diff --git a/website/docs/endpoint-devices/device-compliance/device-reporting.md b/website/docs/endpoint-devices/device-compliance/device-reporting.md index b5a233e119..56baa1c5b3 100644 --- a/website/docs/endpoint-devices/device-compliance/device-reporting.md +++ b/website/docs/endpoint-devices/device-compliance/device-reporting.md @@ -37,7 +37,7 @@ For an example of the facts provided for a Linux device, see [here](./facts-linu ## Endpoint devices in event logs -Authentication events involving endpoint devices are included in the [event logs](../../sys-mgmt/events/logging-events.md). For example: +Authentication events involving endpoint devices are included in the [event logs](../../sys-mgmt/events/logging-events.mdx). For example: ![Example of device authentication event](device-event-example.png) @@ -49,4 +49,4 @@ To search for event logs matching a specific endpoint device: 2. Navigate to **Events** > **Logs**. 3. In the search bar, enter: `context.device.name = ""` -For more information on searching the events logs, see [Logging events](../../sys-mgmt/events/logging-events.md). +For more information on searching the events logs, see [Logging events](../../sys-mgmt/events/logging-events.mdx). diff --git a/website/docs/releases/2025/v2025.8.mdx b/website/docs/releases/2025/v2025.8.mdx index e560b668d1..738fac344a 100644 --- a/website/docs/releases/2025/v2025.8.mdx +++ b/website/docs/releases/2025/v2025.8.mdx @@ -11,7 +11,7 @@ slug: "/releases/2025.8" ![Screenshot of the admin interface showing events plotted on a histogram chart and on a map](../../sys-mgmt/events/event-map-chart.png) -- **Advanced search**: :ak-enterprise Search for [users](../../users-sources/user/user_basic_operations.md#tell-me-more) and [event logs](../../sys-mgmt/events/logging-events.md#tell-me-more) with custom query language to filter on their properties and attributes. +- **Advanced search**: :ak-enterprise Search for [users](../../users-sources/user/user_basic_operations.md#tell-me-more) and [event logs](../../sys-mgmt/events/logging-events.mdx#tell-me-more) with custom query language to filter on their properties and attributes. - **Email stage rate limiting**: The email stage can now be configured to set a maximum number of emails that can be sent within a specified time period. diff --git a/website/docs/sys-mgmt/data-exports.md b/website/docs/sys-mgmt/data-exports.md index 9c560c8254..e67b878a43 100644 --- a/website/docs/sys-mgmt/data-exports.md +++ b/website/docs/sys-mgmt/data-exports.md @@ -8,7 +8,7 @@ authentik enterprise allows you to export user and event data in CSV format for The content included in a data export matches that returned by the API endpoints for the respective object types. -For detailed instructions on exporting users and events, see [Export users](../users-sources/user/user_basic_operations.md#export-users-) and [Export events](events/logging-events.md#export-events-) respectively. +For detailed instructions on exporting users and events, see [Export users](../users-sources/user/user_basic_operations.md#export-users-) and [Export events](events/logging-events.mdx#export-events-) respectively. You can access past data exports from the **Events** > **Data Exports** page. On this page you can view the query used for a specific export, search exports by data type and user, download completed exports and delete exports that you no longer need. diff --git a/website/docs/sys-mgmt/events/index.md b/website/docs/sys-mgmt/events/index.md index 8d78d8939c..80e3600b13 100644 --- a/website/docs/sys-mgmt/events/index.md +++ b/website/docs/sys-mgmt/events/index.md @@ -14,7 +14,7 @@ Events can be used to define [notification rules](notifications.md), with specif Event logging in authentik provides several layers of transparency about user and system actions, from a quick view on the Overview dashboard, to a full, searchable list of all events, with a volume graph to highlight any spikes, in the Admin interface under **Events > Logs**. -Refer to our [Logging documentation](./logging-events.md) for more information. +Refer to our [Logging documentation](./logging-events.mdx) for more information. ## Event retention and forwarding diff --git a/website/docs/sys-mgmt/events/logging-events.md b/website/docs/sys-mgmt/events/logging-events.mdx similarity index 69% rename from website/docs/sys-mgmt/events/logging-events.md rename to website/docs/sys-mgmt/events/logging-events.mdx index 81602a6310..42e4118a2a 100644 --- a/website/docs/sys-mgmt/events/logging-events.md +++ b/website/docs/sys-mgmt/events/logging-events.mdx @@ -2,6 +2,8 @@ title: Logging events --- +import { KeyBindingsTable } from "@goauthentik/docusaurus-theme/components/KeyBindingsTable"; + Logs are a vital tool for system diagnostics, event auditing, user management, reporting, and more. They capture detailed information about each event including the client's IP address, the user involved, the date and time, and the specific action taken. Event logging in authentik is highly configurable. You can set the [retention period](./index.md#event-retention-and-forwarding) for storing and displaying events, specify which events should trigger a [notification](./notifications.md), and access low-level details about when and where each event occurred. @@ -32,34 +34,6 @@ With the enterprise version, you can view recent events on both a world map view ![](./event-map-chart.png) -## Advanced queries for event logs:ak-enterprise {#tell-me-more} - -You can construct advanced queries to find specific event logs. In the Admin interface, navigate to **Events > Logs**, and then use the auto-complete in the **Search** field or enter your own queries to return results with greater specificity. - -- **Field**: `action`, `event_uuid`, `app`, `client_ip`, `user`, `brand`, `context`, `created` - -- **Operators**: `=`, `!=`, `~`, `!~`, `startswith`, `not startswith`, `endswith`, `not endswith`, `in`, `not in` - -- **Values**: `True`, `False`, `None`, and more - -- **Example queries**: - - search event by application name: `app startswith "N"` - - search event by action: `action = "login"` - - search event by authorized application context: `authorized_application.name = "My app"` - - search event by country: `context.geo.country = "Germany"` - - search event by IP address: `client_ip = "10.0.0.1"` - - search event by brand: `brand.name = "my brand"` - - search event by user: `user.username in ["ana", "akadmin"]` - -For more examples, refer to the list of [Event actions](./event-actions.md) and the related examples for each type of event. - -:::info - -1. To dismiss the drop-down menu option, click **ESC**. -2. If the list of operators does not appear in a drop-down menu you will need to manually enter it. -3. For queries that include `user`, `brand`, or `context` you need to use a compound term such as `user.username` or `brand.name`. - ::: - ## Export events :ak-enterprise You can export your authentik instance's events to a CSV file. To generate a data export, follow these steps: @@ -72,3 +46,79 @@ You can export your authentik instance's events to a CSV file. To generate a dat 6. In the notification, click **Download**. To review, download, or delete past data exports, navigate to **Events** > **Data Exports** in the Admin interface. + +## Advanced queries for event logs:ak-enterprise {#tell-me-more} + +You can construct advanced queries to find specific event logs. In the Admin interface, navigate to **Events > Logs**, and then use the auto-complete in the **Search** field or enter your own queries to return results with greater specificity. + +- **Field**: `action`, `event_uuid`, `app`, `client_ip`, `user`, `brand`, `context`, `created` +- **Operators**: `=`, `!=`, `~`, `!~`, `startswith`, `not startswith`, `endswith`, `not endswith`, `in`, `not in` +- **Values**: `True`, `False`, `None`, and more + +### Examples + +The following are examples of advanced queries: + +```sh Search event by application name +app startswith "N" +``` + +```sh Search event by action +action = "login" +``` + +```sh Search event by authorized application context +authorized_application.name = "My app" +``` + +```sh Search event by country +context.geo.country = "Germany" +``` + +```sh Search event by IP address +client_ip = "10.0.0.1" +``` + +```sh Search event by brand +brand.name = "my brand" +``` + +```sh Search event by user +user.username in ["ana", "akadmin"] +``` + +For more examples, refer to the list of [Event actions](./event-actions.md) and the related examples for each type of event. + +:::info + +1. If the list of operators does not appear in a drop-down menu you will need to manually enter it. +2. For queries that include `user`, `brand`, or `context` you need to use a compound term such as `user.username` or `brand.name`. + ::: + +### Keyboard shortcuts for advanced queries + +The following keyboard shortcuts can be used in the advanced query search: + +↓], + ["Select previous suggestion", ], + ["Accept the current suggestion", Enter], + ["Dismiss suggestions", ESC], + ], + ], + [ + "Search", + [ + ["Submit the current query", Enter], + ["Clear the current query", ESC], + ], + ], + ]} + +/> diff --git a/website/docusaurus-theme/components/KeyBindingsTable/index.tsx b/website/docusaurus-theme/components/KeyBindingsTable/index.tsx new file mode 100644 index 0000000000..b67161527b --- /dev/null +++ b/website/docusaurus-theme/components/KeyBindingsTable/index.tsx @@ -0,0 +1,42 @@ +import styles from "./styles.module.css"; + +export type KeyBindingGroup = [label: React.ReactNode, bindings: KeyBinding[]]; + +export type KeyBinding = [label: React.ReactNode, key: React.ReactNode]; + +export interface KeyBindingsTableProps extends React.HTMLAttributes { + bindings?: KeyBindingGroup[]; +} + +export const KeyBindingsTable: React.FC = ({ bindings = [], ...props }) => { + return ( + + + + + + + + + {bindings.map(([label, bindings], groupIndex) => ( + + + + + {bindings.map(([label, key], bindingIndex) => ( + + + + + ))} + + ))} +
+ Action + + Key Binding +
+ {label} +
{label}{key}
+ ); +}; diff --git a/website/docusaurus-theme/components/KeyBindingsTable/styles.module.css b/website/docusaurus-theme/components/KeyBindingsTable/styles.module.css new file mode 100644 index 0000000000..51ef354472 --- /dev/null +++ b/website/docusaurus-theme/components/KeyBindingsTable/styles.module.css @@ -0,0 +1,55 @@ +.table { + width: 100%; + + --ifm-table-border-color: var(--ifm-color-info-contrast-background); + --ifm-table-stripe-background: transparent; + --ifm-table-stripe-background: var(--ifm-color-emphasis-100); + + thead { + background-color: var(--ifm-color-info-contrast-background); + text-align: left; + } + + tr, + td, + th { + border-color: transparent; + } + + tr { + th { + border-block-end-color: var(--ifm-color-info-contrast-background); + } + + td:first-child { + text-align: end; + + font-family: var(--ifm-heading-font-family); + font-weight: 300; + border-inline-end-color: var(--ifm-color-secondary-dark); + } + } + + tbody tr th { + --ifm-table-cell-padding: 0.5rem; + font-weight: 600; + font-family: var(--ifm-heading-font-family); + text-align: end; + background-color: transparent; + } + + kbd { + user-select: none; + text-rendering: optimizeLegibility; + font-weight: 900; + letter-spacing: 0.05em; + padding: 0.25rem 0.25rem; + } + .actionColumn { + min-width: 20rem; + } + + .bindingColumn { + width: 100%; + } +}