I’m new to Istio, but I have read the logging documentation. However, I’m still confused about how to collect certain types of “security event” logs. For example, I must centrally collect all authentication events, failed authentication events, access attempts to audit trails (logs), changes to permissions/authorization mechanisms, etc. I can see how to collect actual traffic and such, but I don’t see a method for collecting these security-based events. If someone has figured this out, I’d appreciate some guidance on where these types of events live.
I think some of these metrics (e.g. mTLS enable/disable, 401/403 HTTP response code) are available in the telemetry: https://istio.io/docs/tasks/telemetry/metrics/using-istio-dashboard/
Some of them exist in the Pilot/Envoy logs but are more of an implementation detail and could change anytime. In general, we may need to update the code to output more metrics about the security policy.
Hi. I am searching for the same. Our mesh uses service-to-service authentication with mTLS and authorization policies, and we need a way to collect security events like authentication success/fail and authorization success/fail. Is there a special label/marker for it? 401/403 will give me only failed authentication/authorization, but I also need to have a successful login event and a successful authorization check.
Appreciate your help. Thank you.