This document describes Segura’s auditing and logging system, which records all critical cluster operations to ensure traceability and compliance with regulatory and security requirements. It covers auditable events, log access and export, integration with SIEM/SOAR systems, and practical examples.
What is auditable in the cluster
Segura logs the following events in detail:
- Node addition and removal, including responsible user, date/time, justification, and status.
- Auto-healing and failover events such as failure detection, remediation attempts, node isolation, and recovery.
- Elastic scaling adjustments, including automatic/manual provisioning or shutdown of nodes.
- Privileged user sessions: start, end, executed commands, file transfers, and privilege escalations.
- Configuration changes to policies, thresholds, cluster parameters, and integrations.
How to access and export logs
- Audit panel: The administration console provides dashboards for searching, filtering, and exporting key events and logs.
- Manual or automated export: Logs can be exported in open formats (CSV, JSON) or sent automatically to external destinations via syslog, webhook, or native integrations.
- Granularity and retention: Configurable levels of detail (successes, failures, critical changes, access attempts) and retention policies according to regulatory needs.
Integration with SIEM/SOAR
- SIEM: Native integration with platforms like Splunk, QRadar, ArcSight, and Elastic, enabling real-time event forwarding for correlation, alerts, and incident response.
- SOAR: Support for automated export of alerts and events to facilitate automated responses, investigation workflows, and orchestration of corrective actions.
- Configuration: Integration via syslog, RESTful APIs, or webhooks, with detailed documentation for each scenario.
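The export and SIEM-forwarding paths described in the two sections above, as an added example that is not Segura's own code: it applies a retention window and the documentation's granularity levels to a set of constructed audit events, writes them out as CSV or JSON, and renders each one as an RFC 5424 syslog line with the audit fields carried as structured data. The flat event schema (ts, category, action, actor, target, outcome, justification), the mapping of granularity labels to predicates, the hostname and the collector address are all assumptions made for illustration.

```python
"""Select, export and forward Segura-style cluster audit events.

Added example, not Segura's own code: the event schema, the granularity
mapping and the syslog layout below are assumptions; Segura's real export
formats and syslog templates may differ.
"""
import csv
import io
import json
import socket
from datetime import datetime, timedelta, timezone

FIELDS = ["ts", "category", "action", "actor", "target", "outcome", "justification"]

# Constructed sample events covering the event classes the documentation lists;
# the first one is deliberately older than the 30-day retention window used below.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "category": "cluster", "action": "node.add",
     "actor": "userX", "target": "node-01", "outcome": "success",
     "justification": "initial build-out"},
    {"ts": "2024-05-01T09:15:00Z", "category": "cluster", "action": "node.remove",
     "actor": "userX", "target": "node-03", "outcome": "success",
     "justification": "scheduled maintenance"},
    {"ts": "2024-05-01T10:02:30Z", "category": "scaling", "action": "node.provision",
     "actor": "autoscaler", "target": "node-07", "outcome": "success",
     "justification": "session threshold exceeded"},
    {"ts": "2024-05-01T10:45:00Z", "category": "healing", "action": "node.recover",
     "actor": "system", "target": "node-Y", "outcome": "success",
     "justification": "communication failure"},
    {"ts": "2024-05-01T11:00:00Z", "category": "session", "action": "privilege.escalate",
     "actor": "userZ", "target": "db-prod-01", "outcome": "failure",
     "justification": ""},
    {"ts": "2024-05-01T11:30:00Z", "category": "config", "action": "policy.update",
     "actor": "userY", "target": "elastic-scaling-policy", "outcome": "success",
     "justification": "approved change"},
]
REFERENCE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed clock for the example


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Granularity levels named in the documentation, mapped to predicates (assumed mapping).
GRANULARITY = {
    "successes": lambda e: e["outcome"] == "success",
    "failures": lambda e: e["outcome"] == "failure",
    "critical_changes": lambda e: e["category"] in {"cluster", "config"},
    "access_attempts": lambda e: e["category"] == "session",
}


def select_events(events, include, retention_days, now=REFERENCE_NOW):
    """Apply the retention window first, then keep events matching any included level."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events
            if parse_ts(e["ts"]) >= cutoff and any(GRANULARITY[name](e) for name in include)]


def to_csv(events) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


def to_json(events) -> str:
    return json.dumps(events, indent=2, sort_keys=True)


FACILITY_LOG_AUDIT = 13                  # RFC 5424 facility 13: log audit
SEVERITY = {"success": 6, "failure": 4}  # informational / warning


def sd_escape(value) -> str:
    """Escape the three characters RFC 5424 requires escaping inside SD-PARAM values."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, hostname="segura-node-01", app="segura-audit") -> str:
    """Render one event as an RFC 5424 line; hostname and app name are placeholders."""
    pri = FACILITY_LOG_AUDIT * 8 + SEVERITY.get(event["outcome"], 5)
    params = " ".join(f'{k}="{sd_escape(event[k])}"' for k in FIELDS if k != "ts")
    sd = f"[audit@32473 {params}]"  # 32473 is the enterprise number RFC 5424 reserves for examples
    msg = f"{event['action']} on {event['target']} by {event['actor']}: {event['outcome']}"
    return f"<{pri}>1 {event['ts']} {hostname} {app} - {event['action']} {sd} {msg}"


def send_syslog_udp(lines, host="127.0.0.1", port=514):
    """Forward rendered lines to a syslog collector (hypothetical local collector)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    recent = select_events(SAMPLE_EVENTS, {"failures", "critical_changes"}, retention_days=30)
    print(to_csv(recent))
    for line in map(to_syslog, recent):
        print(line)
```

Retention is applied before the granularity filter so that an exported file never contains events the retention policy says should already be gone, and the structured-data block keeps every field machine-parseable for the SIEM instead of burying it in the free-text message.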
Examples of logs and events
- Node removed from cluster by admin userX, with date/time and reason (e.g., scheduled maintenance).
- Automatic node provisioning via auto-scaling triggered by session thresholds.
- Communication failure on node Y, auto-healing initiated, post-recovery status “Healthy”.
- Elastic scaling policy change approved by admin userY, all details recorded.
- Successful automatic log export to SIEM/SOAR.
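The example events above are the raw material for the checks a defender would actually run over an export. As an added example (not Segura's code), the block below encodes four such checks and runs them over constructed events: a node removal must carry a reason, an auto-healing run must end in the status "Healthy", a policy change must record an approver, and the automatic SIEM export must have succeeded recently, since a silent export pipeline is itself an audit gap. The event shape (ts, action, actor, target, details) is an assumption; the first five events mirror the examples listed above and the last two are constructed negative cases.

```python
"""Defensive checks run over exported Segura cluster audit events.

Added example, not Segura's own code. The event shape is an assumption made
for this example; the sample events are constructed.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed events: five that mirror the documentation's examples, then two
# negative cases (a removal without a reason, a recovery that did not reach Healthy).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:15:00Z", "action": "node.remove", "actor": "userX",
     "target": "node-03", "details": {"reason": "scheduled maintenance"}},
    {"ts": "2024-05-01T10:02:30Z", "action": "node.provision", "actor": "autoscaler",
     "target": "node-07", "details": {"trigger": "session threshold exceeded"}},
    {"ts": "2024-05-01T10:45:00Z", "action": "node.autoheal", "actor": "system",
     "target": "node-Y", "details": {"cause": "communication failure",
                                     "post_recovery_status": "Healthy"}},
    {"ts": "2024-05-01T11:30:00Z", "action": "policy.update", "actor": "userY",
     "target": "elastic-scaling", "details": {"approved_by": "userY"}},
    {"ts": "2024-05-01T12:00:00Z", "action": "log.export", "actor": "system",
     "target": "siem", "details": {"status": "success"}},
    {"ts": "2024-05-01T12:20:00Z", "action": "node.remove", "actor": "userX",
     "target": "node-05", "details": {"reason": ""}},
    {"ts": "2024-05-01T12:40:00Z", "action": "node.autoheal", "actor": "system",
     "target": "node-02", "details": {"cause": "communication failure",
                                     "post_recovery_status": "Degraded"}},
]


def check_node_removal_justified(events):
    """Every node removal should carry the justification the audit trail promises."""
    return [f"{e['ts']} node.remove of {e['target']} by {e['actor']} recorded without a reason"
            for e in events
            if e["action"] == "node.remove" and not e["details"].get("reason", "").strip()]


def check_autoheal_recovered(events):
    """Auto-healing that does not end in a Healthy status needs human follow-up."""
    return [f"{e['ts']} auto-healing of {e['target']} ended in status "
            f"{e['details'].get('post_recovery_status', 'unknown')}"
            for e in events
            if e["action"] == "node.autoheal"
            and e["details"].get("post_recovery_status") != "Healthy"]


def check_policy_change_approved(events):
    """Policy changes should record who approved them."""
    return [f"{e['ts']} policy change to {e['target']} by {e['actor']} has no approver"
            for e in events
            if e["action"] == "policy.update" and not e["details"].get("approved_by")]


def check_export_heartbeat(events, now: datetime, max_gap_minutes: int):
    """A SIEM export pipeline that has gone quiet is itself an audit finding."""
    exports = [parse_ts(e["ts"]) for e in events
               if e["action"] == "log.export" and e["details"].get("status") == "success"]
    if not exports:
        return ["no successful SIEM export recorded"]
    gap = now - max(exports)
    if gap > timedelta(minutes=max_gap_minutes):
        return [f"last successful SIEM export was {int(gap.total_seconds() // 60)} minutes ago"]
    return []


def run_checks(events, now_iso: str, max_export_gap_minutes: int = 60):
    """Run all rules against the events and return the alert strings (empty means clean)."""
    now = parse_ts(now_iso)
    return (check_node_removal_justified(events)
            + check_autoheal_recovered(events)
            + check_policy_change_approved(events)
            + check_export_heartbeat(events, now, max_export_gap_minutes))


if __name__ == "__main__":
    for alert in run_checks(SAMPLE_EVENTS, "2024-05-01T14:00:00Z"):
        print("ALERT:", alert)
```

Each rule is a pure function over the event list, so the same code can run as a scheduled job over a CSV/JSON export or be ported one rule at a time into SIEM correlation searches; the export heartbeat takes the clock as a parameter so the check is reproducible against historical data.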