HashiCorp Cloud Platform
HCP audit log streaming
Public beta available
HCP audit log streaming is currently in beta. This documentation supports testing and development scenarios. Do not use this feature in secure production environments.
This topic details HashiCorp Cloud Platform’s (HCP) unified audit log streaming capabilities and the process to enable audit log streaming for HCP platform and product events.
Introduction
Audit logs are a record of system events and corresponding identification data that are typically collected for security compliance measures or to aid in an incident response. In HCP, audit logs capture information about events for the entire HCP organization.
HashiCorp Cloud Platform produces two types of audit logs that you can access:
- Platform audit logs track an organization’s interactions with the overall HCP platform, including when users sign in and create projects.
- Product audit logs track an organization’s interactions with the individual HCP products, such as for HCP Vault Secrets.
This beta introduces a new resource in HashiCorp’s official HCP Terraform provider, hcp_log_streaming_destination. This resource enables you to stream an organization’s HCP audit logs to an external security information and event management (SIEM) provider, such as Splunk or AWS Cloudwatch, where you can review them.
Prior to this beta, platform audit logs were not directly accessible to HCP users. Product audit logs remain available separately for each HCP product.
Workflow
The overall workflow to enable audit log streaming from HCP to an external security information and event management (SIEM) system consists of the following steps:
- Prepare destination and retrieve required credentials. This step varies slightly depending on your SIEM system.
- Configure the audit log streaming destination in the HCP portal. You can also use Terraform and the HashiCorp Cloud Platform (HCP) Provider to complete this step.
- Verify the connection. Use the connection test in the HCP UI to generate a log and send it to your SIEM system. Alternatively, take any action in HCP that generates an audit log, such as attempting a login to an HCP Boundary cluster.
- View the audit log on your external SIEM system to confirm that streaming is properly configured.
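The following Terraform configuration is an added example (not from this page or from HashiCorp) of the configure step above using the hcp_log_streaming_destination resource named in the introduction, with Splunk as the destination. The resource name is from this page; the nested splunk_cloud block and its endpoint and token attributes are assumed from the HCP provider schema and are not shown on this page, so check them against the provider reference. The endpoint value is a constructed placeholder.

```hcl
# Added example: stream HCP audit logs to a Splunk HTTP Event Collector.
# Assumptions: the "splunk_cloud" nested block with "endpoint" and "token"
# attributes follows the HCP provider schema (not reproduced on this page).

terraform {
  required_providers {
    hcp = {
      source = "hashicorp/hcp"
    }
  }
}

# Authenticate with an ORGANIZATION-level service principal; a project-level
# service principal fails for this resource. Pass its credentials through the
# HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables, not in this file.
provider "hcp" {}

variable "splunk_hec_endpoint" {
  type        = string
  description = "Splunk HEC URL (constructed placeholder, replace with yours)"
  default     = "https://hec.example-stack.splunkcloud.example/services/collector/event"
}

# The HEC token is a secret: mark it sensitive and supply it out of band
# (for example via TF_VAR_splunk_hec_token) so it never enters source control.
# An invalid or under-privileged token means HCP cannot stream, and logs
# produced in that window are not stored.
variable "splunk_hec_token" {
  type      = string
  sensitive = true
}

resource "hcp_log_streaming_destination" "audit_to_splunk" {
  name = "hcp-audit-logs-to-splunk"

  splunk_cloud = {
    endpoint = var.splunk_hec_endpoint
    token    = var.splunk_hec_token
  }
}
```

After `terraform apply`, run the connection test in the HCP UI (or perform any audited action) and confirm the event is searchable in Splunk before relying on the stream.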
Guidance
The HCP documentation has several resources to help you stream audit logs from HCP.
Usage documentation
- Enable audit log streaming to AWS Cloudwatch
- Enable audit log streaming to Datadog
- Enable audit log streaming to Splunk
Reference documentation
Constraints and limitations
Be aware of the following technical constraints and limitations for HCP audit log streaming:
- You must authenticate to HCP with an organization-level service principal. Authentication with a project-level service principal results in an error.
- HCP does not process the audit log queue synchronously. It retries sending each log for up to seven days, using an exponential backoff that lengthens the interval between attempts over that period.
- If the configured credential (such as a token or API key) is invalid or lacks the required permissions, HCP does not retain the logs it is unable to stream. Streaming begins once you apply valid authentication credentials through the HCP UI or the Terraform provider.