Audit logs¶
Beta
This feature is currently in beta. Contact EngFlow if you'd like to use it.
EngFlow audit logs record security-relevant events on your cluster, such as user authentication and access to cached build artifacts. Each log entry captures who performed an action, from where, and what the outcome was.
Audit logs are stored separately from application logs because they contain sensitive information, including user email addresses, IP addresses, and user agent strings.
Logged events¶
Audit log entries are modeled after the Elastic Common Schema (ECS) and cover the following categories of events:
| Category | Value | Events |
|---|---|---|
| Authentication | auth | User sign in and sign out on the EngFlow Build and Test UI |
| IAM | iam | User creation, update, and deletion using the SCIM API |
| File | file | Action cache and Content Addressable Storage (CAS) reads, writes, and deletes |
Each entry is a JSON object that includes the event action and outcome, the email and roles of the user who performed the action, the source IP address, and the user agent string.
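The two rules below show how a detection job can consume these entries once they reach your logging backend: counting failed sign-ins per source IP and flagging CAS deletes by users who lack an administrative role. This is an added example, not EngFlow code. The sample log lines are constructed, and the field names (event.category, event.action, event.outcome, user.email, user.roles, source.ip, user_agent.original) and action values (sign_in, cas_delete, user_create) are assumptions based on ECS conventions; confirm them against the Audit log schema page before turning this into a production rule.

```python
import json
from collections import Counter

# Constructed sample audit log (JSON lines), not real EngFlow output.
# Field names follow ECS conventions and the action names are assumptions;
# check the Audit log schema page for the real names before deploying a rule.
SAMPLE_LOG = """
{"event": {"category": "auth", "action": "sign_in", "outcome": "failure"}, "user": {"email": "alice@example.com", "roles": ["developer"]}, "source": {"ip": "203.0.113.7"}, "user_agent": {"original": "Mozilla/5.0"}}
{"event": {"category": "auth", "action": "sign_in", "outcome": "failure"}, "user": {"email": "alice@example.com", "roles": ["developer"]}, "source": {"ip": "203.0.113.7"}, "user_agent": {"original": "Mozilla/5.0"}}
{"event": {"category": "auth", "action": "sign_in", "outcome": "failure"}, "user": {"email": "alice@example.com", "roles": ["developer"]}, "source": {"ip": "203.0.113.7"}, "user_agent": {"original": "Mozilla/5.0"}}
{"event": {"category": "auth", "action": "sign_in", "outcome": "success"}, "user": {"email": "alice@example.com", "roles": ["developer"]}, "source": {"ip": "203.0.113.7"}, "user_agent": {"original": "Mozilla/5.0"}}
{"event": {"category": "auth", "action": "sign_in", "outcome": "failure"}, "user": {"email": "bob@example.com", "roles": ["developer"]}, "source": {"ip": "198.51.100.4"}, "user_agent": {"original": "Mozilla/5.0"}}
{"event": {"category": "file", "action": "cas_read", "outcome": "success"}, "user": {"email": "carol@example.com", "roles": ["developer"]}, "source": {"ip": "203.0.113.9"}, "user_agent": {"original": "bazel/7.1.0"}}
{"event": {"category": "file", "action": "cas_delete", "outcome": "success"}, "user": {"email": "carol@example.com", "roles": ["developer"]}, "source": {"ip": "203.0.113.9"}, "user_agent": {"original": "curl/8.5.0"}}
{"event": {"category": "file", "action": "cas_delete", "outcome": "success"}, "user": {"email": "dave@example.com", "roles": ["admin"]}, "source": {"ip": "203.0.113.10"}, "user_agent": {"original": "curl/8.5.0"}}
{"event": {"category": "iam", "action": "user_create", "outcome": "success"}, "user": {"email": "scim-provisioner@example.com", "roles": ["admin"]}, "source": {"ip": "192.0.2.15"}, "user_agent": {"original": "scim-client/1.0"}}
this line is not JSON and must be skipped rather than abort the job
"""


def parse_entries(text):
    """Parse JSON lines, skipping blank and malformed lines.

    Log shippers can emit partial or truncated lines; a detection job
    must keep going past one bad record instead of losing the batch.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except ValueError:
            continue
    return entries


def field(entry, path, default=None):
    """Walk a dotted ECS path such as 'event.outcome' through nested dicts."""
    node = entry
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def failed_sign_ins_by_source(entries, threshold=3):
    """Return {source.ip: count} for sources with at least `threshold` failed sign-ins."""
    counts = Counter(
        field(e, "source.ip", "unknown")
        for e in entries
        if field(e, "event.category") == "auth"
        and field(e, "event.action") == "sign_in"
        and field(e, "event.outcome") == "failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cas_deletes_without_role(entries, required_role="admin"):
    """Return (email, source ip, user agent) for CAS deletes by users lacking `required_role`."""
    hits = []
    for e in entries:
        if field(e, "event.category") != "file" or field(e, "event.action") != "cas_delete":
            continue
        if required_role in field(e, "user.roles", []):
            continue
        hits.append((field(e, "user.email"), field(e, "source.ip"), field(e, "user_agent.original")))
    return hits


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries")
    print("repeated sign-in failures:", failed_sign_ins_by_source(entries))
    print("CAS deletes by non-admins:", cas_deletes_without_role(entries))
```

The user agent string is worth keeping in the alert: a CAS delete from curl rather than from a Bazel client is the kind of detail that separates a scripted cleanup from someone poking at the cache by hand.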
Excluding categories¶
You can exclude individual categories from the audit log with the --audit_log_excluded_categories flag. The flag accepts multiple values, using the literals from the Value column of the table above. Events in an excluded category are not written to the audit log at all, so weigh the loss of that audit trail before excluding a category such as auth. For example, to suppress file-access and authentication events:
Log destinations¶
EngFlow uses Fluent Bit to ship audit logs from the cluster host to your cloud logging backend.
On Google Cloud, audit logs are shipped to Google Cloud Logging. Entries are associated with the gce_instance resource type and grouped under the engflow_logs job label, and you can query them in Logs Explorer.
On AWS, audit logs are shipped to Amazon CloudWatch Logs. They are sent to a separate audit log group, distinct from the application log group, and you can query them with CloudWatch Logs Insights.
Log schema¶
See Audit log schema for the full schema and field reference.
Enabling audit logs¶
Contact EngFlow to enable audit logs for your cluster.