Audit logs
This topic describes how to monitor your network using HCP Consul's audit logging functionality. Audit logs record data about requests made to the Consul server's HTTP API.
For more information about audit logging, including an example of an audit log, refer to Audit Logging in the Consul documentation.
Introduction
Audit logs can provide greater insight into Consul access and usage patterns for the security and compliance teams in your HCP organization. They capture information about Consul-authenticated events that occur through the HTTP API. This information includes a timestamp, the operation method, the endpoint, and the assessor ID associated with the token used to make the API call.
You can obtain a token using the Consul CLI, HTTP API, or Consul UI. These tokens correlate with the assessor ID in the audit log. Refer to the ACL tokens documentation to learn about assessor IDs and other ACL token metadata.
Audit logging is enabled by default on Standard, Plus, and Premium cluster tiers.
Retrieve audit logs
HCP Consul keeps a cluster's audit logs in an encrypted storage environemnt in the same region as the cluster. You can retrieve audit logs in 24-hour increments from the HCP portal.
- Sign in to the HCP Portal.
- Select the organization or project where you created the cluster.
- Click Consul.
- From the Consul Overview, click the cluster ID of the servers whose audit logs you want to access.
- Click Audit logs in the sidebar menu.
- Specify a range of dates and times. Each period of up to 24 hours specified in the range downloadeds as a separate archive.
- Click Request download. HCP begins preparing the audit logs. You can navigate away from the audit log screen during this process.
- When the download request is ready, the status appears as
Available
. Click the download icon next to each archive.
Under Latest download requests, links to download audit log archives are available for 24 hours after their creation.
Log retention
Audit logs are stored within the platform for a minimum of one year. HCP began archiving audit logs in February 2022.
Audit logs are still available after the cluster associated with the log was deleted. Contact HashiCorp Support if you need access to logs from deleted clusters.