- Improvement
- Resolution: Unresolved
- Minor
- None
- 4.5.2, 4.5.3, 4.5.4, 4.5.5, 5.0
- MOODLE_405_STABLE, MOODLE_500_STABLE
We need to integrate Moodle with SIEM systems for security monitoring and event analysis. Previously, there were plugins available for this purpose, but the development of these plugins was discontinued over 10 years ago. As a result, we attempted an alternative approach by connecting directly to the Moodle database and extracting logs from the mdl_logstore_standard_log table. However, the logs we retrieved are not detailed enough for effective analysis.
For example, when extracting logs related to the assignment of administrative roles, it is not possible to identify who assigned the roles to whom. For instance, the information looks like this:

| 105855866 | \core\event\config_log_created | core | created | config_log | config_log | 3049 | c | 0 | 1 | 10 | 0 | 3049 | 0 | NULL | 0 | a:4:{s:4:"name";s:10:"siteadmins";s:8:"oldvalue";s:27:"2, 3, 5, 3049, 66153, 84336";s:5:"value";s:30:"2, 3, 5, 3049, 66153, 84336, 8";s:6:"plugin";s:4:"core";}{}

This does not provide specific information about which users were added or changed in the admin role.
To address this, we propose the development or updating of a plugin for SIEM system integration that:
- Automatically exports Moodle logs (including events related to administrative roles and other critical system events).
- Provides more detailed log information, such as:
  - Which users are changing roles and who they are assigning them to.
  - Specific event data (e.g., who changed configuration settings and when).
- Allows setting up filters to export relevant data (e.g., only for certain roles or event types).
- Ensures compatibility with popular SIEM systems for easy export of data in standard formats.
This would greatly improve the security, monitoring, and auditing capabilities of Moodle in real-world environments, enabling the detection of anomalies and faster event analysis.
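As an added example (not code from this tracker issue or from Moodle itself), the following Python extractor turns the row quoted above into the kind of record a SIEM needs: it unserializes the PHP-encoded `other` column and diffs the old and new `siteadmins` lists to name the user ids that were added or removed, alongside the `userid` column that identifies who saved the setting. It assumes the standard column order of mdl_logstore_standard_log (eventname second, userid thirteenth, other seventeenth) and uses a constructed sample row based on the one in the issue.

```python
# Added example: turn a mdl_logstore_standard_log row for a 'siteadmins'
# change into a SIEM record naming the user ids added or removed.
# Assumes the table's standard column order (eventname=1, userid=12, other=16).

def php_unserialize(data: str):
    """Minimal parser for the PHP-serialized 'other' column.
    Handles s (string), i (int), b (bool), N (null) and a (array)."""
    def parse(pos):
        kind = data[pos]
        if kind == "N":                      # N;
            return None, pos + 2
        if kind in "ib":                     # i:3049;  b:1;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            return (int(raw) if kind == "i" else raw == "1"), end + 1
        if kind == "s":                      # s:4:"name";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                # skip ':"'
            return data[start:start + length], start + length + 2
        if kind == "a":                      # a:4:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos, result = colon + 2, {}      # skip ':{'
            for _ in range(count):
                key, pos = parse(pos)
                result[key], pos = parse(pos)
            return result, pos + 1           # skip '}'
        raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")
    return parse(0)[0]

def siteadmin_change_event(row: str) -> dict:
    """Diff oldvalue/value of a 'siteadmins' config_log_created row so the
    SIEM sees who changed the admin list and which user ids were affected."""
    cols = [c.strip() for c in row.strip().strip("|").split("|")]
    other = php_unserialize(cols[16])
    if cols[1] != r"\core\event\config_log_created" or other.get("name") != "siteadmins":
        raise ValueError("not a siteadmins config change")
    old = {int(x) for x in other["oldvalue"].split(",") if x.strip()}
    new = {int(x) for x in other["value"].split(",") if x.strip()}
    return {
        "event": cols[1],
        "actor_userid": int(cols[12]),       # user who saved the setting
        "added_admins": sorted(new - old),
        "removed_admins": sorted(old - new),
    }

# Constructed sample row, based on the one quoted in the issue.
SAMPLE_ROW = r'| 105855866 | \core\event\config_log_created | core | created | config_log | config_log | 3049 | c | 0 | 1 | 10 | 0 | 3049 | 0 | NULL | 0 | a:4:{s:4:"name";s:10:"siteadmins";s:8:"oldvalue";s:27:"2, 3, 5, 3049, 66153, 84336";s:5:"value";s:30:"2, 3, 5, 3049, 66153, 84336, 8";s:6:"plugin";s:4:"core";} |'
```

Running `siteadmin_change_event(SAMPLE_ROW)` yields a record with actor 3049 and user 8 added to the site admins, which is the detail the raw row hides.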