Audit Best Practices

Supported audit options

When installing Immuta, these are the supported options for getting audit logs from events in Immuta:

| Supported audit option | Requirements |
| --- | --- |
| Stream logs out of Kubernetes | audit-service enabled; Elasticsearch or OpenSearch |
| Export logs out of Elasticsearch or OpenSearch | audit-service enabled; Elasticsearch or OpenSearch |

Stream logs out of Kubernetes


Point your SIEM's log collector at the audit-service pod and stream the audit log from the container's STDOUT to your SIEM provider:

  1. Set the following in immuta-values.yaml to enable STDOUT auditing (the value must be the string "true"):

     audit:
       deployment:
         extraEnvVars:
           - name: ENABLE_AUDITING
             value: "true"

  2. The container's STDOUT also carries ordinary service logs. To cut that noise, configure the log collector to keep only lines at the audit log level, so that only audit events reach the SIEM.
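The filter in step 2 is usually a one-line rule in the collector, but it is worth checking against real pod output before trusting it, because a wrong field name or level value silently drops every audit event. The script below is an added example, not Immuta's code or a documented log format: it assumes the audit-service container writes one JSON object per line with a "level" field whose value is "audit" for audit events, and both the field name and the value are assumptions to confirm against your own deployment. The sample lines are constructed. It keeps only audit events, emits them as compact JSON lines for the SIEM, and reports how many lines were dropped and why, which is the signal that the assumed format is wrong.

```python
"""Filter Immuta audit-service STDOUT so only audit events are forwarded.

Added example, not Immuta's own code. The JSON-lines format, the "level"
field and the "audit" level value are assumptions; confirm them against
`kubectl logs <audit-service pod>` in your deployment.
"""
import json
import sys

# Assumed field name and level value for audit events (not documented on the page).
LEVEL_FIELD = "level"
AUDIT_LEVEL = "audit"

# Constructed sample standing in for the audit-service container's STDOUT:
# audit events interleaved with ordinary service logs and one non-JSON line.
SAMPLE_STDOUT = """\
{"level":"info","msg":"audit-service listening","ts":"2024-05-01T09:00:00Z"}
{"level":"audit","action":"QUERY","actor":"alice@example.com","dataSource":"sales_orders","ts":"2024-05-01T09:00:05Z"}
plain text line that is not JSON
{"level":"debug","msg":"heartbeat","ts":"2024-05-01T09:00:10Z"}
{"level":"AUDIT","action":"SUBSCRIBE","actor":"bob@example.com","dataSource":"hr_salaries","ts":"2024-05-01T09:00:20Z"}
{"level":"audit","action":"QUERY","actor":"alice@example.com","dataSource":"hr_salaries","ts":"2024-05-01T09:00:30Z"}
"""


def parse_line(line):
    """Decode one log line; return the dict, or None if it is not a JSON object."""
    line = line.strip()
    if not line:
        return None
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def is_audit_event(obj, level_field=LEVEL_FIELD, audit_level=AUDIT_LEVEL):
    """True when the line's level matches the audit level, case-insensitively."""
    return str(obj.get(level_field, "")).lower() == audit_level.lower()


def filter_stream(lines, level_field=LEVEL_FIELD, audit_level=AUDIT_LEVEL):
    """Split a log stream into audit events plus counts of what was dropped.

    The counts are the sanity check: if not_json dominates, STDOUT is not JSON
    lines; if other_level is high and audit is zero, the level name assumed
    above is wrong for this deployment and the collector rule needs changing.
    """
    events = []
    stats = {"audit": 0, "other_level": 0, "not_json": 0}
    for line in lines:
        obj = parse_line(line)
        if obj is None:
            if line.strip():
                stats["not_json"] += 1
            continue
        if is_audit_event(obj, level_field, audit_level):
            events.append(obj)
            stats["audit"] += 1
        else:
            stats["other_level"] += 1
    return events, stats


def forward(lines, sink, **kwargs):
    """Write only the audit events to sink as compact JSON lines; return the count."""
    events, _ = filter_stream(lines, **kwargs)
    for ev in events:
        sink.write(json.dumps(ev, separators=(",", ":"), sort_keys=True) + "\n")
    return len(events)


def actors_by_data_source(events):
    """Map each data source to the sorted set of actors that touched it."""
    summary = {}
    for ev in events:
        summary.setdefault(ev.get("dataSource", "?"), set()).add(ev.get("actor", "?"))
    return {source: sorted(actors) for source, actors in summary.items()}


if __name__ == "__main__":
    # Real use: kubectl logs <audit-service pod> | python3 audit_filter.py
    # With no piped input the constructed sample is used instead.
    lines = list(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STDOUT.splitlines()
    events, stats = filter_stream(lines)
    forward([json.dumps(e) for e in events], sys.stdout)
    print(f"dropped/kept: {stats}", file=sys.stderr)
```

Run it once against a short capture of the pod's logs and compare the counts with what you see in the Immuta UI for the same window; a mismatch means the collector rule, not the SIEM, is where events are being lost.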

Export logs out of Elasticsearch or OpenSearch

Use your preferred method to export the audit logs from the external Elasticsearch or OpenSearch instance configured for your deployment.

Retention period

The default retention period for audit logs in Elasticsearch or OpenSearch is 7 days. It is configurable in your database to whatever limit your organization requires.

The Immuta UI displays at most 90 days of audit logs. If you configure a retention period longer than 90 days, audit logs older than 90 days are not shown in the UI; retrieve them directly from Elasticsearch or OpenSearch instead.

Deploying Immuta

Before deploying Immuta, set the following in the immuta-values.yaml to configure audit retention. This example updates audit retention to 90 days:

Updating

If you want to update the retention period after Immuta has been deployed, you must update the following database column in the Immuta database:

Dependencies

The audit-service requires Elasticsearch or OpenSearch to function. If your deployment does not include Elasticsearch or OpenSearch, the audit-service must be disabled. The following deployment examples show each combination of dependencies and the resulting functionality.

| Deployment | Audit service | Elasticsearch or OpenSearch | Result |
| --- | --- | --- | --- |
| Deployment 1 | Enabled | Present | Full product and audit functionality |
| Deployment 2 | Enabled | Absent | Unsupported configuration |
| Deployment 3 | Disabled | Absent | Functional product with no audit |

See the Requirements page for a high-level overview of the Immuta deployment requirements.
