gitlab-org--gitlab-foss/doc/administration/audit_event_streaming.md

2.5 KiB

stage group info
Manage Compliance To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments

Audit event streaming (ULTIMATE)

Introduced in GitLab 14.5 with a flag named ff_external_audit_events_namespace. Disabled by default.

FLAG: On self-managed GitLab, by default this feature is not available. To make it available per group, ask an administrator to enable the feature flag named ff_external_audit_events_namespace. On GitLab.com, this feature is not available. You should not use this feature for production environments.

Event streaming allows owners of top-level groups to set an HTTP endpoint to receive all audit events about the group, and its subgroups and projects.

Top-level group owners can manage their audit logs in third-party systems such as Splunk, using the Splunk HTTP Event Collector. Any service that can receive structured JSON data can be used as the endpoint.

NOTE: GitLab can stream a single event more than once to the same destination. Use the id key in the payload to deduplicate incoming data.

Add a new event streaming destination

WARNING: Event streaming destinations will receive all audit event data, which could include sensitive information. Make sure you trust the destination endpoint.

To enable event streaming, a group owner must add a new event streaming destination using the externalAuditEventDestinationCreate mutation in the GraphQL API.

mutation {
  externalAuditEventDestinationCreate(input: { destinationUrl: "https://mydomain.io/endpoint/ingest", groupPath: "my-group" } ) {
    errors
    externalAuditEventDestination {
      destinationUrl
      group {
        name
      }
    }
  }
}

Event streaming is enabled if:

  • The returned errors object is empty.
  • The API responds with 200 OK.

List currently enabled streaming destinations

Group owners can view a list of event streaming destinations at any time using the externalAuditEventDesinations query type.

query {
  group(fullPath: "my-group") {
    id
    externalAuditEventDestinations {
      nodes {
        destinationUrl
        id
      }
    }
  }
}

If the resulting list is empty, then audit event streaming is not enabled for that group.