Logging

Configuration

Configure all Gramax Enterprise Server containers except doc-portal and web-editor:

  • LOG_TYPE — log format (default | cef). Default: default.

  • LOG_LEVEL — minimum log level (debug | info | warn | error | fatal). Default: info.

  • LOG_TRANSPORTER — output transport (console | syslog). Default: console.

Additional parameters for LOG_TRANSPORTER=syslog:

  • LOG_SYSLOG_HOST — Syslog server host. Default: 127.0.0.1.

  • LOG_SYSLOG_PORT — port. Default: 514.

  • LOG_SYSLOG_PROTOCOL — protocol (udp4 | tcp4 | tls4 | udp6 | tcp6 | tls6). Default: udp4.

  • LOG_SYSLOG_APP_NAME — application name in log messages. Default: gramax.

CEF log structure

Logs contain structured event information: a unique identifier, message description, severity level, and extensions with additional data from the event context.

Each log consists of two main parts:

  1. Header

  2. Extensions

The log header follows the CEF standard:

CEF:0|<vendor>|<product>|<version>|<event id>|<message>|<severity>|

  • Vendor. Manufacturer (e.g., Gramax).

  • Product. Product name (e.g., GES).

  • Version. Product version (e.g., 1.0).

  • Event ID. Unique event identifier determined by message type. Message keys are mapped to event IDs via a dictionary (e.g., invalidCredentials → 1004).

  • Message. Human-readable event description from the message dictionary.

  • Severity. Numeric value indicating event importance. Severity values map from log levels as follows:

    • Debug: 1

    • Info: 3

    • Warn: 5

    • Error: 7

    • Fatal: 10

Extensions

After the header, extensions are appended using | as a separator — additional data extracted from the event context. Each extension parameter is a key-value pair:

<cefField>=<value>

Extensions provide detailed event information such as request ID, IP address, user email, error details, etc.

Context and extension mapping

CEF extensions are built using a mapping where each context field corresponds to a specific CEF field.

Mapping table

Context field

CEF field (extension)

Description

requestIp

src

IP address of the request

requestId

-

Unique request identifier

userEmail

duser

User email (if provided)

user

duser

User email

login

duser

User login when publishing to Cloud

admin

suser

Administrator email

reason

reason

Reason for denial

error

reason

Error details

ssoType

cs5

SSO authentication type

connectorType

cs5

Connector type used

redirectUrl

cs6

Redirect URL

allowedUrls

msg=Allowed URLs:

List of allowed URLs

fileName

fname

File name (e.g., config file)

filePath

filePath

Full path to file or resource

groupId

cs4

Group identifier

directory

msg=Directory:

Directory path

fullPath

fullPath

Full path to file or resource

resourceId

cs3

Resource identifier

oldValue

cs1

Previous value (before change)

newValue

cs2

New value (after change)

missingVariables

msg=Missing variables:

List of missing variables

url

request

URL specified in the event

daysLeft

cn1

Days remaining until license expiry

response

reason

Additional response data

options

msg=Options:

AI service options at the time of error

Message to event ID mapping

Each system event has a message key that uniquely maps to:

  • Event ID. A unique event identifier.

  • Description. A human-readable message.

Examples:

  • invalidCredentials

    • Event ID: 1004

    • Message: "Invalid credentials"

  • disabledSsoAuth

    • Event ID: 1001

    • Message: "Disabled SSO auth"

  • addEditors (for administrative changes)

    • Event ID: 4001

    • Message: "Add editor"

Log examples

Examples of CEF-format logs. The id field (request identifier) is a random UUID; event id comes from the mapping for each message.

Example: Logged in via SSO

Description: Successful authentication.

  • Event ID: 1028

  • Message: "Logged in via SSO"

  • Severity: 3 (info)

  • Extensions:

    • id — unique request identifier (UUID)

    • src — request IP address

    • ssoType — SSO type

    • duser — user email

Example log:

Mar 31 13:19:54 host CEF:0|Gramax|GES|1.0|1028|Logged in via SSO|3|id=75f78bfe-ec42-4fdc-969c-3f929dcc src=192.168.1.130 ssoType=azure duser=egor.zaidov@example.com

Example: Disabled SSO Auth

Description: Initialization event indicating that SSO authentication is disabled.

  • Event ID: 1001

  • Message: "Disabled SSO auth"

  • Severity: 5 (warn)

Example log:

Apr 01 14:25:30 host CEF:0|Gramax|GES|1.0|1001|Disabled SSO auth|5

Example: Add editor (Admin changes)

Description: Administrative change — adding a new editor.

  • Event ID: 4001

  • Message: "Add editor"

  • Severity: 3 (info)

  • Extensions:

    • id — request UUID

    • src — request IP address

    • suser — administrator identifier

    • newValue — new value (editor)

Example log:

Apr 01 14:35:45 host CEF:0|Gramax|GES|1.0|4001|Add editor|3|id=ad2e5f9c-4b3d-47e8-9a6d-3c2e8d4f src=192.168.1.104 suser=admin@example.com newValue="new_editor" groupId=gramax