Ship audit activity to external destinations #8416

Closed
zhumo opened this issue Oct 22, 2022 · 10 comments
Assignees
Labels
~customer request An enhancement requested by a Fleet customer customer-domon #g-endpoint-ops Endpoint ops product group #legacy-platform-group Legacy: platform group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature

Comments

@zhumo (Contributor) commented Oct 22, 2022

Problem

As a Fleet admin who is expanding my Fleet user base to other teams/groups/departments in my organization, I want to aggregate users' Fleet activity in an external destination built for storage and analytics purposes, so that I can analyze user activity in case of issues or set up monitoring to detect non-standard usage.

Business Case

This enables Fleet to be used by a more diverse user base. It reduces the hesitancy on the part of the Fleet admin to give more access more broadly.

Analytics

  • number of Fleet installations with audit logs turned on

Requirements

  • The audit log destination is essentially treated as analogous to the existing osquery_result_log_plugin option.
  • There is a configuration activity_audit_log_plugin which accepts the same set of options as osquery_result_log_plugin.
  • For each of the external destinations, there is a key equivalent to osquery's result_stream called activity_audit_stream, which pushes the data to a certain stream in the external destination.
  • The audit log will support the same log streaming options as osquery result and status logs: filesystem, firehose, kinesis, lambda, pubsub, kafkarest, and stdout.
  • This is a premium-only feature.

Documentation

Analytics

  • In usage statistics, count number of Fleet installations with this feature turned on.

--

Related

PR: #9001

Child issues

Platform team

Documentation

  • See the documentation added in the PR.
@zhumo zhumo added story A user story defining an entire feature customer-domon #legacy-platform-group Legacy: platform group labels Oct 22, 2022
@zhumo zhumo self-assigned this Oct 22, 2022
@zhumo zhumo added the ~customer request An enhancement requested by a Fleet customer label Dec 2, 2022
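The user story above asks for monitoring that detects non-standard usage once activities are streamed to an external destination. As an added example, not code from the issue, the linked PR or Fleet itself, here is a small Go detector run over constructed audit-log lines. It assumes the shipped log carries one JSON activity per line with the fields the Fleet activities API exposes (created_at, id, actor_email, type, details); the field names, the list of sensitive activity types, the thresholds and the sample records are all assumptions for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Activity is the assumed shape of one audit-log line: one JSON object per
// activity with the fields the Fleet activities API exposes (assumption).
type Activity struct {
	CreatedAt  time.Time       `json:"created_at"`
	ID         int64           `json:"id"`
	ActorEmail string          `json:"actor_email"`
	Type       string          `json:"type"`
	Details    json.RawMessage `json:"details"`
}

// Finding is one detection result: the rule that fired, the actor, and why.
type Finding struct{ Rule, Actor, Msg string }

// sensitiveTypes change who can do what in Fleet or destroy saved state;
// any single one is worth surfacing. The list is an assumption.
var sensitiveTypes = map[string]bool{
	"created_user": true, "deleted_user": true, "changed_user_global_role": true,
	"changed_user_team_role": true, "deleted_policy": true, "deleted_saved_query": true,
}

// ParseAuditLog decodes newline-delimited JSON. A malformed line is counted
// and skipped, not fatal: one corrupt record must not blind the monitoring.
func ParseAuditLog(raw string) (acts []Activity, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var a Activity
		if err := json.Unmarshal([]byte(line), &a); err != nil {
			skipped++
			continue
		}
		acts = append(acts, a)
	}
	return acts, skipped
}

// Detect applies two rules: a sensitive activity type fires on its own, and
// more than maxPerWindow activities by one actor inside a sliding window
// fires once per actor (scripted or bulk use of an admin account).
func Detect(acts []Activity, window time.Duration, maxPerWindow int) []Finding {
	var findings []Finding
	byActor := map[string][]time.Time{}
	for _, a := range acts {
		if sensitiveTypes[a.Type] {
			findings = append(findings, Finding{"sensitive_activity", a.ActorEmail,
				fmt.Sprintf("%s performed %s (activity id %d)", a.ActorEmail, a.Type, a.ID)})
		}
		byActor[a.ActorEmail] = append(byActor[a.ActorEmail], a.CreatedAt)
	}
	actors := make([]string, 0, len(byActor))
	for actor := range byActor {
		actors = append(actors, actor)
	}
	sort.Strings(actors) // deterministic output order
	for _, actor := range actors {
		ts := byActor[actor]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for start, end := 0, 0; end < len(ts); end++ {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > maxPerWindow {
				findings = append(findings, Finding{"burst", actor,
					fmt.Sprintf("%s: %d activities within %s", actor, n, window)})
				break
			}
		}
	}
	return findings
}

// Constructed sample: six activities plus one corrupt line. The last four are
// live queries by one actor 10 seconds apart.
const sampleAuditLog = `{"created_at":"2022-12-08T17:13:12Z","id":1,"actor_email":"alice@example.com","type":"created_policy","details":{"policy_id":7,"policy_name":"Gatekeeper enabled"}}
{"created_at":"2022-12-08T17:14:02Z","id":2,"actor_email":"bob@example.com","type":"changed_user_global_role","details":{"user_id":5,"role":"admin"}}
this line is not JSON and must be skipped, not fatal
{"created_at":"2022-12-08T17:20:00Z","id":3,"actor_email":"mallory@example.com","type":"live_query","details":{"targets_count":120}}
{"created_at":"2022-12-08T17:20:10Z","id":4,"actor_email":"mallory@example.com","type":"live_query","details":{"targets_count":120}}
{"created_at":"2022-12-08T17:20:20Z","id":5,"actor_email":"mallory@example.com","type":"live_query","details":{"targets_count":120}}
{"created_at":"2022-12-08T17:20:30Z","id":6,"actor_email":"mallory@example.com","type":"live_query","details":{"targets_count":120}}
`

func main() {
	acts, skipped := ParseAuditLog(sampleAuditLog)
	fmt.Printf("parsed %d activities, skipped %d malformed line(s)\n", len(acts), skipped)
	for _, f := range Detect(acts, 2*time.Minute, 3) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Msg)
	}
}
```

Two points matter more for an audit feed than for osquery result logs: a malformed record is skipped and counted rather than aborting the batch (one bad line must not hide the admin activity after it), and findings come out in a deterministic order so the same input always yields the same alerts. The two-minute window and the threshold of three are placeholders; tune them against a week of real activity before paging on them.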
@lucasmrod (Member)

Hi folks!

Let's define what we mean by "audit activities/logs".

Is it the activities we track in the "Activity" section?
[Screenshot 2022-12-08 at 14:22:36: the Activity section of the Fleet UI]

Asking because the video mentions Fleet's stdout and stderr when talking about "audit logs".
For instance, I'm running Fleet locally and I created a test policy and fleet's stdout was empty, and stderr contained the following:

level=info ts=2022-12-08T17:13:12.987772Z component=redis mode=standalone
level=info ts=2022-12-08T17:13:13.013995Z msg="started cron schedules: automations, cleanups_then_aggregation, integrations, usage_statistics, vulnerabilities"
ts=2022-12-08T17:13:13.030212Z transport=https address=0.0.0.0:8080 msg=listening
level=info ts=2022-12-08T17:13:15.360995Z component=http path=/api/latest/fleet/device/a4900dc2-762b-48b6-acce-d829feefe636/desktop internal="authentication error: invalid device authentication token" err=": Authentication required"
level=error ts=2022-12-08T17:13:19.819087Z component=http user=unauthenticated method=POST uri=/api/fleet/orbit/enroll took=260.064779ms hardware_uuid=0a084d56-6f5f-fcef-f17d-dbca1c9e706b err="enroll host failed: maximum number of hosts reached: 1"
level=info ts=2022-12-08T17:13:20.363647Z component=http path=/api/latest/fleet/device/a4900dc2-762b-48b6-acce-d829feefe636/desktop internal="authentication error: invalid device authentication token" err=": Authentication required"
level=info ts=2022-12-08T17:13:25.361938Z component=http path=/api/latest/fleet/device/a4900dc2-762b-48b6-acce-d829feefe636/desktop internal="authentication error: invalid device authentication token" err=": Authentication required"
level=error ts=2022-12-08T17:13:28.860183Z cron=cleanups_then_aggregation schedule=cleanups_then_aggregation msg="unlock failed" err="context canceled"
level=error ts=2022-12-08T17:13:28.8602Z cron=integrations schedule=integrations msg="unlock failed" err="context canceled"
level=error ts=2022-12-08T17:13:28.860232Z cron=vulnerabilities schedule=vulnerabilities msg="unlock failed" err="context canceled"
[...]

which doesn't show the policy creation activity. (Fleet's stderr contains all sorts of logs that the user may not be interested in.)

@lucasmrod (Member)

We clarified this on a call and what we want to stream to an external destination are the activities (as shown in the screenshot).

@lucasmrod (Member)

@zhumo This only requires code changes in #platform. Shall I edit the description to remove the remaining TODOs?

@zhumo (Contributor, Author) commented Dec 9, 2022

Yes please go ahead!

@lucasmrod (Member)

@zhumo To not cause issues (and/or degrade performance) with admin operations that will generate activities (ideally all), we'll stream the activity externally on a separate asynchronous job.
Is a delay, of, say, 5 minutes on the external streaming acceptable? (In other words: The activity will be visible in the UI instantly as usual, but the streaming to the external destination may take up to 5 minutes.)

@chiiph
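The decoupling proposed in the comment above (the activity is written synchronously and becomes visible immediately, while a separate job streams it out and may lag by a few minutes) as an added example in Go, not code from the issue or from Fleet. The store, the Sink interface, the cursor field and the flaky test sink are assumptions of the example; Fleet's own implementation lives in the linked PR, not here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Activity is the minimal record shipped here: a monotonic ID (as a database
// auto-increment gives) plus a type. Assumed shape, not Fleet's table.
type Activity struct {
	ID   int64
	Type string
}

// ActivityStore stands in for the activities table. Only Record is on the
// request path, so an admin operation never waits on the external sink.
type ActivityStore struct{ rows []Activity }

func (s *ActivityStore) Record(typ string) Activity {
	a := Activity{ID: int64(len(s.rows)) + 1, Type: typ}
	s.rows = append(s.rows, a)
	return a
}

// After returns up to limit activities with ID > cursor, in ID order.
func (s *ActivityStore) After(cursor int64, limit int) (out []Activity) {
	for _, a := range s.rows {
		if a.ID > cursor && len(out) < limit {
			out = append(out, a)
		}
	}
	return out
}

// Sink is the external destination (filesystem, Firehose, Kafka REST, ...).
type Sink interface {
	Write(ctx context.Context, batch []Activity) error
}

// Shipper drains the store in batches and advances Cursor only after the sink
// accepted a batch: a failed write is retried on the next pass, nothing is lost.
type Shipper struct {
	Store     *ActivityStore
	Sink      Sink
	BatchSize int
	Cursor    int64 // last shipped ID; persist it so a restart resumes here
}

// ShipOnce performs one pass and reports how many activities it shipped.
func (sh *Shipper) ShipOnce(ctx context.Context) (int, error) {
	shipped := 0
	for {
		batch := sh.Store.After(sh.Cursor, sh.BatchSize)
		if len(batch) == 0 {
			return shipped, nil
		}
		if err := sh.Sink.Write(ctx, batch); err != nil {
			return shipped, err // Cursor untouched: this batch is retried later
		}
		sh.Cursor = batch[len(batch)-1].ID
		shipped += len(batch)
	}
}

// flakySink rejects its first `failures` writes, then keeps what it receives;
// constructed for the example to show retry without loss or duplication.
type flakySink struct {
	failures int
	Got      []Activity
}

func (f *flakySink) Write(_ context.Context, batch []Activity) error {
	if f.failures > 0 {
		f.failures--
		return errors.New("destination unavailable")
	}
	f.Got = append(f.Got, batch...)
	return nil
}

func main() {
	store, sink := &ActivityStore{}, &flakySink{failures: 1}
	sh := &Shipper{Store: store, Sink: sink, BatchSize: 3}
	for _, typ := range []string{"created_policy", "created_user", "deleted_policy"} {
		store.Record(typ) // request path: returns immediately, never touches the sink
	}
	// In production ShipOnce runs from a scheduled job (for example every 5
	// minutes); two passes here stand in for two ticks, the first one failing.
	for pass := 1; pass <= 2; pass++ {
		n, err := sh.ShipOnce(context.Background())
		fmt.Printf("pass %d: shipped %d, cursor %d, err %v\n", pass, n, sh.Cursor, err)
	}
}
```

The property worth keeping is that Cursor only moves after the destination has accepted a batch, so an outage delays the feed but never drops an activity. The trade-off is at-least-once delivery: if the destination stored a batch but the acknowledgement was lost, the batch is sent again, so the consumer should de-duplicate on the activity id. Persist Cursor with the same durability as the activities table; an in-memory cursor re-ships everything after a restart.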

@zhumo (Contributor, Author) commented Dec 15, 2022 via email

@zhumo (Contributor, Author) commented Jan 9, 2023

#9001

@zhumo zhumo closed this as completed Jan 9, 2023
@noahtalerman (Member)

Reopening this issue because the feature hasn't been released.

@noahtalerman noahtalerman reopened this Jan 9, 2023
@noahtalerman noahtalerman added #g-endpoint-ops Endpoint ops product group :product Product Design department (shows up on 🦢 Drafting board) labels Jan 12, 2023
@fleet-release (Contributor)

/docs/configuration/config.md)

Auditing activity

  • Easily done
  • Stream to clouds
  • Graphs to analyze

@lukeheath lukeheath reopened this Jan 27, 2023
@fleet-release (Contributor)

/docs/content/admin/configuration.md#activity-audit-log-plugin) for more details.

A distant stream,
Audit logs, insights gleaned,
Fleet usage soars.

Status: 🙌 Confirm & Celebrate
6 participants