Audit Logging

Configure comprehensive audit logging for all access events. Meet compliance requirements with immutable, searchable audit trails.

Estimated time: 20 minutes

Audit Capabilities

  • Complete Audit Trail: Every access event logged with full context
  • Advanced Search: Find any event with powerful search and filters
  • Export & SIEM: Export logs to your SIEM or data lake
  • Immutable Logs: Tamper-proof audit logs for compliance

What Gets Logged

Authentication events
Authorization decisions
Session start/end
Resource access
Configuration changes
Certificate operations
Policy violations
Admin actions

Configuration Steps

1. Configure Audit Backend

Set up where audit logs are stored.

tacctl create -f - <<EOF
kind: audit_config
metadata:
  name: production
spec:
  # Store in multiple backends
  audit_events_uri:
    - s3://tigeraccess-audit/events
    - dynamodb://audit-events

  # SIEM integration
  external_audit_storage:
    - type: syslog
      uri: syslog://siem.company.com:514
    - type: splunk
      uri: https://splunk.company.com:8088/services/collector
      token: ${SPLUNK_HEC_TOKEN}
EOF

2. Enable Event Streaming

Stream events in real time via NATS JetStream.

tacctl create -f - <<EOF
kind: audit_stream
metadata:
  name: real-time
spec:
  stream: AUDIT
  subjects:
    - audit.auth.*
    - audit.session.*
    - audit.access.*
  consumers:
    - name: siem-consumer
      deliver_policy: all
EOF

3. Configure Event Types

Select which events to log.

tacctl create -f - <<EOF
kind: cluster_audit_config
metadata:
  name: default
spec:
  # Events to audit
  events:
    - auth.login
    - auth.logout
    - session.start
    - session.end
    - access.request
    - access.approve
    - access.deny
    - config.change
    - cert.issue
    - cert.revoke
EOF

4. Search Audit Logs

Query logs with powerful search capabilities.

# Search by user
tac audit search [email protected] --from=24h

# Search by resource
tac audit search --resource=prod-db-1 --from=7d

# Search for specific events
tac audit search --event=auth.login --status=failed --from=1h

# Export to JSON
tac audit export --from=2024-01-01 --format=json > audit.json

Audit Logging Enabled

With audit logging configured, you have:

  • Complete audit trail for all access events
  • Real-time event streaming to SIEM
  • Full-text search across all events
  • Immutable, tamper-proof storage