Where would I find the logs for fleet logins, user creation, query creation, execution, etc? (to forward to a SIEM)

Hi, @Ari Weinberg! The

/activities

endpoint in the REST API has information on actions taken on packs, policies and queries. You may need to go to the Fleet server's logs (how to get to those will depend a bit on your setup). I'm checking to see if there are alternatives for that and will get back to you with any updates.

Thanks so much! Where would the fleet servers logs get written to?

Apparently you're thinking along the same lines as @Guillaume. He just created a ticket for adding an admin data stream with user actions. How the logs are handled depends on your environment. How do you have Fleet deployed?

via docker-compose

In that case, you can configure the container to manage the logs in whatever way works best for you!

Yes but those logs are super verbose. I really like the idea from above, so Ill keep an eye on that.

Yeah, there's definitely a lot of information coming through the pipeline. I'll make a note to follow up with you if/when we get a timeline on that feature request.