Recording Activity log to Syslog or Event Viewer
Passwork can record events from the Activity log in CEF (Common Event Format), this allows you to customize the sending of events to the SIEM.
We do not provide instructions or examples on how to configure specific logging solutions, as such actions are directly dependent on the infrastructure of a particular company.
Go to Settings and Users → Activity log → Settings, activate the option — Write activity logs to the syslog or Windows event log:
By default, once activated, all Passwork events will be written to a local file:
- DEB (Ubuntu, Debian, Astra Linux) — /var/log/syslog
- RPM (CentOS, RedHat) — /var/log/messages
- Docker — /<passwork>/log/php/syslog
If DEB-based Linux servers do not have a syslog file, you need to install the package — apt install syslog-ng -y
Every event includes:
- Event ID — a unique identifier of the action, for example item_created;
- Severity — importance level of the event from 1 (low) to 10 (high);
- Description — a description of the action that occurred;
- Additional fields:
- suid — ID of the user who performed the action;
- suser — Login of the user who performed the action;
- duid — ID of the user on whom the action was performed;
- duser — Login of the user on whom the action was performed;
- passworkIp — IP address of the client.
Event structure:
Passwork implements the following events that are committed to a local file — Events list from the Activity Log
