Network Activity Logging
The network activity logging functionality in NetBird allows you to observe and track changes to your network infrastructure. This includes events such as when a new machine or user has joined your network, when access control policies have been modified, and many other key network events.
Related Video Content
To get started with event logging in NetBird, watch this introductory video:
Access the Activity Logging View
The activity logging feature is enabled by default for every NetBird network. You can access the activity log in the web UI under the Activity tab. This view provides a centralized log of network events. You can use the search bar to search by activity name, and apply filters for timeframes, event types, and users.
The current version of NetBird tracks a wide range of network changes that occur in the Management server, such as modifications to peers, groups, system settings, setup keys, and access control policies.
Click here to view the full list of tracked events
-
Peer Management:
- Peer added by user
- Peer added with setup key
- Peer removed by user
- Peer renamed
- Peer SSH server enabled
- Peer SSH server disabled
- Peer login expiration enabled
- Peer login expiration disabled
-
User Management:
- User joined
- User invited
- User role updated
- User blocked
- User unblocked
- User deleted
-
Group Management:
- Group created
- Group updated
- Group deleted
- Group added to peer
- Group removed from peer
- Group added to user
- Group removed from user
- Group added to setup key
- Group removed from setup key
- Group added to disabled management DNS setting
- Group removed from disabled management DNS setting
-
Policy Management:
- Policy added
- Policy updated
- Policy removed
-
Rule Management:
- Rule added
- Rule updated
- Rule removed
-
Setup Key Management:
- Setup key created
- Setup key updated
- Setup key revoked
- Setup key overused
-
Route Management:
- Route created
- Route removed
- Route updated
-
Account Management:
- Account created
- Account peer login expiration duration updated
- Account peer login expiration enabled
- Account peer login expiration disabled
- Account peer approval enabled
- Account peer approval disabled
-
Nameserver Group Management:
- Nameserver group created
- Nameserver group deleted
- Nameserver group updated
-
Token Management:
- Personal access token created
- Personal access token deleted
-
Service User Management:
- Service user created
- Service user deleted
-
Integration Management:
- Integration created
- Integration updated
- Integration deleted
-
Other Events:
- Transferred owner role
- Posture check created
- Posture check updated
- Posture check deleted
- User logged in peer
- Peer login expired
- Dashboard login
Future versions will also support connection events that occur in NetBird agents (e.g., peer A connected to peer B).
The unknown name or unknown@unknown.com email address may be displayed in the activity event store if the encryption key has been corrupted or lost. This issue is most relevant for self-hosted setups. In this case, the events returned by the API could show unknown@unknown.com for the email address field and unknown for the name field.
If the configuration files have been generated by the configure.sh script, you can find the previous encryption key in the backup files in the same folder as the script. Look for the DataStoreEncryptionKey field in the management.json backup file.
Enable Activity Event Streaming to SIEM Systems
NetBird can stream activity events to your Security Information and Event Management (SIEM) system in real-time. With this feature enabled, you can monitor and analyze NetBird network changes within your SIEM infrastructure. Check the integrations guide for more information about the supported integrations and how to enable them.
Get Started
- Make sure to star us on GitHub
- Follow us on Twitter
- Join our Slack Channel
- NetBird latest release on GitHub