[SOLVED] Proxmox Audit logins?

killmasta93

Aug 13, 2017
Hi, I was wondering if it's possible to show which IP was logged on when someone accesses the webGUI. The only log I see is:

Code:
Nov 22 21:48:38 prometheus3 pvedaemon[2832]: <root@pam> successful auth for user 'root@pam'
Nov 22 21:49:00 prometheus3 systemd[1]: Starting Proxmox VE replication runner...
Nov 22 21:49:00 prometheus3 systemd[1]: Started Proxmox VE replication runner.
Nov 22 21:49:25 prometheus3 pvedaemon[2832]: <root@pam> successful auth for user 'sistemas@pve'


Thank you
 
Check the logs in '/var/log/pveproxy/access.log'

I hope this helps!
 
**I agree that the lack of user activity logging is a security risk and makes it difficult to investigate incidents.

I would like to request that the following events be added in the next release:

  • Adding a user
  • Changing a user
  • Deleting a user**
 
For clarity:

Systemd Journald
(replaces syslog and auth.log)

Code:
#journalctl --since '10 minutes ago' | grep 'auth'

Apr 21 12:35:40 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'root@pam'
Apr 21 12:35:51 pve1 pvedaemon[1160]: authentication failure; rhost=::ffff:172.18.0.86 >

PVE Access Logs
(shows IP address of access token renewals)

Code:
#grep -i 'POST .*/ticket' /var/log/pveproxy/access.log

::ffff:172.18.0.86 - - [22/04/2025:12:52:34 -0600] "POST /api2/extjs/access/ticket HTTP/1.1" 200 748
::ffff:172.18.0.86 - - [22/04/2025:13:06:34 -0600] "POST /api2/json/access/ticket HTTP/1.1" 200 740

And if that changes in the future, or I understand things better myself to document them better, I will probably update the audit section of the Auth-related Tutorial I've been putting together here:
https://forum.proxmox.com/threads/h...cluster-or-on-single-node.165331/#post-765465

(and hopefully I or someone else will update here as well, since this is what pops up in search right now and where I found part of my answer to begin with)
 
#journalctl --since '10 minutes ago' | grep 'auth'
The OP requested:
if its possible to show which IP was logon when someone access on the webGUI
The implication being of a successful GUI access.

Your code will not show that but only an unsuccessful one.
However, cat /var/log/pveproxy/access.log will (as Stoiko Ivanov correctly replied above).
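
Tying the two logs from this thread together, as an added example that is not part of any post above: the `successful auth` journal lines quoted here carry the user but no address, while the `POST .../access/ticket` entries in access.log carry the address but no user, so this sketch pairs them by timestamp. The sample lines are constructed in the formats quoted above; the function names, the 2-second window, and the assumption that both logs share the same local clock and year are choices of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, in the two formats quoted in this thread.
JOURNAL = """\
Apr 22 12:52:34 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'root@pam'
Apr 22 13:00:00 pve1 systemd[1]: Starting Proxmox VE replication runner...
Apr 22 13:06:35 pve1 pvedaemon[1160]: <root@pam> successful auth for user 'sistemas@pve'
"""
ACCESS = """\
::ffff:172.18.0.86 - - [22/04/2025:12:52:34 -0600] "POST /api2/extjs/access/ticket HTTP/1.1" 200 748
::ffff:172.18.0.99 - - [22/04/2025:12:58:02 -0600] "POST /api2/extjs/access/ticket HTTP/1.1" 401 -
::ffff:172.18.0.87 - - [22/04/2025:13:06:34 -0600] "POST /api2/json/access/ticket HTTP/1.1" 200 740
"""

JOURNAL_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ pvedaemon\[\d+\]: .*successful auth for user '([^']+)'")
ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]+\] "POST \S*/access/ticket HTTP/[\d.]+" (\d{3}) ')

def ticket_posts(access):
    """Return (time, client IP) for every ticket request answered with HTTP 200."""
    posts = []
    for line in access.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "200":
            when = datetime.strptime(m.group(2), "%d/%m/%Y:%H:%M:%S")
            posts.append((when, m.group(1).removeprefix("::ffff:")))
    return posts

def logins_with_ip(journal, access, window=2, year=None):
    """Pair each 'successful auth' line with ticket POSTs within `window` seconds."""
    posts = ticket_posts(access)
    # The short journal format has no year: assume the access log's year.
    year = year or (posts[0][0].year if posts else datetime.now().year)
    rows = []
    for line in journal.splitlines():
        m = JOURNAL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        near = timedelta(seconds=window)
        ips = sorted({ip for when, ip in posts if abs(when - ts) <= near})
        rows.append((ts.isoformat(sep=" "), m.group(2), ips))
    return rows

if __name__ == "__main__":
    for when, user, ips in logins_with_ip(JOURNAL, ACCESS):
        print(when, user, ", ".join(ips) or "no matching ticket request")
```

An auth line with an empty or multi-address result means the timestamp match alone cannot attribute it, which happens when several clients request tickets in the same window.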
 
Examples of creating and cloning a VM in my PVE server

Code:
# journalctl | grep create
Aug 08 23:08:20 pmx1 pvedaemon[3798182]: <root@pam> starting task UPID:pmx1:0002Fxxx:15AA4xxx:68966xxx:qmcreate:101:root@pam:
Aug 08 23:08:21 pmx1 pvedaemon[3798182]: <root@pam> end task UPID:pmx1:0002Fxxx:15AA4xxx:68966xxx:qmcreate:101:root@pam: OK

Code:
# journalctl | grep clone
Oct 04 03:21:36 pmx1 pvedaemon[3109094]: <root@pam> starting task UPID:pmx1:003AExxx:09B1Dxxx:68E07xxx:qmclone:100:root@pam:
Oct 04 03:44:36 pmx1 pvedaemon[3109094]: <root@pam> end task UPID:pmx1:003AExxx:09B1Dxxx:68E07xxx:qmclone:100:root@pam: OK