Where would I find the logs for Fleet logins, user creation, query creation, execution, etc.? (to forward to a SIEM)
07/12/2022, 2:44 PM
Hi, @Ari Weinberg! The endpoint in the REST API has information on actions taken on packs, policies and queries. You may need to go to the Fleet server's logs (how to get to those will depend a bit on your setup). I'm checking to see if there are alternatives for that and will get back to you with any updates.
07/12/2022, 2:45 PM
Thanks so much!
Where would the Fleet server's logs get written to?
07/12/2022, 3:13 PM
Apparently you're thinking along the same lines as @Guillaume. He just created a ticket for adding an admin data stream with user actions. How the logs are handled depends on your environment. How do you have Fleet deployed?