
Managing Security Events


Control panel

Authorization log

The authorization log shows who signed in to the account and when. You can also receive an email notification whenever an authorization comes from a new IP address.

The Account Owner can see the authorizations of all account users; invited users see only their own authorizations. For more details, see the Access Management in Selectel Products instruction.

If you notice suspicious activity, reset all sessions and change your password.

Audit logs

For your information

Only the Account Owner has access to audit logs.

Audit logs let you find out about events occurring in the account. Events reflect operations performed on resources or users:

  • authentication and the start or end of a session in the Control panel;
  • reading specific data (accessing the Secrets service, reading encryption keys, etc.);
  • managing access rights and security services (users, roles, passwords, tokens, access keys, secrets, certificates, etc.);
  • mutating operations on resources (creating, modifying, or deleting servers, networks, volumes, etc.).

Audit logs include both successful and unsuccessful events, as well as events that were blocked by security policies. When an event occurs, it is added to the audit logs and becomes available within a few minutes.

Audit logs are collected automatically and stored for 90 days. You can export audit logs manually or configure export via API.

Cloud and dedicated servers

On cloud and dedicated servers, operating system events and information security events can be collected and exported to an external security event management system using free tools:

Additional security event sources can be enabled with the following utilities:

  • Auditd — for Linux OS;
  • Sysmon — for Windows OS.

Managed Kubernetes

In Managed Kubernetes clusters, you can receive three kinds of logs: cluster logs, container logs, and audit logs.

Cluster logs record events that happen to the cluster itself, for example cluster creation, node group changes, and certificate and version updates. Actions performed automatically, such as a scheduled certificate update, also appear in the logs. You can view cluster logs in the control panel.

Container logs contain events that happen to containers, for example container creation and deletion. Container log files are stored in the /var/log/pods or /var/log/containers directory. Logs for a specific container can be viewed with kubectl logs <container_name>, where <container_name> is the name of the container. If you have many containers in a Managed Kubernetes cluster, you can configure container log collection via Filebeat.

Audit logs record events that take place in the cluster, for example in pods or services. These events can be initiated by users, applications, or the Control Plane. Which events are included in the logs, and with which parameters, is determined by the audit policy. The policy applied to Managed Kubernetes audit logs can be viewed in the Selectel documentation on GitHub.

Audit logs can be sent to a security event management system, for example the Wazuh SIEM. To receive audit logs from a Managed Kubernetes cluster, configure the integration.
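As an added illustration (not code from the Selectel documentation), the following Python script performs the kind of triage a SIEM rule would run over exported Kubernetes audit logs: it flags requests the audit log shows as denied and reads of sensitive resources such as secrets. The fields it uses (stage, verb, user.username, objectRef, responseStatus.code and the authorization.k8s.io/decision annotation) are standard audit.k8s.io/v1 event fields; the sample events and the SENSITIVE_RESOURCES set are constructed assumptions.

```python
import json

# Constructed sample (not real cluster output): Kubernetes audit events in the
# audit.k8s.io/v1 JSON-lines format, including one event that is not yet complete.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:dev:ci"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"responseStatus":{"code":403},"annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":"no RBAC policy matched"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","verb":"list","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"RequestReceived","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod"}}
"""

# Assumption: resources whose reads deserve a finding even when allowed.
SENSITIVE_RESOURCES = {"secrets", "configmaps", "serviceaccounts"}
READ_VERBS = {"get", "list", "watch"}

def parse_events(lines):
    """Yield completed audit events; skip blank lines and RequestReceived stages."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("stage") == "ResponseComplete":  # one record per finished request
            yield event

def triage_audit_events(lines):
    """Return SIEM-style findings: denied requests and reads of sensitive resources."""
    findings = []
    for ev in parse_events(lines):
        user = ev.get("user", {}).get("username", "<unknown>")
        ref = ev.get("objectRef", {})
        resource = ref.get("resource", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        decision = ev.get("annotations", {}).get("authorization.k8s.io/decision")
        base = {"auditID": ev["auditID"], "user": user, "verb": ev.get("verb"),
                "resource": resource, "namespace": ref.get("namespace", "")}
        if decision == "forbid" or code in (401, 403):  # blocked by authn/authz policy
            findings.append({**base, "rule": "denied_request",
                             "reason": ev.get("annotations", {}).get("authorization.k8s.io/reason", "")})
        elif resource in SENSITIVE_RESOURCES and ev.get("verb") in READ_VERBS:
            findings.append({**base, "rule": "sensitive_read", "reason": "read of a sensitive resource"})
    return findings

if __name__ == "__main__":
    for f in triage_audit_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f['rule']}] {f['user']} {f['verb']} {f['resource']}/{f['namespace']} ({f['reason']})")
```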