I’m new to Istio, but I have read the logging documentation. However, I’m still confused about how to collect certain types of “security event” logs. For example, I must centrally collect all authentication events, failed authentication events, access attempts to audit trails (logs), changes to permissions/authorization mechanisms, etc. I can see how to collect actual traffic and such, but I don’t see a method for collecting these security-based events. If someone has figured this out, I’d appreciate some guidance on where these types of events live.
I think some of these metrics (e.g. mTLS enable/disable, 401/403 HTTP response codes) are available in the telemetry: https://istio.io/docs/tasks/telemetry/metrics/using-istio-dashboard/
Some of them exist in the pilot/envoy logs but are more of an implementation detail and could change anytime. In general, we may need to update the code to output more metrics about the security policy.
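As an added example (not part of the original thread or of Istio's own code), here is one way to pull the 401/403 and mTLS signals mentioned in the reply out of scraped telemetry. It assumes the label names of Istio's standard `istio_requests_total` metric; the sample text, workload names and the `security_summary` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Prometheus exposition text scraped from sidecars.
# Label names follow Istio's standard istio_requests_total metric.
SAMPLE = '''\
# TYPE istio_requests_total counter
istio_requests_total{reporter="destination",source_workload="web",destination_service="api.prod.svc.cluster.local",response_code="200",connection_security_policy="mutual_tls"} 950
istio_requests_total{reporter="destination",source_workload="web",destination_service="api.prod.svc.cluster.local",response_code="401",connection_security_policy="mutual_tls"} 12
istio_requests_total{reporter="destination",source_workload="batch",destination_service="api.prod.svc.cluster.local",response_code="403",connection_security_policy="mutual_tls"} 7
istio_requests_total{reporter="destination",source_workload="legacy",destination_service="db.prod.svc.cluster.local",response_code="200",connection_security_policy="none"} 40
istio_requests_total{reporter="source",source_workload="web",destination_service="api.prod.svc.cluster.local",response_code="401",connection_security_policy="unknown"} 12
'''

LINE = re.compile(r'^istio_requests_total\{(?P<labels>.*)\}\s+(?P<value>\S+)')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def security_summary(text, reporter="destination"):
    """Return (denied, plaintext) counters built from istio_requests_total.

    Only one reporter is counted: each request is reported by both the source
    and the destination sidecar, and connection_security_policy is only
    populated on the destination side (the source side reports "unknown").
    """
    denied = Counter()     # (source, destination, code) -> 401/403 responses
    plaintext = Counter()  # (source, destination) -> requests without mTLS
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # comment lines and other metrics
        labels = dict(LABEL.findall(m.group("labels")))
        if labels.get("reporter") != reporter:
            continue
        count = int(float(m.group("value")))
        key = (labels.get("source_workload"), labels.get("destination_service"))
        code = labels.get("response_code")
        if code in ("401", "403"):
            denied[key + (code,)] += count
        if labels.get("connection_security_policy") == "none":
            plaintext[key] += count
    return denied, plaintext


if __name__ == "__main__":
    denied, plaintext = security_summary(SAMPLE)
    print("denied:", dict(denied))
    print("plaintext:", dict(plaintext))
```

These are aggregate counters, so they show how many denied or non-mTLS requests occurred between two workloads, not a per-event audit record.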