Provides a quick method of collecting Slack access logs and integration logs, then forwards them via Logstash.
The auditor is a Python script that Logstash executes on a set interval. The script reaches out to the Slack API, gathers team.accessLogs and team.integrationLogs, and writes them to stdout, which Logstash collects. Logstash then tags each event with a proper timestamp and forwards it to the service of your choosing.
docker build -t slacklogger:latest .
docker run slacklogger:latest .
- Clone this repo and install the required dependencies:
  pip install -r scripts/requirements.txt
- Create an OAuth token for Slack: follow the directions in "Creating OAuth Tokens for Slack Apps" and generate a token with the "admin" scope.
- Install Logstash (we tested/built on 2.4 -> 7.1).
- Adjust the Logstash config to point to Elasticsearch / Splunk as an output instead of rubydebug (you might want to leave rubydebug in place while you test).
- Set writeable file paths and the Slack token in scripts/config/config.json.
- Run Logstash.
- Logs.
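The Logstash side of the pipeline described above, as an added example rather than the project's own config: an exec input runs the collector on an interval and reads its stdout, a date filter replaces the ingestion time with the event's own timestamp, and the output keeps rubydebug for testing with the Elasticsearch destination commented out. The script name `scripts/slacklogger.py`, the 30 minute interval, the `date_last` field name (the timestamp field on team.accessLogs entries) and the Elasticsearch host are assumptions, not values from this README.

```conf
input {
  exec {
    # Logstash runs the collector every 30 minutes and reads its stdout,
    # one JSON object per line (script path is an assumed name)
    command => "python3 scripts/slacklogger.py"
    interval => 1800
    codec => "json_lines"
  }
}

filter {
  # Use the event's own Unix timestamp instead of the time Logstash saw it
  # (date_last for accessLogs entries; adjust to the field your script emits)
  date {
    match => ["date_last", "UNIX"]
    target => "@timestamp"
  }
}

output {
  # Keep rubydebug while testing; it prints every event to the console
  stdout { codec => rubydebug }

  # Production destination: uncomment once events look right
  # elasticsearch {
  #   hosts => ["http://localhost:9200"]
  #   index => "slack-logs-%{+YYYY.MM.dd}"
  # }
}
```

Without the date filter every event would carry the time of the exec run rather than the time of the login, which makes the 30 minute batches collapse onto a handful of timestamps in whatever backend receives them.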
I've only tested this on teams that are using the paid-for Slack. I don't know if these methods are available to the free api.
The Slack team.accessLogs and team.integrationLogs methods actually limit results to a maximum of 100 pages. With 1000 events per page, you can only grab the last 100,000 events. You could work around this by grabbing the date of the last entry on the 100th page, passing it to the before parameter, and repeating the process. This is really only useful for backfilling events, or if you have a tremendously high volume of events within a 30 minute interval.
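The re-anchoring workaround above, written out as an added Python example (not code from the slacklogger project). It sweeps up to the page cap, and when pages remain it starts a new sweep with `before` set to the oldest timestamp seen. Assumptions taken from the Slack API docs rather than from this README: team.accessLogs returns pages newest-first, each login carries a `date_last` Unix timestamp, `before` is inclusive (so the boundary entry comes back twice and is de-duplicated), and `paging.pages` reports how many pages the current query has. The fake backend is constructed so the script runs offline with a shrunken cap of 5 pages of 10 entries; `slack_fetch_page` shows the shape of the live request and is not called.

```python
"""Collect Slack team.accessLogs past the 100-page cap by re-anchoring `before`.

Added example, not part of the slacklogger project. The fake backend below is
constructed so the script runs offline; slack_fetch_page is the live request
shape and is never called here.
"""
import json
import urllib.parse
import urllib.request

SLACK_PAGE_CAP = 100    # Slack serves at most 100 pages per query
SLACK_MAX_COUNT = 1000  # and at most 1000 entries per page


def slack_fetch_page(token, page, before=None, count=SLACK_MAX_COUNT):
    """Live fetcher: one page of team.accessLogs (not exercised offline)."""
    params = {"page": page, "count": count}
    if before is not None:
        params["before"] = before
    url = "https://slack.com/api/team.accessLogs?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def collect_access_logs(fetch_page, page_cap=SLACK_PAGE_CAP, count=SLACK_MAX_COUNT):
    """Sweep pages 1..page_cap. If the cap is hit with pages still remaining,
    start a new sweep with `before` set to the oldest date_last seen so far.
    `before` is assumed inclusive, so the boundary entry is returned again and
    a seen-set drops the duplicate."""
    seen, logins, before = set(), [], None
    while True:
        oldest, exhausted = None, False
        for page in range(1, page_cap + 1):
            body = fetch_page(page=page, before=before, count=count)
            if not body.get("ok"):
                raise RuntimeError("Slack error: %s" % body.get("error"))
            for entry in body["logins"]:
                key = (entry["user_id"], entry["ip"], entry["user_agent"], entry["date_last"])
                if key not in seen:
                    seen.add(key)
                    logins.append(entry)
                stamp = int(entry["date_last"])
                oldest = stamp if oldest is None else min(oldest, stamp)
            if page >= body["paging"]["pages"]:
                exhausted = True
                break
        # Stop when the query ran out of pages, returned nothing, or `before`
        # would not move (every entry in the sweep shares one second).
        if exhausted or oldest is None or (before is not None and oldest >= before):
            return logins
        before = oldest


def make_fake_slack(total, count_cap=SLACK_MAX_COUNT, page_cap=SLACK_PAGE_CAP):
    """Constructed stand-in for the API: `total` logins one second apart,
    newest first, honouring `before`, `count` and the page cap."""
    base = 1_600_000_000
    all_logins = [
        {"user_id": "U%05d" % (i % 7), "username": "user%d" % (i % 7),
         "ip": "203.0.113.%d" % (i % 200), "user_agent": "example-ua",
         "date_first": base - i - 5, "date_last": base - i, "count": 1}
        for i in range(total)
    ]

    def fetch_page(page, before=None, count=count_cap):
        if page > page_cap:
            return {"ok": False, "error": "invalid_page"}
        rows = [row for row in all_logins if before is None or row["date_last"] <= before]
        count = min(count, count_cap)
        pages = max(1, -(-len(rows) // count))  # ceiling division
        start = (page - 1) * count
        return {"ok": True, "logins": rows[start:start + count],
                "paging": {"count": count, "total": len(rows), "page": page, "pages": pages}}

    return fetch_page


def demo(total=250, count=10, page_cap=5):
    """Shrunk cap (5 pages x 10 entries) so the workaround triggers on 250 logins.
    Returns (entries a single capped sweep sees, entries collected with re-anchoring)."""
    fetch = make_fake_slack(total, count_cap=count, page_cap=page_cap)
    single_sweep = sum(len(fetch(page=p, count=count)["logins"]) for p in range(1, page_cap + 1))
    full = collect_access_logs(fetch, page_cap=page_cap, count=count)
    return single_sweep, len(full)


if __name__ == "__main__":
    print("single sweep: %d entries, with re-anchoring: %d entries" % demo())
```

With the real cap the same loop fetches 100 pages of 1000 before each re-anchor, so a backfill of a very busy team costs one extra request per 100,000 events plus the duplicate boundary entry, which the seen-set absorbs.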