Audit Logs

TigerGraph’s audit logs track information about user actions such as the action taken, the user permissions, the client used, and so on.

Logging in the same files can also be found for login, and all other requests sent to any of these services.

REST endpoint request history

All requests made to TigerGraph’s REST endpoints are recorded by the RESTPP logs and Nginx logs. Information available in the logs includes:

  • Timestamp of the request

  • API request parameters

  • Request Status

  • User information (when RESTPP authentication is turned on)

RESTPP is responsible for many tasks in the TigerGraph internal architecture and records many internal API calls, which can be hard to distinguish from manual requests. When RESTPP authentication is on, the RESTPP log will record the user information and mark a call if it is made by an internal API. Therefore, you can use the command below to filter for manual requests:

# In the restpp log directory
$ grep -i "requestinfo" log.INFO | grep -v "__INTERNAL_API__"

# All requests exluding the ones made by internal API
I0315 21:11:59.666318 14535 handler.cpp:351] RequestInfo|,1.RESTPP_1_1.1615842719666.N,NNN,0,0,0|user:tigergraph|api:v2|function:NoSchema|graph_name:social|libudf:
I0315 21:41:36.462616 14541 handler.cpp:351] RequestInfo|,196622.RESTPP_1_1.1615844496462.N,NNN,0,0,0|user:tigergraph|api:v2|function:NoSchema|graph_name:social|libudf:

RequestInfo contains the ID of the request, which you can use to look up more information on the request :

Screenshot showing the ID of the request highlighted in the console.

Here is an example of using a request ID to look up a request in the restpp log:

$ grep "1615842719666" log.INFO

# Returns all information about the specific request
# RawRequest log is captured at the entry point of a query
I0315 21:11:59.666026 14535 handler.cpp:285] RawRequest|,1.RESTPP_1_1.1615842719666.N,NNN,0,0,0|GET|/echo?parameter1=parameter_value|async = 0|payload_data.size() = 0|api = v2
# RequestInfo log is captured after the request has been parsed,
# and contains information such as username and the function or UDF to run
I0315 21:11:59.666318 14535 handler.cpp:351] RequestInfo|,1.RESTPP_1_1.1615842719666.N,NNN,0,0,0|user:tigergraph|api:v2|function:NoSchema|graph_name:social|libudf:
# ReturnResult is captured when the request has been processed
I0315 21:11:59.666509 14535 requestrecord.cpp:325] ReturnResult|0|0ms|RESTPP|1.RESTPP_1_1.1615842719666.N|user:tigergraph|/echo|graph_id=1&graph_name=social&parameter1=parameter_value|39

Query execution via RESTPP

NGINX#1.out log contains the endpoint accessed, the IP, and the client. RESTPP log.INFO contains the query run, user who ran it, and the graph it ran against.

In a cluster, the log for the node that processed the request contains the details. For example, if the request was routed to m3, the log would be in NGINX#3.out on m3 or RESTPP log.INFO on m3.

Example query:

curl -H "Authorization: Bearer 4m6nh1rakn60430rjf5asv" <ip_address>:9000/query/ldbc_snb/example_query

Nginx logs:

<ip_address> - - [30/Jun/2022:01:37:52 +0000] "GET /query/ldbc_snb/example_query HTTP/1.1" 200 117 "-" "curl/7.29.0"

RESTPP logs:

I0630 01:41:29.779425 29409 handler.cpp:312] RawRequest|,131076.RESTPP_1_1.1656553289779.N,NNN,0,0,0,S|GET|/query/ldbc_snb/example_query|async = 0|payload_data.size() = 0|api = v2
I0630 01:41:29.779491 29409 handler.cpp:434] RequestInfo|,131076.RESTPP_1_1.1656553289779.N,NNN,0,0,0,S|user:example_user|api:v2|function:queryDispatcher|graph_name:ldbc_snb|libudf:libudf_ldbc_snb
I0630 01:41:29.783354 29410 requestrecord.cpp:349] ReturnResult|0|4ms|GPE_1_1|131076.RESTPP_1_1.1656553289779.N|user:example_user|/query/ldbc_snb/example_query|graph_id=1|117

Query execution via GraphStudio

Nginx NGINX#1.out log contains the endpoint accessed, the IP from where it was accessed, and the client. GraphStudio (GUI) GUI#1.out contains the query run, user who ran it, and the graph it ran against.

Nginx logs

136.2.2.2 - - [30/Jun/2022:01:44:58 +0000] "GET /api/restpp/query/ldbc_snb/example_query HTTP/1.1" 202 67 "http://35.2.2.2:14240/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0"

GraphStudio logs

2022-06-30 01:46:28.911 I | middleware/logger.go:63] <-- |     |               | 8d4b9219-0733-4413-8dd2-e4765a7e08da |    example_user |  136.2.2.2 | GET     /api/restpp/query/ldbc_snb/example_query
2022-06-30 01:46:28.922 I | middleware/logger.go:96] --> | 202 |   11.297188ms | 8d4b9219-0733-4413-8dd2-e4765a7e08da |    example_user |  136.2.2.2 | GET     /api/restpp/query/ldbc_snb/example_query

Query execution via GSQL CLI

The NGINX#1.out log contains the endpoint accessed, the IP from where it was accessed, and the client. GSQL log.INFO contains all commands run during the client session, including queries run, and graph queries ran against.

In a cluster, the GSQL request will be served by the current GSQL leader which could be any node running the GSQL service.

Nginx logs

10.2.2.2 - - [30/Jun/2022:01:51:07 +0000] "POST /query/ldbc_snb/example_query HTTP/1.1" 200 117 "-" "Apache-HttpClient/4.5.13 (Java/11.0.10)"

GSQL logs

Leader:

I@20220630 01:58:37.050 example_user|localhost:50366|00000003140 (QueryRunner.java:87) RunQuery: http://10.2.2.3:9000/query/ldbc_snb/example_query
I@20220630 01:58:37.050 example_user|localhost:50366|00000003140 (GlobalCatalog.java:769) use 4m6****asv to authenticate graph ldbc_snb
I@20220630 01:58:37.066 example_user|localhost:50366|00000003140 (CommandHandler.java:125) (Succeeded) _GSQL_CMD_DDL: run query example_query(...)

Follower:

I@20220630 01:52:02.256  (GsqlHAHandler.java:359) 2430|Forward request to http://10.2.2.3:14240/gsqlserver/gsql/command
I@20220630 01:52:02.269  (GsqlHAHandler.java:464) 2430|Forward request finish http://10.2.2.3:14240/gsqlserver/gsql/command

Monitor user management tasks

User management activities, such as logins, role and privilege changes are recorded in the GSQL logs in the folder gsql.

To view recent activities, use the symlink log.INFO. To filter for information that you need, you can use Linux commands such as grep and tail.

For example, to view recent changes in roles, you can run the following command in the gsql log directory:

$ grep -i "role" log.INFO

# Returns all lines containing the word "role"
#                        username     source IP
I@20210312 22:41:16.167 tigergraph|127.0.0.1:45854|00000000077 (BaseHandler.java:133) Received|POST|/gsql/roles?action=grant&role=globaldesigner&name=lennessy|0
I@20210312 22:41:16.863 tigergraph|127.0.0.1:45854|00000000077 (BaseHandler.java:167) Successful|POST|/gsql/roles?action=grant&role=globaldesigner&name=lennessy|application/json; charset=UTF-8|696ms

To view login activities, search log.INFO for "login" instead.

$ grep -i "login" log.INFO

# Returns all lines containing the world "login"
I@20210315 21:08:42.047 tigergraph|127.0.0.1:53960|00000000001 (BaseHandler.java:133) Received|POST|/gsql/login|28
I@20210315 21:08:42.061 tigergraph|127.0.0.1:53960|00000000001 (LoginHandler.java:52) The gsql client is started on the server, and the working directory
is /home/tigergraph/tigergraph/log/restpp
I@20210315 21:08:42.072 tigergraph|127.0.0.1:53960|00000000001 (LoginHandler.java:80) Successful|Login|tigergraph
I@20210315 21:08:42.080 tigergraph|127.0.0.1:53960|00000000001 (BaseHandler.java:167) Successful|POST|/gsql/login|application/json; charset=UTF-8|35ms