Although the platform provides a centralized view of audit logs (system, kubectl and opa) and aggregates the audit logs, it does not store audit logs beyond a certain limit. Also, it is common for security operations teams to want these logs visible in their SIEM such as Splunk to ensure they can perform forensics and analytics in a standardized manner.
- Splunk Cloud
- AWS CloudWatch
It is common for users to operate their SIEMs in private security domains i.e. aggregation endpoints are not directly visible and not open on the Internet. To ensure audit logs can still be aggregated in deployments such as this, we provide a Helm Chart to deploy on one of their managed clusters that has line of sight to the SIEM aggregation endpoint.
Once deployed, the "log aggregation" workload will automatically scrape the latest audit logs from your Org's audit logging system to the configured SIEM (self hosted or Cloud). The audit log harvester workload can be operated on a small infrastructure cluster that is available 24/7.
Only one instance is needed for the entire organization.