heroku / roadmap

This is the public roadmap for Salesforce Heroku services.

Heroku Trails audit logs #10

Open capeterson opened 1 year ago

capeterson commented 1 year ago

There is a need to automate the flow of customers' Heroku platform audit logs to their log repository or security monitoring tools. Today, these audit logs are served through our Audit Trails feature available for export in JSON format.

We are exploring the potential benefits for our customers to automate the flow of audit logs served through Audit Trails.

Sensitive areas

Reference Audit Trails for Enterprise Accounts

nightpool commented 1 year ago

The biggest issue with audit logs today is that they're not complete or detailed enough to be able to serve as a "source of truth" for who accessed what on an account, since they're missing detailed information necessary like IPs or user agents or specifics for resources accessed. This was a major learning we had coming out of the 2022 security incident process. For example, audit-trail level logs for every line of text sent or received from a one-off "console" dyno, or logs of which accounts accessed which specific configuration variables. Besides exports, what improvements are Heroku planning on making to the audit trails feature to make sure customers have the right set of tools going forward?

TGOBrienPP commented 1 year ago

Where in your roadmap will near real time audit logging be provided via SYSLOG and/or JSON/API access for export or piping to a log management system (Splunk, DataDog, ELK stack, etc.)? This capability is a must-have per our employer's risk management and operational expectations, as well as an industry standard capability. Having a manual process to export logs once a month is neither realistic nor usable.

andre5oto commented 1 year ago

As a PM who regularly works with our compliance team, I understand the annoying toil required to manually download files needed for security monitoring and compliance reporting. This is a problem affecting our customers and some of our internal teams. Our product team will begin planning and requirements gathering later this year for this feature enhancement. We hope to begin work early next year.

jonghyeokmoon commented 11 months ago

Major Heroku customers in Korea are requesting that Heroku log-in history be included in Audit Trail because it is required by the "Korea Personal Information Protection Act". (In the case of Core products, it is provided as login history (built-in) or event monitoring.) The "Korea Personal Information Protection Act" specifies that users' login records must be stored for at least one year, and if this feature is not included in the roadmap, it could negatively impact Heroku's long-term sales in South Korea. This function needs to be reflected in next year's feature enhancement.

andre5oto commented 10 months ago

User login events is a reasonable ask and will be added to the new features for Audit Trails next year. But I'm looking to see if we could add it sooner to the existing Audit Trails supported events.

TGOBrienPP commented 10 months ago

Thank you @andre5oto - login events is a good start; full audit/change logs are better.

4lex96 commented 5 months ago

Hi @andre5oto, is it possible to add a log of the last_login datetime attribute of a member of a Heroku enterprise team? In our organization, our security team asked for this attribute in order to remove a user from the enterprise team if he/she does not log in for 6 or more months.

In Heroku this information is unfortunately available only if the user is connected to the Heroku CLI and calls the GET /Account API (https://devcenter.heroku.com/articles/platform-api-reference#account), but we need something that could be used by an internal batch, for example (outside the Heroku CLI and without the login of the user, maybe by an Admin of the team).

Thanks

andre5oto commented 4 months ago

@4lex96, this is a great suggestion and one that I'm adding to our backlog for logs to produce in Audit Trails.

Furthermore, we continue to explore options for streamed audit trails information similar to the concept of log drains.