From 84a11c4ffcb9ca8c77998064e79f271bf6816a43 Mon Sep 17 00:00:00 2001 From: Daniel Hiltgen Date: Thu, 3 Dec 2015 13:35:43 -0800 Subject: [PATCH] Clean up auditing/logging This refines our logging and auditing a bit to make things easier to search for within kibana (or similar external systems) See ./docs/logging.md for more details. --- logging.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/logging.md b/logging.md index f0015285ac..77ada52402 100644 --- a/logging.md +++ b/logging.md @@ -59,7 +59,7 @@ docker run -d \ --name logstash \ --link elasticsearch:es \ logstash \ - sh -c "logstash -e 'input { syslog { } } output { stdout { } elasticsearch { hosts => [ \"es\" ] } }'" + sh -c "logstash -e 'input { syslog { } } output { stdout { } elasticsearch { hosts => [ \"es\" ] } } filter { json { source => \"message\" } }'" docker run -d \ --name kibana \ @@ -68,6 +68,15 @@ docker run -d \ kibana ``` -You can then browse to port 5601 on the system running kibana and browse log/event entries. +You can then browse to port 5601 on the system running kibana and browse log/event entries. You should specify the "time" field +for indexing. Note: When deployed in production, you should secure kibana (not described in this doc) + +## Example Searches + +Here are a few examples demonstrating some ways to view the aggregated log data: + +* `type:"api" AND (tags:"post" OR tags:"put" OR tags:"delete")` -- Show all the modifications on the system +* `username:"admin"` -- Show all access from a given user +* `type:"auth fail"` -- Show all authentication failures on the system
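Review bot: In the first hunk, the new `filter { json { source => \"message\" } }` block is appended after `output { ... }`; Logstash executes input, filter, output in that order regardless of where the sections appear in the config, so this works, but readers copying the command will find it clearer if the sections are written in pipeline order: `input { syslog { } } filter { json { source => \"message\" } } output { stdout { } elasticsearch { hosts => [ \"es\" ] } }`. Since this is a plain syslog input, any line that is not valid JSON (other services logging to the same collector, or a truncated record) will not be parsed and will instead carry a `_jsonparsefailure` tag; a one-line note in the doc saying that such events are expected to be tagged rather than dropped, or a conditional around the json filter, would save the reader some confusion when those show up in Kibana.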
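Review bot: In the second hunk, "You should specify the "time" field for indexing" does not say where: this is the time-field name chosen when the index pattern is created in Kibana, and naming that step (and that `time` is the timestamp field carried in the JSON log records the filter above unpacks) would make it actionable. The warning "you should secure kibana (not described in this doc)" deserves at least one concrete sentence, since as written both Kibana on port 5601 and the linked Elasticsearch instance accept connections without authentication; say that in production they must be placed behind authentication and TLS or restricted to a trusted network, or link to where that is covered. In the "Example Searches" list, the fields `type`, `tags` and `username` are used without being introduced; a short sentence stating that these are fields of the daemon's structured log records (and where their possible values are documented) would tie the searches back to the log format the rest of the doc describes. Finally, the first added line in this hunk is much longer than the surrounding text; wrapping it at the document's existing width keeps the diff readable.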