[SOLVED] Proxmox Audit logins?

killmasta93

Hi, I was wondering if it's possible to show which IP was logged on when someone accesses the webGUI; the only log I see is

Code:
Nov 22 21:48:38 prometheus3 pvedaemon[2832]: <root@pam> successful auth for user 'root@pam'
Nov 22 21:49:00 prometheus3 systemd[1]: Starting Proxmox VE replication runner...
Nov 22 21:49:00 prometheus3 systemd[1]: Started Proxmox VE replication runner.
Nov 22 21:49:25 prometheus3 pvedaemon[2832]: <root@pam> successful auth for user 'sistemas@pve'


Thank you
 
Check the logs in '/var/log/pveproxy/access.log'

I hope this helps!
 
I agree that the lack of user activity logging is a security risk and makes it difficult to investigate incidents.

I would like to request that the following events be added in the next release:

  • Adding a user
  • Changing a user
  • Deleting a user
 
For clarity:

Systemd Journald
(replaces syslog and auth.log)

Code:
#journalctl --since '10 minutes ago' | grep 'auth'

Apr 21 12:35:40 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'root@pam'
Apr 21 12:35:51 pve1 pvedaemon[1160]: authentication failure; rhost=::ffff:172.18.0.86 >

PVE Access Logs
(shows IP address of access token renewals)

Code:
#grep -i 'POST .*/ticket' /var/log/pveproxy/access.log

::ffff:172.18.0.86 - - [22/04/2025:12:52:34 -0600] "POST /api2/extjs/access/ticket HTTP/1.1" 200 748
::ffff:172.18.0.86 - - [22/04/2025:13:06:34 -0600] "POST /api2/json/access/ticket HTTP/1.1" 200 740

And if that changes in the future, or I understand things better myself to document them better, I will probably update the audit section of the Auth-related Tutorial I've been putting together here:
https://forum.proxmox.com/threads/h...cluster-or-on-single-node.165331/#post-765465

(and hopefully I or someone else will update here as well, since this is what pops up in search right now and where I found part of my answer to begin with)
 
#journalctl --since '10 minutes ago' | grep 'auth'
The OP requested: "if its possible to show which IP was logon when someone access on the webGUI"
The implication being of a successful GUI access.

Your code will not show that, but only an unsuccessful one.
However, cat /var/log/pveproxy/access.log will (as Stoiko Ivanov correctly replied above).
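
Added example, not part of any post in this thread: the journal line names the user but not the source IP, and the access.log ticket request carries the IP but not the user, so this sketch joins the two by timestamp. The sample lines are constructed in the formats quoted above; the 3-second window, the caller-supplied year, and the assumption that both logs use the host's local time are choices made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in this thread.
JOURNAL = """\
Apr 22 12:52:35 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'root@pam'
Apr 22 13:06:34 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'sistemas@pve'
Apr 22 13:30:00 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'root@pam'
"""
ACCESS = """\
::ffff:172.18.0.86 - - [22/04/2025:12:52:34 -0600] "POST /api2/extjs/access/ticket HTTP/1.1" 200 748
::ffff:172.18.0.90 - - [22/04/2025:13:06:34 -0600] "POST /api2/json/access/ticket HTTP/1.1" 200 740
::ffff:172.18.0.99 - - [22/04/2025:13:07:10 -0600] "POST /api2/json/access/ticket HTTP/1.1" 401 -
"""

AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ pvedaemon\[\d+\]: "
                     r"<[^>]*> successful auth for user '([^']+)'")
TICKET_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] '
                       r'"POST /api2/\w+/access/ticket HTTP/[\d.]+" (\d{3}) ')

def ticket_posts(access_text):
    """Yield (local time, client IP) for ticket requests answered with 200."""
    for line in access_text.splitlines():
        m = TICKET_RE.match(line)
        if m and m.group(3) == "200":
            ip = m.group(1).removeprefix("::ffff:")  # IPv4-mapped IPv6
            yield datetime.strptime(m.group(2), "%d/%m/%Y:%H:%M:%S"), ip

def correlate(journal_text, access_text, year, window=timedelta(seconds=3)):
    """Attach candidate source IPs to each successful-auth journal line."""
    posts = list(ticket_posts(access_text))
    out = []
    for line in journal_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        # Journal short format has no year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ips = sorted({ip for t, ip in posts if abs(t - ts) <= window})
        out.append((ts.isoformat(), m.group(2), ips))
    return out

if __name__ == "__main__":
    for row in correlate(JOURNAL, ACCESS, 2025):
        print(*row)
```

An empty IP list (the third constructed journal line) means no ticket request landed inside the window, and more than one IP means the match is ambiguous and needs a manual look.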
 
Are there any audit logs for Proxmox activity, like VM creation and deletion via either the API or the UI?
 
Examples of creating and cloning a VM in my PVE server

Code:
# journalctl | grep create
Aug 08 23:08:20 pmx1 pvedaemon[3798182]: <root@pam> starting task UPID:pmx1:0002Fxxx:15AA4xxx:68966xxx:qmcreate:101:root@pam:
Aug 08 23:08:21 pmx1 pvedaemon[3798182]: <root@pam> end task UPID:pmx1:0002Fxxx:15AA4xxx:68966xxx:qmcreate:101:root@pam: OK

Code:
# journalctl | grep clone
Oct 04 03:21:36 pmx1 pvedaemon[3109094]: <root@pam> starting task UPID:pmx1:003AExxx:09B1Dxxx:68E07xxx:qmclone:100:root@pam:
Oct 04 03:44:36 pmx1 pvedaemon[3109094]: <root@pam> end task UPID:pmx1:003AExxx:09B1Dxxx:68E07xxx:qmclone:100:root@pam: OK