Enable audit log streaming
This topic describes how to enable audit logs to stream to Amazon CloudWatch and Datadog.
HCP Plus tier required: Audit Logs are only available for HCP Plus tier registries. Learn more about HCP Plus.
Introduction
HCP Packer supports near real-time streaming of audit events. Audit logs allow administrators to track user activity and help security teams demonstrate compliance with regulatory requirements. HCP Packer supports streaming audit logs to Datadog and Amazon CloudWatch.
The HCP Packer platform stores audit logs for at least one year, and you can access logs for both active and deleted registries.
Requirements
You can only stream to one external account at a time.
Amazon CloudWatch
You must have the AWS ID and External ID from the HCP Packer Audit Logs page in the HCP Portal to set up Amazon CloudWatch.
Datadog
- You must know which region your Datadog account is in.
- You must have a Datadog API key. Refer to the Datadog documentation for information about obtaining an API key.
Amazon CloudWatch
- From the HCP Packer Overview page, select the Audit Logs view.
- Click Enable Log Streaming.
- From the Enable audit logs streaming view, select Amazon CloudWatch as the provider.
- On the Amazon CloudWatch provider page, note the AWS ID and External ID. You will need them in the next steps.
- Create an IAM policy and a role. Refer to AWS setup for instructions.
- Under the provider, enter the Destination name and the Role ARN (copied from the previous step), and select the AWS region where you intend to store your data.
- Click Test connection to receive a test event and confirm the connection has been established.
- Click Save.
Logs should arrive in Amazon CloudWatch within a few minutes of using Packer.
HCP Packer dynamically creates the log group and log streams. After you complete the configuration, you can find the log group in your Amazon CloudWatch console under the prefix /hashicorp. This prefix lets you easily distinguish which logs are coming from HashiCorp. Note that the log group for the test event differs from the log group for actual events.
Refer to the AWS documentation for details on log exploration.
Datadog
- From the HCP Packer Overview page, select the Audit Logs view.
- Click Enable Log Streaming.
- From the Enable audit logs streaming view, select Datadog as the provider.
- Under the provider, enter your Destination name, API Key and select the Datadog site region that matches your existing Datadog environment.
- Click Test connection to receive a test event and confirm the connection has been established.
- Click Save.
Logs should arrive in your Datadog environment within a few minutes of using Packer. Refer to the Datadog documentation for details on log exploration.
Testing streaming configuration
During the streaming configuration setup, you can test that your streaming configuration works from within HCP. Testing verifies that your credentials are correct and that the other parameters in the configuration work. To test, enter the necessary parameters for the logging provider you wish to test, then click the Test connection button.
HCP sends a test message to the logging provider and shares the success or failure status on the Enable log streaming page.
You can also test any updated streaming configurations to ensure they still work as intended.
Updating streaming configuration
After configuring streaming, you may need to update your configuration for a variety of reasons. For example, you may want to rotate a secret used for your logging provider, or switch logging providers altogether.
- Select Edit streaming configuration from the Manage menu on the Audit logs page.
- If you want to select a new provider, do so now.
- Enter new parameters for the provider.
- (Optional) Test the connection by clicking Test connection.
- Click Save.
AWS Setup
As part of the Amazon CloudWatch setup, you need to create an IAM policy and role. Refer to the following section for instructions using your preferred method.
AWS Management Console
Create the IAM policy:
- Choose the JSON option and paste the policy below.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HCPLogStreaming",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:TagLogGroup"
      ],
      "Resource": "*"
    }
  ]
}
```

- Finish the rest of the setup to create and save the policy.
Create the IAM role:
- Choose AWS account as your trusted entity type.
- Select Another AWS account for the AWS account field.
- Use the AWS ID value from the HCP Packer Audit Logs page as the account ID.
- Under Options, select Require external ID.
- For External ID, use the External ID value from your HCP Packer Audit Logs page. Requiring the external ID ensures that only requests carrying the value HCP shows you can assume the role.
- Finish the process of creating and saving your custom role.
- Attach the policy that you created in the previous steps to this role.
- Finish the role creation setup.
- Copy the ARN of the role and go back to the Amazon CloudWatch section to finish the rest of the steps.
Terraform
```hcl
data "aws_iam_policy_document" "allow_hcp_to_stream_logs" {
  statement {
    effect = "Allow"
    actions = [
      "logs:PutLogEvents",       # To write logs to CloudWatch
      "logs:DescribeLogStreams", # To get the latest sequence token of a log stream
      "logs:DescribeLogGroups",  # To check if a log group already exists
      "logs:CreateLogGroup",     # To create a new log group
      "logs:CreateLogStream",    # To create a new log stream
      "logs:TagLogGroup",        # To tag the log groups HCP creates (also granted by the console policy above)
    ]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "trust_policy" {
  statement {
    sid     = "HCPLogStreaming"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["<AWS ID-generated-by-Hashicorp>"]
    }
    # Only requests carrying the External ID shown on the HCP Audit Logs page
    # may assume this role (confused-deputy protection).
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["<External ID-generated-by-Hashicorp>"]
    }
  }
}

resource "aws_iam_role" "role" {
  name               = "hcp-log-streaming"
  description        = "IAM role that allows HCP to send logs to CloudWatch Logs"
  assume_role_policy = data.aws_iam_policy_document.trust_policy.json
}

# aws_iam_role_policy replaces the inline_policy block of aws_iam_role, which is
# deprecated in AWS provider v5 and removed in v6.
resource "aws_iam_role_policy" "inline_policy" {
  name   = "inline-policy"
  role   = aws_iam_role.role.id
  policy = data.aws_iam_policy_document.allow_hcp_to_stream_logs.json
}
```
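The trust policy and permissions policy above are where a mistake (a missing External ID condition, a wildcard principal, an over-broad action list) silently widens who can write into your log groups. The following check, added here as an example and not part of HCP Packer or this page, lints both rendered policy documents against the values from the Audit Logs page; the AWS ID and External ID it uses are constructed placeholders.

```python
import json
# Placeholders for the AWS ID and External ID from the HCP Audit Logs page (constructed, not real).
HCP_AWS_ID = "111111111111"
HCP_EXTERNAL_ID = "example-external-id"

# Actions granted by the console policy on the page; anything else is a finding.
DOCUMENTED_ACTIONS = {
    "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups",
    "logs:CreateLogStream", "logs:CreateLogGroup", "logs:TagLogGroup",
}

def _as_list(value):  # IAM accepts a string or a list in most fields
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, aws_id, external_id):
    """Findings for the role's trust policy; an empty list means it is as expected."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = set(_as_list(stmt.get("Principal", {}).get("AWS", [])))
        if "*" in principals:
            findings.append("trust policy lets any AWS principal assume the role")
        elif not principals or not principals <= {aws_id, f"arn:aws:iam::{aws_id}:root"}:
            findings.append(f"principal is not the HCP AWS ID: {sorted(principals)}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext_ids:
            findings.append("no sts:ExternalId condition (confused-deputy exposure)")
        elif external_id not in ext_ids:
            findings.append("sts:ExternalId does not match the HCP External ID")
    return findings

def check_permissions_policy(policy_json):
    """Findings for the permissions policy; empty means it grants only the documented actions."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow":
            extra = set(_as_list(stmt.get("Action", []))) - DOCUMENTED_ACTIONS
            if extra:  # catches wildcards such as "logs:*" or "*" as well
                findings.append(f"actions beyond the documented set: {sorted(extra)}")
    return findings

# Constructed sample documents shaped like the ones the Terraform above renders.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "HCPLogStreaming", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{HCP_AWS_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": HCP_EXTERNAL_ID}}}]})
PERMISSIONS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(DOCUMENTED_ACTIONS), "Resource": "*"}]})
```

Run it against the JSON that `terraform show` or the IAM console displays for the role; an empty list from both functions means the role is scoped the way this page describes.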