gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Guide to managing Teleport audit logs via the ELK stack #13157

Closed ptgott closed 2 years ago

ptgott commented 2 years ago

Details

See #2922

ptgott commented 2 years ago

It's currently not possible to forward logs from the event-handler plugin to Logstash if the event-handler plugin is configured to establish an mTLS handshake with Logstash. Logstash uses Java's sun.security.x509 package, which throws an exception when parsing an X.509 cert if that cert doesn't include an Issuer DN field. The event-handler currently does not add this field. I've opened an issue in teleport-plugins (https://github.com/gravitational/teleport-plugins/issues/606).

I can look into using Fluentd instead of Logstash, but I'm guessing that a lot of organizations use the canonical ELK stack, and it would be great to support this use case.
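The certificate shape described in the comment above can be reproduced and checked for directly. The following is an added example, not code from the teleport-plugins event-handler or from Logstash: it is written in Go because the plugin itself is, and it shows that a self-signed certificate built from an empty pkix.Name gets an empty Issuer DN, that Go's own x509 parser accepts that certificate without complaint (which is why the problem only surfaces on the Java side), and how to preflight a PEM file for the condition before wiring the plugin to Logstash. The function names, the CommonName used, and the generated certificates are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// SelfSignedCert builds a self-signed CA certificate. Because the template
// is its own parent, Go copies tmpl.Subject into the Issuer field, so an
// empty commonName yields a certificate whose Issuer DN is an empty
// SEQUENCE: the shape the comment above reports Logstash rejecting.
// (Hypothetical helper for this example, not plugin code.)
func SelfSignedCert(commonName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var subject pkix.Name
	if commonName != "" {
		subject = pkix.Name{CommonName: commonName}
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// HasEmptyIssuer parses a DER certificate and reports whether its Issuer DN
// carries no attributes at all. Go's parser accepts such a certificate, so
// nothing on the Go side fails; the check has to be explicit.
func HasEmptyIssuer(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return len(cert.Issuer.Names) == 0, nil
}

// ToPEM wraps DER bytes in a CERTIFICATE block, the usual on-disk form.
func ToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// CheckPEM is the preflight to run against a generated PEM file before
// pointing the event-handler at Logstash: it returns true when the first
// CERTIFICATE block has an empty Issuer DN.
func CheckPEM(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block found")
	}
	return HasEmptyIssuer(block.Bytes)
}

func main() {
	// Constructed input: one cert with an empty Issuer DN, one with a name.
	for _, cn := range []string{"", "teleport-event-handler"} {
		der, err := SelfSignedCert(cn)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		empty, err := CheckPEM(ToPEM(der))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("CN=%q issuer empty: %v\n", cn, empty)
	}
}
```

Run `CheckPEM` over the CA and client certificates the plugin produced; a `true` result means the cert will not get past Logstash's X.509 parsing even though Go, openssl and the Teleport side accept it, and the certificate needs to be regenerated with a non-empty subject on the issuing CA.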

ptgott commented 2 years ago

Also focus on ways to use Kibana to make sense of your audit logs. Even if we end up writing about using Fluentd for the setup part and replicating a lot of our Fluentd guide, this guide can still be valuable for that purpose.

ptgott commented 2 years ago

~Currently blocked until we can fix this PR and validate that it enables the event-handler plugin to work with Logstash.~