Skip to content

Provides an easy way to collect and send Slack access & integration logs.

Notifications You must be signed in to change notification settings

nickbabkin/slack-auditor

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Slack API Auditor

Provides a quick method of collecting Slack access logs and integration logs, then forwards them via Logstash.

How this works

The auditor is a Python script being executed by Logstash on a set interval. The script will reach out to the Slack API and gather team.accessLogs and team.integrationLogs and output them to stdout, which Logstash collects. Logstash then tags with a proper timestamp and forwards to the service of your choosing.

How to Deploy

Via Dockerfile

  1. docker build -t slacklogger:latest .
  2. docker run slacklogger:latest .

Run locally / build from source

  1. Clone this repo and install the required dependencies, pip install -r scripts/requirements.txt

  2. Create OAuth Token For Slack Follow the directions here Creating oAuth Tokens for Slack Apps, and generate a token with the "admin" scope.

  3. Install Logstash (We tested/built on 2.4 -> 7.1)

  4. Adjust Logstash config to point to Elasticsearch / splunk as an output instead of rubydebug. Although you might want to leave it there while you test.

  5. set writeable filepaths / slack token in scripts/config/config.json

  6. Run Logstash.

  7. Logs.

Caveats

I've only tested this on teams that are using the paid-for Slack. I don't know if these methods are available to the free api.

The Slack team.accesslog and team.integraiton log methods actually limit the results to a maximum value page of 100. So with 1000 events per page you can only grab the last 100,000 events. However you could work around this by grabbing the date of the last entry on the 100th page and pass that on to the before parameter and repeat the process. Really only usefull for backfilling events or if you have a tremendously high volume of events happening on 30 minute intervals.

About

Provides an easy way to collect and send Slack access & integration logs.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 81.3%
  • Dockerfile 18.7%