Anyone know if Fleet audit logs for admin actions I can see osquery #kolide

Anyone know if Fleet audit logs for admin actions?...

Dan Achin

11/03/2020, 8:33 PM

Anyone know if Fleet audit logs for admin actions? I can see a lot of client access in the nginx logs, but not finding anything for the UI or any actions performed there. I'm guessing that changes made like new users, or updates to packs are logged in the DB. Is that right?

zwass

11/03/2020, 8:35 PM

Those things are logged to stderr

Dan Achin

11/03/2020, 9:29 PM

ok, thanks!

Dan Achin

11/03/2020, 9:32 PM

that seems like an odd play to write those kinds of messages. any insight into why stderr was chosen?

zwass

11/03/2020, 10:12 PM

Originally there was logging for every endpoint on stderr as is common with HTTP servers. That logging was very verbose and most folks seemed to want to use it as more of an audit log. Now most of it is hidden unless

logging_debug

flag is set.

Dan Achin

11/03/2020, 10:37 PM

got it, thanks. I see that here - https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md I don't see where that will redirect the logs to though

2 Views

Open in Slack

Previous Next