Ingest Audit Logs

[Rotfuks]

Motivation

As we manage the infrastructure for our customers those systems are highly sensitive. In order to guarantee their safety we have to provide information about who is how and why accessing those systems. This can be done through audit logs. Therefore we need to provide audit logs to our customers.

Stories

Beta Give feedback

1. Add a log receiver on CAPI MCs to be able to receive teleport audit logs and send them to Loki and customers SIEMs #3343
   0 of 3
   kind/story team/atlas +2
2. https://github.com/giantswarm/giantswarm/issues/29095
3. https://github.com/giantswarm/giantswarm/issues/25602

Outcome

• We have Audit Logs for our systems ingested and can provide the audit information to our customers through the typical channels.

[TheoBrigitte]

Regarding Teleport audit events, there is a way to export events from our Teleport cloud and ship then into Fluentd (or probably any other JSON compatible log ingester ... Alloy 👀), but exported events are from all installations and I haven't found a way to filter events from the teleport side.

I did follow the Export Events with Fluentd guide, and used the identity file from kg get secret abc-identity-output -oyaml|yq -r .data.identity|base64 -d> identity.
We use Teleport cloud, meaning our Auth service is hosted at teleport.giantswarm.io, so events are produced at the cloud level. The teleport-event-handler would then connect to the Auth service and retrieve the events it contains.

Useful links:

• https://goteleport.com/docs/admin-guides/management/export-audit-events/fluentd/
• https://goteleport.com/docs/reference/monitoring/audit/#events
• https://goteleport.com/docs/reference/access-controls/roles/#filter-fields