Audit logs
Beta: This feature is currently in beta. Contact EngFlow if you'd like to use it.
EngFlow audit logs record security-relevant events on your cluster, such as user authentication and access to cached build artifacts. Each log entry captures who performed an action, from where, and what the outcome was.
Audit logs are stored separately from application logs because they contain sensitive information, including user email addresses, IP addresses, and user agent strings.
Logged events
Audit log entries are modeled after the Elastic Common Schema (ECS) and cover three categories of events:
| Category | Events |
|---|---|
| Authentication | User sign in and sign out on the EngFlow Build and Test UI |
| File | Action cache reads, writes, and deletes; Content Addressable Storage (CAS) reads and writes |
| IAM | User creation, update, and deletion using the SCIM API |
Each entry is a JSON object that includes the event action and outcome, the email and roles of the user who performed the action, the source IP address, and the user agent string.
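As an added example (not EngFlow's own code), a small Python scan over constructed ECS-style entries from the three categories above: it tolerates malformed lines, counts failed sign-ins per source IP, and lists delete actions together with the user who issued them. The field names (event.category, event.action, event.outcome, user.email, user.roles, source.ip, user_agent.original) and action values such as sign_in and action_cache_delete are assumptions following ECS conventions; the authoritative names are on the Audit log schema page.

```python
import json
from collections import Counter
# Field names follow Elastic Common Schema conventions; EngFlow's exact field
# names are on the separate schema page, so treat these names as assumptions.
def _entry(category, action, outcome, email, ip, roles=("user",)):
    """Serialize one constructed ECS-style audit entry as a JSON line."""
    return json.dumps({
        "event": {"category": category, "action": action, "outcome": outcome},
        "user": {"email": email, "roles": list(roles)},
        "source": {"ip": ip},
        "user_agent": {"original": "constructed-agent/1.0"},
    })
# Constructed sample lines (not real cluster data); the last one is malformed.
SAMPLE_LINES = [
    _entry("authentication", "sign_in", "failure", "alice@example.com", "203.0.113.7"),
    _entry("authentication", "sign_in", "failure", "alice@example.com", "203.0.113.7"),
    _entry("authentication", "sign_in", "failure", "bob@example.com", "203.0.113.7"),
    _entry("authentication", "sign_in", "success", "carol@example.com", "198.51.100.2"),
    _entry("file", "action_cache_delete", "success", "carol@example.com", "198.51.100.2", ("admin",)),
    _entry("iam", "user_delete", "success", "scim@example.com", "192.0.2.10", ("admin",)),
    "not json at all",
]

def parse_entries(lines):
    """Parse JSON lines, skipping malformed ones instead of aborting the scan."""
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line from the shipper should not stop the run
    return entries

def field(entry, path, default=None):
    """Walk a dotted ECS path such as 'event.outcome' without raising KeyError."""
    for key in path.split("."):
        entry = entry.get(key) if isinstance(entry, dict) else None
    return default if entry is None else entry

def failed_sign_ins_by_ip(entries, threshold=3):
    """Source IPs with at least `threshold` failed authentication events."""
    counts = Counter(field(e, "source.ip", "unknown") for e in entries
                     if field(e, "event.category") == "authentication"
                     and field(e, "event.outcome") == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def destructive_events(entries):
    """Cache-artifact and user deletes are rare, so list each with its actor."""
    return [(field(e, "event.category"), field(e, "event.action"), field(e, "user.email"))
            for e in entries if field(e, "event.action", "").endswith("delete")]
```

The same three functions apply unchanged to lines exported from Google Cloud Logging or CloudWatch Logs once the real field names are substituted.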
Log destinations
EngFlow uses Fluent Bit to ship audit logs from the cluster host to your cloud logging backend.
On Google Cloud, audit logs are shipped to Google Cloud Logging. Logs are associated with the gce_instance resource type and grouped under the engflow_logs job label, where you can query them using Log Explorer.
On AWS, audit logs are shipped to Amazon CloudWatch Logs. They are sent to a separate audit log group, and you can query them using CloudWatch Logs Insights.
Log schema
See Audit log schema for the full schema and field reference.
Enabling audit logs
Contact EngFlow to enable audit logs for your cluster.