Export meshStack logs/events to an external tool
under review
Johannes Rudolph
Thank you for voting on this feature. I want to give you an update on our current perspective on this topic and ask you to provide us with your feedback (public or private).
Audit log exporting to SIEM systems has been available to customers using meshStack on-premise with custom solutions at the deployment, but we understand the need to enable this for meshStack SaaS customers in an easy-to-use and standard fashion.
We aim to support easy standard integration with standard enterprise SIEM solutions like Splunk or Azure Sentinel using standard ingestion mechanisms.
We have identified three different technical options:
- meshStack API to read logs
- batch export to storage bucket
- webhook delivery
Our current plan is to begin work in this area by providing an API first. This is the most versatile option and, most importantly, it allows backfilling historic audit logs. On top of the API, our customer success team would then provide an open source reference solution that exports these logs into a storage bucket. This option can be adapted to custom needs (e.g. S3, Azure Storage, etc.) or even direct delivery into Azure Event Hub.
In terms of events, we'd first focus on security-relevant events (role binding changes, user events).
We are still planning and collecting customer feedback in this area, but our current plan is to provide a first iteration on a solution by end of 2025.
Polina Sadykova
Thank you! That's a fantastic idea. The more votes we gather, the faster we can move forward with it.