Audit Best Practices
Supported audit options
When installing Immuta, these are the supported options for getting audit logs from events in Immuta. Both options require the audit-service to be enabled and an Elasticsearch or OpenSearch instance to be configured:

Option                                          Requirements
Stream logs out of Kubernetes                   audit-service enabled; Elasticsearch or OpenSearch
Export logs out of Elasticsearch or OpenSearch  audit-service enabled; Elasticsearch or OpenSearch
Stream logs out of Kubernetes
The recommended option is to stream logs out of Kubernetes for your audit needs.
Connect a SIEM integration to the audit-service pod and use STDOUT to stream audit logs from the container to your SIEM provider:
Set the following in the immuta-values.yaml to enable STDOUT auditing:

    audit:
      deployment:
        extraEnvVars:
          - name: ENABLE_AUDITING
            value: "true"

To clear up noise, you can filter the log collection on a custom log level of audit. This ensures only audit events are collected.
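The filtering step above is where most of the value of STDOUT auditing comes from: the same container stream carries startup, health and debug chatter next to the audit records, and the collector should keep only the audit level. The following is an added example, not Immuta's code, showing that filter applied to a captured slice of container STDOUT. The page does not document the audit-service line format, so the JSON shape and field names (level, actor, action, dataSource, ts) are assumptions constructed for illustration; the point is the level-based selection, the handling of unparseable lines, and the accounting of what was dropped so you can tell when the collector is silently losing events.

```python
import json
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample of audit-service container STDOUT. The real line format
# and field names of Immuta's audit records are not given on this page, so
# these JSON records are an assumption made for illustration only.
SAMPLE_STDOUT = """\
{"level": "info", "msg": "audit-service listening on :8080"}
{"level": "audit", "actor": "alice", "action": "QUERY", "dataSource": "hr_salaries", "ts": "2024-01-01T00:00:00Z"}
{"level": "debug", "msg": "health check ok"}
not a json line at all
{"level": "AUDIT", "actor": "bob", "action": "POLICY_UPDATE", "ts": "2024-01-01T00:01:00Z"}
{"msg": "line without a level field"}
"""

# The custom log level the page says to filter the collection on.
AUDIT_LEVEL = "audit"


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one STDOUT line as a JSON object; return None for anything else."""
    line = line.strip()
    if not line:
        return None
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    # A bare JSON string or number is not a log record either.
    return record if isinstance(record, dict) else None


def is_audit_event(record: Dict[str, Any]) -> bool:
    """True when the record's log level is the audit level (case-insensitive)."""
    level = record.get("level")
    return isinstance(level, str) and level.lower() == AUDIT_LEVEL


def filter_audit_events(lines: Iterable[str]) -> Tuple[List[Dict[str, Any]], Dict[str, int]]:
    """Keep only audit-level records and count what was dropped and why.

    The counters are the operational signal: a rising 'unparseable' count means
    the container is emitting something the collector cannot read, and those
    lines may include audit events that never reach the SIEM.
    """
    events: List[Dict[str, Any]] = []
    stats = {"kept": 0, "other_level": 0, "unparseable": 0}
    for line in lines:
        if not line.strip():
            continue  # blank lines are not noise worth counting
        record = parse_line(line)
        if record is None:
            stats["unparseable"] += 1
            continue
        if not is_audit_event(record):
            stats["other_level"] += 1
            continue
        events.append(record)
        stats["kept"] += 1
    return events, stats


def to_siem_lines(events: List[Dict[str, Any]]) -> List[str]:
    """Re-serialise kept events as compact one-record-per-line JSON for forwarding."""
    return [json.dumps(e, sort_keys=True, separators=(",", ":")) for e in events]


if __name__ == "__main__":
    kept, summary = filter_audit_events(SAMPLE_STDOUT.splitlines())
    for out in to_siem_lines(kept):
        print(out)
    print("summary:", summary)
```

In a real pipeline the collector sidecar or agent does this selection on the container stream; the value of reproducing it here is seeing that a missing or non-string level field is treated as non-audit rather than crashing the filter, and that the dropped-line counters give you something to alert on.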
Export logs out of Elasticsearch or OpenSearch
Use your preferred method to export the audit logs from the external Elasticsearch you have configured with your deployment.
Retention period
The retention period for audit logs in Elasticsearch or OpenSearch is 7 days. However, this is configurable in your database. Before deploying Immuta, set the following in the immuta-values.yaml to configure audit retention. This example updates audit retention to 90 days:
The Immuta UI supports a maximum retention period of 90 days. Any audit logs older than 90 days will not appear in the UI.
Dependencies
The audit-service requires Elasticsearch or OpenSearch to function. If your deployment does not include Elasticsearch or OpenSearch, audit-service must be turned off. See the following deployment examples with the set dependencies and the resulting functionality.
Deployment     audit-service enabled   Elasticsearch or OpenSearch   Result
Deployment 1   ✅                      ✅                            Full product and audit functionality
Deployment 2   ✅                      ❌                            Unsupported configuration
Deployment 3   ❌                      ❌                            Functional product with no audit
See the Requirements page for a high-level overview of the Immuta deployment requirements.