AUDIT LOG FILE

[joaosimoes08]

Attempted Debugging

• [X] I have read the debugging page

Searched GitHub Issues

• [X] I have searched GitHub for the issue.

Describe the Scenario

I want to filter some logs to my SIEM but I can´t find any file on bookstack's docker that contains that info. Are audit logs saved to a file?

Exact BookStack Version

v23.10.4

Log Content

No response

Hosting Environment

Docker on Ubuntu 22.04

[ssddanbrown]

Are audit logs saved to a file?

No. The audit log you see in the BookStack interface is sourced from the activities table within the database. If desired, our logical theme system has the ability to use PHP code to hook into activity events to run custom logic (where you could then write to a log file if desired).

[joaosimoes08]

No. The audit log you see in the BookStack interface is sourced from the activities table within the database. If desired, our logical theme system has the ability to use PHP code to hook into activity events to run custom logic (where you could then write to a log file if desired).

I am trying to send all the logs to a file but I am deploying bookstack using docker. Should I add APP_THEME= to the compose.yml? My code looks like this (still need to add the other activities but I am not able to output any file and I don´t see any error...):

`<?php

use BookStack\Actions\ActivityType; use BookStack\Entities\Models\Page; use BookStack\Facades\Theme; use BookStack\Theming\ThemeEvents;

Theme::listen(ThemeEvents::ACTIVITY_LOGGED, function (string $activityType, $detail) {

if (!$detail instanceof Page) {
    return;
}

$validTypes = [ActivityType::PAGE_UPDATE, ActivityType::PAGE_CREATE];
if (!in_array($activityType, $validTypes)) {
    return;
}

$outPath = "/config/{$detail->id}.html";
file_put_contents($outPath, $detail->html);

});

?>`

[ssddanbrown]

Should I add APP_THEME= to the compose.yml?

Yes, it'll need to align with the name of your theme folder, and your theme folder will need to be in the right place. I have a video on setting up the theme folder in a linuxserver.io stack here: https://www.youtube.com/watch?v=Tf74_2iphz0

As a theme functions.php example:

<?php

use BookStack\Activity\ActivityType;
use BookStack\Activity\Models\Loggable;
use BookStack\Theming\ThemeEvents;
use BookStack\Facades\Theme;

Theme::listen(ThemeEvents::ACTIVITY_LOGGED, function (string $type, string|Loggable $detail) {

    // The path to log events to.
    // The webserver/php process will need permission to write here
    $logFile = storage_path('logs/activity.log');

    // Activities to log.
    // Remove this and the below "if" block to not filter by activity.
    $activitiesToLog = [
        ActivityType::BOOK_CREATE,
        ActivityType::BOOK_UPDATE,
        ActivityType::PAGE_UPDATE,
    ];
    if (!in_array($type, $activitiesToLog)) {
        return;
    }

    // Build the log line
    $detailMsg = is_string($detail) ? $detail : $detail->logDescriptor();
    $user = user();
    $date = date(DATE_RFC3339);
    $logMessage = "[{$date}] {$type} :: user {$user->id} :: $detailMsg \n";

    // Append the log line
    file_put_contents($logFile, $logMessage, FILE_APPEND);
});

[joaosimoes08]

Hey, I'm gonna give it a try tomorrow morning. I will close the issue if that solves the problem! Many thanks for your help

[joaosimoes08]

I am getting "an error ocurred" since I added the theme. I copied the code and pasted, followed every step. Still not getting the activity.log file.

[joaosimoes08]

[2024-01-23 11:20:15] production.ERROR: Class "BookStack\Activity\ActivityType" not found {"userId":1,"exception":"[object] (Error(code: 0): Class \"BookStack\\Activity\\ActivityType\" not found at /config/www/themes/mytheme/functions.php:17) [stacktrace] The error I get when doing cat laravel.log

[ssddanbrown]

@joaosimoes08 In your original post you stated you were using BookStack v23.10.4. Is that correct? If so, how are you verifying this? Just questioning as the error above may indicate an older version in use.

[joaosimoes08]

Sorry, yes the version was outdated. Now i don´t have the error but the activity.log file is not created.

[ssddanbrown]

@joaosimoes08 Alright, the log will likely be in the container. You could try changing the $logFile = storage_path('logs/activity.log'); line to: $logFile = '/config/activity.log';

So that it appears in your mounted /config path on the host.

[joaosimoes08]

It's working now!! Thank you very much.

[ssddanbrown]

Good to hear! I'll therefore close this off.

[joaosimoes08]

Anyway of getting the IP Address to show there? I can´t seem to find the function that gets it.

[ssddanbrown]

@joaosimoes08 $ip = request()->ip(); should get what you want.

[joaosimoes08]

Everything working now! Thanks

[joaosimoes08]

Hey, sorry for bothering again! Anyway I can make the file go to /var/log/bookstack instead of /config folder? Without symlinks

Best Regards

[ssddanbrown]

@joaosimoes08

• Are you still running BookStack in a container?
• Do you want it to go to /var/log/bookstack within the container or on the host system?

[joaosimoes08]

I am still using containers. The file is going for (docker_location)/bookstack_app_data/activity.log. I want the activity.log to be created on /var/log/bookstack in the host machine not inside the container. Is this possible?

[ssddanbrown]

@joaosimoes08 In that case, you could try changing the $logFile line to a known location outside the existing volume like $logFile = '/activity.log';, then add an extra volume mapping to your docker config/command (/var/log/bookstack:/activity.log)

[joaosimoes08]

I will give it a shot.

Thank you very much!

[joaosimoes08]

Good morning, I was hoping to add full path to pages on the audit log. Is it possible? For example, now what we have is I create the book and it logs the ID and name of it, if the book id is 1 and name is test, I get (1) Test. I was hoping I could get this book's full path, for example Shelf1-Test and the same for pages, chapters, books...

Best Regards