#fleet

Ari Weinberg

07/12/2022, 2:19 PM
Where would I find the logs for fleet logins, user creation, query creation, execution, etc? (to forward to a SIEM)
Kathy Satterlee

07/12/2022, 2:44 PM
Hi, @Ari Weinberg! The /activities endpoint in the REST API has information on actions taken on packs, policies and queries. You may need to go to the Fleet server's logs (how to get to those will depend a bit on your setup). I'm checking to see if there are alternatives for that and will get back to you with any updates.

Ari Weinberg

07/12/2022, 2:45 PM
Thanks so much! Where would the Fleet server's logs get written to?
Kathy Satterlee

07/12/2022, 3:13 PM
Apparently you're thinking along the same lines as @Guillaume. He just created a ticket for adding an admin data stream with user actions. How the logs are handled depends on your environment. How do you have Fleet deployed?

Ari Weinberg

07/12/2022, 3:13 PM
via docker-compose
Kathy Satterlee

07/12/2022, 3:56 PM
In that case, you can configure the container to manage the logs in whatever way works best for you!

Ari Weinberg

07/12/2022, 3:57 PM
Yes, but those logs are super verbose. I really like the idea from above, so I'll keep an eye on that.
Kathy Satterlee

07/12/2022, 4:01 PM
Yeah, there's definitely a lot of information coming through the pipeline. I'll make a note to follow up with you if/when we get a timeline on that feature request.