Logging of user actions

SonarQube Enterprise 9.9.1.69595

We need to log user actions on issues (resolve as false positive, resolve as fixed, resolve as won’t fix). We are collecting audit and access logs, but we cannot find any logs which identify that a user/developer made one of these particular actions on an issue.

We need evidence if somebody made an exception from the quality gate by these actions.

I would like to ask you if somebody has solved a similar issue and can advise us on how to change the settings of Sonar to be able to log it properly.

Thank you


Hey there.

You can find an issue changelog associated with each issue under the Activity tab of the issue.

Hello Colin,

Thank you for your tip, but we do not have this “Activity” field in our SonarQube Enterprise 9.9.1.69595.

Moreover, we need to log this “Activity” to an external logging solution for regulation/compliance reasons.
Do you know how to set up the access/audit log configuration to see “Activity” in the logs?

I figured out that maybe POST api/issues/set_type could give us appropriate logs, but I don’t have evidence yet.

Cheers
//Mirek

Hey there.

Sorry - I didn’t make the connection in my head that you’re on SonarQube v9.9!

In that case, the change log can be found here:

While these activities are logged per-issue (and not in the audit logs), you may be able to monitor POST api/issues/do_transition… or trust the users who are granted the Administer Issues permission!

Hello Colin,

Could you please give me hint in which log we can monitor it (Access or Audit log)?

We are gathering data from access and audit logs and we cannot find it in any of these logs. Is there any possibility that we can set up the access log so that it will log user actions?
Our access log settings:

webAccessLogPattern: '{"from":"%i{X-Forwarded-For}","clientHost":"%h","user":"%reqAttribute{LOGIN}","time":"%t","server":"%v","requestMethod":"%m","requestURL":"%r","statusCode":"%s","url":"%i{Referer}","UserAgent":"%i{User-Agent}","id":"%reqAttribute{ID}","localIP":"%A"}

If we do monitoring on API/ISSUES/DO_TRANSITION, then can all user actions (how, what, when) in the Sonar web application be logged? Could you please share a guideline on how to set it up?

Thank you and best regards
//Mirek

You would simply be looking for occurrences of this web request in your access.log, like you see GET /api/components/search_projects below.

0:0:0:0:0:0:0:1 - - [08/Aug/2023:11:46:21 +0200] "GET /api/components/search_projects?ps=50&facets=reliability_rating%2Csecurity_rating%2Csecurity_review_rating%2Csqale_rating%2Ccoverage%2Cduplicated_lines_density%2Cncloc%2Calert_status%2Clanguages%2Ctags%2Cqualifier&f=analysisDate%2CleakPeriodDate $
0:0:0:0:0:0:0:1 - - [08/Aug/2023:11:46:22 +0200] "GET /api/measures/search?projectKeys=org.sonarqube%3Asonarscanner-maven-basic%2CGreeter%2Ccolin.mueller_myproject_AYhr75HCfYgPX4a7KBIt%2Corg.sonarsource.java%3Ajava%2Ccolin.mueller_test_AYjY9WzW_hCdjNFkiONZ%2Ctest%2CYouTubeRegEx&metricKeys=alert_stat$

Hello,

Thank you for your answer, but I don’t know what I should do with that.

We have an audit issue with a regulatory entity. We use SonarQube Enterprise:
Server ID: FD52F9B4-18aaf215224c855, Version: 9.9.1.69595, Date: 2023-08-09

Based on regulatory procedures we need to log (let’s say to ELK) all user actions in SonarQube (do_transition: who, when, what).

We set up audit and access logs and we don’t have any information about the action there. There is only that a user made an “action”; we are missing which action and where (which project/issue).

To be able to keep Sonar in our company we need to set up elementary logging so that we have evidence about user actions.

Could you please help me with clear instructions on how I should set up Sonar to be able to log user actions within issues?

Thank you very much

Hey there.

It sounds like you have some high expectations for support in your Enterprise environment – SonarSource offers commercial support that you might want to talk to your account representative about.

If you want to log further details in access.log, you can adjust the sonar.web.accessLogs.pattern in your conf/sonar.properties file (or via environment variables if deploying through a container) like so:

sonar.web.accessLogs.pattern=%i{X-Forwarded-For} %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}" "%requestContent" "%reqAttribute{LOGIN}"

This specifically adds "%requestContent" "%reqAttribute{LOGIN}" to log the request content and user login.

Getting you access logs like this:

- - - [09/Aug/2023:10:30:25 +0200] "POST /api/issues/do_transition HTTP/1.1" 200 - "http://localhost:9000/issues?resolved=false" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36" "AYnZawVgAsKM5QyrAAAf" "issue=AYjDTmcIizLBR2Gosjm5&transition=falsepositive" "admin"

So now you have this data:

"issue=AYjDTmcIizLBR2Gosjm5&transition=falsepositive" "admin"

Documentation for further configuration of sonar.web.accessLogs.pattern is included in the conf/sonar.properties file or the aforementioned environment variables documentation.

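As an added example (not from the thread or from SonarSource), here is a small parser that turns access.log lines written with the pattern above into the who/when/what records the regulator asks for, keeping only POST /api/issues/do_transition requests and recording whether the server accepted them (status 200) or refused them. The first sample line is the one quoted above; the other two are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Layout produced by the sonar.web.accessLogs.pattern shown in the reply above:
# %i{X-Forwarded-For} %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}"
# "%reqAttribute{ID}" "%requestContent" "%reqAttribute{LOGIN}"
# Empty fields are written as "-" by the logger.
LINE_RE = re.compile(
    r'^(?P<xff>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<reqid>[^"]*)" '
    r'"(?P<content>[^"]*)" "(?P<login>[^"]*)"$'
)

# Sample log: line 1 is the one quoted in the thread; lines 2 and 3 are constructed
# (an unrelated GET, and a transition the server rejected with 403).
SAMPLE_LOG = [
    '- - - [09/Aug/2023:10:30:25 +0200] "POST /api/issues/do_transition HTTP/1.1" 200 - '
    '"http://localhost:9000/issues?resolved=false" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36" "AYnZawVgAsKM5QyrAAAf" '
    '"issue=AYjDTmcIizLBR2Gosjm5&transition=falsepositive" "admin"',
    '- - - [09/Aug/2023:10:31:00 +0200] "GET /api/issues/search?resolved=false HTTP/1.1" 200 - '
    '"http://localhost:9000/issues" "curl/8.1.2" "AYnZawVgAsKM5QyrAAAg" "-" "admin"',
    '10.0.0.5 - - [09/Aug/2023:10:32:10 +0200] "POST /api/issues/do_transition HTTP/1.1" 403 - '
    '"http://localhost:9000/issues?resolved=false" "Mozilla/5.0" "AYnZawVgAsKM5QyrAAAh" '
    '"issue=AYjDTmcIizLBR2Gosjm6&transition=wontfix" "dev1"',
]

def parse_transition(line):
    """Return who/when/what for an issue transition, or None for any other request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, _proto = m.group("request").split(" ", 2)
    if method != "POST" or path.split("?")[0] != "/api/issues/do_transition":
        return None
    body = parse_qs(m.group("content"))  # form-encoded request content
    return {
        "user": m.group("login"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "issue": body.get("issue", [""])[0],
        "transition": body.get("transition", [""])[0],
        "succeeded": m.group("status") == "200",  # a 4xx is an attempt, not a change
        "request_id": m.group("reqid"),
    }

def transitions(lines):
    """Collect all transition events from an iterable of access.log lines."""
    return [e for e in (parse_transition(l) for l in lines) if e]

if __name__ == "__main__":
    for event in transitions(SAMPLE_LOG):
        print(event)
```

The log carries the issue key but not the project; the project has to be looked up from the key afterwards (for example through api/issues/search) before the event is forwarded to ELK.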
