host for this purpose (see below).
- If you specify a retention period of 0 days, no events are recorded in the audit log. This can be useful, for example, if you have connected an external syslog host to which all DRACOON events are forwarded and therefore do not need the audit log from DRACOON.
- If you want the audit log to also record, for each event, the IP address from which the request originated, activate the switch Record IP addresses.
- Data protection notice: Please note that the recording of IP addresses can be problematic with regard to data protection (GDPR), as the IP addresses of anonymous uploads/downloads via file requests or shares are also logged. If necessary, clarify this issue with your data protection officer before activating IP address recording.
Connect an external syslog host to DRACOON
In addition to, or as an alternative to, the DRACOON audit log, users of the DRACOON Premium product variant can connect an external syslog host (server) to DRACOON. DRACOON forwards all logged events that would also be contained in the audit log to this host in real time. In this way you can store the log of DRACOON events in your own log system and later evaluate and process it from there as desired, e.g. in your own analysis software.
Data protection notice when using an external syslog host: Please note that the special DRACOON role Auditor, which regulates in DRACOON who may access the audit log of DRACOON, is bypassed when using an external syslog host - anyone who has access to the contents of the syslog host can view the log transmitted by DRACOON, which may contain data protection-relevant contents. If necessary, clarify the necessary access rights to the external syslog host with your data protection officer before connecting it to DRACOON.
How to connect your own external syslog host to DRACOON:
- In the left sidebar, click Settings and then Logging.
- Click the Syslog tab.
- Enable the Use external syslog host switch.
- The Configure External Syslog Host dialog box appears, where you can specify the settings for connecting your syslog host. Specify the IP address or hostname of your syslog host, the port used, and the protocol used (TCP or UDP).
- If you want DRACOON to also record, for each event, the IP address from which the request originated, activate the switch Record IP addresses.
Data protection notice: Please note that the recording of IP addresses can be problematic with regard to data protection (GDPR), as the IP addresses of anonymous uploads/downloads via file requests or shares are also logged. If necessary, clarify this issue with your data protection officer before activating IP address recording.
- Click on Save. The syslog host is connected to DRACOON from now on and should receive events from DRACOON - please check if they arrive correctly at the syslog host and change the settings for the syslog host in DRACOON or at the syslog host itself again if necessary.
Please note that the log data transmitted by DRACOON can occupy a considerable amount of storage space on the syslog host over time. Therefore, make sure that there is always enough free storage space available there and, if necessary, regularly reduce the size of the log that has accumulated there in the meantime (e.g. by offloading it).
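
One way to keep the Auditor separation on the syslog host itself, shown as an added example that is not part of the DRACOON documentation. It assumes the host runs rsyslog; the configuration file name, port, sender address, log path and group name are placeholders.

```conf
# /etc/rsyslog.d/30-dracoon.conf  (file name is an assumption)
# Receiver-side settings for events forwarded by DRACOON.

# Load both transports; keep only the one selected in the
# "Configure External Syslog Host" dialog (TCP or UDP).
module(load="imudp")
module(load="imtcp")

# Port 5514 is a placeholder; use the port entered in DRACOON.
# Binding the inputs to their own ruleset keeps DRACOON events out of the
# host's general log files, which other administrators may be able to read.
input(type="imudp" port="5514" ruleset="dracoon")
input(type="imtcp" port="5514" ruleset="dracoon")

ruleset(name="dracoon") {
    # 192.0.2.10 is a placeholder for the address DRACOON sends from.
    # Messages from any other sender are not written to the audit file.
    if $fromhost-ip == "192.0.2.10" then {
        # The directory and file are created readable only by their owner
        # and the hypothetical group "dracoon-audit", the host-side
        # counterpart of the DRACOON Auditor role.
        # rsyslog needs enough privilege to assign this group; if it drops
        # privileges, its service account must be a member of the group.
        action(type="omfile"
               file="/var/log/dracoon/audit.log"
               dirCreateMode="0750" fileCreateMode="0640"
               dirGroup="dracoon-audit" fileGroup="dracoon-audit")
    }
}
```

The create modes only apply when rsyslog creates the directory and file, so permissions on an existing log path have to be corrected by hand.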