# Audit Best Practices

## Supported audit options

When installing Immuta, these are the supported options for getting audit logs from events in Immuta:

| Supported audit options                                                                           | Requirements                                                                             |
| ------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| [Stream logs out of Kubernetes](#stream-logs-out-of-kubernetes)                                   | <ul><li><code>audit-service</code> enabled</li><li>Elasticsearch or OpenSearch</li></ul> |
| [Export logs out of Elasticsearch or OpenSearch](#export-logs-out-of-elasticsearch-or-opensearch) | <ul><li><code>audit-service</code> enabled</li><li>Elasticsearch or OpenSearch</li></ul> |

### Stream logs out of Kubernetes

{% hint style="success" %}
The recommended option is to stream logs out of Kubernetes for your audit needs.
{% endhint %}

Connect a SIEM integration to the `audit-service` pod and use STDOUT to stream audit logs from the container to your SIEM provider. The Helm chart is configured for this by default.

To reduce noise, filter the log collection on the custom log level `audit`. This ensures that only audit events are collected.

### Export logs out of Elasticsearch or OpenSearch

Use your preferred method to export the audit logs from the external Elasticsearch you have configured with your deployment.

## Retention period

{% hint style="info" %}
The retention period may be configured when starting the database while deploying Immuta and cannot be adjusted in an update.
{% endhint %}

The retention period for audit logs in Elasticsearch or OpenSearch is 7 days by default; this is configurable in your database. Before deploying Immuta, set the following in the [`immuta-values.yaml`](/latest/configuration/self-managed-deployment/install/managed-public-cloud.md#install-immuta) file to configure audit retention. This example sets audit retention to 90 days:

```yaml
audit:
  init:
    extraEnvVars:
      - name: AUDIT_RETENTION_POLICY_IN_DAYS
        value: "90"
```

The Immuta UI supports a maximum retention period of 90 days. Any audit logs older than 90 days will not appear in the UI.
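
Because the retention period cannot be adjusted in an update, it is worth checking the value before the first deployment. The following is an added example, not part of the Immuta documentation or product: it assumes `immuta-values.yaml` has already been parsed into a Python mapping by a YAML library, and the function name `check_audit_retention` and its finding messages are hypothetical.

```python
# Added example: pre-deploy lint for the audit retention value (not Immuta code).
ENV_NAME = "AUDIT_RETENTION_POLICY_IN_DAYS"  # variable name from this page
DEFAULT_DAYS = 7   # retention when the variable is not set, per this page
UI_MAX_DAYS = 90   # oldest audit logs the Immuta UI displays, per this page


def check_audit_retention(values):
    """Return (effective_days, findings) for parsed immuta-values.yaml content.

    `values` is the mapping a YAML parser returns for the file (assumption:
    the caller has already loaded it). effective_days is None when the
    configured value is unusable.
    """
    findings = []
    env_vars = ((values.get("audit") or {}).get("init") or {}).get("extraEnvVars") or []
    matches = [e for e in env_vars if isinstance(e, dict) and e.get("name") == ENV_NAME]
    if not matches:
        findings.append(f"{ENV_NAME} is not set: retention is {DEFAULT_DAYS} days "
                        "and cannot be adjusted in an update")
        return DEFAULT_DAYS, findings
    if len(matches) > 1:
        findings.append(f"{ENV_NAME} is defined {len(matches)} times")
        return None, findings
    raw = matches[0].get("value")
    if not isinstance(raw, str):
        # Unquoted 90 parses as an integer, but Kubernetes env values must be strings.
        findings.append(f"value {raw!r} is not a string: quote it in the YAML")
        return None, findings
    if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
        findings.append(f"value {raw!r} is not a positive whole number of days")
        return None, findings
    days = int(raw)
    if days > UI_MAX_DAYS:
        findings.append(f"{days} days exceeds the {UI_MAX_DAYS}-day UI maximum: "
                        "older logs will not appear in the Immuta UI")
    return days, findings


if __name__ == "__main__":
    # Constructed samples: the page's example, an unquoted value, and no setting.
    page_example = {"audit": {"init": {"extraEnvVars": [
        {"name": ENV_NAME, "value": "90"}]}}}
    unquoted = {"audit": {"init": {"extraEnvVars": [
        {"name": ENV_NAME, "value": 90}]}}}
    for sample in (page_example, unquoted, {}):
        print(check_audit_retention(sample))
```
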

## Dependencies

The `audit-service` requires Elasticsearch or OpenSearch to function. If your deployment does not include Elasticsearch or OpenSearch, `audit-service` must be turned off. See the following deployment examples with the set dependencies and the resulting functionality.

|              | Audit service        | Elasticsearch or OpenSearch | Result                               |
| ------------ | -------------------- | --------------------------- | ------------------------------------ |
| Deployment 1 | ✅                    | ✅                           | Full product and audit functionality |
| Deployment 2 | ✅                    | ❌                           | Unsupported configuration            |
| Deployment 3 | ❌                    | ❌                           | Functional product with no audit     |

See the [Requirements page](/latest/configuration/self-managed-deployment/deployment-requirements.md) for a high-level overview of the Immuta deployment requirements.


